
Sensitive Information Types to Automate Office 365 Compliance

You need to protect sensitive information such as credit card numbers and health records to prevent its inadvertent disclosure and to comply with business standards and industry regulations. To help with this, we can create Data Loss Prevention (DLP) policies to identify, monitor, and automatically protect sensitive information across M365. Microsoft Office 365 (M365) comes with a number of pre-built templates for passports, credit card numbers, social security numbers, etc., and with our expertise, you can create your own templates specific to your organization. A sensitive information type is defined by a pattern that can be identified by a regular expression or a function. In addition, corroborative evidence such as keywords and checksums can be used to identify a sensitive information type. Confidence level and proximity are also used in the evaluation process.


The sensitive information types are configured in the M365 Compliance Center:


Create new sensitive information types to find and protect information that is unique to your organization. In this example, we are trying to identify and protect information about our top-secret project Enigma.

Next, you add a matching element, which is the sensitive information that this type will look for in content.

You have three ways to do this:


Keywords that it should look for:

Regular expressions that it should look for (this requires familiarity with RegEx; for more information about the Boost.RegEx (formerly known as RegEx++) engine that's used for processing the text, see Boost.Regex 5.1.3):

Dictionary of matching terms:

To increase the accuracy of detection, you can optionally add multiple supporting elements, e.g. the word Project is used within 50 characters of the project name Enigma.

When the matching element is detected, at least one supporting element must be found within your specified proximity of the matching element for this type to be matched.
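The rule above can be rehearsed offline before a type is published. The following is an added example, not Infotechtion's or Microsoft's code: it approximates the matching logic in Python, using the page's values (primary element Enigma, supporting keyword Project, 50 characters). It assumes the supporting element must lie wholly within the window on either side of the match, uses Python's `re` in place of Boost.Regex, and does not model confidence levels; all sample text is constructed.

```python
import re

# Values taken from the page's example; the patterns themselves are constructed.
PRIMARY = re.compile(r"\bEnigma\b", re.IGNORECASE)
SUPPORTING = [re.compile(r"\bProject\b", re.IGNORECASE)]
PROXIMITY = 50


def evaluate(text, primary=PRIMARY, supporting=SUPPORTING, proximity=PROXIMITY):
    """Return one dict per primary match, recording which supporting
    element (if any) lies within `proximity` characters of it."""
    # Locate supporting elements on the full text so that slicing a window
    # cannot create a false word boundary in the middle of a longer word.
    evidence = [(s.start(), s.end(), s.group(0))
                for pat in supporting for s in pat.finditer(text)]
    results = []
    for m in primary.finditer(text):
        # Assumed window: `proximity` characters either side of the match.
        lo, hi = m.start() - proximity, m.end() + proximity
        hit = next((word for start, end, word in evidence
                    if start >= lo and end <= hi), None)
        results.append({"match": m.group(0), "offset": m.start(),
                        "evidence": hit, "matched": hit is not None})
    return results


def is_sensitive(text, **kwargs):
    """The type matches when any primary match has corroborating evidence."""
    return any(r["matched"] for r in evaluate(text, **kwargs))


# Constructed sample content covering a hit and three near misses.
SAMPLES = {
    "close": "Status update for Project Enigma: budget approved.",
    "history": "The Enigma machine was used during the Second World War.",
    "far": "Project kickoff notes. " + "x" * 80 + " Codename Enigma is on hold.",
    "substring": "Our subproject list mentions Enigma once.",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:10} -> {is_sensitive(text)}")
```

Running a set of known-sensitive and known-benign documents through a check like this shows how the proximity value trades false positives against missed content before the type starts driving DLP or retention actions.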


Once you have created a new sensitive information type, you can then create a Data Loss Prevention (DLP) policy to identify and protect the information (see the blog post "Data Loss Prevention to Automate Office 365 Compliance"), or create a retention policy to automatically delete the content after X days/years. The latter is very useful when using sensitive information types to identify migrated information that should be deleted in X days/years to meet GDPR requirements for data minimization and storage limitation.


Many organisations fail to effectively identify sensitive information due to a lack of knowledge and skills in configuring the keywords, dictionaries and regular expressions that are essential to detecting sensitive information. Infotechtion experts can help you configure such policies based on our extensive experience with Microsoft Cloud. Feel free to contact us if you need help automating Office 365 compliance.

© Infotechtion