---
name: Tenant DLP Coverage and Effectiveness Audit
description: Audit Microsoft Purview DLP coverage across Exchange, SharePoint, OneDrive, Teams and endpoints to surface gaps, overlaps and simulation results.
---

# Tenant DLP Coverage and Effectiveness Audit

> **TL;DR:** This skill reads your Microsoft Purview Data Loss Prevention policies across every workload, then produces a coverage and effectiveness report that shows where sensitive data is protected, where gaps remain, and how policies behave in simulation so you can close exposure before it becomes a breach.

## What does Microsoft Purview DLP coverage actually mean?

Microsoft Purview Data Loss Prevention (DLP) lets your organisation define policies that detect and protect sensitive information such as credit card numbers, health records and intellectual property. A policy is only effective when it covers every relevant location: Exchange Online email, SharePoint Online sites, OneDrive accounts, Microsoft Teams chats and channels, and managed endpoints. This skill inspects how those policies map to sensitive information types, sensitivity labels and Microsoft 365 workloads so you can see your true protection surface rather than assuming it. It also reviews policies still running in simulation (test) mode, which match content but do not yet enforce actions.

## When should you run this skill?

- "Show me which Microsoft 365 workloads my DLP policies actually cover and where the gaps are."
- "Are any DLP policies still stuck in simulation mode instead of enforcing?"
- "Do I have overlapping DLP policies that conflict or create duplicate alerts?"
- "Which sensitive information types are protected in email but not in Teams or endpoints?"
- "We are preparing for an audit and need evidence of our DLP coverage posture."
- "After onboarding new sites and devices, confirm DLP still protects them."
- "Help me prioritise which DLP gaps to remediate first by risk."

## How this skill works, step by step

1. Connect read-only to Microsoft Purview using delegated compliance permissions, requesting no write or policy-modification scopes.
2. Enumerate every DLP policy and its rules, capturing the workloads each policy targets across Exchange, SharePoint, OneDrive, Teams and endpoints.
3. Map each policy to the sensitive information types, trainable classifiers and sensitivity labels it relies on for detection.
4. Build a coverage matrix that cross-references workloads against protected sensitive information types to expose locations with no protection.
5. Detect overlaps where multiple policies target the same location and information type, flagging potential conflicts or duplicate enforcement.
6. Identify policies running in simulation mode and summarise their match counts so you can judge readiness to enforce.
7. Review policy actions and conditions to confirm enforcement (block, encrypt, notify) is configured where coverage exists.
8. Derive a risk score per gap by weighting the sensitivity of unprotected data, the exposure of the workload, and whether enforcement is active.
9. Compile the findings into a prioritised report with clear remediation guidance.
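As an added example (not part of this skill's own code), the coverage-matrix, simulation-mode, overlap and risk-scoring logic of steps 4 to 8, run over a constructed policy export. The input field names, the scoring weights and the rating thresholds are assumptions for illustration, not Purview's schema or the skill's actual weighting.

```python
WORKLOADS = ("Exchange", "SharePoint", "OneDrive", "Teams", "Endpoints")
SIMULATION_MODES = {"TestWithNotifications", "TestWithoutNotifications"}
# Assumed scoring weights: data sensitivity per SIT, exposure per workload.
SIT_WEIGHT = {"Australia Tax File Number": 3, "Credit Card Number": 3, "Australia Bank Account": 2}
WORKLOAD_EXPOSURE = {"Teams": 3, "Endpoints": 3, "Exchange": 2, "OneDrive": 2, "SharePoint": 2}

# Constructed sample export; field names are an assumption loosely mirroring
# Get-DlpCompliancePolicy / Get-DlpComplianceRule output. PCI-All and PCI-Mail overlap on Exchange.
POLICIES = [
    {"Name": "PCI-All", "Mode": "Enable", "SITs": ["Credit Card Number"],
     "Workloads": ["Exchange", "SharePoint", "OneDrive"]},
    {"Name": "PCI-Mail", "Mode": "Enable", "SITs": ["Credit Card Number"],
     "Workloads": ["Exchange"]},
    {"Name": "AU-Finance", "Mode": "TestWithNotifications",
     "SITs": ["Australia Bank Account", "Australia Tax File Number"],
     "Workloads": ["Exchange", "Endpoints"]},
]

def coverage_matrix(policies):
    """Map every (workload, SIT) pair to the policies protecting it; an empty list is a gap."""
    sits = {s for p in policies for s in p["SITs"]}
    matrix = {(w, s): [] for w in WORKLOADS for s in sits}
    for p in policies:
        for w in p["Workloads"]:
            for s in p["SITs"]:
                matrix[(w, s)].append(p)
    return matrix

def risk_score(workload, sit, covering):
    """Sensitivity x exposure for a gap, halved when only simulation covers it, 0 when enforced."""
    base = SIT_WEIGHT.get(sit, 1) * WORKLOAD_EXPOSURE.get(workload, 1)
    if not covering:
        return base
    return 0 if any(p["Mode"] not in SIMULATION_MODES for p in covering) else base // 2

def audit(policies):
    """Return report rows (workload, SIT, status, mode, rating, score) sorted by risk, plus overlaps."""
    rows, overlaps = [], []
    for (w, s), covering in coverage_matrix(policies).items():
        if not covering:
            status, mode = "Not covered", "None"
        else:
            enforced = any(p["Mode"] not in SIMULATION_MODES for p in covering)
            status, mode = "Covered", ("Enforced" if enforced else "Simulation")
            if len(covering) > 1:  # same location and SIT targeted twice: possible duplicate alerts
                overlaps.append((w, s, sorted(p["Name"] for p in covering)))
        score = risk_score(w, s, covering)
        rating = "High" if score >= 6 else "Medium" if score >= 2 else "Low"
        rows.append((w, s, status, mode, rating, score))
    rows.sort(key=lambda r: (-r[5], r[0], r[1]))  # highest derived risk first
    return rows, overlaps
```

Each returned row maps directly onto a line of the coverage table in the output format below; `overlaps` feeds the summary of policies that may produce duplicate alerts.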

## Output format

The skill produces a structured coverage report. Each row represents a workload and sensitive information type combination, with its protection status and risk rating.

| Workload | Sensitive Info Type | Coverage Status | Mode | Risk |
| --- | --- | --- | --- | --- |
| Microsoft Teams | Australia Tax File Number | Not covered | None | High |
| SharePoint Online | Credit Card Number | Covered | Enforced | Low |
| Endpoints | Australia Bank Account | Covered | Simulation | Medium |

A summary follows the table:

- Total DLP policies inspected and how many are enforced versus in simulation.
- Count of uncovered workload and information-type combinations, grouped by risk.
- Overlapping policies that may produce conflicting actions or duplicate alerts.
- Top prioritised remediation actions ordered by derived risk score.

## Scope and safety

This skill is read-only by default and makes no changes to your tenant, policies or data. It only reads configuration and simulation metadata to assess posture.

This skill does NOT:

- Create, modify, enable, disable or delete any DLP policy or rule.
- Change policies from simulation mode into enforcement mode.
- Access, export or move the content of any protected message, file or chat.
- Alter sensitivity labels, sensitive information types or any other configuration.

## Licensing and permissions

### Licences and add-ons

| Capability used | Minimum licence |
| --- | --- |
| Purview DLP for Exchange, SharePoint, OneDrive and Teams | Microsoft 365 E3 (or Office 365 E3) |
| Endpoint DLP and DLP policy simulation (test mode) | Microsoft 365 E5 or E5 Compliance |

### Least-privilege roles

- Global Reader or Compliance Administrator with read-only access for viewing DLP policies and simulation results.
- Compliance Data Administrator if broader read access to Purview compliance configuration is required.

### Microsoft Graph permissions (read-only)

- Microsoft Purview DLP policies are not exposed for enumeration through Microsoft Graph. This skill reads DLP policy, rule and simulation configuration via the Microsoft Purview portal and Security and Compliance PowerShell (for example `Get-DlpCompliancePolicy` and `Get-DlpComplianceRule`) using a least-privilege reader account, so no Graph scopes are requested.

## Sources and compliance

- [Learn about data loss prevention](https://learn.microsoft.com/en-us/purview/dlp-learn-about-dlp)
- [Test a DLP policy](https://learn.microsoft.com/en-us/purview/dlp-test-dlp-policies)
- Supports the Essential Eight mitigation strategy of restricting and protecting sensitive data flows, reinforcing data exfiltration controls aligned with ISM controls for data loss prevention and information handling.
- [ASD Essential Eight Maturity Model](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model)
- Output in Australian English.
