DLP-02 | Critical | Maximum Security

Block Bulk Data Exfiltration

Data Protection control for Microsoft 365 and Entra ID

Why This Control Matters

Insider threats and ransomware attackers exfiltrate data before deploying payloads. Detecting and blocking bulk data movement stops data theft in progress and provides early warning of compromise.

Expected State

When this control is compliant, your tenant should meet these criteria:

  1. DLP policies prevent bulk downloads of sensitive data
  2. Alerts trigger on exfiltration patterns (>1000 files or >1GB in <1 hour)
  3. Automated blocking of suspicious bulk operations
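
The alert threshold in item 2 can be evaluated as a per-user sliding window over download events. The sketch below is an added example, not TrueConfig or Microsoft Purview code; the (timestamp, user, size_bytes) event shape, the reading of 1 GB as 10^9 bytes, and the sample data are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds from the control's expected state: >1000 files or >1GB in <1 hour.
MAX_FILES = 1000
MAX_BYTES = 10**9          # assumption: 1 GB taken as 10^9 bytes
WINDOW = timedelta(hours=1)


def find_bulk_downloads(events):
    """Return {user: (first_alert_time, reason)} for users who exceed either
    threshold within a window shorter than one hour.
    events: iterable of (timestamp, user, size_bytes) download records."""
    windows = defaultdict(deque)   # user -> events currently inside the window
    totals = defaultdict(int)      # user -> bytes currently inside the window
    alerts = {}
    for ts, user, size in sorted(events):
        win = windows[user]
        win.append((ts, size))
        totals[user] += size
        # Drop events that are a full hour (or more) older than the newest one.
        while ts - win[0][0] >= WINDOW:
            totals[user] -= win.popleft()[1]
        if user in alerts:
            continue               # keep only the first alert per user
        if len(win) > MAX_FILES:
            alerts[user] = (ts, "file_count")
        elif totals[user] > MAX_BYTES:
            alerts[user] = (ts, "volume")
    return alerts


def sample_events():
    """Constructed sample data, not real audit records."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    events = []
    # alice: 1001 small files, 3 seconds apart (50 minutes in total).
    events += [(t0 + timedelta(seconds=3 * i), "alice", 20_000) for i in range(1001)]
    # bob: three 400 MB files within 20 minutes.
    events += [(t0 + timedelta(minutes=10 * i), "bob", 400_000_000) for i in range(3)]
    # carol: 1200 files, but one per minute, so never more than 60 per hour.
    events += [(t0 + timedelta(minutes=i), "carol", 20_000) for i in range(1200)]
    return events


if __name__ == "__main__":
    for user, (when, reason) in find_bulk_downloads(sample_events()).items():
        print(user, when.isoformat(), reason)
```

A slow, steady downloader such as the constructed "carol" account never trips either threshold, which is why this rule works as one signal alongside the blocking policies in items 1 and 3 rather than as the only detection.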

Enforcement

Default Mode
Strict

Zero-tolerance enforcement with immediate remediation

Auto-Remediation
Manual Only

Requires Microsoft Purview DLP with advanced policies or E5 license
