While email transport is a mature boundary, Microsoft Teams represents a massive blind spot for many organizations. When external users join your tenant as guests, or when your staff engages in 1:1 external federation chats, sharing a sensitive snippet or a backend file feels as casual as sending a text message.
Under the M365 E5 license, we can configure Purview to deep-scan chat messages and channel posts natively in near-real-time. Let’s build a dedicated Teams scenario, implement the policy rules, and walk through the user experience.
The Use Case Scenario: The Federation Chat Leak
- The Threat: An engineering lead is collaborating on a shared project with an external contractor via a direct Microsoft Teams federated chat. To expedite a support issue, the engineer copies and pastes an unmasked, plain-text API Access Key along with an Internal Server IP Block Map directly into the chat window.
- The Data: The text contains custom regular expression (Regex) strings matching internal infrastructure assets, alongside data tagged under the “Internal Use Only” classification.
- The Goal: Prevent the external contractor from ever reading the sensitive string. Intercept the message within seconds of transmission, visually strip it out, and educate the internal sender via an interactive inline warning.
Step-by-Step Implementation
Because Teams functions via live message streams rather than traditional email transport queues, we configure the policy engine to flag text blocks post-submission.
1. Scoping the Policy
- Open the Microsoft Purview portal (purview.microsoft.com).
- Navigate to Data Loss Prevention > Policies and select + Create policy.
- Choose Custom > Custom policy. Name it TEAMS-External-Chat-Gatekeeper.
- On the Locations page, toggle Teams chat and channel messages to On. Turn off all other workloads to isolate your policy troubleshooting.

Note on Private Channels: Under modern Purview architecture, private channel compliance is inherited directly through the parent Team’s group mailbox scope rather than individual user mailboxes. Ensure your scoping strategy accounts for full Microsoft 365 Groups coverage.
2. Configuring the Core Logic
Click + Create rule and build out the following advanced criteria:
| Rule Component | Configuration Setting | Technical Action |
| --- | --- | --- |
| Conditions | Content contains: • Sensitive info types: Custom API Key Pattern • Trainable Classifiers: Source Code AND Content is shared from M365: • With people outside my organization | Dictates that the deep-packet inspection engine inside Teams will only flag items when they match the patterns and cross an external tenant boundary. |
| Actions | Restrict access or encrypt content in M365 locations | Check Block only people outside your organization. This allows internal users to view the message structure if needed, but visually wipes it for the external participant. |
| User Notifications | Notify users in Office 365 service with a policy tip | Turn this setting On. Teams DLP relies entirely on integrated chat canvas alerts rather than email-based notifications. |
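Before relying on the Custom API Key Pattern in a live policy, the regex behind it can be checked offline against messages that should and should not match. The harness below is an added example, not code from the original post: the `acme_live_` key format, the function names and the sample messages are assumptions, and it models only the regex matches and the external-recipient AND condition, not the Source Code trainable classifier.

```python
import ipaddress
import re

# Hypothetical key format (assumption): "acme_live_" + 32 lowercase hex chars.
API_KEY_RE = re.compile(r"\bacme_live_[0-9a-f]{32}\b")
# Loose IPv4 address/CIDR candidate; real validation happens in ipaddress.
CIDR_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?\b")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def internal_ranges(text):
    """Return the RFC 1918 addresses or CIDR blocks that appear in text."""
    hits = []
    for candidate in CIDR_RE.findall(text):
        try:
            net = ipaddress.ip_network(candidate, strict=False)
        except ValueError:
            continue  # looked like an address (e.g. 999.1.1.1) but is not one
        if any(net.subnet_of(block) for block in RFC1918):
            hits.append(candidate)
    return hits


def evaluate(message, external):
    """Sensitive match AND external recipient, as in the rule's conditions."""
    matches = []
    if API_KEY_RE.search(message):
        matches.append("api_key")
    if internal_ranges(message):
        matches.append("internal_range")
    return {"matches": matches, "block": bool(matches) and external}


KEY = "acme_live_" + "0123456789abcdef" * 2  # constructed, not a real credential
SAMPLES = [  # (constructed chat message, recipient is external?)
    (f"Use {KEY} against 10.20.0.0/16", True),
    (f"Use {KEY} against 10.20.0.0/16", False),   # internal chat: no block
    ("Key format is acme_live_<32 hex chars>", True),  # describes, no secret
    (f"Truncated paste {KEY[:-1]}", True),         # near miss, 31 hex chars
    ("Docs are on 203.0.113.10, build 1.2.3.4", True),  # not internal space
]


def run(samples):
    return [evaluate(msg, ext) for msg, ext in samples]


if __name__ == "__main__":
    for (msg, ext), result in zip(SAMPLES, run(SAMPLES)):
        print(f"external={ext!s:5} block={result['block']!s:5} "
              f"{result['matches']} :: {msg}")
```

A pattern that passes here still needs the in-client test described in the testing section, since Purview evaluates it with its own engine and confidence settings.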
Step-by-Step Testing & Demonstration
Save your policy and ensure it is active. Note that Teams synchronization templates can take up to one hour to fully propagate across Microsoft’s Chat Service infrastructure.
Test 1: Typing Sensitive Data to an External Guest
- Log in to the New Teams Client as an internal employee.
- Open an existing 1:1 chat window with a federated external user (indicated by the (External) tag next to their name).
- Paste a test string that mirrors your API Key syntax or a protected pattern, then press Enter.
The Immediate User Experience
The message will initially appear normally in the text stream. However, within 2 to 5 seconds, the Purview scanning engine parses the text string:
- The Sender’s View: The original message is retroactively struck through and grayed out. A bright red alert banner drops directly beneath it reading: “This message was blocked. What can I do?”
- The Educational Intercept: If the sender clicks “What can I do?”, a pop-up window surfaces explaining the exact policy violation, presenting an option to report a false positive to the admin if configured.
The Recipient’s View
The external user sees nothing of the original leak. The incoming message bubble is completely overridden on their timeline, displaying only a sterile system alert:
“This message was blocked due to organization policy.”
What the Admin Sees: Real-Time Audit Trails
Because Teams messages are highly transient, your security team needs immediate visibility into these events. If you go to Purview Activity Explorer, the event log maps out the transaction like this:
| Timestamp | Actor | Channel | Recipient Domain | Sensitive Match | Action Taken |
| --- | --- | --- | --- | --- | --- |
| 2026-05-21 | eng-lead@co.com | Teams 1:1 Chat | contractor-firm.com | Custom API Key | Message Content Stripped |
This real-time blocking approach stops data leaks right in their tracks, keeping collaboration fast and safe.
For a visual step-by-step breakdown of how these policies process rules live on the backend, this Advanced Teams DLP Guide walk-through shows the interaction between the administrative dashboard and end-user chat windows.
Demonstration Scenario:
Scenario 1: Securing Sensitive Data in Microsoft Teams