Blocking Emails Containing PAN or Aadhaar Numbers in Microsoft 365 Business Email (Inbound & Outbound)

📅 01 Jan 2026 📂 General 👁 24 views

Organizations in India that use Microsoft 365 Business Email (Exchange Online) must ensure that sensitive personal identifiers such as PAN (Permanent Account Number) and Aadhaar Number are not shared through email, either accidentally or intentionally.

This article explains:

Whether PAN/Aadhaar blocking is possible in Microsoft 365
What level of control is available in different Microsoft 365 plans
How to technically implement inbound and outbound blocking
Limitations, security considerations, and best practices

The content is written for IT administrators, MSPs, and compliance teams.

Is This Possible in Microsoft 365?

Short Answer

✅ Yes, it is fully possible in Microsoft 365
✅ More mature and native than Google Workspace

Microsoft 365 provides built-in Data Loss Prevention (DLP) capabilities in Exchange Online that can detect, block, quarantine, or warn when emails contain PAN or Aadhaar numbers—both in email body and attachments.

Capability by Microsoft 365 Plan

Microsoft 365 Plan	Email Body	Attachments	OCR (Scanned PDFs/Images)
Business Basic	❌ Limited	❌ No	❌
Business Standard	❌ Limited	❌ No	❌
Business Premium	✅ DLP	✅ DLP	❌
E3 / E5	✅ Advanced DLP	✅ Advanced DLP	✅ OCR (E5)

Recommended Minimum:
Microsoft 365 Business Premium for PAN/Aadhaar blocking

Technical Explanation

Microsoft 365 uses Microsoft Purview Data Loss Prevention (DLP) integrated with Exchange Online.

DLP works by:

Inspecting email content
Scanning attachments (Word, Excel, PDF, TXT, etc.)
Matching sensitive information types (SITs)
Applying policy-based actions

PAN and Aadhaar Detection in Microsoft 365

Microsoft Purview supports:

Built-in Sensitive Information Types

India PAN Number
India Aadhaar Number

These detectors:

Validate format and checksum logic
Reduce false positives
Work across email body and attachments

Use Cases

Common Business Scenarios

CA and accounting firms
HR departments (KYC & payroll)
NBFCs and finance companies
Legal and compliance teams
MSP-managed Microsoft 365 tenants

Policy Objectives

Block outgoing emails containing PAN/Aadhaar
Quarantine or reject incoming emails with PAN/Aadhaar
Alert compliance officers
Maintain audit and investigation logs

Step-by-Step Implementation (Microsoft 365)

Requires Business Premium or higher

Step 1: Open Microsoft Purview Portal

Sign in as Global Admin / Compliance Admin
Go to:
```
https://compliance.microsoft.com
```
Navigate to:
```
Data loss prevention → Policies
```

Step 2: Create a New DLP Policy

Click Create policy
Choose Custom or Financial template
Select Exchange email as the location
Apply to:
- All users
- Or selected users/groups

Step 3: Add Sensitive Information Types

Add conditions:

India PAN Number
India Aadhaar Number

Example condition:


If content contains ≥ 1 India PAN OR Aadhaar number

Step 4: Configure Policy Actions

Recommended actions:

Scenario	Action
Outbound email	Block email
Inbound email	Quarantine or block
Internal email	Block or warn

Enable:

User notification
Admin alert
Audit logging

Step 5: Attachment Scanning

Microsoft DLP automatically scans:

DOCX
XLSX
PDF
TXT
ZIP (non-encrypted)

Encrypted/password-protected files cannot be scanned

Step 6: Policy Mode

Start with:

Test mode (with notifications)

Then move to:

Enforce mode

Example DLP Rule Logic


IF
  Email contains India PAN Number
  OR Email contains India Aadhaar Number
AND
  Location = Exchange Online
THEN
  Block message
  Notify sender
  Alert compliance team
  Log event

Validation & Testing

Test PAN Number

ABCDE1234F

Expected result: Email blocked or quarantined

Test Aadhaar Number


1234 5678 9123

Expected result: Email blocked

Optional Advanced Controls (E5)

With Microsoft 365 E5, you can enable:

OCR for scanned PDFs/images
Endpoint DLP (copy/paste, print, upload)
Auto-labeling with sensitivity labels

Common Issues & Fixes

Issue: False Positives

Fix

Increase detection confidence
Require multiple occurrences
Exclude trusted internal domains

Issue: Encrypted Attachments Bypass DLP

Fix

Block password-protected attachments
Enforce secure portals instead of email

Issue: Users Forward Sensitive Emails

Fix

Apply DLP to inbound + internal emails
Disable auto-forwarding rules

Security & Legal Considerations (India)

Aadhaar Act restricts electronic sharing of Aadhaar numbers
PAN is protected under Indian IT and privacy laws
Microsoft DLP logs support:
- Audits
- Investigations
- Legal discovery (eDiscovery)

Best Practices

Always block outbound PAN/Aadhaar
Use secure document portals instead of email
Enable user education messages
Review DLP incidents monthly
Combine DLP with:
- Sensitivity labels
- Conditional Access
- MFA
Test policies before enforcing

Limitations

Limitation	Details
Business Basic / Standard	No native DLP
Encrypted ZIPs	Cannot be scanned
Screenshots	Require E5 OCR
External mail flow	Needs transport rules if DLP not licensed

Comparison: Microsoft 365 vs Google Workspace

Feature	Microsoft 365	Google Workspace
PAN/Aadhaar detection	Native	Native (Plus/Enterprise)
Attachment scanning	Strong	Strong (Plus/Enterprise)
OCR	E5	Enterprise
DLP maturity	Very high	High
Ease of setup	Easier	Moderate

Conclusion

Yes—Microsoft 365 Business Email fully supports blocking inbound and outbound emails containing PAN and Aadhaar numbers, often more natively and granularly than other platforms.

Summary:

Use Microsoft Purview DLP
Minimum license: Business Premium
Supports body + attachment scanning
Provides audit-ready compliance controls

For Indian organizations handling sensitive identity data, Microsoft 365 DLP is a robust, enterprise-grade solution.

#Microsoft365 #ExchangeOnline #DLP #EmailSecurity #PAN #Aadhaar #MicrosoftPurview #ComplianceIndia #PIIProtection #OutlookSecurity #ITSecurity #DataLeakPrevention #EmailCompliance #PrivacyByDesign #CyberSecurity #EnterpriseSecurity #AuditReady #EmailGovernance #InformationSecurity #RegulatoryCompliance #IndianIT #AccountingSecurity #HRSecurity #SecureEmail #CloudSecurity #BusinessPremium #MicrosoftSecurity #SecurityControls #DataPrivacy #ITGovernance #ComplianceAutomation #RiskManagement #SecurityBestPractices #EmailFiltering #OutlookDLP

microsoft 365 pan blocking aadhaar email blocking microsoft exchange online dlp india microsoft purview dlp aadhaar pan number email block outlook microsoft 365 business premium dlp exchange email compliance india aadhaar detection outlook pan det

Blocking Emails Containing PAN or Aadhaar Numbers in Microsoft 365 Business Email (Inbound & Outbound)

Is This Possible in Microsoft 365?

Short Answer

Capability by Microsoft 365 Plan

Technical Explanation

PAN and Aadhaar Detection in Microsoft 365

Built-in Sensitive Information Types

Use Cases

Common Business Scenarios

Policy Objectives

Step-by-Step Implementation (Microsoft 365)

Step 1: Open Microsoft Purview Portal

Step 2: Create a New DLP Policy

Step 3: Add Sensitive Information Types

Step 4: Configure Policy Actions

Step 5: Attachment Scanning

Step 6: Policy Mode

Example DLP Rule Logic

Validation & Testing

Test PAN Number

Test Aadhaar Number

Optional Advanced Controls (E5)

Common Issues & Fixes

Issue: False Positives

Issue: Encrypted Attachments Bypass DLP

Issue: Users Forward Sensitive Emails

Security & Legal Considerations (India)

Best Practices

Limitations

Comparison: Microsoft 365 vs Google Workspace

Conclusion

Summary:

Was this article helpful?