Microsoft Purview - Paint By Numbers Series (Part 3) - Data Loss Protection for Exchange
Before we start, please note that if you want to see a table of contents for all the sections of this blog and their various Purview topics, you can find it at the following link:
Microsoft Purview- Paint By Numbers Series (Part 0) - Overview - Microsoft Tech Community
Disclaimer
This document is not meant to replace any official documentation, including those found at docs.microsoft.com. Those documents are continually updated and maintained by Microsoft Corporation. If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed. Links to the docs.microsoft.com data will be referenced both in the document steps as well as in the appendix.
All of the following steps should be done with test data, and where possible, testing should be performed in a test environment. Testing should never be performed against production data.
Target Audience
The Data Loss Protection (DLP) section of this blog series is aimed at Security and Compliance officers who need to prevent data from being emailed to users in untrusted domains.
Document Scope
This document is meant to guide an administrator who is “net new” to Microsoft E5 Compliance through the configuration of Exchange Data Loss Protection (DLP).
It is presumed that you already have a Sensitive Information Type that you want to use in your DLP policy. For the purposes of this policy I will use the U.S. Social Security Number (SSN) Sensitive Information Type (or SIT for short).
Out-of-Scope
This document does not cover any other aspect of Microsoft E5 Compliance, including:
- Sensitive Information Types
- Exact Data Matches
- Microsoft Cloud App Security (MCAS)
- Records Management (retention and disposal)
- Data Loss Protection (DLP) for Teams, Endpoint and devices
- Information Protection
- Advanced eDiscovery
It is presumed that you have a pre-existing understanding of what Microsoft E5 Compliance does and how to navigate the User Interface (UI).
It is also presumed you are using an existing Sensitive Information Type (SIT) or a SIT you have created for your testing.
If you wish to set up and test any of the other aspects of Microsoft E5 Compliance, please refer to Part 1 of this blog series (listed in the link below) for the latest entries to this blog. That webpage will be updated with any new walkthroughs or Compliance-relevant information, as time allows.
Overview of Document
- Choose which Sensitive Information Types (or SIT) you wish to use.
- Create a DLP policy
- Test your DLP against emails in Exchange with either an internal or external email address
Use Case
Your company does not want data to be emailed outside of the company, by accident or on purpose.
Definitions
There are no extra definitions for this part of the blog series.
Notes
- There are no extra notes for this part of the blog series.
- It will take a minimum of 15 minutes after DLP policy creation for the policy to take effect.
Pre-requisites
- Have a recipient email address you can use for testing. This email address can be internal to your organization or external to your tenant.
DLP Creation
- On the left-hand navigation pane, select Data Loss Protection.
- In the right-hand pane, select Policies and then Create Policy.
- First you need to Choose the information to Protect. Select Custom –> Custom Policy and then click Next.
- Name your Policy and give it a description. Then click Next.
- Example = Name – Exchange DLP
- Example = Description – Exchange DLP
- Choose the locations to apply the policy. For this DLP policy, we will deselect everything except Exchange email.
- Under Included, leave the All as the default.
- Under Excluded, leave the None as the default.
- Click Next.
- Define DLP rule settings:
a. Click Create or customize advanced DLP rules and click Next.
b. In the Customize advanced DLP rules page, click Create rule.
c. Name your rule and give it a description.
  i. Example = Name – Exchange SSN DLP
  ii. Example = Description – Exchange SSN DLP
d. Under Conditions, click Add condition and select Add -> Sensitive info types, then select your SIT. I am selecting the SIT labeled U.S. SSN – numbers only. Set the confidence level of this SIT to High confidence.
e. On the right-hand side you will see a drop-down. Leave this at the default of Any of these.
f. Do not add a second condition for this test, but you can add multiple conditions for your own testing later on.
g. Do not add an exception. Again, you can do this for your own testing at a later time.
h. Under Actions, select Add an action -> Restrict access or encrypt the content in Microsoft 365 locations.
  i. Select Block users and then select Block everyone.
  ii. Note – If you have access to an external Exchange account for testing, feel free to select Block only people outside your organization instead.
i. Now go to User notifications. Here you will set up the alerts to be sent to your administrator or compliance officer.
  i. Select On.
  ii. Select Notify the user who sent, shared or last modified the content. This will alert users that they have violated the DLP policy. If desired, create custom email text, an email subject, and/or a policy tip.
j. Next are user overrides. For this document, we will leave this Off.
k. The last section in the rule pop-out is Incident reports. Here you can select the severity (Low, Medium, High) for the rule. I will select High for my rule.
  i. For Send an alert to admins when a rule match occurs, select On. Then click Add or remove people and add the admin or compliance officer you want to receive alerts. For my rule, I will send alerts to the Admin account.
l. Next you can either Send alert every time or Send alert when the volume matches a threshold. We will accept the default of Send alert every time. This allows for more granular testing to start.
m. Under Use email incident reports to notify you when a policy match occurs, turn it On. Then click Add or remove people and add the admin or compliance officer you want to receive notifications. I will send notifications to the Admin account.
n. For the rest of the options, leave them at the defaults and click Save.
o. Click Save and then click Next.
- Now we arrive at the step to configure Test or turn on the policy. Select Turn it on right away, and then click Next.
- Review your policy and create it. You will see a summary of what you have created. If everything looks correct, click Submit.
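The same Exchange-only policy and rule built in the portal steps above, expressed in Security & Compliance PowerShell (ExchangeOnlineManagement module). This is an added example, not part of the original post; the sign-in account, the admin mailbox and the SIT display name are placeholders and assumptions, so check them against your own tenant before running it.

```powershell
# Added example (not from the original post): scripted equivalent of the portal walkthrough.
# Placeholders/assumptions: admin@contoso.example and the SIT display name below.
Connect-IPPSSession -UserPrincipalName "admin@contoso.example"

$policyName   = "Exchange DLP"
$adminMailbox = "admin@contoso.example"   # placeholder: admin or compliance officer mailbox

# Policy scoped to Exchange email only: all mailboxes included, none excluded.
# -Mode Enable is the portal's "Turn it on right away"; use TestWithNotifications to
# observe matches first without blocking mail.
New-DlpCompliancePolicy -Name $policyName -Comment "Exchange DLP" `
    -ExchangeLocation All -Mode Enable

# Condition: the U.S. SSN SIT at High confidence; a single match is enough.
# The display name is an assumption; list the exact names with Get-DlpSensitiveInformationType.
$ssnSit = @{
    Name            = "U.S. Social Security Number (SSN)"
    minCount        = "1"
    confidencelevel = "High"
}

# Rule: block everyone (portal "Block everyone"), notify the sender/last modifier
# (assumed mapping: LastModifier), alert the admin on every match, and send a
# High-severity incident report. No exceptions and no user override are defined.
New-DlpComplianceRule -Name "Exchange SSN DLP" -Policy $policyName -Comment "Exchange SSN DLP" `
    -ContentContainsSensitiveInformation $ssnSit `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser LastModifier `
    -GenerateAlert $adminMailbox `
    -GenerateIncidentReport $adminMailbox -IncidentReportContent All `
    -ReportSeverityLevel High

# Verify what was created before testing (allow the 15 minutes noted above for it to apply).
Get-DlpCompliancePolicy -Identity $policyName | Format-List Name, Mode, ExchangeLocation
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, BlockAccess, BlockAccessScope, NotifyUser, ReportSeverityLevel
```

Run it against a test tenant only; the verification output should show Mode Enable, ExchangeLocation All and BlockAccess True before you send the test email.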
DLP Testing
- Open Exchange Online for your test user and create an email to another test user. I am using Pradeep and Admin as my two test users. My test data belongs to user John Doe.
- In the email, enter the data you wish to block and click Send. Again, I am using U.S. SSN – numbers only as my SIT. This will block any Social Security Number without the need for accompanying keywords such as SSN, SSID, Social Security Number, etc.
- When you click Send, you should see a message similar to the ones below indicating that this email message is blocked. The first image is a pop-up that will now appear when you click Send. The second is the message that will appear in your email notifications pop-up IF you are able to click Send.
- Pop-up #1
- Pop-up #2
- Now attach a file with the blocked SIT inside the file body or in the file name and click Send.
- Again, you will see a message indicating that the message is blocked.
If you want to test overrides, take a look at the following section. Otherwise, proceed to Part 3 of this blog series or any other part you wish to explore.
Overrides
- If you wish to allow users to override the DLP policy, go to the rule and then the section labeled User overrides. Set it to On. Then select which override you want to use for your testing.
Appendix – Official Document Links
- Change the sharing settings for a site - SharePoint in Microsoft 365 | Microsoft Docs
- Learn about data loss prevention - Microsoft 365 Compliance | Microsoft Docs
- Microsoft Further Extends Unified Data Loss Prevention - Microsoft Tech Community
- Get started with activity explorer - Microsoft 365 Compliance | Microsoft Docs
Note: This solution is a sample and may be used with Microsoft Compliance tools for dissemination of reference information only. This solution is not intended or made available for use as a replacement for professional and individualized technical advice from Microsoft or a Microsoft certified partner when it comes to the implementation of a compliance and/or advanced eDiscovery solution and no license or right is granted by Microsoft to use this solution for such purposes. This solution is not designed or intended to be a substitute for professional technical advice from Microsoft or a Microsoft certified partner when it comes to the design or implementation of a compliance and/or advanced eDiscovery solution and should not be used as such. Customer bears the sole risk and responsibility for any use. Microsoft does not warrant that the solution or any materials provided in connection therewith will be sufficient for any business purposes or meet the business requirements of any person or organization.