ENMRSH
Copper Contributor
May 13, 2025

DLP Policy Rule "U.S. Physical Address" exclusion

We have the built-in Sensitive Info Type "U.S. Physical Address" in our Default HR & Privacy Info Protection Policy in simulation. This is set to the location of just Exchange Email only. Everyone in the company has our physical address in their email signature. This combination keeps triggering alerts even if I set the instance count to something like 3.

I've asked Copilot for instructions to create an exclusion where I can enter our physical address to be ignored but the instructions always mention options that don't exist in the rule edit screen.

I see online people asking for signatures to be ignored but the response is they can't be. Am I doomed to ask all staff to remove their signature, remove this SIT altogether, or just let the Action of "encrypt email messages" proceed and have our organization look the fool for encrypting every email sent outside the organization? Anyone know how to tell Purview to ignore your own physical address? 

8 Replies

    • ENMRSH
      Copper Contributor

      Thank you for this most excellent reply. 

      I believe I understand how to implement your first suggestion. However, while I was doing it, I considered what this might result in. I believe this would make every email with our address or PO box end up being excluded. If so, this isn't what I'm looking to have happen. 

      I'd like our address or PO box to not be considered as a "U.S. Physical Address" but for all other addresses to be considered.

      I've tried to implement a custom SIT. All Regular Expressions I've found online fail both in testing at Purview and at regex101's site. Ones that do work on regex101 have illegal functions at Purview. I'll continue today to test more and try to get a better understanding of what the issue is. I can't use a custom SIT until I find a regex that works.

      I wish I could just copy and edit (or just edit) the Microsoft U.S. Physical Address that's built in. It works perfectly. I'm thinking more and more about asking over 100 people to take out our address from the signature. 

      Thanks again for your reply.

  • ENMRSH
    Copper Contributor

    I've attempted to make a custom Sensitive info type with regular expression, with no supporting elements, of the following to find US Physical addresses:

    ^\d+\s[A-z]+\s[A-z]+(\s[A-z]+)?,\s[A-z]{2}\s\d{5}(-\d{4})?$

    With Additional Checks of Exclude specific matches of every combination of our physical address and PO Box I can think of. When I run the test feature with an email containing addresses, it says it found nothing. :/

  • ENMRSH
    Copper Contributor

    My custom SIT may have broken it entirely as my test email sent to outside our Org never set off an alert. 

    I'd seen instructions to make a custom SIT but I never understood the options. I found the following https://learn.microsoft.com/en-us/purview/sit-create-a-custom-sensitive-information-type and also looked over "Sensitive information type functions". This led me to "Func_us_address". Building a custom sensitive information type has the Exclude Specific Matches at the bottom of the Edit Pattern flyout. I added every possible spelling of our address to exclude.

    Confidence Level = Medium

    Primary Element = Function processors: Func_us_address

    Character proximity = Detect primary AND supporting elements within 300 characters (without Anywhere in the document checked)

    Supporting elements = Did not add any

    Additional checks = Exclude specific matches: All possible spellings of our physical address and PO Box

    • AakashMalhotra
      Microsoft

      You could also create a complex DLP rule:

      <Other rule conditions> AND

      (Content contains "All physical addresses" AND NOT (Content contains "Custom address SIT"))

       

    • ENMRSH
      Copper Contributor

      I MIGHT have it fixed. Not only does the following Regular Expression pass the test at regex101 dot com but Purview actually accepts it:

      ^[#.0-9a-zA-Z\s,-]+$

      All the others I entered either errored at MSFT with "You cannot configure a pattern with groups or multiple match conditions like (.*, .+, .{0,n} or .{1,n}). Remove the group or the multiple match condition from the pattern to continue" or regex101 said they didn't work. Ones regex101 said didn't work would enter into Purview but do nothing when the Test option was hit.

      Under Additional Checks, I entered every combination of our physical address and PO box. The simulation is now running.

      Again, thanks for your response. 
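
Added example (not part of any post in this thread, and not Microsoft's code): a Python check of how the two anchored patterns quoted above behave on a message that contains one address mid-text and another in a signature. The sample e-mail, the addresses and `embedded_variant` are constructed for illustration, and Python's `re` stands in for Purview's matcher, which may treat anchors and exclusions differently.

```python
import re

# Patterns quoted verbatim from the thread.
ANCHORED_ADDRESS = r"^\d+\s[A-z]+\s[A-z]+(\s[A-z]+)?,\s[A-z]{2}\s\d{5}(-\d{4})?$"
CHARSET_ONLY = r"^[#.0-9a-zA-Z\s,-]+$"

# Constructed sample data; both addresses are made up.
OWN_ADDRESSES = ["100 Example Street, WA 98000"]
EMAIL = (
    "Hi Pat, please ship the forms to 42 Maple Grove Road, OR 97000 today.\n"
    "Thanks\n"
    "--\n"
    "Sam, HR\n"
    "100 Example Street, WA 98000\n"
)


def find_addresses(pattern, text, exclude=()):
    """Return matches of `pattern` in `text`, minus any listed in `exclude`
    (compared case-insensitively after collapsing whitespace)."""
    def norm(s):
        return " ".join(s.split()).lower()
    skip = {norm(e) for e in exclude}
    hits = [m.group(0) for m in re.finditer(pattern, text)]
    return [h for h in hits if norm(h) not in skip]


def embedded_variant(pattern):
    """Hypothetical rewrite: word boundaries instead of ^/$, and [A-Za-z]
    instead of [A-z], so an address can be found inside longer text."""
    core = pattern.removeprefix("^").removesuffix("$")
    return r"\b" + core.replace("[A-z]", "[A-Za-z]") + r"\b"


def non_letters_in_A_z():
    """ASCII characters that [A-z] accepts even though they are not letters."""
    return "".join(c for c in map(chr, range(128))
                   if re.fullmatch(r"[A-z]", c) and not c.isalpha())


if __name__ == "__main__":
    print("anchored:     ", find_addresses(ANCHORED_ADDRESS, EMAIL))
    relaxed = embedded_variant(ANCHORED_ADDRESS)
    print("embedded:     ", find_addresses(relaxed, EMAIL))
    print("minus our own:", find_addresses(relaxed, EMAIL, OWN_ADDRESSES))
    print("charset-only: ", find_addresses(CHARSET_ONLY, EMAIL, OWN_ADDRESSES))
    print("[A-z] extras: ", non_letters_in_A_z())
```

On this sample the anchored address pattern returns nothing because `^` and `$` pin it to the whole message, while the character-set pattern returns the entire message as a single match, so an exclusion list of exact addresses never equals it.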
