Francis Ouellet
Oct 24, 2018

DLP with the new sensitivity labels

Hi everyone!

 

I now have access to the new sensitivity labels in the Security & Compliance center and wanted to create a DLP policy with a condition based on a label I published. According to this article the new sensitivity labels should allow me to do so. Unfortunately I only see my retention labels and sensitivity types as the available options in the conditions. Am I missing something?

  • Francis Ouellet We've been able to make this work by looking at the document properties that the sensitivity labels create. For docs in SharePoint/OneDrive, you have to set up some mapping behind the scenes so you can reference the property - we mapped it to a field called "SensitivityAlias," then set up a condition: 

     

    Document property is: 

    SensitivityAlias = (label value you're looking for)

     

    It works for us for DLP policies applied to SharePoint, and for direct links to docs attached to emails. It does NOT work for copies of docs attached to emails, since it can't see that mapped property - for that, we set up an Exchange transport rule to look for the property value and we mimic the same logic there. Hope that helps!
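
The workaround described in the reply above, sketched as an added example (not part of the original post and not the poster's own configuration). It assumes the "SensitivityAlias" managed-property mapping already exists, a Security & Compliance PowerShell session for the DLP cmdlets and an Exchange Online session for the transport rule; rule names, scopes, actions and every value in angle brackets are placeholders.

```powershell
# Added illustration: names, scopes and actions are assumptions, not from the post.

# Placeholder for the label value the condition should match.
$labelValue = '<label value you are looking for>'

# 1) SharePoint/OneDrive: DLP rule keyed on the mapped managed property.
#    "SensitivityAlias" is the alias used in the post; the search-schema
#    mapping from the label's document property must already be in place.
#    Test mode lets you review matches before enforcing anything.
New-DlpCompliancePolicy -Name 'Label-based DLP (example)' `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithNotifications

New-DlpComplianceRule -Name 'Labelled docs shared externally (example)' `
    -Policy 'Label-based DLP (example)' `
    -ContentPropertyContainsWords "SensitivityAlias:$labelValue" `
    -AccessScope NotInOrganization `
    -BlockAccess $true

# 2) Exchange: copies of documents attached to e-mail do not carry the mapped
#    managed property, so the transport rule has to match the document
#    property stored inside the attachment itself (placeholder below).
$docProperty = '<document property written by the label>'

# Audit mode with an audit severity only records matches; switch the mode and
# choose an enforcement action once the matches look right.
New-TransportRule -Name 'Labelled attachment leaving org (example)' `
    -SentToScope NotInOrganization `
    -AttachmentPropertyContainsWords "$($docProperty):$labelValue" `
    -SetAuditSeverity High `
    -Mode Audit
```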

    • Jonas Back

      It still doesn't seem to create DLP policies applied to sensitivity labels. I wonder why that is; it doesn't really make any sense why you can only apply DLP policies to retention labels.

      Has anyone heard about this changing, even though the docs.microsoft.com article says "it's coming"?

  • Related question: how do we monitor/report on sensitivity labels?

    Hi Everyone.

    I've been trying to figure out what options I have for monitoring the content that has been labelled using the sensitivity labels.

    It appears that the Label activity explorer in SCC (E5 required) reports on retention labels.

    I thought that I may be able to review based on DLP policy matches, i.e. if DLP finds content labelled with a sensitivity label, it will show up in one of the DLP reports.

    Can anyone direct me in relation to how we should be monitoring activity in relation to sensitivity labels?

    Cheers.

    Colm

    Update: It appears that we can monitor the sensitivity labels via an activity report/explorer (preview) in the AIP portal (see attached).

    Reference: https://www.youtube.com/watch?v=UI0p9xqMNfI&feature=youtu.be

     

  • If you look at the pictures, you will see that this applies only to retention labels. Using DLP policies is basically a way to make sure that both retention and protection will apply, with the retention already enforced via a label, and the protection action enforced via the DLP policy. In the future perhaps...

    • Francis Ouellet

      After I opened a GitHub issue regarding the clarity of the article (sensitivity vs. retention labels with DLP), Microsoft updated the article with this:

       

      Note that you can currently use only a retention label as a condition, not a sensitivity label. We're currently working on support for using a sensitivity label in this condition.

      Can't wait to have support for sensitivity labels in DLP policies!

       

      Francis

    • Francis Ouellet

      Hello VasilMichev

       

      Thanks for your reply! Last week I tried applying a DLP policy with one of the conditions being based on a retention label I had published a while back, and I'm constantly running into errors (I've attached a screenshot). I've opened a support ticket (#11831531) within the Office 365 Admin Portal, and so far they have not been very helpful in resolving the issue. The error message I am still getting today is the following:

       

      Request: /api/policy Status code: 500 Exception: Microsoft.Exchange.PswsClient.PswsException Diagnostic information: {Version:16.00.2656.007,Environment:EUSPROD,DeploymentId:b9d1eaec988246bd97ea05edb88f7c8e,InstanceId:WebRole_IN_0,SID:f4012950-8573-4128-8553-41d89b932b35,CID:6bc2a99c-b028-4eba-9ab2-d5362587c12f} Time: 2018-10-25T13:46:36.3441684Z

       

      Are you able to apply a DLP policy for content with a retention label?

       

      Thanks,

      Francis

      • Joris van der Sligte
        Hi Francis,

        Any update on this? I have the same problems on all my tenants, and even the demo tenants from MS give this error. Too bad I have a presentation this Friday on how to use DLP. Will do with screenshots then.
