Before we start, please note that if you want to see a table of contents for all the sections of this blog and their various Purview topics, you can find it at the following link:
Microsoft Purview- Paint By Numbers Series (Part 0) - Overview - Microsoft Tech Community
This document is not meant to replace any official documentation, including those found at docs.microsoft.com. Those documents are continually updated and maintained by Microsoft Corporation. If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed. Links to the docs.microsoft.com data will be referenced both in the document steps as well as in the appendix.
All of the following steps should be done with test data, and where possible, testing should be performed in a test environment. Testing should never be performed against production data.
The Exact Data Match (EDM) section of this blog series is aimed at Compliance officers who need to identify not just any PII and PHI data but the exact PII and PHI belonging to their employees and customers/patients.
This document is meant to guide an administrator who is “net new” to Microsoft E5 Compliance through:
It is presumed that you already have a Sensitive Information Type that you want to use in your Exact Data Match policy. For the purposes of this document, I will use a copy of the U.S. Social Security Number (SSN) called “U.S. SSN – Numbers Only” that I created in Part 1 of this blog series.
This document does not cover any other aspect of Microsoft E5 Compliance, including:
It is presumed that you have a pre-existing understanding of what Microsoft E5 Compliance does and how to navigate the User Interface (UI).
It is also presumed you are using an existing Sensitive Information Type (SIT) or a SIT you have created for your testing.
If you wish to set up and test any of the other aspects of Microsoft E5 Compliance, please refer to Part 1 of this blog series (listed in the link below) for the latest entries to this blog. That webpage will be updated with any new walkthroughs or Compliance-relevant information, as time allows.
Exact Data Matches (EDM) are used to apply Compliance to specific information, not only a pattern. Here is an example of how to use EDM.
Example – You do not want to look for all Social Security Numbers (SSNs) as not all SSNs are your patient or customer data. Nor are all 9-digit numbers SSNs.
For my spreadsheet, I will be using only a handful of names and SSNs. This will make my testing simpler later on.
I have created 3 columns with the following names: FName, LName, SSN. These column names will be used when creating an EDM Schema later on.
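A pre-check for the source table before it is hashed, as an added example that is not part of the original post. The helper name `Test-EdmSourceTable` and the sample rows are hypothetical, and it assumes the “U.S. SSN – Numbers Only” SIT matches nine unformatted digits.

```powershell
# Added example. The rows below are constructed test data, not real people or SSNs.
$SampleCsv = @'
FName,LName,SSN
Ana,Test,000000001
Ben,Test,000-00-0002
Cara,Test,00000003
Dev,Test,000000001
'@

# Hypothetical helper: returns a list of problems; no output means the table is clean.
function Test-EdmSourceTable {
    param(
        [Parameter(Mandatory)][string]$CsvText,
        [string[]]$ExpectedColumns = @('FName', 'LName', 'SSN')
    )
    $problems = @()
    $rows = @($CsvText -split '\r?\n' | Where-Object { $_ } | ConvertFrom-Csv)
    if ($rows.Count -eq 0) { return @('no data rows found') }

    # Column names must match the ones the EDM schema will be built from.
    $actual = @($rows[0].PSObject.Properties.Name)
    if (($actual -join ',') -cne ($ExpectedColumns -join ',')) {
        $problems += "header is '$($actual -join ',')', expected '$($ExpectedColumns -join ',')'"
    }

    $seen = @{}
    $line = 1                      # line 1 is the header
    foreach ($row in $rows) {
        $line++
        $ssn = "$($row.SSN)".Trim()
        # Assumption: the numbers-only SIT matches nine unformatted digits.
        if ($ssn -notmatch '^[0-9]{9}$') {
            $problems += "line ${line}: SSN is not nine digits"
        } elseif ($seen.ContainsKey($ssn)) {
            $problems += "line ${line}: duplicate of line $($seen[$ssn])"
        } else {
            $seen[$ssn] = $line
        }
    }
    return $problems
}

# Messages carry line numbers only, never the SSN itself, so the output is safe to log.
Test-EdmSourceTable -CsvText $SampleCsv
```

For a file on disk, pass `(Get-Content -Raw <path>)` as `-CsvText`.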
a. Choose your confidence level, then your Primary Element. I’ll be using “ssn”.
b. In the Primary element sensitive info type, click Choose sensitive info type.
c. Now we must add our SIT that was created in Part 1 of the blog. I will run a search for “ssn” and add my “U.S. SSN – numbers only” SIT. This SIT will then be run against all the specific Social Security Numbers that I will upload in the next section.
d. When you are satisfied, click Done, then click Done again, and then click Next.
With the EdmUploadAgent, you will:
Once that EDM information is in your tenant, you can then proceed to the other steps of the blog for your testing.
C:\scripts\
b. Create a subfolder for your hash. This is where the hashing file will reside.
i. Example
C:\scripts\EDM\hash
c. Create a subfolder for your data. This is where the schema will be downloaded from your Compliance tenant.
i. Example:
C:\scripts\EDM\hash
C:\Program Files\Microsoft\EdmUploadAgent
b. Note – for a list of EdmUploadAgent commands and syntax use the following command:
EdmUploadAgent.exe /?
EdmUploadAgent.exe /Authorize
EdmUploadAgent.exe /SaveSchema /DataStoreName hrdata /OutputDir C:\scripts\EDM\Data
8. Validate your Schema
a. Here is the syntax you will use to validate that the schema is correct.
EdmUploadAgent.exe /ValidateData /DataFile C:\scripts\Edm\hrdata.csv /Schema C:\scripts\EDM\Data\hrdata.xml
9. Hash and upload EDM file
a. Here is the syntax for hashing and uploading your EDM file into your tenant’s Compliance Center.
EdmUploadAgent.exe /UploadData /DataStoreName hrdata /DataFile C:\scripts\EDM\hrdata.csv /HashLocation C:\scripts\EDM\Hash /Schema C:\scripts\EDM\Data\hrdata.xml
EdmUploadAgent.exe /GetSession /DataStoreName hrdata
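The steps above chained into one PowerShell script that stops at the first failure, so data that fails validation is never hashed and uploaded. This is an added example, not code from the original post or from Microsoft; the `Invoke-EdmStep` helper is hypothetical, it assumes the agent returns a non-zero exit code on failure, and it assumes `EdmUploadAgent.exe /Authorize` has already been run as shown earlier.

```powershell
# Added example: runs the page's EdmUploadAgent steps in order, using the page's paths.
$ErrorActionPreference = 'Stop'

$AgentDir  = 'C:\Program Files\Microsoft\EdmUploadAgent'
$Agent     = Join-Path $AgentDir 'EdmUploadAgent.exe'
$Store     = 'hrdata'
$DataFile  = 'C:\scripts\EDM\hrdata.csv'
$SchemaDir = 'C:\scripts\EDM\Data'
$HashDir   = 'C:\scripts\EDM\Hash'
$Schema    = Join-Path $SchemaDir "$Store.xml"

# Hypothetical helper: run one agent command and stop the script if it fails.
function Invoke-EdmStep {
    param([string]$Name, [string[]]$Arguments)
    Write-Host "== $Name"
    & $Agent @Arguments
    # Assumption: the agent signals failure with a non-zero exit code.
    if ($LASTEXITCODE -ne 0) {
        throw "$Name failed with exit code $LASTEXITCODE; later steps were not run."
    }
}

# Make sure the working folders exist and the source table is where we expect it.
foreach ($dir in $SchemaDir, $HashDir) {
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
}
if (-not (Test-Path $DataFile)) { throw "Data file not found: $DataFile" }

Push-Location $AgentDir
try {
    Invoke-EdmStep 'SaveSchema' @('/SaveSchema', '/DataStoreName', $Store,
                                  '/OutputDir', $SchemaDir)
    Invoke-EdmStep 'ValidateData' @('/ValidateData', '/DataFile', $DataFile,
                                    '/Schema', $Schema)
    Invoke-EdmStep 'UploadData' @('/UploadData', '/DataStoreName', $Store,
                                  '/DataFile', $DataFile,
                                  '/HashLocation', $HashDir, '/Schema', $Schema)
    Invoke-EdmStep 'GetSession' @('/GetSession', '/DataStoreName', $Store)
}
finally {
    Pop-Location
}
```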
I recommend you look at the following blog entries by my co-worker. He wrote a 3-part series in 2020 on using PowerShell to create the components of an EDM in Microsoft Compliance Manager as well as two additional blog entries in the first half of 2021 related to EDM enhancements, including one on how to create an EDM Schema and EDM Sensitive Information Type (SIT) through the newer Graphical Interface. This blog entry will differ from those blog entries in 3 ways:
Here are the links to my co-worker’s related blogs:
Note: This solution is a sample and may be used with Microsoft Compliance tools for dissemination of reference information only. This solution is not intended or made available for use as a replacement for professional and individualized technical advice from Microsoft or a Microsoft certified partner when it comes to the implementation of a compliance and/or advanced eDiscovery solution and no license or right is granted by Microsoft to use this solution for such purposes. This solution is not designed or intended to be a substitute for professional technical advice from Microsoft or a Microsoft certified partner when it comes to the design or implementation of a compliance and/or advanced eDiscovery solution and should not be used as such. Customer bears the sole risk and responsibility for any use. Microsoft does not warrant that the solution or any materials provided in connection therewith will be sufficient for any business purposes or meet the business requirements of any person or organization.