Before we start, please note that if you want to see a table of contents for all the sections of this blog and their various Purview topics, you can locate them at the following link:
Microsoft Purview- Paint By Numbers Series (Part 0) - Overview - Microsoft Tech Community
This document is not meant to replace any official documentation, including those found at docs.microsoft.com. Those documents are continually updated and maintained by Microsoft Corporation. If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed. Links to the docs.microsoft.com data will be referenced both in the document steps as well as in the appendix.
All of the following steps should be done with test data, and where possible, testing should be performed in a test environment. Testing should never be performed against production data.
The Data Loss Prevention (DLP) section of this blog series is aimed at Security and Compliance officers who need to prevent data from being emailed to users in untrusted domains.
This document is meant to guide an administrator who is “net new” to Microsoft E5 Compliance through the configuration of Teams Data Loss Prevention (DLP).
It is presumed that you already have a Sensitive Information Type that you want to use in your DLP policy. For the purposes of this policy, I will use the U.S. Social Security Number (SSN) Sensitive Information Type (or SIT for short).
This document does not cover any other aspect of Microsoft E5 Compliance, including:
It is presumed that you have a pre-existing understanding of what Microsoft E5 Compliance does and how to navigate the User Interface (UI).
It is also presumed you are using an existing Sensitive Information Type (SIT) or a SIT you have created for your testing.
If you wish to set up and test any of the other aspects of Microsoft E5 Compliance, please refer to Part 1 of this blog series (listed in the link below) for the latest entries to this blog. That webpage will be updated with any new walkthroughs or Compliance-relevant information, as time allows.
Your company does not want data to be emailed outside of the company, by accident or on purpose.
There are no extra definitions for this part of the blog series.
c. In the Customize advanced DLP rules, click Create Rule
d. Name your Rule and give it a description.
i. Example = Name – Exchange SSN DLP
ii. Example = Description – Exchange SSN DLP
e. Under Conditions, click Add Condition and select Add -> Sensitive info types and select your SIT. I am selecting the SIT labeled U.S. SSN – numbers only. Set the confidence of this SIT to High Confidence.
f. On the right-hand side you will see a drop-down. Leave this at the default of Any of these.
g. Do not add a second Condition for this test, but you can add multiple Conditions for your own testing later on.
h. Do not add an Exception. Again, you can do this for your own testing at a later time.
i. Under Actions, select Add an Action -> Restrict Access or Encrypt the content in Microsoft 365 location.
i. Select Block users and then select Block Everyone.
a. Note – If you have access to an external Exchange account for testing, feel free to select Block only people outside your organization.
j. Now go to User Notifications. Here you will set up the alerts to be sent to your administrator or compliance officer.
a. Select On.
b. Select Notify the user who sent, shared or last modified the content. This will alert the users that they have violated the DLP policy. If desired, create a custom email text, email subject, and/or policy tip.
k. Next are user overrides. For this document, we will leave this to Off.
l. The last section in the Rules pop-out is the Incident reports. Here you can select the severity (Low, Medium, High) for the rule. I will select High for my rule.
i. For Send an alert to admins when a rule match occurs, select On. Then click Add or remove people and add the admin or compliance officer you want to receive alerts. For my rule, I will send alerts to the Admin account.
m. Next you can either Send alert every time or Send alert when the volume matches a threshold. We will accept the default of Send alert every time. This will allow for more granular testing to start.
n. For Use email incident reports to notify you when a policy match occurs, turn it to On. Then click Add or remove people and add the admin or compliance officer you want to receive alerts. I will send notifications to the Admin account.
o. For the rest of the options, leave them at the defaults and click Save.
p. Click Save and then click Next.
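The rule built in steps c through p can also be expressed with the Security & Compliance PowerShell cmdlets, which makes the settings easy to review and to recreate in a test tenant. This is an added example, not part of the original post: the policy name, the admin address, the test mode and the mapping of "High Confidence" to the confidencelevel key are assumptions.

```powershell
# Added example, not from the original post.
# Assumes the ExchangeOnlineManagement module is installed and the signed-in
# account holds a role that can manage DLP policies.
Connect-IPPSSession

$name  = 'Exchange SSN DLP'                    # rule name and description from step d
$admin = 'admin@contoso.example'               # placeholder: your admin or compliance officer
$sit   = 'U.S. Social Security Number (SSN)'   # substitute the SIT you selected in step e

# Policy scoped to Exchange. Reusing the rule name for the policy and starting in
# test mode are assumptions; the post does not state either.
New-DlpCompliancePolicy -Name $name -Comment $name `
    -ExchangeLocation All -Mode TestWithNotifications

$rule = @{
    Name                   = $name
    Policy                 = $name
    Comment                = $name
    # Step e: one SIT condition. confidencelevel = 'High' is the assumed
    # counterpart of choosing "High Confidence" in the UI.
    ContentContainsSensitiveInformation = @{
        Name            = $sit
        minCount        = '1'
        confidencelevel = 'High'
    }
    # Step i: Block users -> Block Everyone.
    BlockAccess            = $true
    BlockAccessScope       = 'All'
    # Step j: notify the user who sent, shared or last modified the content.
    NotifyUser             = 'LastModifier'
    # Steps l to n: severity High, alert and incident report to the admin.
    ReportSeverityLevel    = 'High'
    GenerateAlert          = $admin
    GenerateIncidentReport = $admin
    # Step k: user overrides stay Off, so NotifyAllowOverride is not set.
}
New-DlpComplianceRule @rule

# Read the rule back and compare each value with the choices made in the UI.
Get-DlpComplianceRule -Identity $name |
    Format-List Name, Disabled, BlockAccess, BlockAccessScope, NotifyUser,
                ReportSeverityLevel, GenerateAlert, GenerateIncidentReport
```

The final Get-DlpComplianceRule call is read-only and can be run on its own against a rule created in the UI to confirm what was actually saved.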
If you want to test overrides, take a look at the following section. Otherwise, proceed to Part 3 of this blog series or any other part you wish to explore.
Note: This solution is a sample and may be used with Microsoft Compliance tools for dissemination of reference information only. This solution is not intended or made available for use as a replacement for professional and individualized technical advice from Microsoft or a Microsoft certified partner when it comes to the implementation of a compliance and/or advanced eDiscovery solution and no license or right is granted by Microsoft to use this solution for such purposes. This solution is not designed or intended to be a substitute for professional technical advice from Microsoft or a Microsoft certified partner when it comes to the design or implementation of a compliance and/or advanced eDiscovery solution and should not be used as such. Customer bears the sole risk and responsibility for any use. Microsoft does not warrant that the solution or any materials provided in connection therewith will be sufficient for any business purposes or meet the business requirements of any person or organization.