Before we start, please note that if you want to see a table of contents for all the sections of this blog and their various Purview topics, you can find it at the following link:
Microsoft Purview- Paint By Numbers Series (Part 0) - Overview - Microsoft Tech Community
This document is not meant to replace any official documentation, including those found at docs.microsoft.com. Those documents are continually updated and maintained by Microsoft Corporation. If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed. Links to the docs.microsoft.com data will be referenced both in the document steps as well as in the appendix.
All of the following steps should be done with test data, and where possible, testing should be performed in a test environment. Testing should never be performed against production data.
The Data Loss Prevention (DLP) section of this blog series is aimed at Security and Compliance officers who need to prevent data from being emailed to users in untrusted domains.
This document is meant to guide an administrator who is “net new” to Microsoft E5 Compliance through the use of Data Loss Prevention for Endpoints with a Sensitivity Label.
We will only step through a basic DLP case (see the Use Case section) with an Endpoint Device, specifically copying to a clipboard, printing, and copying to a USB device.
For the purpose of this document, an Endpoint Device is either a Windows 10 or Windows 11 device AND it is a physical device, not a virtual device.
This document does not cover any other aspect of Microsoft E5 Compliance, including:
It is presumed that you have a pre-existing understanding of what Microsoft E5 Compliance does and how to navigate the User Interface (UI).
It is also presumed you are using an existing Sensitive Information Type (SIT) or an Exact Data Match (EDM) you have created for your testing.
If you wish to set up and test any of the other aspects of Microsoft E5 Compliance, please refer to Part 1 of this blog series (listed in the link below) for the latest entries to this blog. That webpage will be updated with any new walkthroughs or Compliance-relevant information, as time allows.
We will prevent a user on a Windows 10 or Windows 11 device from being able to
The data we will be blocking will be our “HR Data” SIT created in part 1a of this series. This blocking is done to prevent accidental leakage of data or purposeful removal or theft of company data.
N/A
Verify that your Endpoint Device has been onboarded
b. Method #2: Go to Compliance.microsoft.com -> Settings -> Device onboarding -> Devices
c. In the Customize advanced DLP rules section, click Create Rule.
d. Name your Rule and give it a description.
i. Example = Name – Endpoint DLP (Label) Rule
ii. Example = Description – Endpoint DLP (Label) Rule
e. Under Conditions, click Add Condition and select Add -> Sensitivity labels and select your Label. I am selecting the Sensitivity Label “Default” that I created in part 2c of this blog series.
f. On the right-hand side you will see a drop-down. Leave this at the default of Any of these.
g. Do NOT add a second Condition for this test, but you can add multiple Conditions for your own testing later on.
h. Do not add an Exception. Again, you can do this for your own testing at a later time.
i. Under Actions, select Add an Action -> Audit or restrict activities on devices.
j. Change all activities from Audit to Block. We will only be testing Copy to Clipboard, Copy to USB removable media, and Print. However, setting everything to Block a) confirms that those 3 scenarios are blocked along with everything else, and b) lets you test other Endpoint DLP options on your own later on.
k. Now go to User Notifications. Here you will set up the alerts to be sent to your administrator or compliance officer.
i. Select On.
ii. Select Customize the notification. This will alert the users that they have violated the DLP policy. If desired, create a custom title and content.
l. Leave the rest of the options in the Rules pane with their defaults. We will not need them for the next parts of our testing. Click Save and then click Next.
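As an added example (not part of the original post), the same rule expressed with the Security & Compliance PowerShell cmdlets New-DlpCompliancePolicy and New-DlpComplianceRule, so the configuration from steps c through l can be repeated across test tenants and read back for verification. The policy name, the comment text, the custom policy tip, and the exact hashtable shapes passed to -ContentContainsSensitiveInformation and -EndpointDlpRestrictions are my assumptions from the cmdlet reference; the label name “Default” and the rule name come from the post.

```powershell
# Added example: build the Endpoint DLP (Label) rule from this walkthrough with
# Security & Compliance PowerShell instead of the Compliance portal UI.
# Assumptions: label "Default" (part 2c of the series); policy name, comment,
# policy tip text and hashtable shapes are mine, per the cmdlet reference.

# --- Step 1 (run locally on the test device): confirm onboarding. ---
# OnboardingState of 1 under the Defender for Endpoint status key means the
# device is onboarded and will appear under Device onboarding -> Devices.
$status = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
if ($status.OnboardingState -ne 1) { Write-Warning 'Device is not onboarded' }

# --- Steps c to l (run from an admin workstation): policy and rule. ---
Connect-IPPSSession

$policyName = 'Endpoint DLP (Label) Policy'   # assumed name, not from the post
$ruleName   = 'Endpoint DLP (Label) Rule'     # name given in step d

# Policy scoped to the Devices location only, in enforcing (not test) mode.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Block clipboard, USB and print for files carrying the Default label' `
    -EndpointDlpLocation All `
    -Mode Enable

# Condition (step e): content carries the "Default" sensitivity label.
$labelCondition = @(@{
    operator = 'And'
    groups   = @(@{
        operator = 'Or'
        name     = 'Default label group'
        labels   = @(@{ name = 'Default'; type = 'Sensitivity' })
    })
})

# Action (step j): the three activities the post tests, all set to Block.
# The post sets every device activity to Block; add the remaining settings
# from the cmdlet reference to match the UI exactly.
$restrictions = @(
    @{ Setting = 'CopyPaste';      Value = 'Block' }
    @{ Setting = 'RemovableMedia'; Value = 'Block' }
    @{ Setting = 'Print';          Value = 'Block' }
)

# Rule (steps d, e, j, k): label condition, device restrictions, user notification.
New-DlpComplianceRule -Name $ruleName -Policy $policyName `
    -Comment 'Endpoint DLP (Label) Rule' `
    -ContentContainsSensitiveInformation $labelCondition `
    -EndpointDlpRestrictions $restrictions `
    -NotifyUser 'Owner' `
    -NotifyPolicyTipCustomText 'This file carries the Default label and cannot be copied, printed or moved to USB.'

# Check: read the rule back and confirm the tested activities are Block.
Get-DlpComplianceRule -Identity $ruleName | Select-Object -ExpandProperty EndpointDlpRestrictions
```

Policy changes can take time to reach onboarded devices, so run the clipboard, USB and print tests after the rule shows up in the read-back and the device has synced.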
a. I will be using a file called “Default Label.docx”.