Before we start, please note that if you want to see a table of contents for all the sections of this blog and their various Purview topics, you can find it at the following link:
Microsoft Purview- Paint By Numbers Series (Part 0) - Overview - Microsoft Tech Community
This document is not meant to replace any official documentation, including those found at docs.microsoft.com. Those documents are continually updated and maintained by Microsoft Corporation. If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed. Links to the docs.microsoft.com data will be referenced both in the document steps as well as in the appendix.
All of the following steps should be done with test data, and where possible, testing should be performed in a test environment. Testing should never be performed against production data.
The Data Loss Prevention (DLP) section of this blog series is aimed at Security and Compliance officers who need to prevent data from being sent via Teams chats to untrusted users.
This document is meant to guide an administrator who is “net new” to Microsoft E5 Compliance through the configuration of Teams Data Loss Prevention (DLP).
It is presumed that you already have a Sensitive Information Type that you want to use in your DLP policy. For the purposes of this policy, I will use the data from the Exact Data Match I created in part 1a of this blog series.
This document will only be dealing with SIT data being shared through the Teams Chat. It will not be dealing with Files being shared either through Teams Chat or shared Teams sites. That will be covered in a future blog entry.
This document does not cover any other aspect of Microsoft E5 Compliance, including:
It is presumed that you have a pre-existing understanding of what Microsoft E5 Compliance does and how to navigate the User Interface (UI).
It is also presumed you are using an existing Sensitive Information Type (SIT) or a SIT you have created for your testing.
This file will not be covering the sharing of files through Teams or through Teams chat.
If you wish to set up and test any of the other aspects of Microsoft E5 Compliance, please refer to Part 1 of this blog series (listed in the link below) for the latest entries to this blog. That webpage will be updated with any new walkthroughs or Compliance-relevant information, as time allows.
Your company does not want Sensitive data to be shared between users, by accident or on purpose.
There are no extra definitions for this part of the blog series.
c. In the Customize advanced DLP rules, click Create Rule
d. Name your Rule and give it a description.
i. Example = Name – Teams Chat DLP Rule
ii. Example = Description – Teams Chat DLP Rule
e. Under Conditions, click Add Condition and select Add -> Sensitive info types and select your SIT or Exact Data Match. I am selecting the SIT labeled “HR Data”. Let us place the confidence of this SIT to High Confidence.
f. On the right-hand side you will see a drop down. Leave this at the default of Any of these.
g. Do not add a second Condition for this test, but you can add multiple Conditions for your own testing later on.
h. Do not add an Exception. Again, you can do this for your own testing at a later time.
i. Under Actions, select Add an Action -> Restrict Access or Encrypt the content in Microsoft 365 location.
i. Select Block users and then select Block Everyone.
Note – If you have access to an external Exchange account for testing, feel free to select Block only people outside your organization.
j. Now go to User Notifications. Here you will set up the alerts to be sent to your administrator or compliance officer.
i. Select On.
ii. Select Notify users in Office 365 service with a policy tip. This will alert the users that they have violated the DLP policy. Here is what I am placing in my policy tip – “Teams Chat DLP violation. Please stop sharing sensitive data.”
k. Leave the rest of the settings at their defaults. Click Save and then click Next.
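The same rule can be built from Security & Compliance PowerShell, which makes the test configuration repeatable and easy to review. This is an added example, not part of the original walkthrough. Assumptions: the policy name is a placeholder (the post does not show it), `LastModifier` is used as the policy tip recipient, High Confidence is expressed as `minConfidence = 85`, and the policy is switched on (`-Mode Enable`) so the block can be observed in a test tenant.

```powershell
# Added example: scripted equivalent of portal steps c-k (not from the original post).
# Needs the ExchangeOnlineManagement module and a role allowed to manage DLP policies.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession    # Security & Compliance PowerShell, prompts for sign-in

# Values from the walkthrough; the policy name is a placeholder (assumption).
$policyName = 'Teams Chat DLP Policy (placeholder)'
$ruleName   = 'Teams Chat DLP Rule'
$sitName    = 'HR Data'
$tipText    = 'Teams Chat DLP violation. Please stop sharing sensitive data.'

# Fail early if the SIT the rule depends on does not exist in this tenant.
if (-not (Get-DlpSensitiveInformationType -Identity $sitName -ErrorAction SilentlyContinue)) {
    throw "Sensitive information type '$sitName' not found; create it before the rule."
}

# Policy scoped to Teams chat and channel messages only.
# -Mode Enable is an assumption; use TestWithNotifications to audit without blocking.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Teams chat DLP test policy' `
    -TeamsLocation All `
    -Mode Enable

# Steps d-j: one condition (the SIT at high confidence), no exceptions,
# block everyone, and show a policy tip to the sender.
$ruleParams = @{
    Name                                = $ruleName
    Policy                              = $policyName
    Comment                             = 'Teams Chat DLP Rule'
    ContentContainsSensitiveInformation = @{ Name = $sitName; minConfidence = 85 }
    BlockAccess                         = $true
    BlockAccessScope                    = 'All'          # "Block Everyone" in the UI
    NotifyUser                          = 'LastModifier' # assumption: tip goes to the sender
    NotifyPolicyTipCustomText           = $tipText
}
New-DlpComplianceRule @ruleParams

# Read the rule back to confirm what was actually stored.
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, Disabled, BlockAccess, BlockAccessScope, NotifyUser, NotifyPolicyTipCustomText
```

To match the note under step i about an external test account, set `BlockAccessScope` to `PerUser`, which blocks only external users.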
You have now completed your testing of using DLP to block Teams Chats with sensitive data.