Forum Discussion
DLP in Office Excel and Word?
What I would like to do:
- User Creates Document in Excel/Word
- At document save, DLP scans run using rules created in O365 Security and compliance center
- Warn the user, letting them know the document contains PII, such as social security numbers or whatever
- Document and record somewhere for reporting
Is this currently possible with O365? The only articles I can seem to find mention only mail flow DLP.
We have O365 E3 licenses at the moment.
Anyone?
Thanks
6 Replies
Should be possible, however I'm having a hard time making either DLP policy tips or the AIP automatic labeling happen in desktop apps. Granted, I'm on FR for deferred channel on this machine, so it might be that the relevant controls are simply not in my Office version. Although I have the same experience on the laptop with Current channel...
Anyway, if the document is saved to SPO/ODFB, it should be processed (after some delay) and tagged for PII violations.
- Bri La, Copper Contributor
Thank you, but for this user group, a pop-up in the document I believe would be more beneficial. It needs to just be noted so they are reminded to save to the secure location and not elsewhere.
- Imran_Kamaluddin, Brass Contributor
Hello,
You require O365 E5 to use the automatic labelling feature of Azure Information Protection. Also, you must be using the professional version of Word/Excel.
- Cian Allner, Silver Contributor
This sounds like https://www.microsoft.com/en-us/cloud-platform/azure-information-protection, which has an Automated data classification option that can https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-policy-classification patterns like social security numbers and https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-policy-protection can be applied with Azure RMS or a Do not forward option for Outlook email messages.
This does come at an extra https://www.microsoft.com/en-us/cloud-platform/azure-information-protection-features.
- Bri La, Copper Contributor
Cian, this appears to be what I am looking for. We have a hybrid environment though; only Exchange is currently in the Microsoft cloud. Would this require Azure AD as well?
- Cian Allner, Silver Contributor
Have a look at this first - https://support.office.com/en-US/article/Overview-of-data-loss-prevention-policies-1966b2a7-d1e2-4d92-ab61-42efbb137f5e, which discusses the built-in DLP options in Office 365 and covers different uses like:
Identify sensitive information across many locations, such as Exchange Online, SharePoint Online, and OneDrive for Business.
For example, you can identify any document containing a credit card number that’s stored in any OneDrive for Business site, or you can monitor just the OneDrive sites of specific people.
This can also work with Office programs monitoring and protecting sensitive information. You can create and manage DLP policies on the Data loss prevention page in the Office 365 Security & Compliance Center. A DLP policy can find and protect sensitive information across Office 365, whether that information is located in Exchange Online, SharePoint Online, or OneDrive for Business. You can easily choose to protect all sites or mailboxes, or just specific ones.
That overview page has lots more details including actions such as Restrict access to the content, User notifications and user overrides and Incident reports.
Now, Azure Information Protection is a paid add-on with two versions, P1 and P2; only the P2 version comes with automated classification, labelling, and protection. This is bundled with Enterprise Mobility + Security (EMS) - the E3 version has AIP P1 while EMS E5 comes with AIP P2.
Have a look at https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-information-protection to get a better sense of how it works through labels, classification and optionally protection. Some Office 365 licences also come with https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms, which is the protection technology used by Azure Information Protection. Here are details about the https://docs.microsoft.com/en-us/information-protection/rms-client/aip-client used to classify and protect documents and emails, or use a Rights Management service to protect data.
Azure Information Protection https://docs.microsoft.com/en-us/information-protection/get-started/requirements Azure AD. Azure Rights Management service from Azure Information Protection with on-premises servers is supported per this https://docs.microsoft.com/en-us/information-protection/get-started/requirements-servers.