O365 DLP Policy Setup


I set up a custom DLP policy for US PII data that generates incident reports if sensitive information was present in the email. Is there a configuration where if an email is encrypted as an exception to the rule, it will not trigger the report?

The idea is if an email message is encrypted, it will not generate an incident report.


Current setup:

Rule consists of

if message contains sensitive information and shared outside organization

except if message type is encrypted

stop processing additional DLP policies and rules if there's a match for this rule.

But it appears the exception is not working.

Note: Testing the "Encrypt only" feature.

Thanks,

Kennie

5 Replies

I'm in the exact same spot and confirm the rule exception is not working in my environment, either. Setting the "message type is" to another option (tested with meeting invites) does work, so the rule logic itself operates; it just doesn't detect encrypted messages as one would expect.

Upvote, sames

@kengab try setting Message Type is: Permission Controlled - that did the trick on my setup.

I tried that. Didn't work. What did work is creating a blank rule at position zero which identifies encrypted messages and does nothing to them. The "except" for encrypted or protected messages doesn't work.

Ah, gotcha. Can't say I tested the except within a rule. I designed my policies similar to how you're describing: I have a first-order policy with however many rules in there as positive finds, bypassing any other DLP if triggered, then actual DLP handling in a separate policy afterwards.

Out of curiosity, are you using DLP controls via Labels or Outlook Message Encryption (say a Transport rule, for example)? I'm stuck with the latter until I can migrate us to Labels, and I suspect that's part of the issue with detecting protected messages.