Oct 24 2018 08:07 AM
Hi everyone!
I now have access to the new sensitivity labels in the Security & Compliance center and wanted to create a DLP policy with a condition based on a label I published. According to this article the new sensitivity labels should allow me to do so. Unfortunately I only see my retention labels and sensitivity types as the available options in the conditions. Am I missing something?
Oct 25 2018 01:59 AM
SolutionIf you look at the pictures, you will see that this applies only to retention labels. Using DLP policies is basically a way to make sure that both retention and protection will apply, with the retention already enforced via a label, and the protection action enforced via the DLP policy. In the future perhaps...
Oct 25 2018 06:56 AM
Hello @Vasil Michev!
Thanks for your reply! Last week I tried applying a DLP policy with one of the conditions being based on a retention label I had published a while back and I'm constantly running into errors (I've attached a screenshot) I've opened a support ticket (#11831531) within the Office 365 Admin Portal and so far they have not been very helpful in resolving the issue. The error message I am still getting today the following:
Request: /api/policy Status code: 500 Exception: Microsoft.Exchange.PswsClient.PswsException Diagnostic information: {Version:16.00.2656.007,Environment:EUSPROD,DeploymentId:b9d1eaec988246bd97ea05edb88f7c8e,InstanceId:WebRole_IN_0,SID:f4012950-8573-4128-8553-41d89b932b35,CID:6bc2a99c-b028-4eba-9ab2-d5362587c12f} Time: 2018-10-25T13:46:36.3441684Z
Are you able to apply a DLP policy for content with a retention label?
Thanks,
Francis
Oct 26 2018 02:41 AM
I seem to be getting errors too:
The label name 'Disposition' provided in label parameter of content conatains sensitive information predicate does not exist.
Guess it's either still rolling out or there is some issue on the backend.
Oct 26 2018 09:47 AM
Oct 29 2018 06:28 AM
After I opened a Github issue regarding the clarity of the article (sensitivity vs. retention labels with DLP) Microsoft updated the article with this:
Note that you can currently use only a retention label as a condition, not a sensitivity label. We're currently working on support for using a sensitivity label in this condition.
Can't wait to have support for sensitivity labels in DLP policies!
Francis
Oct 30 2018 06:21 AM
Oct 30 2018 06:23 AM
Mar 07 2019 03:05 AM - edited Mar 07 2019 03:47 AM
related question : how do we Monitor/report on Sensitivity labels?
Hi Everyone.
I've been trying to figure out what options i have for monitoring the content that has been labelled using the sensitivity labels.
It appears that the Label activity explorer in SCC (e5 required) reports on Retention labels.
I thought that I may be able to review based on DLP policy matches.. i.e. if DLP finds content labelled with a sensitivity label it will show up in one of the DLP reports.
Anyone direct me in relation to how we should be monitoring activity in relation to sensitivity labels?
Cheers.
Colm
Update : It appears that we can monitor the sensitivity labels via an activity report/explorer (preview) in the AIP portal (see attached)
reference : https://www.youtube.com/watch?v=UI0p9xqMNfI&feature=youtu.be
Jul 18 2019 02:00 PM
@Francis Ouellet We've been able to make this work by looking at the document properties that the sensitivity labels create. For docs in SharePoint/OneDrive, you have to set up some mapping behind the scenes so you can reference the property - we mapped it to a field called "SensitivityAlias," then set up a condition:
Document property is:
SensitivityAlias = (label value you're looking for)
It works for us for DLP policies applied to SharePoint, and for direct links to docs attached to emails. It does NOT work for copies of docs attached to emails, since it can't see that mapped property - for that, we set up an Exchange transport rule to look for the property value and we mimic the same logic there. Hope that helps!
Dec 11 2019 05:03 AM - edited Dec 11 2019 05:04 AM
It still doesn't seem to create DLP policies applied to Sensitivity Labels. I wonder why is that and it doesn't really make any sense why you only can apply DLP policies to Retention labels.
Anyone heard about this changing even though the docs.microsoft.com article says "it's coming".
Dec 11 2019 10:42 AM
Oct 25 2018 01:59 AM
SolutionIf you look at the pictures, you will see that this applies only to retention labels. Using DLP policies is basically a way to make sure that both retention and protection will apply, with the retention already enforced via a label, and the protection action enforced via the DLP policy. In the future perhaps...