Microsoft Tech Community

DLP with the new sensitivity labels

Hi everyone!

I now have access to the new sensitivity labels in the Security & Compliance center and wanted to create a DLP policy with a condition based on a label I published. According to this article the new sensitivity labels should allow me to do so. Unfortunately I only see my retention labels and sensitivity types as the available options in the conditions. Am I missing something?

11 Replies
best response confirmed by Francis Ouellet (Copper Contributor)
Solution

If you look at the pictures, you will see that this applies only to retention labels. Using DLP policies is basically a way to make sure that both retention and protection will apply, with the retention already enforced via a label, and the protection action enforced via the DLP policy. In the future perhaps...

Hello @Vasil Michev

Thanks for your reply! Last week I tried applying a DLP policy with one of the conditions being based on a retention label I had published a while back, and I'm constantly running into errors (I've attached a screenshot). I've opened a support ticket (#11831531) within the Office 365 Admin Portal and so far they have not been very helpful in resolving the issue. The error message I am still getting today is the following:

Request: /api/policy Status code: 500 Exception: Microsoft.Exchange.PswsClient.PswsException Diagnostic information: {Version:16.00.2656.007,Environment:EUSPROD,DeploymentId:b9d1eaec988246bd97ea05edb88f7c8e,InstanceId:WebRole_IN_0,SID:f4012950-8573-4128-8553-41d89b932b35,CID:6bc2a99c-b028-4eba-9ab2-d5362587c12f} Time: 2018-10-25T13:46:36.3441684Z

Are you able to apply a DLP policy for content with a retention label?

Thanks,

Francis

I seem to be getting errors too:

The label name 'Disposition' provided in label parameter of content conatains sensitive information predicate does not exist.

Guess it's either still rolling out or there is some issue on the backend.

Ok great, then it's not just me! Thanks for checking it out!

After I opened a GitHub issue regarding the clarity of the article (sensitivity vs. retention labels with DLP), Microsoft updated the article with this:

Note that you can currently use only a retention label as a condition, not a sensitivity label. We're currently working on support for using a sensitivity label in this condition.

Can't wait to have support for sensitivity labels in DLP policies!

Francis

Hi Francis,

Any update on this? I've the same problems on all my tenants and even the demo tenants from MS give this error. Too bad, I have a presentation this Friday on how to use DLP. Will do with screenshots then.

Unfortunately, no. The tickets I opened with Office 365 support are still open and not much is happening. I suggest you do the same for each tenant you have (I've opened 3) as it might start showing up on someone's radar...

Related question: how do we monitor/report on sensitivity labels?

Hi everyone.

I've been trying to figure out what options I have for monitoring the content that has been labelled using the sensitivity labels.

It appears that the Label activity explorer in SCC (E5 required) reports on retention labels.

I thought that I may be able to review based on DLP policy matches, i.e. if DLP finds content labelled with a sensitivity label it will show up in one of the DLP reports.

Can anyone direct me in relation to how we should be monitoring activity in relation to sensitivity labels?

Cheers.

Colm

Update: It appears that we can monitor the sensitivity labels via an activity report/explorer (preview) in the AIP portal (see attached).

Reference: https://www.youtube.com/watch?v=UI0p9xqMNfI&feature=youtu.be

@Francis Ouellet We've been able to make this work by looking at the document properties that the sensitivity labels create. For docs in SharePoint/OneDrive, you have to set up some mapping behind the scenes so you can reference the property - we mapped it to a field called "SensitivityAlias," then set up a condition:

Document property is:

SensitivityAlias = (label value you're looking for)

It works for us for DLP policies applied to SharePoint, and for direct links to docs attached to emails. It does NOT work for copies of docs attached to emails, since it can't see that mapped property - for that, we set up an Exchange transport rule to look for the property value and we mimic the same logic there. Hope that helps!
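
The workaround described in the post above, sketched in PowerShell as an added example (not part of the original post, and not the poster's own configuration). It assumes the managed property `SensitivityAlias` has already been mapped as the poster describes; the policy and rule names, the label value `Confidential` and the attachment property placeholder are hypothetical.

```powershell
# Added example. Requires the ExchangeOnlineManagement module.
# Assumptions: "SensitivityAlias" is already mapped as a managed property
# (per the post); all names and values below are placeholders.
$labelValue = 'Confidential'   # constructed sample label value

# 1) DLP rule for SharePoint/OneDrive that matches the mapped document property.
Connect-IPPSSession
New-DlpCompliancePolicy -Name 'Label-based DLP (example)' `
    -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithoutNotifications   # evaluate matches before enforcing

New-DlpComplianceRule -Name 'SensitivityAlias match (example)' `
    -Policy 'Label-based DLP (example)' `
    -ContentPropertyContainsWords "SensitivityAlias:$labelValue" `
    -BlockAccess $true

# 2) Transport rule for copies of documents attached to e-mail, where the
#    SharePoint-mapped property is not visible. The property name that the
#    label writes into the file is tenant-specific, so it stays a placeholder.
Connect-ExchangeOnline
$attachmentProperty = '<label-document-property>'
New-TransportRule -Name 'Labelled attachment (example)' `
    -AttachmentPropertyContainsWords "${attachmentProperty}:$labelValue" `
    -SetAuditSeverity Medium `
    -Mode Audit                      # log matches only, no enforcement yet
```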

It still doesn't seem to create DLP policies applied to Sensitivity Labels. I wonder why that is, and it doesn't really make any sense why you can only apply DLP policies to Retention labels.

Has anyone heard about this changing, even though the docs.microsoft.com article says "it's coming"?
