SOLVED

Testing O365 DLP Policy


Hi,

I'm testing a DLP Policy for emails and have enabled "I'd like to test it out first" and have the following checked: "Show policy tips while in test mode"

I want to know if the Override option will display during the testing? Or will it only show up when I turn on the policy?

As well, I just want to be sure that when I have the following enabled, that the emails will still get sent out as long as the user overrides and provides a reason, see attached.

7 Replies
Hi Suolon,

Yes, that is correct, and is confirmed in the following article which should also provide some guidance and what to expect

https://docs.microsoft.com/en-us/office365/securitycompliance/create-test-tune-dlp-policy

There is also a string I would recommend here on the Community which also discusses setting up notifications for overrides and actions to take when users have performed an override of the DLP policy

https://techcommunity.microsoft.com/t5/Security-Privacy-Compliance/Overrides-and-false-positives-in-...

Hope I have answered your question. If I have, please like and set as the solution. If not, please let me know what more I can do to help. Thanks for raising this to the Tech Community.

Best, Chris

Hi Chris,

Thanks again for responding to my post. I'm just checking out your two links now.

I have already created 5 DLP policies for our tenant, all of which are in test mode with Policy Tips, but during the test I don't see anywhere to override and it wasn't clear in the setup if we would see the override.

I'm just worried that once I turn on the DLP, that the users will be blocked from sending out the emails, even if I do have the Override feature turned on.

I do have one other question. In the DLP setting, I see that we can either Block the email from being sent, or Encrypt the email before sending. I would like to know what the experience is for the recipient when they get the encrypted email - how would they open and view the email?

best response confirmed by Suolon Hu (Occasional Contributor)
Solution

Hi Suolon,

Not a problem - can understand the anxieties if you haven't done it before. They should not be blocked from sending out the emails unless you choose to block them.

You can find out more about the encryption here

https://docs.microsoft.com/en-us/office365/securitycompliance/email-encryption

And the recipient experience here

https://www.peters.com/office-365-message-encryption-ome/

Encryption is designed for automated encryption of sensitive data; for example school or patient PII data. Most organisations I have worked with tend to block as they don't want this information going out over email and prefer a different sharing forum such as Microsoft Teams (i.e. guest access).

Best, Chris
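To check which rules are actually set to block and whether they offer the sender an override, the policies can be listed from Security & Compliance PowerShell. This is an added example, not part of the original thread; it assumes the ExchangeOnlineManagement module is installed and a session has been opened with `Connect-IPPSSession`, and it only reads configuration.

```powershell
# Added example: read-only review of DLP policy modes and rule actions.
# Assumes: Connect-IPPSSession has already been run with a compliance admin account.

# 1. Mode of every DLP policy (for example Enable, TestWithNotifications,
#    TestWithoutNotifications or Disable).
$policies = Get-DlpCompliancePolicy
$policies | Sort-Object Name | Format-Table Name, Mode -AutoSize

# 2. For every rule, record whether it blocks and which override options it offers.
$report = foreach ($rule in Get-DlpComplianceRule) {
    $policy   = $policies | Where-Object { $_.Name -eq $rule.ParentPolicyName }
    $override = @($rule.NotifyAllowOverride) -join ','

    [pscustomobject]@{
        Policy        = $rule.ParentPolicyName
        PolicyMode    = $policy.Mode
        Rule          = $rule.Name
        Disabled      = $rule.Disabled
        BlockAccess   = [bool]$rule.BlockAccess
        NotifyUser    = @($rule.NotifyUser) -join ','
        AllowOverride = $override
        # A blocking rule with no override option gives the sender no way through.
        BlocksWithoutOverride = ([bool]$rule.BlockAccess -and -not $override)
    }
}
$report | Sort-Object Policy, Rule | Format-Table -AutoSize -Wrap

# 3. Rules worth reviewing before their policy is switched out of test mode.
$report |
    Where-Object BlocksWithoutOverride |
    Select-Object Policy, PolicyMode, Rule
```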

Hi.

So I've turned on DLP policies, but now some of the users' emails are being blocked without Outlook allowing them to override it when their email contains an attachment that would trigger the DLP policy. How can users be able to override it if their email contains file attachments?

Hi @Suolon Hu

Please see here about DLP Policies and attachments

https://docs.microsoft.com/en-us/exchange/use-transport-rules-to-inspect-message-attachments-exchang...

I would recommend that if the attachment is triggering the policy then it contains sensitive data which you would not likely want to transmit over email. If it is like an Excel, Word, PDF file then I would recommend the user sharing them with the recipient from OneDrive, over Microsoft Teams etc.

Best, Chris

Hi Chris,

So a few things about that.

We did not enable External Sharing on our tenant, because we don't have a policy in place for that at the moment (that's a different journey altogether).

As for the files that are triggering the DLP, it's coming from our Professional Services department who regularly correspond with clients.... Which I'm thinking the better option in this case, and given the situation of external sharing being disabled, is probably to create a separate DLP Policy rule for them that will allow them to send attachments - probably by adding an exception on the file types being sent, and/or increase the min count? The problem is, we still want to be able to track those emails with the attachments, is there any way to do that?

Also, another issue we're having is that the GoToMeetings invites are triggering the DLP as well. The only content in those emails is the phone numbers, which are triggering them - i.e., false positives. In these cases, again, users are not given a prompt to override them and report them as false positives.

It's not working for me in SCC. It's worked in AIP so I thought I will "move on" and migrate to SCC, how wrong I was. One test policy never worked, so I deleted it, now it's in "deletion state" for over two weeks - ok, not a problem, quick Google search and there is a PS command but recently Microsoft removed -ForceDeletion switch (on purpose?) so I can't force delete the policy in PowerShell and it clutters my dashboard which I hate btw. So I created two more test policies and the mail tips are not working, I tried everything without any success. The admin experience in O365 / Azure is very poor for me. And the whole configuration is not a single pane of glass at all. Azure here, old exchange admin there, new admin centre everywhere and the newest admin preview in between. Total mess, I'm sorry to say that...