Data loss prevention with Microsoft Purview

Scope of Concern

PowerShell Alternative

DLP policies can be managed and configured by PowerShell with the Exchange Online PowerShell V2 Module, which you can install and import with the commands:

Install-Module -Name ExchangeOnlineManagement
Import-Module -Name ExchangeOnlineManagement

Afterward, the commands

Connect-IPPSSession -UserPrincipalName christian@schulenburg.co
Get-DlpCompliancePolicy
Get-DlpComplianceRule
New-DlpCompliancePolicy
New-DlpComplianceRule

let you connect to Microsoft Online and use the DLP commands, display all the policy information at a glance, reveal more about the existing rules, and create new policies and rules. For more commands that let you manage DLP policies with PowerShell, see Table 2.

Table 2

PowerShell for DLP Policies

Cmdlet                        Function
Get-DlpCompliancePolicy       Displays information about existing data loss prevention policies
Get-DlpPolicyTemplate         Displays existing DLP policy templates in an Exchange organization
Get-DlpDetailReport           Lists details of DLP rule matches for Exchange Online, SharePoint Online, and OneDrive for Business for the last 30 days
Get-DlpDetectionReport        Displays a summary of DLP rule matches for Exchange Online, SharePoint Online, and OneDrive for Business for the last 30 days
New-DlpCompliancePolicy       Creates a DLP policy in an Exchange organization
Remove-DlpCompliancePolicy    Removes an existing DLP policy
Remove-DlpComplianceRule      Removes an existing DLP rule
Set-DlpPolicy                 Modifies a DLP policy in an organization

Creating Exceptions

Not every email with confidential information should be blocked outright. Employees have several ways to send messages or store data. For example, for each location you can define to whom the policy applies or does not apply. The filters have a different effect depending on the location: Exchange uses distribution groups to control adding and blocking, whereas SharePoint uses sites to differentiate.

Exceptions can also be created directly in a rule. Note that each location can offer different exceptions. If multiple locations are selected, only exceptions that apply to all locations can be configured. For example, the recipient, file extensions, and document name can be selected here. Once you have selected all locations for monitoring, don't be surprised to see the option to add exceptions grayed out.

If you do not have an exception from the outset, you can configure an override for the end user. To do so, enable the Allow overrides from M365 services item in the rule settings. Optionally, a business justification can be requested in the process. A policy can be overridden if an employee has reported it as a false positive. Overriding is done from the policy tip client-side.

An option in Outlook and Teams lets you bypass the policy when composing a message. In the window, you specify the reason for overriding to enable sending, which means that users in Exchange, SharePoint, OneDrive, and Teams can override DLP policies, if needed. The Compliance Manager is, of course, informed about the exception in the Justification text in the status report. DLP policies provide a sufficient choice of exceptions for senior management or specialist departments that have to work with sensitive data all the time so that they are not hindered in their daily tasks.
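
The following is an added example, not code from the original article: a PowerShell sketch of the exceptions and overrides described above, limited to the Exchange location so that a recipient exception is available in the rule. The account, group, domain, and policy names are constructed placeholders, and the mapping of the portal's override option to the NotifyAllowOverride parameter is an assumption.

```powershell
# Added example: all names, addresses, and domains are constructed placeholders.
Import-Module -Name ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.example

$policyName = 'Example - Credit card data in email'

# Location-level exception: the policy covers all Exchange senders except
# members of one distribution group. Test mode shows policy tips to users
# without enforcing the block, so false positives surface before rollout.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Added example: Exchange only, one exempt distribution group' `
    -ExchangeLocation All `
    -ExchangeSenderMemberOfException 'dlp-exempt-finance@contoso.example' `
    -Mode TestWithNotifications

# Rule-level exception plus end-user override:
#  - mail to one partner domain is exempt from the rule
#  - the sender may override from the policy tip, either by reporting a
#    false positive or by entering a business justification
#  - an incident report is generated so that the override and its
#    justification text can be reviewed afterward
$rule = @{
    Name                                = 'Example - Block credit card numbers'
    Policy                              = $policyName
    ContentContainsSensitiveInformation = @{ Name = 'Credit Card Number'; minCount = '1' }
    BlockAccess                         = $true
    ExceptIfRecipientDomainIs           = 'partner.example'
    NotifyUser                          = 'Owner'
    NotifyAllowOverride                 = 'FalsePositive', 'WithJustification'
    GenerateIncidentReport              = 'SiteAdmin'
    IncidentReportContent               = 'All'
}
New-DlpComplianceRule @rule

# Read the configuration back to confirm which exceptions and overrides
# are actually in effect.
Get-DlpCompliancePolicy -Identity $policyName |
    Format-List Name, Mode, ExchangeLocation, ExchangeSenderMemberOfException
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, BlockAccess, ExceptIfRecipientDomainIs, NotifyAllowOverride
```

Running the two Get- commands without a policy filter across the whole tenant gives a quick review of every rule that carries an exception or permits overrides.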

Conclusions

DLP policies provide a quick way to use on-board tools to check the daily flood of data from various Microsoft services for compliance. On the positive side, the variety of locations that can be included in a single policy makes the setup fast and clear-cut.
