SC-400 Microsoft Information Protection Administrator – Creating and Configuring Data Loss Prevention Policies Part 2
I'd now like to demonstrate the process of creating data loss prevention policies and configuring them for Exchange, SharePoint, Teams, OneDrive, all that fun stuff. All right, so we're going to start here on portal.microsoft.com. We're going to click the Show all symbol and we're going to click the Compliance blade, and that's going to bring us into the Compliance Center. Granted, you can also type compliance.microsoft.com as a URL. It'll take you straight to this area.
Now once we get there, we're going to go to the Data Loss Prevention blade here, and from there we can go and create policies. All right, so I have a default policy there and just some test policies, which I'm not going to get into at the moment, but I'm going to click on Create a policy. Okay? So from there we have these different policy templates that are available to us for creating a custom policy. All right. Now these policy templates that are available are going to involve a bunch of sensitivity labels that come in from the information protection side of our Microsoft 365 environment. So we have some existing ones we can use, or we can also create a custom one. We can create a custom sensitivity label and go there.
But let's take a look at some of what we've got. We've got financial templates for searching for sensitive information, we've got medical and health sensitive information, and then privacy. I'm going to focus on privacy and I'm going to go down and select the U.S. Patriot Act. Now the U.S. Patriot Act sensitivity label is going to include the following things. It's going to be looking for information being shared that contains those items that you see there: credit card numbers, U.S. bank account numbers, U.S. individual tax ID numbers, and then of course Social Security numbers. So that's what we're going to be looking for in this. At that point I'm going to click Next and I can give it a name. It will just give it a default name if you go with the template, and I'm just going to leave it as the default name. All right, so I'm going to click Next.
All right, so here's where things get interesting. This is where I can specify where I want to tie my data loss prevention policies. So we'll start with Exchange, your Exchange email. Now by default you're going to notice that it's going to be looking in all areas of Exchange involving all your groups. So any type of group, distribution group, any type of group that's associated with email, it's going to be searching in all of the users' email, and this also includes all users as well, not just users that are part of groups, but all users. Okay, now if you want to include specific groups that you want it to look at, you can click Choose distribution group and it will be looking specifically for users that are part of those groups. Okay? Now on the flip side of that, you can also go with Exclude distribution group. Now the thing you want to remember here, if you take the exam, this is something that's very important: inclusions will be overwritten by exclusions. In other words, exclusions will override inclusions. So if I have a user who's a member of a group called Sales, and I include the Sales group here, and then I do an exclusion on a group called Marketing, and I have a user that's a member of both groups, okay?
The exclusion will override the inclusion. So if you had a user who is a member of both groups, this user would be excluded from this policy rule that we're configuring here. Okay? So just be advised, and that's going to be the case for all of these things, all of these items that you see here. Exclusions will always override inclusions. Okay? So for SharePoint, if I want to set this policy to work on SharePoint, I can go right here. I can click on Choose sites and I can specify specific SharePoint sites that I want to select. Okay? So in my case, I've got a few different ones I could go with. I'll go with one called Project One, and that's a SharePoint site. Maybe I want that to apply to it.
You could choose other sites as well. And then of course, if you wanted to just choose all sites, you could choose all sites if you want. Okay. So from there I have OneDrive accounts. I can select OneDrive here and choose specific accounts or distribution groups I want to apply there, as well as exclusions. I could do Teams chat messages. OneDrive and Teams kind of go well together; actually I should say OneDrive, Teams and SharePoint can all kind of go hand in hand together, because in Microsoft Teams you can share files directly with the help of OneDrive, as well as they can be shared directly on SharePoint.
So these three things here can tie together ultimately. But Microsoft's main game plan with sharing data is they want users to share data through their OneDrive account, being their cloud storage. So if you've got a group of users that are utilizing their OneDrive, and you want to kind of police the data that's inside their OneDrive account, if they're trying to share data with other people, whether it be on a SharePoint site or through a Teams message, then under OneDrive you can configure the groups right here. You could also exclude as well if you want.
All right, so basically by leaving this set to on, this policy is going to apply to OneDrive accounts. Currently, it's going to apply to all. Okay, SharePoint is going to apply just to that one SharePoint site, and then you have Teams chat and channel messages. All right. So from there you can specify a particular group. Maybe this is going to apply to, let's go with the Project One group. I have a group called Project One. Maybe it's a group of users that are working on a project together and I want to apply this to that location. All right. I'm not excluding anything there, because I could set it to all and then exclude certain ones. That's the difference. That's the reason why this is grayed out and that is grayed out. You could set this to all and then exclude specific sites or exclude specific teams if you wanted to over here.
And so that's kind of the logic there on why it is grayed out like it is. Okay, now, right now I'm not really getting into Cloud App Security and on-premises repositories at the moment. But just so you know, you can tie this in with what is known as Cloud App Security, which is Microsoft's big, what's known as a cloud access security broker. It's something that monitors all the websites and things people go to in regards to your cloud service, different places they visit, and that can all be tied to this as well. You could have a restriction, for example, if you worked with Cloud App Security, you could have a restriction on Dropbox, for example. If somebody was trying to share something through Dropbox, this policy could be applied to them as well. And then also of course on-prem. So with our on-premises service we have Microsoft 365 apps, the Office 365 apps on-premises. And if you're using something like Windows 10 or Windows 11, you have something called WIP, Windows Information Protection, that is built into Windows 10 and Windows 11, and basically it can monitor on-premises stuff as well. You can specify certain paths that you want it to focus on, but I'm not getting into a lot of those two things at the moment.
I'm going to turn those off because we're really kind of focusing on these cloud service options at the moment. But I'm going to go ahead and click Next, all right. And then from there it says review and customize the default settings. So by selecting that, it's going to let me select and customize these settings if I wanted to and adjust some settings. Essentially you can do that through Advanced as well. But to be honest with you, you're not really going to see a whole lot extra through Advanced. This method just kind of puts it into an easier-to-read format through the wizard on the screen. But I'll also let you know that you can always go back and view the advanced options after the wizard has created the policy. So we're going to go through the wizard first here.
We're going to go ahead and click Next. It says, okay, the info that you're looking for is this content right here. I could edit that right now if I wanted to and add more content. That's one of the things Advanced lets you do as well. You can go in and edit and maybe specify more sensitive info types that you want. Okay? All right. And so if I click Edit, you'll notice that I can adjust that information, right? So I can adjust the credit card number, U.S. bank account number, tax ID number. So what does all this mean? Well, Microsoft has an algorithm that utilizes regex, regular expressions, or however you like to pronounce it, it's tomato, tomahto. But this is just how confident the algorithm is that it's discovered this information inside of a document.
So if it sees what it thinks is a credit card number, high confidence means it's got to be very confident for it to flag it. You've got medium confidence and there's also even a low confidence level. Okay. And then instance count is going to involve how many instances it is going to find. Now when it comes to detecting sensitive info types in a document, it will have two different sets of rules, one to nine and then 10 to infinity, essentially. And then one to nine will be flagged with a lower alert level than the ten plus, basically. So what you're looking at here, the default policy is just letting us see the one to nine configuration of this, but we can decide what is going to be flagged as a low alert level or a mid alert level or a high alert level.
But to do that you're going to do that outside this screen. You're going to actually do that through the advanced options. Okay, so we'll look at editing an existing policy coming up and you'll see where I'm going with that. All right? So from there I can say detect when this content is shared from Microsoft 365 with people outside my organization, or only with people inside my organization. Okay. So I'm going to go ahead and focus on outside. That's going to be the scarier of the two that we would want to focus on. But keep in mind you can create policies that are going to be applied when people are trying to share things within the organization as well. Okay, you don't want, again, somebody in the finance department sharing payroll information with somebody in the sales department. "Oops, I didn't mean to share this document with you, you're in the sales department," that sort of thing. You don't want that.
So you also could create another policy for inside, but we're going to focus on outside the organization. We'll click Next. So then from there you have protection actions. So the first protection action says when content matches the policy conditions, show policy tips to users and send them an email notification. So one of the great things about DLP is that it can educate users. They're going to get a tip, a message that can pop up, that can say, hey, you're not really supposed to be sharing this. You can also customize what that's going to say if you want. So I've got an option to customize the text as well as who it's going to go to. So I have one option here that says notify the user who sent, shared or last modified the content. So it's going to notify the user. Or, if you want, you can customize. So I can say notify these people: the person who sent, shared or modified the content; the owner of the SharePoint site or OneDrive account; the owner of the SharePoint or OneDrive content.
So one is the SharePoint site or OneDrive account, the other says owner of the SharePoint or OneDrive content. Sometimes people see those and they think they're the same thing. But if you look at the wording, you'll see it's not. Send the email to these additional people: so if I wanted, I could add something there and I could say, okay, we'll go ahead and email this additional person as well. Okay? And of course it would send it to that other person. If you want to customize the email text, you can; you can customize the email subject; you can customize the policy tip. And again, a policy tip is going to be a little box that will pop up on the screen whenever they're doing it. So if you're working in Microsoft Word, for example, you're using Windows 10, Windows 11, whatever, these policies will filter down through what's called Windows Information Protection when the machine is linked to the cloud. And from there these policies will come down. The users will get these little pop-up messages. That's what this policy tip is all about. So I can customize that if I want. Same thing with Exchange Online. You're using email, you're using SharePoint, at the top of the screen you'll get these little pop-up messages that warn you.
And that's what a policy tip is going to do. Detect when a specific amount of sensitive info is being shared: at least ten or more instances of the same info type. Okay? So the thing to understand here is a lot of times when people read that, they're thinking it's only going to do something if there's at least ten instances. So you'd have to have, like, ten instances of a credit card number, Social Security number, or whatever. No, even if there's just one instance, it's still going to take action. But what this is going to do is it's going to go and do the following. You see these checkboxes right here? Send incident reports in email. So it's going to generate what's called an incident report. All right? They tell you here, by default, you and your global admin will automatically receive the email. Incident reports are supported only for activity in Exchange, SharePoint, OneDrive and Teams, which is exactly what we're focused on right now. But you can also choose what's going to be involved in the report.
So it says all incident reports include information about the item that was matched, where the match occurred, and the rules and policies it triggered. You can also include the following information: the name of the person who last modified the content, the types of sensitive content, the rules and severity level. Okay, so this is where if you wanted you could even say, well, one to nine, it's going to flag it as a low level, but ten plus it's going to flag it as a high level. You could even have another set of policies that go with a mid range. But again, to do this you'll have to look at the advanced view of this. Then the content that matched the rule, including the surrounding text, so you're going to get to see some of the content that was involved, and the item containing the content that matched the rule.
So this is what an incident report is. So as you can see, you can configure that a little bit. Send alerts: if any of the DLP rules match, you can have an alert. You can even customize the alert. Right now I have this email that's going to get the alert, but I can also add other people. Send an alert every time an activity matches the rule: so this is the default. So again, even if one instance of something is detected, you could still, if you wanted, have alerts sent. And you have "instances more than or equal to", so a certain amount; you can make it a volume in megabytes; you can say during the last 60 minutes if you want. And this could be flagged for all users, or an individual user that maybe you're wanting to monitor with this, or an individual user that you're wanting to deal with this alert on, I should say. All right, so those are your different options. Most of these are pretty self-explanatory if you kind of just look through them. But I'll save that. And then down here I have restrict access or encrypt the content in the Microsoft 365 locations. So the other thing here we can do is we have rights management with Microsoft 365, which can implement encryption if we want.
So we can select that option and we can have encryption activated as part of the deal here. So I'm going to click Next, and then from there it says restrict access or encrypt the content in the Microsoft 365 locations. So currently it says block users from accessing shared SharePoint, OneDrive and Teams content. By default, users are blocked from sending Teams chats and channel messages that contain the type of content you're protecting. So if you want to know what the defaults are here, it's that they're just restricted. They're not going to be able to share that information. But notice your two options. You've got block everyone: only the content owner, last modifier and site admin will continue to have access. Or block only people outside your organization: users inside your organization will continue to have access. So that is the default. And that's based on what we chose earlier when we specified if this policy was going to be for the inside people or the outside people.
Okay, don't forget too that you have these nice little letter "i" symbols. You can always hover over those and they give you a little bit more information on the options that are available. So then you've got let people who see the tip override the policy. So this is going to be in an instance where maybe I want to allow somebody to override it for one reason or another, one being maybe there's a Social Security number that's discovered, but it's not actually a Social Security number, it's some other number that doesn't even matter. Then maybe I'm going to allow people to override it. So when they get that little tip, they'll have an option that will let them override it. Okay? You can require a business justification to override, which basically means that a user can type in a little box, they can specify what their reason is, and that information will be sent to an admin. Or override the rule automatically if they report it as a false positive.
So that's another thing they can do. You can require justification to do that. If you don't require justification, they just have to click the button to say, hey, this is a false positive, this is not actually a Social Security number or whatever. All right, now if your company implements Cloud App Security, which I'm not really getting into at the moment, but if your company implements Cloud App Security, you can also restrict third-party apps and things as well.
Like I was talking about how you could restrict Dropbox earlier if you want. If your company is using Cloud App Security as what's called a cloud access security broker, you can use third-party apps with this as well, which is really cool. All right, so looking at the next thing I've got, decide whether you want to turn the policy on right now or test it out. So you can test this out if you want. Have it search for, like, a Social Security number or something like that. I can say turn it on right away, or keep it off and then I could turn it on later if I want, but I'm going to say turn it on right away. Okay. At that point we're going to click Next, and then we're going to click Submit. Okay? So once the policy is done, you're just going to click Done here. And I've now officially created my U.S. Patriot Act policy. You'll notice that that is at the bottom here.
And so if I want it to take precedence over the others, I can say move to the top. And it's now going to be taking precedence over the other policies. But I also want to show you that you can click on the policy and it'll give you a quick summary. So if you have a bunch of policies that are created and you're trying to remember what you implemented in each one of the policies, you can quickly see right here that I get a nice little description, and I get the locations that it is applied to, and that there are two different sets of policies here. Now, we didn't actually see the two different sets earlier. That's done in the advanced settings where you can configure those. We just did the wizard. But in the advanced settings, you can manipulate those different settings. So in this next little segment, I'll show you how you can jump in and edit the advanced settings.
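The same policy the wizard just built, created with Security & Compliance PowerShell instead of the portal, as an added example that is not part of the course. The tenant name (contoso), the ProjectOne site URL, the group addresses and the dlp-admin mailbox are assumed placeholders; the four sensitive info type names are the built-in ones the template uses.

```powershell
# Added example, not from the course: the "U.S. Patriot Act" policy the wizard
# builds, created with Security & Compliance PowerShell instead of the portal.
# Assumed values: the contoso tenant, the ProjectOne site, the group addresses
# and the dlp-admin mailbox. Replace them with your own.
Connect-IPPSSession -UserPrincipalName "admin@contoso.onmicrosoft.com"   # assumed admin account

# 1. Locations. Exchange = all mailboxes, SharePoint = one site, OneDrive = all
#    accounts, Teams = one group. Exclusions always win over inclusions, so a user
#    in both Sales (included) and Marketing (excluded) is NOT covered by the policy.
#    Mode TestWithNotifications is the wizard's "test it out"; use Enable to turn it on.
New-DlpCompliancePolicy -Name "U.S. Patriot Act" `
    -Comment "External sharing of U.S. financial and identity data" `
    -ExchangeLocation All `
    -ExchangeSenderMemberOf "sales@contoso.com" `
    -ExchangeSenderMemberOfException "marketing@contoso.com" `
    -SharePointLocation "https://contoso.sharepoint.com/sites/ProjectOne" `
    -OneDriveLocation All `
    -TeamsLocation "projectone@contoso.com" `
    -Mode TestWithNotifications

# 2. The template's four sensitive info types, 1 to 9 instances each. These are
#    the built-in names; Get-DlpSensitiveInformationType lists them all.
$lowBand = @(
    @{ Name = "Credit Card Number";                                    minCount = "1"; maxCount = "9" }
    @{ Name = "U.S. Bank Account Number";                              minCount = "1"; maxCount = "9" }
    @{ Name = "U.S. Individual Taxpayer Identification Number (ITIN)"; minCount = "1"; maxCount = "9" }
    @{ Name = "U.S. Social Security Number (SSN)";                     minCount = "1"; maxCount = "9" }
)

# 3. The low-volume rule: external sharing only, block access, policy tip with
#    override (justification or false-positive report), incident report, alert,
#    severity Low. Even one instance triggers the rule; "ten or more" is the
#    boundary of the separate high-volume rule, not a minimum for any action.
New-DlpComplianceRule -Name "Low volume of content detected U.S. Patriot Act" `
    -Policy "U.S. Patriot Act" `
    -ContentContainsSensitiveInformation $lowBand `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser LastModifier, Owner, "dlp-admin@contoso.com" `
    -NotifyPolicyTipCustomText "This item contains U.S. financial or identity data and cannot be shared outside the organization." `
    -NotifyAllowOverride WithJustification, FalsePositive `
    -GenerateIncidentReport SiteAdmin, "dlp-admin@contoso.com" `
    -IncidentReportContent DocumentLastModifier, Detections, RulesMatched, Severity, MatchedItem `
    -GenerateAlert "dlp-admin@contoso.com" `
    -ReportSeverityLevel Low

# 4. "Move to top": priority 0 is evaluated first. Then confirm the order.
Set-DlpCompliancePolicy -Identity "U.S. Patriot Act" -Priority 0
Get-DlpCompliancePolicy | Sort-Object Priority | Format-Table Name, Priority, Mode
```

Starting in TestWithNotifications mode gives you the policy tips and incident reports without blocking anything, which is the safe way to confirm the include/exclude scoping does what you expect before switching the policy to Enable.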
Now that we've created a policy in the Data Loss Prevention area of the Compliance Center, I want to take a look at the advanced settings that we can configure within that policy. Now, we could have changed these advanced settings when we were creating the policy, but I wanted to demonstrate doing this after the policy is already created. Okay, so what I'm going to do now is highlight this policy and click Edit policy. All right? Notice it brings us in here, and at that point we can edit some of the settings. You'll notice that changing the name is grayed out; it won't let us do that here. But I'm going to go ahead and click Next, and I can alter the locations that this policy is going to be applied to if I want. So I could disable some of these areas, change some of the inclusions or exclusions if I wanted to. But that's not really why I'm here. I'm really here to look at the advanced DLP rules. So we're going to click Next, all right?
And now, when we created the initial policy, unless you chose to edit the advanced rules, you probably didn't notice that you even had two different sets of rules. It let us configure the low rule that it was building, but it didn't let us mess with what was called the high volume content rule. So we had a low volume content rule that it created, but it didn't let us manage the high. So inside the advanced DLP rule area of our Data Loss Prevention policies, we have the ability to look at these rules and see the more advanced settings. So I'm going to go right here, under "Low volume of content detected U.S. Patriot Act", and I'm going to click this little pencil symbol here, which is going to let us edit this rule. Okay? So if we scroll down, we can see. Now a lot of this stuff is stuff we have seen before. So I'm not going to go through and explain every little intricate thing unless it's something we haven't seen. Like, you've seen this; I went through it in the previous section.
But you'll notice that this rule is supposed to be for low volume. So it's one instance to nine instances. Now watch what happens if I cancel this and I edit the high volume. You'll notice that it's set to ten to any, so this is ten and over instances, all right? And most of the settings are pretty much the same. But let's go back to low and let's analyze the settings that are implemented, and then we'll come back to high and analyze those. So this is the low set of rules, the low volume count rule. And we've got one to nine instances. And so it's looking for any of these items: credit card numbers, U.S. bank account numbers, tax ID numbers, Social Security numbers. We could add additional things here if we want, which is kind of cool; I can go and add additional sensitive info types if I want. So if I want to scroll down and pick something else, maybe if I wanted to add, let's say, how about a UK driver's license number, I could add that as an additional item to this. Set the confidence level one to any, and again, remember that these levels are based on an algorithm Microsoft has. All right? And maybe I change my mind. I'm just going to delete that.
So this is called the U.S. Patriot Act policy. But I could add additional things there if I wanted to. If I want to add a policy and then remove it, or add a group of policies and remove them, I can, just by clicking the little trash can. If I wanted to get rid of the Social Security number option, I could choose that. Okay? So from there I can also create a whole group of conditions. Instead of adding an additional condition here under this group, I could create another group of rules. But I'm not going to do that. So I'm just going to click the trash can. It'll remove that.
So on top of it matching these rules, it's also going to be looking at the user. It's going to be looking to see if a user is trying to share this content with somebody outside the organization. So right here, this rule is only going to apply if somebody is trying to share this data outside the organization. Which means if you wanted, you could create a whole other rule just for inside the organization. So you don't actually have to create a whole new policy that's going to be applied to people within the organization. You can edit this existing policy and add a new rule. But we're focused on people outside the organization. Here's where you can set exceptions.
So I could say add an exception: except if the content contains some information, or except if the content is shared from Microsoft 365. I could select, you know, except if the content contains a sensitive info type if I wanted. Maybe if it contained, let's find something real quick here, maybe a certain IP address. So you can add if an IP address was involved there; I could specify if there's an IP address associated with this document, then don't apply that particular rule. All right. And that's just one example. Obviously, IP address may not be the best way to look at this. If we scroll down and look at some of these others, we've got passport number, for example. Maybe if there's a passport involved in the same document as something that's shared up here, then maybe I would not apply this policy to that document. Right? So this is what an exception is all about, right? Remember, an exception is going to overrule a condition that's matched up here. So if I applied this exception, then at that point it would not apply to the document or whatever it is that somebody's sharing.
It could be a Teams channel message or something like that. It would not take effect. This would not take effect. Okay. All right, so that is what your exceptions are. You can also set exceptions involving sharing from Microsoft 365 only with people inside my organization or with people outside my organization. You could then put these two together if you wanted to. So set an exception if somebody's sharing it outside my organization, but it has the passport, as an example.
Okay? All right, so basically you can have a rule built here in advanced DLP policies that essentially does not apply if these two conditions are met. So even if it does discover these things here, it would not apply if these conditions were met. So you can configure those any way you want. Okay? Then it says use actions to protect content when the conditions are met. All right? So if I wanted to, I could choose restrict access or encrypt the content in the Microsoft 365 locations. And we've seen these options before, all right, in the previous section. So block users from accessing. So I'm not going to explain all that again, we've seen it. Okay, but reading through those messages, if you look at those in your own environment: block users from accessing shared SharePoint, OneDrive and Teams content; block everyone; or block only the people outside the organization. So we've seen those before. That was done through the wizard earlier. And then if I want to have a user notified, I have user notifications: use notifications to inform users and help educate. We've seen this before; we've seen the email notifications, we've seen the custom messages before. Okay, allow overrides, we've seen all that. Now this is something we did not see when we built the initial policy. You can have a severity level assigned to this.
So when it generates a log entry or an alert, it will specify severity. Notice that this one says low, okay? And then if we go over here to the high volume count rule, we scroll down and look at that one, you will notice it is high. Which also means if we wanted to build a whole other set of rules, we could have a medium listed there, a medium level, all right? And so from there you can have an alert sent to an admin. You can send the alert; we've seen this all before. All of this stuff is stuff we've seen previously. Use email incident reports, so you have an incident report generated. We've seen that before, and we've seen these options here before as well. So all incident reports include information about the item that was matched, where the match occurred, and the rules and policies that were triggered. You can also include the following: all these checkboxes. So these are all things we've seen; I explained them in the last segment. Okay, so then I've also got something, and this is something we haven't seen: if there's a match for this rule, stop processing additional DLP policies and rules.
Okay, so interestingly enough, when you set up an advanced policy like this, you have this option that says if there's a match for this rule, stop processing additional. So if you have other policies, let's say you've got, like, 20 other policies, normally what would happen is it would match these rules and apply these rules, and it would continue applying any other rules from any other set of policies. But by checking this box, you're telling it to just stop processing additional policies at that point. And you're also able to set the order that you want this policy to be in. So if I set it to priority zero, it's going to be set to the highest level of priority.
Now, notice when I tried to do that, I got this little message right here. It says "Stop processing additional DLP policies and rules if the rule matches" is only supported for the Exchange location. Okay? Now, this is something to watch out for on the exam right here. If you're taking the exam, you want to watch out for this, because this feature is only for the Exchange location. If you've got other locations that you're applying this with, if you go back to the location screen over here, you can't have anything else selected except Exchange. So this is only if you're applying this to Exchange. Just remember, that is something to remember for the exam as well. You cannot have this one applied if it is anything other than Exchange.
So I'm going to turn that off, and then I'm going to hit Save. All right? And again, if I wanted to create a whole other rule, medium volume and all that, and go through and apply these one by one, I could; I could set up a whole other rule. So the thing to understand about data loss prevention policies is that data loss prevention policies are made up of rules. Okay? You have multiple rules that can be part of one policy. Rules are made up of conditions and actions that are going to be performed. So those are the three things to keep in mind. A policy is made up of rules. Rules are made up of conditions and actions that are going to be performed when those conditions are met. Okay? All right. So at that point, I've now officially looked at the advanced settings of the policy. I could resubmit it if I edited anything, and I've now managed my custom settings, or custom advanced settings, for DLP.
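The advanced-rule work from this segment (the high-volume rule the wizard hid, an exception, severity levels, and the Exchange-only "stop processing" flag), done in Security & Compliance PowerShell as an added example that is not part of the course. It assumes the "U.S. Patriot Act" policy already exists in the tenant and that a session is open with Connect-IPPSSession; the policy and rule names, the "IP Address" info type used for the exception, and the medium-band split mentioned in the comments are my choices, not the course's.

```powershell
# Added example, not from the course: the advanced-rule settings from this
# segment, set through PowerShell. Assumes the "U.S. Patriot Act" policy from
# the earlier walkthrough exists and Connect-IPPSSession has already been run.
$types = @(
    "Credit Card Number"
    "U.S. Bank Account Number"
    "U.S. Individual Taxpayer Identification Number (ITIN)"
    "U.S. Social Security Number (SSN)"
)

# Build the ContentContainsSensitiveInformation array for one instance-count
# band. Leaving maxCount out leaves the upper bound open ("10 to any").
function New-VolumeBand {
    param([string]$Min, [string]$Max)
    foreach ($t in $types) {
        $entry = @{ Name = $t; minCount = $Min }
        if ($Max) { $entry.maxCount = $Max }
        $entry
    }
}

# The high-volume rule the wizard never showed: 10 to any instances of the same
# four types, severity High. The ExceptIf* parameter is the rule's exception:
# an item that also contains an IP address (the speaker's example; pick a type
# that fits your data) is left alone even though the condition above matched.
New-DlpComplianceRule -Name "High volume of content detected U.S. Patriot Act" `
    -Policy "U.S. Patriot Act" `
    -ContentContainsSensitiveInformation (New-VolumeBand -Min "10") `
    -AccessScope NotInOrganization `
    -ExceptIfContentContainsSensitiveInformation @(@{ Name = "IP Address" }) `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser LastModifier, Owner `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent Severity, RulesMatched, Detections, DocumentLastModifier `
    -ReportSeverityLevel High

# A third "medium" rule is possible, but the bands must not overlap or one item
# fires two rules: e.g. 1-9 Low, 10-49 Medium, 50-any High (an assumed split).
# New-VolumeBand -Min "10" -Max "49" would build that medium band.

# "Stop processing additional DLP policies and rules" is accepted only when the
# policy's sole location is Exchange, so it goes in a separate policy here.
New-DlpCompliancePolicy -Name "U.S. Patriot Act (Exchange only)" `
    -ExchangeLocation All -Mode TestWithNotifications
New-DlpComplianceRule -Name "SSN sent externally - stop processing" `
    -Policy "U.S. Patriot Act (Exchange only)" `
    -ContentContainsSensitiveInformation @(@{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" }) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -ReportSeverityLevel High `
    -StopPolicyProcessing $true `
    -Priority 0

# Check the policy -> rules -> conditions/actions structure, with severity and
# the stop flag, for both policies.
foreach ($p in "U.S. Patriot Act", "U.S. Patriot Act (Exchange only)") {
    Get-DlpComplianceRule -Policy $p |
        Sort-Object Priority |
        Format-Table Name, Priority, ReportSeverityLevel, StopPolicyProcessing
}
```

If you try to set StopPolicyProcessing on a rule whose policy also covers SharePoint, OneDrive or Teams, the service rejects it with the same Exchange-only message the portal shows, which is why the example keeps that rule in a policy of its own.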
One of the things that people wonder about data loss prevention is what the default policies are that are in place when you set up your Office subscription. So I want to take a look at that with you guys. Now here we are on portal.microsoft.com. We're going to click Show all and we're going to go to the Compliance Center. So we're going to click the Compliance blade, and that's going to bring us into the Compliance Center. We're going to click Data Loss Prevention, then we're going to click the Policies menu option.
And right there, you'll see the Default Office 365 data loss prevention policy. So we're going to click on that and then we're going to click to edit the policy. Once we're inside this policy, we're going to go ahead and click Next. And this default policy is pretty simple. It applies to Exchange, SharePoint and OneDrive. Okay. And that includes all Exchange groups, SharePoint sites, OneDrive group accounts, all that. So we're going to go ahead and click Next there. And you'll notice that there are two rules here, and the first one says items containing one to nine credit card numbers shared externally. So it's a real simple policy. It's just looking for credit card numbers. If you edit that, you'll see that that's the only sensitive info type that it's looking for.
Of course you can go through and add and edit things if you want to change these defaults. But you have the one to nine there, and that is set to a low severity level. And then you have the ten plus, which, if you scroll down, you'll notice is also set to a low severity level. So unlike a lot of times when you go through and create a new custom policy, it doesn't set it to high; it's just a low severity level, okay? But it does have ten plus, and you can adjust these settings as well. So ultimately the only thing that it's really focused on when it comes to data loss prevention policies within a tenant for default settings is credit card numbers. All in all, though, it's the same types of stuff that you've already seen with data loss prevention policies.