Posey's Tips & Tricks
Restricting Sensitive Data in Microsoft 365
Microsoft 365's built-in Data Loss Prevention tools make it easier for IT teams to safeguard sensitive data and prevent misuse across email, SharePoint, OneDrive and more.
In any organization, the IT department must take steps to ensure that sensitive data is not mishandled. In some organizations, there can be severe regulatory penalties for the mishandling of sensitive data. However, the way that this data is handled should be a concern even for smaller organizations that are not regulated. Imagine the damage that could be done, for instance, if employees were to handle such data through email. Data could be compromised simply because an employee decided to check their email from an infected personal device. Similarly, there is always a risk that an employee might deliberately exfiltrate data.
Fortunately, Microsoft 365 contains a Data Loss Prevention (DLP) feature that is designed to prevent this sort of thing from happening. Better still, it is relatively easy to create DLP policies that can be used to protect your organization.
So with that said, let's work through the process of applying a DLP policy to a Microsoft 365 application with the goal of preventing sensitive information from being improperly used. In order to do so, you will need the Compliance Administrator role (or an equivalent role) in Microsoft 365. Your organization will also need to have access to Microsoft Purview Data Loss Prevention.
To get started, open Microsoft Purview and then click Data Loss Prevention, as shown in Figure 1. This will cause the browser to open the Data Loss Prevention dashboard. Now, click on the Policies tab and then click on the Create Policy button. This will take you to the interface, shown in Figure 2, which walks you through the process of creating a DLP template.
Figure 1. Open Microsoft Purview and click the Data Loss Prevention tile.
Figure 2. This is the interface used to create a DLP policy.
As you can see in the figure above, the Create Policy wizard offers several categories of templates. For the purposes of this article, choose the Custom option and then click on Custom Policy (found within the Regulations column), and then click Next.
At this point, you will be taken to a screen that asks you to name the policy that you are creating. I recommend using a descriptive name and also entering a detailed description in the space provided. The reason for this is that over time, you can accumulate a significant number of DLP policies, and it is helpful to be able to use the policy description to determine why a policy was created. Once you have entered a policy name, click Next to move on to the next screen.
The next screen that you will be taken to is the Admin Units screen, which lets you choose the admin units that you want to assign to the policy. Admin units are optional, but since they require an E5 license and aren't supported for all locations, it's best to just click Next unless you have a compelling reason to use them.
Now, you will be taken to the Locations screen. Here you will need to choose which Microsoft 365 workloads the policy will be applied to. As an example, you can apply a DLP policy to Exchange mailboxes, SharePoint sites, and OneDrive accounts. You can also apply the policy to devices, instances (third-party apps) and on-premises repositories. You can use the Edit links found on this screen if you need to apply the policy at a more granular level. As an example, you might wish to apply a policy to a specific SharePoint site as opposed to applying the policy to all SharePoint sites.
Click Next and you will be taken to the Define Policy Settings screen. Make sure that the Create or Customize Advanced DLP Rules option is selected and then click Next. This will take you to the Create Rule screen.
Enter a name for the rule that you are creating and then click Add Condition. When prompted, choose the Content Contains option and then click Add and choose the Sensitive Info Types option. Select the types of sensitive information that you want to scan for, and then click Add. You can see what this looks like in Figure 3.
Figure 3. You can add various types of sensitive information to the policy.
Click Save, followed by Next. You will now be taken to the Policy Mode screen. Here you can choose to enable or to disable the policy. There is also a simulation option that you can use to test the policy. As a best practice, it's a good idea to run policies in simulation mode until you have confirmed that the policies are behaving as expected. Click Next, followed by Submit to create the policy.
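The same policy can be built from Security & Compliance PowerShell, which is the practical route once you have more than a handful of policies to keep consistent across tenants. The script below is an added example, not code from the article; it assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds the Compliance Administrator role, and that the tenant, policy, rule and SharePoint site names are hypothetical placeholders. It mirrors the wizard steps above: a descriptively named and commented custom policy, locations (all Exchange mailboxes and OneDrive accounts, but only one SharePoint site), a rule that fires when content contains the chosen sensitive information types, and simulation mode until the results have been reviewed.

```powershell
# Added example (not from the original article): build the DLP policy described
# above with Security & Compliance PowerShell instead of the Purview wizard.
# Assumptions: ExchangeOnlineManagement module installed; Compliance Administrator
# role; tenant UPN, policy/rule names and the SharePoint site URL are hypothetical.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.onmicrosoft.com'   # hypothetical tenant

# Check the exact display names of the built-in sensitive information types first;
# the rule below must reference them by name.
Get-DlpSensitiveInformationType |
    Where-Object { $_.Name -match 'Credit Card|Social Security' } |
    Select-Object Name, Publisher

# Step 1: the policy. Descriptive name plus a comment explaining why it exists,
# scoped to Exchange, all OneDrive accounts and a single SharePoint site.
# -Mode TestWithoutNotifications is the cmdlet's equivalent of simulation mode:
# matches are logged but nothing is blocked or notified.
$policyName = 'Block PII Leaving Org (Custom)'
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Detects card numbers and SSNs shared outside the tenant. Owner: Security Ops.' `
    -ExchangeLocation All `
    -OneDriveLocation All `
    -SharePointLocation 'https://contoso.sharepoint.com/sites/Finance' `
    -Mode TestWithoutNotifications

# Step 2: the rule. Condition = content contains one or more of the listed
# sensitive info types AND it is shared with people outside the organization.
# Actions = block access, notify the last person who modified the item, and send
# a high-severity incident report to the site admin.
New-DlpComplianceRule -Name 'PII-External-Block' -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'Credit Card Number';                 minCount = '1' },
        @{ Name = 'U.S. Social Security Number (SSN)';  minCount = '1' }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser 'LastModifier' `
    -GenerateIncidentReport 'SiteAdmin' `
    -ReportSeverityLevel High

# Step 3: confirm what was created and which mode it is running in.
Get-DlpCompliancePolicy -Identity $policyName |
    Format-List Name, Mode, ExchangeLocation, SharePointLocation, OneDriveLocation
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, ContentContainsSensitiveInformation, AccessScope, BlockAccess

# Once the simulation results look right, turn the policy on. Left commented out
# on purpose so the script never enforces anything on first run.
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Two points worth noting. Scoping a policy to a specific site URL rather than `All` is how the wizard's Edit link is expressed on the command line, and the `-AccessScope NotInOrganization` condition keeps the rule from firing on purely internal collaboration, which is usually where a first draft of a DLP policy generates most of its noise. Leave the policy in test mode and review the DLP reports before changing the mode to `Enable`.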
About the Author
Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.