When we look at Data Loss Prevention in Office 365, either in Exchange Online, or in SharePoint Online (included here is OneDrive), people will often think it is only to be used for sensitive data. And in their mind, sensitive data is personally identifiable information, financial information like credit card number or even medical information. However, sensitive data can be so much more. Let’s take SonyGate a few years ago. I bet that their definition of sensitive information goes far beyond that.
Microsoft has done a stellar job in extending their definition of sensitive information with everything they can identify for a large number of people. But what about corporate sensitive data? Legal documents, contracts? How about we start protecting those? And that is exactly what we are going to do in this post. We are going to create a DLP policy to protect contracts. In SharePoint Online there are few ways you can identify a document to be a contract. You can use content types, metadata, etc. I am a huge fan of content types so I am going to use that.
Ok, I am not going to explain how you add a content type to a document library. If you need help for that, there are tons of good videos and blog posts that will explain it in detail. So fast forward to the part where I added the content type to a document library and I upload a document.
Ok. DLP in SharePoint Online can use a search query to activate the DLP rule. Few opening remarks with this though, adding a search query to a DLP rule can’t be done by the user interface. You need to use PowerShell for this. Additionally, any changes you want to make to the DLP rules can’t be done through the user interface. Again, this needs to be done through PowerShell. Before we start however we need to make sure we have a search query we can use in the rules. To do this I am going to create a new mapping between a managed property and a crawled property in SharePoint Online Search. Go to Office 365 > Admin > SharePoint Online > Search > Manage Search Schema. I mapped ows_ContentType to RefinableString01 and added an alias ContentTypeAlias. Trigger a crawl or be patient until the crawl has picked up your document and test it out through a search in SharePoint Online.
This search shows me all the documents with the content type contract.
Success. Now I can create my DLP policy. Like I said before since this functionality is not available through the user interface you need to feel comfortable using PowerShell and understand how a DLP policy and rule is created.
Step 1: Connect to Security and Compliance with PowerShell
$myCredentials = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $myCredentials -Authentication Basic -AllowRedirection
Step 2: Create a DLP Policy. This policy will only apply to SharePoint and OneDrive. If you want to include Exchange you can do that by adding -ExchangeLocation parameter. Check the documentation for more details.
New-DlpCompliancePolicy -Name Contract_policy -SharePointLocation All -OneDriveLocation All -Mode Enable
Step 3: Add a DLP rule to the policy. DLP rules are the brains of the organization so you want to stop and think what you are trying to achieve. DLP is an ideal way to educate people about data security. DLP rules allow you the present a policy tip to the end user explaining what he is trying to do might be in violation of a specific policy. DLP rules should protect data, but there might be a reason why you need to “break” the rule. People should be able to do this, but they need to provide a justification. The last configuration I want to set, I want this rule to apply to sharing with external people. I have no problem with contracts being shared internally. So when you are done, this is what you get. And of course, we use our search term and the content identification to be protected.
New-DlpComplianceRule -Name Contract_content -Policy Contract_policy -AccessScope NotInOrganization -BlockAccess $true -BlockAccessScope PerUser -ContentPropertyContainsWords “ContentTypeAlias:Contract” -Disabled $false -NotifyAllowOverride “WithJustification” -NotifyPolicyTipCustomText “This is a Contoso Contract! Treat as Confidential” -NotifyUser “Owner”
One the DLP is activated and had time to put its rules on the document, this is what the end-user will see when he tries to share a document with an external user that has the content type contract.