With the release of the Security and Compliance Center within Office 365 you are now able to manage complex features that have been missing for some time. One of these core features is Data Loss Prevention. Data Loss Prevention within Office 365 allows you to define policies that capture and act on content matching a set of rules, while notifying the end user that the content has violated a rule.

In this post, we will walk through creating Data Loss Prevention policies using the new wizard recently updated in Office 365.

To access the Security & Compliance center, navigate to the Office 365 Administration Center. Once there expand the Admin Centers blade and choose Security & Compliance.

This will open the Security & Compliance center within a new tab of your browser. Once it is loaded expand the Data loss prevention blade and then select Policy.

Once the Policy page has loaded, any existing policies will be displayed in the view. If there are none, it will be blank, allowing you to create new policies as needed. To create a policy, click the “+ Create Policy” button; the wizard will slide in from the right of the browser over the top of the current page.

A DLP Policy is made up of a Sensitive Type, Locations of Content and specific Policy Settings. To choose the Sensitive Type, select the category from the displayed panel and then choose the actual type.

Once the Sensitive Type is selected, the details of the chosen option will be displayed. For example, U.S. State Breach Notification Laws is a combination of Credit Card Number, U.S. Bank Account Number, U.S. Driver’s License Number and U.S. Social Security Number (SSN). Once selected you can name the policy and then move on to the location options.

Currently Data Loss Prevention supports only specific locations; you cannot point it at an arbitrary location. The default option is: All locations in Office 365. Includes content in Exchange email and OneDrive and SharePoint documents. You can however select specific locations, turning them on or off, and then specify the SharePoint Sites or OneDrive Accounts to include.

To add a SharePoint Site or a OneDrive location, click Choose sites or Choose accounts, enter the URL needed and add it to the list; you can then add more as needed. Note that the URLs for SharePoint Sites need to be the site collection URL, so https://name.domain.com, whereas OneDrive sites need to be https://name-my.sharepoint.com/personal/username.

Next you need to specify whether to use simple settings or advanced settings. Simple settings allow you to modify the sensitive types and then choose when they should be detected.

All settings can be modified from the rule screen, from Conditions, Actions, User Notifications, User Overrides and Incident Reports. As an example, for the selected sensitive types each metric that is defined by default can be changed as needed.

Once the settings have been completed as needed the entire rule can be saved, and it can then either be tested or applied and made live.
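The same policy the wizard builds across the steps above (sensitive type, locations, rule settings, save and test) can be created from Security & Compliance PowerShell. The following is an added example and is not code from the original post or from Microsoft; the policy name, the site and OneDrive URLs, the admin account and the policy-tip text are placeholders, and the `Connect-IPPSSession` cmdlet from the ExchangeOnlineManagement module is the current way to connect (at the time of the post the same endpoint was reached with a remote PSSession). The sensitive-information-type names are the four the post lists for U.S. State Breach Notification Laws.

```powershell
# Added example (not from the original post): build the wizard's DLP policy with
# Security & Compliance PowerShell. Names, URLs and tip text below are placeholders.

# Connect to the Security & Compliance PowerShell endpoint (ExchangeOnlineManagement module).
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com   # placeholder account

$policyName = 'US State Breach Notification Laws'   # placeholder policy name

# 1. Sensitive Type: the four types that make up U.S. State Breach Notification Laws.
#    minCount is the per-type instance count the wizard exposes as a metric.
$sensitiveTypes = @(
    @{ Name = 'Credit Card Number';                minCount = '1' },
    @{ Name = 'U.S. Bank Account Number';          minCount = '1' },
    @{ Name = "U.S. Driver's License Number";      minCount = '1' },
    @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' }
)

# 2. Locations: the wizard defaults to all of Exchange, SharePoint and OneDrive.
#    Here Exchange stays at All while SharePoint and OneDrive are scoped to specific
#    locations; note the site-collection and "-my.sharepoint.com/personal/" URL shapes.
#    Mode TestWithNotifications matches "test" in the wizard: policy tips show,
#    incident reports are generated, but nothing is blocked yet.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Mirrors the Security & Compliance Center wizard walkthrough' `
    -ExchangeLocation All `
    -SharePointLocation 'https://contoso.sharepoint.com/sites/finance' `
    -OneDriveLocation 'https://contoso-my.sharepoint.com/personal/jdoe_contoso_onmicrosoft_com' `
    -Mode TestWithNotifications

# 3. Rule: Conditions, Actions, User Notifications, User Overrides and Incident Reports,
#    the five groups shown on the wizard's rule screen.
New-DlpComplianceRule -Name "$policyName - external sharing" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation $sensitiveTypes `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText 'This item contains regulated personal data and cannot be shared outside the organization.' `
    -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent DocumentAuthor, Detections, Title `
    -ReportSeverityLevel High

# 4. Verify what was created, then promote from test to live once the reports look right.
Get-DlpCompliancePolicy -Identity $policyName |
    Format-List Name, Mode, ExchangeLocation, SharePointLocation, OneDriveLocation
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, ContentContainsSensitiveInformation, AccessScope, BlockAccess

# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Leaving the policy in `TestWithNotifications` first is the PowerShell equivalent of the wizard's test option: users see the policy tips and the incident reports accumulate, so false positives on the chosen sensitive types can be tuned (for example by raising `minCount`) before `Set-DlpCompliancePolicy -Mode Enable` starts blocking access.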


As you can see, creating Data Loss Prevention rules is fairly straightforward. Under the covers the process uses SharePoint search to scan content and apply the rules as needed.

The end user experience changes the display of matching files to use a new icon and then, based on the rules, either disables access or allows it while showing policy tips that explain to the end user what should be done.

To learn more about Data Loss Prevention in Office 365 or SharePoint 2016 On-Premises use the following articles:

  • http://sharepointpromag.com/sharepoint/data-loss-prevention-sharepoint-premises-and-online
  • https://blogs.office.com/2017/01/09/unifying-data-loss-prevention-in-office-365/
  • https://support.office.com/en-us/article/View-the-reports-for-data-loss-prevention-41eb4324-c513-4fa5-91c8-8fbd8aaba83b