Creating Advanced DLP Policies with PowerShell
Simon Ågren
September 21, 2024

Table Of Contents

  1. Introduction
  2. Prerequisites
  3. Connecting to Microsoft Purview Compliance PowerShell
  4. Helper Functions for DLP Policies
  5. Creating Advanced DLP Policies
  6. Wrapping up

Introduction

In today’s digital landscape, protecting sensitive information is crucial for businesses of all sizes. Data Loss Prevention (DLP) policies help safeguard your organization’s data by identifying, monitoring, and protecting sensitive information. While basic DLP policies are straightforward and easy to implement, advanced DLP policies provide more granular control and flexibility.

In this guide, we’ll explore how to create advanced DLP policies using PowerShell. We’ll wrap policy creation in helper functions; in practice these are part of larger scripts that also set up labels, sensitive information types (SITs), and DLP policies. The advanced rule settings, including the JSON structures, are usually built dynamically in such scripts, but we’ll write them out explicitly here so the examples are easy to follow.


Prerequisites

Before we begin, ensure you have the necessary permissions to create and manage DLP policies in the Microsoft Purview compliance portal. You will need to be assigned to one of the following role groups:

  • Compliance administrator
  • Compliance data administrator
  • Information Protection administrator
  • Security administrator

Connecting to Microsoft Purview Compliance PowerShell

First, connect to Security & Compliance PowerShell (the Connect-IPPSSession cmdlet ships in the ExchangeOnlineManagement module):

# Connect to Microsoft Purview compliance PowerShell
Connect-IPPSSession

Helper Functions for DLP Policies

Function to Set Up Sensitive Information Types (SIT)

This function uploads a custom Sensitive Information Type (SIT) rule package from an XML file:

# Function to set up Sensitive Information Types (SIT)
function Initialize-SIT {
    param (
        [Parameter(Mandatory)][string]$FilePath
    )
    # -Raw returns the whole file as one string; -ReadCount 0 returned an array of lines,
    # which the encoder would have joined with spaces, dropping the newlines
    $xmlContent = Get-Content -Path $FilePath -Encoding Unicode -Raw
    $byteArray = [System.Text.Encoding]::Unicode.GetBytes($xmlContent)
    New-DlpSensitiveInformationTypeRulePackage -FileData $byteArray | Out-Null
    Write-Host "Sensitive Information Types (SIT) set up." -ForegroundColor Green
}

Function to Create DLP Policies

This function creates DLP policies for different workloads. Every policy starts in TestWithoutNotifications mode, so it is evaluated and reported on but neither blocks content nor shows policy tips; once you have reviewed the matches, switch it on with Set-DlpCompliancePolicy -Mode Enable:

# Function to create DLP policies
function New-DlpPolicies {
    param (
        [Parameter(Mandatory)][string]$PolicyName,
        [Parameter(Mandatory)][string]$Workload,
        [string]$Comment,
        [string]$M365GroupName = "",
        [string]$SharePointUrl = ""
    )
    try {
        # Common parameters; ErrorAction Stop turns the cmdlet's non-terminating errors into
        # exceptions so the catch block below actually runs
        $params = @{
            Name        = $PolicyName
            Comment     = $Comment
            Mode        = "TestWithoutNotifications"
            ErrorAction = "Stop"
        }
        switch ($Workload) {
            "Exchange" {
                $params.ExchangeLocation = "All"
                if ($M365GroupName) { $params.ExchangeSenderMemberOf = $M365GroupName }
            }
            "ODB/SP" {
                $params.OneDriveLocation = "All"
                if ($M365GroupName -and $SharePointUrl) {
                    $params.SharePointLocation = $SharePointUrl
                    $params.OneDriveSharedByMemberOf = $M365GroupName
                } else {
                    $params.SharePointLocation = "All"
                }
            }
            "Teams"    { $params.TeamsLocation = "All" }
            "Endpoint" { $params.EndpointDlpLocation = "All" }
            default    { throw "Unsupported workload: $Workload" }
        }
        $policy = New-DlpCompliancePolicy @params
        Write-Host "DLP policy created for $($Workload): $PolicyName" -ForegroundColor Green
        return $policy
    }
    catch {
        Write-Error $_.Exception.Message
    }
}

Function to Create DLP Rules

This function creates DLP rules. It wraps New-DlpComplianceRule and forwards only the notification and block settings the caller actually passes, so a monitor-only rule is not forced to block:

# Function to create DLP rules
function New-DlpRules {
    param (
        [Parameter(Mandatory)]$Policy,                # policy object from New-DlpPolicies, or a policy name
        [Parameter(Mandatory)][string]$RuleName,
        [Parameter(Mandatory)][string]$AdvancedRule,  # JSON with the rule's conditions and actions
        [string]$NotifyUser,
        [string]$NotifyAllowOverride,
        [string]$NotifyPolicyTipCustomText,
        [bool]$BlockAccess = $false,
        [string]$BlockAccessScope
    )
    try {
        $policyId = if ($Policy -is [string]) { $Policy } else { $Policy.Name }
        # ErrorAction Stop: the cmdlet's errors are non-terminating by default, so catch would never run
        $params = @{ Name = $RuleName; Policy = $policyId; AdvancedRule = $AdvancedRule; BlockAccess = $BlockAccess; ErrorAction = "Stop" }
        # Forward only the settings the caller supplied; the JSON Actions carry the rest
        if ($NotifyUser) {
            $params.NotifyUser = $NotifyUser
            $params.NotifyUserType = "PolicyTip"
            $params.NotifyPolicyTipDisplayOption = "Dialog"
        }
        if ($NotifyAllowOverride)       { $params.NotifyAllowOverride = $NotifyAllowOverride }
        if ($NotifyPolicyTipCustomText) { $params.NotifyPolicyTipCustomText = $NotifyPolicyTipCustomText }
        if ($BlockAccess -and $BlockAccessScope) { $params.BlockAccessScope = $BlockAccessScope }
        New-DlpComplianceRule @params | Out-Null
        Write-Host "DLP rule created: $RuleName" -ForegroundColor Green
    }
    catch {
        Write-Error "Failed to create DLP rule: $_"
    }
}

Creating Advanced DLP Policies

Example 1: Shared Passwords - Teams

Policy Creation

To create a DLP policy for detecting shared passwords in Teams, call the New-DlpPolicies helper, which wraps the New-DlpCompliancePolicy cmdlet. The rule attached to this policy will block access without override and show users a policy tip pointing to the internal password sharing policy.

# Create Password policy for Teams
$PassTeamsPolicyName = "Pilot | Password | Teams | All"
$PassTeamsPolicyDesc = "Detect password shared internally using Teams. Follow internal policy for password sharing."
$PassTeamsPolicy = New-DlpPolicies -PolicyName $PassTeamsPolicyName -Workload "Teams" -Comment $PassTeamsPolicyDesc

Rule Creation

Next, create a rule for the policy with the New-DlpRules helper, which wraps the New-DlpComplianceRule cmdlet. The conditions and actions live in the AdvancedRule JSON: a match on the "Shared password (EN/SV)" SIT with at least 85% confidence, scoped to content shared inside the organization (AccessScope InOrganization), with a block action and a custom policy tip.

# JSON example for internal rule
$InternalString = @'
{
  "Version": "1.0",
  "Condition": {
    "Operator": "And",
    "SubConditions": [
      {
        "ConditionName": "ContentContainsSensitiveInformation",
        "Value": [
          {
            "Groups": [
              {
                "Name": "Standard",
                "Operator": "Or",
                "Sensitivetypes": [
                  {
                    "Name": "Shared password (EN/SV)",
                    "Id": "282af704-4061-4460-bad2-38fdad4b0743",
                    "Mincount": 1,
                    "Maxcount": -1,
                    "Confidencelevel": "Medium",
                    "Minconfidence": 85,
                    "Maxconfidence": 100
                  }
                ]
              }
            ],
            "Operator": "And"
          }
        ]
      },
      {
        "ConditionName": "AccessScope",
        "Value": "InOrganization"
      }
    ]
  },
  "Actions": [
    {
      "ActionType": "BlockAccess",
      "BlockAccessScope": "All",
      "NotifyUser": "LastModifier",
      "NotifyPolicyTipCustomText": "Sensitive information detected. Please follow the internal policy for password sharing."
    }
  ]
}
'@
# Create internal rule for Password policy
New-DlpRules -Policy $PassTeamsPolicy -RuleName "Pilot | Password | Teams | Internal | Any | Block" -AdvancedRule $InternalString -NotifyUser "LastModifier" -NotifyPolicyTipCustomText "Sensitive information detected. Please follow the internal policy for password sharing." -BlockAccess $true -BlockAccessScope "All"

Example 2: Encrypted Labels - SharePoint and OneDrive

Policy Creation

To create a DLP policy for detecting content that carries one of the encryption-enabled sensitivity labels in SharePoint and OneDrive, call the New-DlpPolicies helper, which wraps the New-DlpCompliancePolicy cmdlet. The rule attached to this policy will block access but let the user override by reporting a false positive or giving a justification.

# Create Encrypted Labels policy for SharePoint and OneDrive
$LabelsPolicyName = "Pilot | Encrypted labels | SP/ODB | All"
$LabelsPolicyDesc = "Detect encrypted labels shared in SharePoint and OneDrive."
$LabelsPolicy = New-DlpPolicies -PolicyName $LabelsPolicyName -Workload "ODB/SP" -Comment $LabelsPolicyDesc

Rule Creation

Next, create a rule for the policy with the New-DlpRules helper. The rule matches any of the five sensitivity labels listed in the JSON, applies only when the content is shared outside the organization (AccessScope NotInOrganization), blocks access, and allows override.

# JSON example for external rule using multiple labels
$ExternalString = @'
{
  "Version": "1.0",
  "Condition": {
    "Operator": "And",
    "SubConditions": [
      {
        "ConditionName": "ContentContainsSensitiveInformation",
        "Value": [
          {
            "Groups": [
              {
                "Name": "Standard",
                "Operator": "Or",
                "Labels": [
                  {
                    "Name": "contoso-confidential-encrypted-full",
                    "Type": "Sensitivity"
                  },
                  {
                    "Name": "contoso-confidential-encrypted-edit",
                    "Type": "Sensitivity"
                  },
                  {
                    "Name": "contoso-confidential-encrypted-view",
                    "Type": "Sensitivity"
                  },
                  {
                    "Name": "contoso-strictly-confidential-encrypted-full",
                    "Type": "Sensitivity"
                  },
                  {
                    "Name": "contoso-strictly-confidential-encrypted-view",
                    "Type": "Sensitivity"
                  }
                ]
              }
            ],
            "Operator": "And"
          }
        ]
      },
      {
        "ConditionName": "AccessScope",
        "Value": "NotInOrganization"
      }
    ]
  },
  "Actions": [
    {
      "ActionType": "BlockAccess",
      "BlockAccessScope": "All",
      "NotifyUser": "LastModifier",
      "NotifyAllowOverride": "FalsePositive, WithJustification",
      "NotifyPolicyTipCustomText": "Sensitive information detected. Please make sure you follow the organisation guidelines for sharing information."
    }
  ]
}
'@
# Create external rule for encrypted labels policy
New-DlpRules -Policy $LabelsPolicy -RuleName "Pilot | Encrypted labels | SP/ODB | External | Block" -AdvancedRule $ExternalString -NotifyUser "LastModifier" -NotifyAllowOverride "FalsePositive, WithJustification" -NotifyPolicyTipCustomText "Sensitive information detected. Please make sure you follow the organisation guidelines for sharing information." -BlockAccess $true -BlockAccessScope "All"

Example 3: Sensitive IT Data - Exchange Online

Policy Creation

To create a DLP policy for detecting sensitive IT data in Exchange Online, call the New-DlpPolicies helper, which wraps the New-DlpCompliancePolicy cmdlet. This policy only monitors: nothing is blocked and no policy tip is shown, so matches show up in reports without affecting users.

# Create Sensitive IT policy for Exchange Online
$ITPolicyName = "Pilot | Sensitive IT | Exchange | All"
$ITPolicyDesc = "Detect sensitive IT data shared externally using Exchange Online."
$ITPolicy = New-DlpPolicies -PolicyName $ITPolicyName -Workload "Exchange" -Comment $ITPolicyDesc

Rule Creation

Next, create a rule for the policy with the New-DlpRules helper. Instead of a pattern-based SIT, the condition uses the IT trainable classifier ("Classifiertype": "MLModel"), scoped to content shared outside the organization, and the only action is Monitor.

# JSON example for external rule using trainable classifier
$ExternalString = @'
{
  "Version": "1.0",
  "Condition": {
    "Operator": "And",
    "SubConditions": [
      {
        "ConditionName": "ContentContainsSensitiveInformation",
        "Value": [
          {
            "Groups": [
              {
                "Name": "Standard",
                "Operator": "Or",
                "Sensitivetypes": [
                  {
                    "Name": "IT",
                    "Id": "77a140be-c29f-4155-9dc4-c3e247e47560",
                    "Classifiertype": "MLModel"
                  }
                ]
              }
            ],
            "Operator": "And"
          }
        ]
      },
      {
        "ConditionName": "AccessScope",
        "Value": "NotInOrganization"
      }
    ]
  },
  "Actions": [
    {
      "ActionType": "Monitor"
    }
  ]
}
'@
# Create external rule for IT policy
New-DlpRules -Policy $ITPolicy -RuleName "Pilot | Sensitive IT | Exchange | External | Monitor" -AdvancedRule $ExternalString -BlockAccess $false
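The three rules above share one JSON shape and differ only in the sensitive types, the access scope and the action. The following builder, added here as an example and not part of the original post, generates that JSON from SIT names and resolves each Id from the tenant with Get-DlpSensitiveInformationType, so no GUIDs are hard-coded; it assumes an active Connect-IPPSSession and reuses the New-DlpRules helper and $PassTeamsPolicy from above. New-AdvancedRuleJson is a name chosen for this example.

```powershell
# Added example (not from the original post): build the AdvancedRule JSON shown above
# from SIT names, resolving each Id in the tenant instead of hard-coding GUIDs.
# Assumes Connect-IPPSSession has run; New-AdvancedRuleJson is a name chosen here.
function New-AdvancedRuleJson {
    param (
        [Parameter(Mandatory)][string[]]$SensitiveTypeNames,
        [ValidateSet("InOrganization", "NotInOrganization")][string]$AccessScope = "NotInOrganization",
        [ValidateSet("BlockAccess", "Monitor")][string]$ActionType = "Monitor",
        [string]$PolicyTipText = "Sensitive information detected.",
        [int]$MinConfidence = 85
    )
    $types = foreach ($name in $SensitiveTypeNames) {
        # Fail early on an unknown SIT rather than sending a bad Id to the service
        $sit = Get-DlpSensitiveInformationType -Identity $name -ErrorAction Stop
        [ordered]@{
            Name = $sit.Name; Id = "$($sit.Id)"
            Mincount = 1; Maxcount = -1
            Confidencelevel = "Medium"; Minconfidence = $MinConfidence; Maxconfidence = 100
        }
    }
    $action = [ordered]@{ ActionType = $ActionType }
    if ($ActionType -eq "BlockAccess") {
        $action.BlockAccessScope = "All"
        $action.NotifyUser = "LastModifier"
        $action.NotifyPolicyTipCustomText = $PolicyTipText
    }
    $rule = [ordered]@{
        Version   = "1.0"
        Condition = [ordered]@{
            Operator      = "And"
            SubConditions = @(
                [ordered]@{
                    ConditionName = "ContentContainsSensitiveInformation"
                    Value = @([ordered]@{
                        Groups   = @([ordered]@{ Name = "Standard"; Operator = "Or"; Sensitivetypes = @($types) })
                        Operator = "And"
                    })
                },
                [ordered]@{ ConditionName = "AccessScope"; Value = $AccessScope }
            )
        }
        Actions = @($action)
    }
    # The default -Depth of 2 would silently truncate the nested groups
    return $rule | ConvertTo-Json -Depth 10
}

# Same rule as Example 1, without the hard-coded GUID
$json = New-AdvancedRuleJson -SensitiveTypeNames "Shared password (EN/SV)" -AccessScope InOrganization -ActionType BlockAccess
New-DlpRules -Policy $PassTeamsPolicy -RuleName "Pilot | Password | Teams | Internal | Any | Block" -AdvancedRule $json -BlockAccess $true -BlockAccessScope "All"
```

Pipe the returned string through ConvertFrom-Json before submitting it if you want a quick local check that the structure is valid JSON; the service rejects malformed AdvancedRule input with a generic error that is hard to trace.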

Wrapping up

Creating advanced DLP policies with PowerShell allows you to automate and streamline your data protection efforts, ensuring sensitive information is safeguarded across your organization. By following the steps outlined in this guide, you can create and manage advanced DLP policies efficiently.

Advanced policies provide the granular control needed to handle complex data protection scenarios, making them essential tools for compliance administrators and IT professionals.

Thank you for reading!
/Simon

