Tutorial / Cram Notes
Data Loss Prevention (DLP) is a crucial aspect of a Microsoft Information Protection Administrator’s role, primarily focusing on identifying, monitoring, and automatically protecting sensitive information across various Microsoft services.
Understanding DLP Permissions
Before configuring DLP policies, it is essential to understand the permissions required to manage DLP in the Microsoft 365 compliance center. Users must be assigned appropriate roles to create, manage, and monitor DLP policies.
- Global Administrator: Full access to all administrative features, including the ability to manage DLP policies.
- Compliance Administrator: Can manage compliance features within the Microsoft 365 compliance center, including DLP.
- Compliance Data Administrator: Can manage compliance data, but this role doesn’t provide access to manage DLP.
- DLP Compliance Management: This role group specifically gives permissions to manage DLP policies.
To configure permissions, navigate to the Microsoft 365 compliance center and manage role groups by adding or removing users from these roles as necessary.
Configuring DLP Policies
DLP policies can be configured to protect sensitive information in Microsoft 365 services like Exchange Online, SharePoint Online, and OneDrive for Business. Here’s how:
- Create a DLP policy:
- Go to the Microsoft 365 compliance center.
- Navigate to ‘Policies’ > ‘DLP’.
- Click on ‘Create a policy’ and choose a template or create a custom policy.
- Define what to protect:
- Set conditions for the content that you want to protect. This can include sensitive information types like credit card numbers, social security numbers, or custom sensitive information types.
- Choose where to apply the policy:
- You can apply the policy to locations such as Exchange email, SharePoint sites, and OneDrive accounts.
- Decide if you want to test the policy with or without policy tips:
- Policy tips warn users when they’re about to violate a policy. You can test your policy without enforcing actions, with or without policy tips.
- Set actions:
- If sensitive information is shared inappropriately, you can block access to content or notify users and admins with an email.
- Finalize the policy:
- Review your settings and turn on the policy.
Examples of DLP Permissions Configuration
| Role | Can Create DLP Policies | Can Edit DLP Policies | Can View DLP Reports | Can Delete DLP Policies |
|---|---|---|---|---|
| Global Administrator | Yes | Yes | Yes | Yes |
| Compliance Administrator | Yes | Yes | Yes | Yes |
| Compliance Data Administrator | No | No | Yes | No |
| DLP Compliance Management | Yes | Yes | Yes | Yes |
Monitoring and Enforcing DLP Policies
After configuring DLP policies, it is also important to:
- Monitor policy matches: Use the DLP reports in the compliance center to monitor what information is being detected by your policies.
- Investigate incidents: When a policy match occurs, you can investigate the incident in the compliance center.
- Manage false positives/negatives: Adjust the policy or its conditions if you notice a significant number of false positives or negatives in your reports.
Examples of DLP Policy Actions
| Condition | Action | Example |
|---|---|---|
| Credit card number detected | Block content from being shared | A user tries to send an email outside the organization with a credit card number which gets blocked. |
| Sensitive information shared publicly | Email notification to administrator | An admin gets notified if an employee uploads a document with PII on a public SharePoint site. |
In conclusion, effectively configuring permissions for DLP in Microsoft 365 requires understanding the different roles and their capabilities, establishing clear policies based on sensitive information types, and regularly monitoring and adjusting these policies for optimal data protection. By following these guidelines, a Microsoft Information Protection Administrator can ensure that their organization’s sensitive data is properly shielded from potential data breaches and compliance risks.
Practice Test with Explanation
True or False: Data Loss Prevention (DLP) policies apply to content at rest, in use, and in motion.
- True
True
DLP policies in Microsoft 365 protect sensitive information across different states including when data is at rest (in storage), in use (being processed), and in motion (being transmitted).
Which of the following can be a location for DLP policy enforcement? (Select all that apply)
- A. Microsoft Teams chat messages
- B. Windows 10 endpoint devices
- C. Personal Gmail accounts
- D. SharePoint Online sites
A, B, D
DLP policies can be applied to Microsoft Teams chat messages, Windows 10 endpoint devices, and SharePoint Online sites. Personal Gmail accounts are not controlled by Microsoft DLP.
True or False: You must have global administrator privileges to configure permissions for DLP.
- False
False
To configure permissions for DLP, you don’t need global administrator privileges. You can have roles such as Compliance Administrator or Data Loss Prevention Compliance Management.
Which role is specifically responsible for managing DLP in Microsoft 365?
- A. Compliance Administrator
- B. Global Administrator
- C. SharePoint Administrator
- D. DLP Compliance Manager
D
While several roles can manage DLP settings to some extent, the DLP Compliance Manager is specifically tailored to include permissions for managing DLP policies in Microsoft
True or False: DLP permissions can be configured at the policy level.
- False
False
DLP permissions are not configured at the individual policy level. Permissions are managed through roles within the Microsoft 365 compliance center, not at the policy level.
Who has the ability to override a DLP policy?
- A. Any user with the link to the content
- B. Users with Override permissions
- C. Only the global administrator
- D. All users by default
B
Only users with Override permissions, which are configured within the DLP policy settings, have the ability to override a DLP policy.
True or False: You can create custom sensitive information types for use in DLP policies.
- True
True
In Microsoft 365, administrators have the ability to create custom sensitive information types that can be used in DLP policies to better match an organization’s specific data protection needs.
Which of the following actions can be taken by a DLP policy? (Single select)
- A. Automatically encrypt sensitive content
- B. Disable user accounts
- C. Create new content
- D. Expand storage capacity
A
A DLP policy can automatically encrypt sensitive content that matches policy rules, protecting it from unauthorized access.
True or False: DLP policies in Microsoft 365 can prevent the sharing of sensitive information on third-party applications.
- True
True
DLP policies in Microsoft 365 can extend to certain third-party applications and services to prevent the accidental sharing of sensitive information if integration and monitoring are supported.
In what scenario would you set permissions for a DLP policy? (Single select)
- A. To restrict who can create or modify DLP policies
- B. To determine which external domains can receive sensitive data
- C. To enable DLP policy tips for end-users
- D. To allocate storage for DLP reports
A
Permissions for a DLP policy are set to control which users within the organization are allowed to create or modify DLP policies.
True or False: All DLP actions are logged and can be reviewed in the audit log.
- True
True
DLP actions are logged and these logs can be audited within the compliance center to track actions taken on sensitive data under the organization’s DLP policies.
The DLP Compliance Manager can manage:
- A. Only policies they have created.
- B. Policies across the whole organization.
- C. Only endpoint DLP policies.
- D. Only Exchange email DLP policies.
B
The role of a DLP Compliance Manager includes permissions to manage DLP policies across the whole organization, rather than being restricted to policies they have created or to specific types of DLP policies.
Interview Questions
What is DLP (Data Loss Prevention), and how does it work?
DLP is a solution designed to help prevent data leaks or exfiltration. It works by identifying, monitoring, and protecting sensitive data across an organization’s network, including data at rest, data in use, and data in transit.
What are the different roles involved in managing DLP policies?
There are three roles involved in managing DLP policies the DLP super user, the DLP administrator, and the DLP author.
What is a DLP super user, and what is their role?
A DLP super user is a user with unrestricted access to all DLP functionality. Their role is to manage the DLP service, configure its settings, and manage DLP policies across the organization.
What is a DLP administrator, and what is their role?
A DLP administrator is responsible for managing and implementing DLP policies. Their role is to create, test, and implement DLP policies, monitor DLP reports, and analyze DLP incidents.
What is a DLP author, and what is their role?
A DLP author is responsible for creating DLP policies, which define what actions the DLP service should take when it identifies sensitive information. Their role is to create policies based on the organization’s regulatory requirements and best practices.
What are the different levels of permission that can be assigned to DLP roles?
The different levels of permission that can be assigned to DLP roles are none, view-only, author, and administrator.
What is the None permission level, and what access does it provide?
The None permission level provides no access to DLP functionality.
What is the View-only permission level, and what access does it provide?
The View-only permission level provides read-only access to DLP policies and reports.
What is the Author permission level, and what access does it provide?
The Author permission level allows the user to create and edit DLP policies, but not to manage DLP settings or perform administrative functions.
What is the Administrator permission level, and what access does it provide?
The Administrator permission level provides full access to DLP functionality, including the ability to create and manage policies, configure DLP settings, and perform administrative functions.
How can permissions for DLP roles be configured across different admin centers?
Permissions for DLP roles can be configured across different admin centers by assigning permissions in the Microsoft 365 compliance center and in the Microsoft 365 admin center.
What is the difference between the Microsoft 365 compliance center and the Microsoft 365 admin center?
The Microsoft 365 compliance center is designed for compliance-related tasks, such as managing DLP policies, reviewing compliance reports, and managing eDiscovery. The Microsoft 365 admin center is designed for tasks related to managing users, groups, and resources.
How can DLP policies be tested before they are implemented?
DLP policies can be tested before they are implemented by configuring the policies in test mode, which allows you to see how the policies will behave without actually enforcing them.
How can DLP incidents be tracked and managed?
DLP incidents can be tracked and managed through the DLP reports in the Microsoft 365 compliance center. These reports provide information on the incidents, including the number of incidents, the type of data involved, and the actions taken to address the incidents.
This blog post on configuring permissions for DLP is really helpful. Thanks!
I’m having trouble figuring out how to assign permissions to a DLP policy. Can anyone help?
When dealing with DLP policies, is it better to use built-in templates or create custom ones?
How do I check if my DLP policies are working correctly?
Can someone explain the difference between ‘Audit’ and ‘Enforce’ modes in DLP?
Great post, very informative.
I’m confused about how exceptions work in DLP policies. Any advice?
Why isn’t my DLP policy applying to OneDrive files?