You can create DLP policies for SharePoint sites, OneDrive, and Microsoft Teams in the same way you can create custom policies for Exchange Online. As shown in the following screenshot, you can select the appropriate option from the Choose locations to apply the policy page, depending on your requirements:
Figure 7.19 – Choosing a Microsoft 365 SaaS application
So far, we have covered the recommended data loss prevention policy solutions for an organization, configuring data loss prevention for policy precedence, and configuring policies for Exchange Online, SharePoint sites, OneDrive, and Microsoft Teams. In the next section, we will look at integrating Microsoft Defender for Cloud Apps with information protection and configuring policies with Microsoft Defender for Cloud Apps.
Integrating Information Protection with, and configuring policies in Microsoft Defender for Cloud Apps
It is possible to use DLP policies for non-Microsoft cloud apps as part of the Microsoft 365 DLP suite of features. This feature is traditionally used to monitor and detect situations where sensitive data is being used or shared via non-Microsoft cloud applications.
There are two ways in which you can create DLP policies for non-Microsoft cloud applications:
- Create file policies in the cloud app security portal.
- Create DLP policies in the Microsoft 365 Compliance Center and select Microsoft Defender for Cloud Apps as the location.
With file policies, you control the actions that Microsoft Defender for Cloud Apps takes when a policy match occurs. DLP policies, however, give you even more control over non-Microsoft cloud apps, because they can be built from the same sensitive information types, rules, and reporting options as the rest of your Microsoft 365 DLP policies.
Before creating file policies, you will potentially need to activate file monitoring from within Microsoft Defender for Cloud Apps. Perform the following steps to enable Microsoft Defender for Cloud Apps to see files in the SaaS apps:
1. Go to the Cloud App Security portal at https://portal.cloudappsecurity.com.
2. Click on the Settings cog in the top-right corner of the portal.
Figure 7.20 – Settings within the Microsoft Defender for Cloud Apps portal
3. Navigate to the Information Protection section and select the Files option.
Figure 7.21 – Information Protection settings
4. To enable file monitoring, ensure that the Enable file monitoring option is checked and click on Save.
Figure 7.22 – Enable file monitoring option
Once this setting has been configured, you can create file policies in Microsoft Defender for Cloud Apps. To utilize all the features of the Compliance Center to monitor non-Microsoft cloud applications, you must connect these applications to Microsoft Defender for Cloud Apps. Only then will they be available to you in the Microsoft Defender for Cloud Apps location of your DLP policies. You must complete this requirement to finish integrating Microsoft Defender for Cloud Apps into data loss prevention.
If you do not select a specific app instance for the policy, the policy applies to all applications connected to Microsoft Defender for Cloud Apps. When creating a DLP policy, you can restrict the actions taken in non-Microsoft applications by choosing Restrict Third-Party Apps. This lets you select an action for every supported non-Microsoft cloud application; the actions that are available depend on what the cloud app's API supports.
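The procedure described in this section (selecting Microsoft 365 locations, then adding Microsoft Defender for Cloud Apps as a location) can also be scripted in Security & Compliance PowerShell. The following is an added example written for this chapter, not the book's own code, showing a DLP policy that covers SharePoint, OneDrive, Teams and all connected non-Microsoft apps, created in test mode and then verified. The policy and rule names, the comment text and the admin UPN are placeholders; the parameter `ThirdPartyAppDlpLocation` (and its `ThirdPartyAppDlpLocationException` counterpart mentioned in the note below) is assumed from the `New-DlpCompliancePolicy` documentation and should be confirmed in your tenant with `Get-Help` before use.

```powershell
# Added example (not from the book): create a DLP policy whose locations are
# SharePoint, OneDrive, Teams and the non-Microsoft apps connected to
# Microsoft Defender for Cloud Apps, then verify the locations it applies to.
# Requires the ExchangeOnlineManagement module and a Compliance admin role.
# The ThirdPartyAppDlpLocation parameter is assumed; confirm it exists with:
#   Get-Help New-DlpCompliancePolicy -Parameter ThirdPartyAppDlpLocation

Import-Module ExchangeOnlineManagement

# Placeholder UPN: replace with a compliance administrator in your tenant.
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com

$policyName = 'Contoso-CreditCard-CloudApps'   # assumed policy name
$ruleName   = "$policyName-Rule"               # assumed rule name

# Start in test mode: matches are logged and reported, nothing is blocked and
# users are not notified. Only switch to Enable after reviewing the reports.
# 'All' for ThirdPartyAppDlpLocation is the PowerShell equivalent of not
# selecting a specific app instance in the portal: every connected app is in scope.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Detect credit card numbers in M365 and connected cloud apps' `
    -SharePointLocation All `
    -OneDriveLocation All `
    -TeamsLocation All `
    -ThirdPartyAppDlpLocation All `
    -Mode TestWithoutNotifications

# Rule: match on the built-in Credit Card Number sensitive information type,
# raise a high-severity report and send an incident report to the site admin.
New-DlpComplianceRule -Name $ruleName -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -ReportSeverityLevel High `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent Title, Service, Severity, DetectionDetails

# Verification: confirm the policy exists, is in test mode and lists every
# intended location, including the Defender for Cloud Apps location.
Get-DlpCompliancePolicy -Identity $policyName |
    Format-List Name, Mode, SharePointLocation, OneDriveLocation, TeamsLocation, ThirdPartyAppDlpLocation

# When the test-mode reports look right, enforce the policy:
#   Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

To scope the policy to particular app instances rather than every connected app, pass the instance names to `-ThirdPartyAppDlpLocation` instead of `All`, or keep `All` and exclude instances with `-ThirdPartyAppDlpLocationException` (assumed parameter, as noted above). The per-app actions chosen under Restrict Third-Party Apps in the portal still depend on what each app's API supports, so check the resulting rule in the Compliance Center after running the script.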
In this section, you learned how to enable file monitoring in Microsoft Defender for Cloud Apps and how to apply DLP policies to non-Microsoft applications. In the next section, we will configure file policies in Microsoft Defender for Cloud Apps.