In this chapter, we will continue to explore configuring Information Protection within Microsoft 365. There will be an exercise for which you will need access to Microsoft 365 with Global Administrator rights. If you have followed the exercises in the previous chapter, you should now have the relevant trial licenses. However, if you have not yet set up a Microsoft 365 trial tenant, please follow the instructions in Chapter 1, Preparing for Your Microsoft Exam and SC-400 Exam Objectives.
Configuring data loss prevention for policy precedence
When data loss prevention (DLP) policies, and the rules contained within a policy, are processed, the order in which they are evaluated is referred to as policy precedence. The order in which rules are evaluated can be manually configured, with the lowest priority number being processed first. By default, the first rule created is configured as priority 0, the next as priority 1, and so on in sequence.
Although only one DLP policy is enforced, all potential policy matches are in the logs, and you can also see this information in reports.
Specific condition matches can have configured actions that contradict each other. For example, you can configure a DLP policy that blocks personal data from being shared externally, with no override allowed, and another policy for financial data that does allow end users to perform overrides. In this scenario, if only the final matching policy were applied rather than the policy with the highest priority, a user could potentially hide personal data within an email that also contains financial data and choose the override built into the financial data policy's block action. Because the personal data policy has a higher priority, however, it is applied instead.
Now, let’s look at how we can change the priority rule to give a different policy a higher precedence.
Amending rule priority
In the financial data example we provided earlier, the rule for a high volume of matches was given a lower priority than the rule for a low volume of matches. Although a high number of matches is more restrictive, a user can still potentially choose the override option that is enabled in the low-volume rule.
Both actions are logged in this scenario, but it could potentially be a long time until an admin checks logs and takes the required action.
The following steps outline how to change the order in which the DLP rules within a policy are given priority. To make these changes, you will need the DLP Compliance Management role:
1. From within Microsoft 365 Compliance Center, navigate to Policies.
Figure 7.1 – Policies
2. From within the Policies section, navigate to Data and then click on Data loss prevention.
Figure 7.2 – Data loss prevention option
3. Select the Policies tab, highlight the policy you want to amend, and then click on the edit button (which looks like a pencil).
Figure 7.3 – Editing the DLP policy
4. Click on Next two times to navigate to the Customize Advanced DLP Rules section.
Figure 7.4 – Customize advanced DLP rules
5. Click on Edit next to the low volume rule you wish to change:
Figure 7.5 – Editing the Low volume rule
6. Click on the drop-down list in Additional Options and select the new priority for this rule. For the highest priority, select 0.
Figure 7.6 – Changing rule priority
The preceding instructions show how to make the changes from within the Microsoft 365 Compliance Center. However, you can make these changes via PowerShell as well. The following cmdlet, run in a Security & Compliance PowerShell session, changes the priority of the Low Volume of Financial Data DLP rule to the highest priority (0):
Set-DlpComplianceRule -Identity "Low Volume of Financial Data" -Priority 0
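The following script is an added example and is not from the book or from Microsoft's documentation. It wraps the same priority change in a before-and-after view of all rules in one policy, and adds a check for the situation described above: a rule that allows a user override being evaluated ahead of a rule in the same policy that blocks without override. It assumes the ExchangeOnlineManagement module is installed, that the account holds the DLP Compliance Management role, a policy name of "Financial Data" (assumed), and that Get-DlpComplianceRule returns BlockAccess and NotifyAllowOverride properties (an assumption to verify against your own tenant's output).

```powershell
# Added example (not the book's code). Lists the rules of one DLP policy in
# evaluation order, flags override-enabled rules that outrank no-override block
# rules, then promotes one rule to priority 0 and re-reads the policy.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession    # interactive sign-in to Security & Compliance PowerShell

$policyName    = 'Financial Data'                 # assumed policy name
$ruleToPromote = 'Low Volume of Financial Data'   # rule name used in the chapter

# Returns the policy's rules sorted by Priority (0 is evaluated first).
function Get-DlpRulePriorityTable {
    param([string]$Policy)
    Get-DlpComplianceRule -Policy $Policy |
        Sort-Object Priority |
        Select-Object Name, Priority, BlockAccess, NotifyAllowOverride
}

# Flags any override-enabled rule whose priority number is lower (i.e. evaluated
# earlier) than a rule in the same policy that blocks with no override allowed.
# Assumes BlockAccess is a boolean and NotifyAllowOverride is empty when no
# override is permitted; check both against your tenant before relying on it.
function Find-OverrideBeforeBlock {
    param([object[]]$Rules)
    $blockers = $Rules | Where-Object { $_.BlockAccess -and -not $_.NotifyAllowOverride }
    foreach ($rule in $Rules) {
        if (-not $rule.NotifyAllowOverride) { continue }
        foreach ($b in ($blockers | Where-Object { $_.Priority -gt $rule.Priority })) {
            [pscustomobject]@{
                OverrideRule     = $rule.Name
                OverridePriority = $rule.Priority
                BlockRule        = $b.Name
                BlockPriority    = $b.Priority
            }
        }
    }
}

Write-Output "Rule order before the change:"
$before = Get-DlpRulePriorityTable -Policy $policyName
$before | Format-Table -AutoSize

$findings = Find-OverrideBeforeBlock -Rules $before
if ($findings) {
    Write-Output "Override-enabled rules evaluated ahead of no-override block rules:"
    $findings | Format-Table -AutoSize
}

# The same change the chapter makes in the portal and with Set-DlpComplianceRule.
Set-DlpComplianceRule -Identity $ruleToPromote -Priority 0

Write-Output "Rule order after the change:"
Get-DlpRulePriorityTable -Policy $policyName | Format-Table -AutoSize
```

Run the script once read-only (comment out the Set-DlpComplianceRule line) to confirm the property names and the current ordering before applying the change; the before-and-after tables are also a convenient record to attach to the change ticket.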
With that, we have changed the rule’s priority. In the next section, we will look at changing the policy’s priority.