Everything You Need To Know About Data Loss Prevention In Microsoft 365 | Peter Rising MVP

Captions
Hello there and welcome along to the channel once again. It's so good to see you again, and I'm really excited that this is the final video in the MS-102 study series that we've been going through in the last few weeks on the channel. Our final subject today is DLP, or data loss prevention. Before we get into it, a quick bit of housekeeping: if you've not already done so, please subscribe to the channel. It's so important; it helps me to grow. Please also like the video as well. That helps me to reach more people, and for YouTube to distribute the video around to more individuals so we can help them learn, which is what the aim of the channel is: to learn, share and repeat. So, grateful for your support. Please do keep on liking, commenting, sharing, all that good stuff. But let's get into it. Let's get into our final topic in this series, DLP. Come up!

Well folks, we are almost at the end of the study guide for MS-102. The last section we have to cover is implementing Microsoft Purview data loss prevention, or DLP for short. We have got three bullet points to go through in this final section: we need to cover implementing DLP for workloads such as email and Teams and SharePoint etc.; implement endpoint DLP, which is a whole separate thing in and of itself; and respond to and review DLP alerts, events and reports. We should be able to cover all this in one video, I'm thinking. Let's wrap this up. So let's dive straight in, and we need to be back in our old favourite, the Microsoft Purview compliance portal at compliance.microsoft.com. Make sure you're logged in, as ever, with the appropriate admin credentials, Compliance Administrator for example. Here I'm in as a Global Administrator; in the real world you would certainly not be suggested to do that. Global admin is very, very specific in terms of its use. But anyway, let's take a look at what DLP is all about, and we can navigate to the solution on the left-hand Solutions bar under Data loss prevention. We have a few sections here. We can take a look at the overview page first of all, and here we have a couple of informational points at the top. It's telling us, similar to what we saw in sensitivity labels, that if your role group permissions are restricted to a specific set of users or groups, you'll only be able to view data for those users or groups. So you can view those role groups there and learn more about those role group permissions. We also have the option here to protect even more sensitive information on Windows endpoint devices by turning on advanced classification, which allows your endpoint DLP policies to detect named entities and exact data match classifiers in files on users' devices. So we've looked at exact data match in previous videos, very briefly albeit, and I do intend to do a bit more of a deep dive on exact data match in a future video very soon, hopefully, because it's a very fascinating subject and very, very useful. So I'm going to go ahead and turn that on, because that is a really good setting to have on. And there we go, nice and simple: you can now create or update endpoint DLP policies to detect named entities and exact data match classifiers in files on those devices. There we go. And you can go right into the settings, and that takes you to the endpoint DLP settings. We'll come back to that because that's skipping ahead.

So, back to that overview screen. What have we got on this section first? Well, we've got these tiles here, and we can see how we can look to protect sensitive info within our tenant, and we've got some insights here. It's showing us that there are 118 unprotected documents in SharePoint and OneDrive that contain sensitive financial, healthcare, human resource, IP and trade secrets, or account info. The recommended action for that is to detect these types of documents and notify you when they're shared with people outside your org, so you can take action right from here. You can get started, and if you click on that, it's going to give you some quick actions to set up default DLP policies, which is pretty awesome, absolutely awesome. So what this is going to do is create the selected policies for medical healthcare information policies, financial information policies, HR information policies. So let's actually do that. Let's go ahead and set up those default DLP policies. This is great; this is taking a lot of the work away for us, which is a wonderful thing because, let's face it, admins, security admins, compliance admins, we've all got a ton of stuff to do, right? We need to save ourselves time wherever this is possible. Now we'll take a look and see what that's created for us in a moment. What we can also do from this point is that we can actually go ahead and view the detected documents, which is awesome. We can see here: to explore a particular category, we can click on it and see all the matching documents and files and locations. So all medical terms and conditions, all full names, US driver's license, and we can go ahead and click on those to see the details. By clicking on the three dots there, the ellipsis, we can view the details, and it takes us into Content explorer, which is a feature within the compliance centre itself, further up in the Content explorer. And here it takes us right into that sensitive information type. We can drill down; we can see in the OneDrive and SharePoint sections here we've got matching items. So let's take a look. We can expand these out, and we can see exactly what is matching, what these documents are, what we need to take care of and where the offending folder is. I can see that I've got some content in the folder called MS-500, which is all the content for a book that I've been writing on the now almost defunct MS-500 exam guide. Now that has been repurposed as a general admin guide as a result of that happening. But anyway, very, very useful. So you can drill down a bit further, all the documents, and you can see the sensitive information types that are matching. You can see trainable classifiers that are matching as well. Superb.

Let's go back to DLP. Where were we? We were in the overview screen. So this is absolutely fantastic. We can stay informed about DLP; we can follow setup guides, read docs, get all the latest news. We can see the top activity detected; there is none at the moment. We can look at our device health overview and view affected devices that may be not quite up to date or fully protected; that relates to endpoint DLP, of course. We have adaptive protection, which is a very, very new feature of Microsoft Purview and DLP, which allows you to automatically mitigate potential risks, and it combines data loss prevention and insider risk management capabilities to help minimize risky activity early. So lots of cool stuff, and we're going to turn that on. I will turn that on because it's something I will want to do a video of in more depth at a later time. So let's get that turned on.

Extend protection to auto-labeling. So what it's telling us here is we have already policies protecting sensitive info in email; extend that protection quickly by setting up auto-labeling policies that apply a sensitivity label to email matching those same conditions as your DLP policies. If we click on Get started, there we go, it's telling us that the policies below, which it has set up for us, are protecting emails, so select one to set up an auto-labeling policy that automatically applies a sensitivity label to the email that matches the same conditions. So we've got Default customer account info M365 policy, Default finance info protection policy, HR, healthcare, IP and trade secrets. Let's select the finance one, and right from in here we can create that auto-labeling policy. We can give it a name, we can choose the sensitivity label that we want to apply automatically (you'll remember these from the last video, the General, Personal and Confidential ones that we set up), and we can choose our label, Confidential for example, and run the policy in simulation mode, which is probably where I would suggest starting. Don't turn it on right away, or you can leave it off. We've got a little note here: since encryption is turned on, a large amount of content might be automatically encrypted, so be mindful of that, as we said in the last video. I'll not see that through; I don't want to do that right now. So we'll cancel out of that and we'll get back on topic. But that's a quick view of the overview screen. Adaptive protection turned on very quickly there; we can go to that straight away now, and that's going to take you into Insider risk management, but again, we don't want to do that just now. It's basically linked DLP to insider risk management there. So there we go, overview screen.

So now let's go into Policies, and as you can see, we have some DLP policies here already. We have got Default policy for devices, we've got Default DLP policy for Teams, and much like sensitivity labels, we have an order of priority. This is the order in which the DLP policies will be processed, so this order matters, but as you will see as we go through the DLP policies, you can affect that by turning off processing of further DLP policies under certain conditions. Now, a key thing to be aware of here: when you select these auto-created DLP policies, as we have just done, it sets them to On. Be very, very, very careful of that. This is not something I would recommend doing in the real world. I would go through, and if I were using this method to create the policies (it's a good way of getting some good policies in place), I don't want them to be on right away. So I'm going to first go in and I'm going to change that immediately. So I'll select the first one, the Default policy for devices, and I am going to edit the policy. There we go. Now, once a policy has been created, you cannot change the name of the policy. So it's done all this for us: it's created a name of Default policy for devices; it's given us a lovely long description, much more diligent than I am, as you will know by now. I normally just put 'test' in there
at all, or nothing at all, but this is how a description should be: this policy detects the presence of credit card numbers in files and devices. Brilliant stuff; this is what we want. So we can change that description here, but we can't change the name. So this is what you'll see, by the way, when you create a new DLP policy. So the experience is the same; if you edit it, it goes through that creation wizard once again. Now, much like sensitivity labels, you can also use admin units, which I'll remind you is still a preview feature. A reminder that admin units is a feature that allows you to create units of administrators that have responsibility for certain groups of users within the organization, and it's probably most appropriately configured in situations in large organizations that have a multi-geo presence throughout the world, or due to regulatory reasons where certain teams or departments in an organization need to be segregated. So we're not going to configure this; admin units is something we can look at in another video at some point.

Locations: where is the policy going to be applied? Now, this one is a devices policy, so it's going to apply to devices. So there we go, we've got Devices selected; we have no other location selection checked here, but you can see that we could have chosen Exchange email, SharePoint sites, OneDrive accounts, Teams chat and channel messages, Defender for Cloud Apps, On-premises repositories and Power BI. We don't want to change any of that, so let's go Next. Here we have the rules for DLP. Now, when you create a policy from scratch, you can create it with the default rule configuration or you can customize advanced DLP rules, and in this situation what we have here is a Low volume of content match and a High volume of content match rule, both of which we can edit. We can toggle these on and off as we need to, but let's take a quick look at editing these rules here. We'll start with the low volume one, and the low volume one will most typically have the less restrictive or less aggressive settings in place. So what this is going to do: this rule is matched if one to nine credit card numbers are detected in a file when a user performs certain device-related activities. When detected within a 24-hour period, the activity is only audited and not blocked, and admins will not receive alerts. So we're basically looking for those matches, one to nine instances, and it's a less aggressive action. In the conditions, which we can see here, we can see that we are looking for a sensitive info type of the type Credit card number; we're setting that to be a high confidence level that that is what the match is going to be, and the instance count matches what we have above in the description, one to nine. And then under Actions we have Audit or restrict activities, and here we can see that under Service domain and browser activities it will detect when protected files are blocked or allowed to be uploaded to cloud service domains, based on the allow/block cloud service domains list in the endpoint DLP settings. Now, what you will note as you become more familiar with DLP is that the actions and selections that you see in these advanced DLP rules will change depending on the location type you have selected for the policy. So as we have a device-based, endpoint DLP type policy here, the rules reflect the fact that this relates to devices, and you'll see where these settings are configured more broadly in a few moments in this video when we look at those core settings for endpoint DLP. So there we go, and then we've got Audit only, but we could be more aggressive: we could Block with override, or we could just Block. File activities for all apps: so here we have the option to restrict or not restrict file activity. We could apply restrictions to specific activity, so we've got some choices here in terms of what happens when there are certain matched activities, like copying to a clipboard, copying to a removable USB device or a network share, printing activity, and so on and so on. And we have the option here (these are all set to Audit only, because this is the low volume of matched content, less aggressive), but we could make that selection change to Block with override, or just Block. I'll explain Block with override shortly, as we go forward as well. So there we go. File activities for apps in restricted app groups: this is a preview feature. So restrictions enforced for apps in restricted app groups, which we'll see how you configure in the core settings shortly, will override any restrictions you configure in the File activities for all apps above. So this is an override setting to that; so you could add a restricted app group into here if you so wish, but we'll not do that. And then we have Restricted app activity. So this detects when apps that are on the restricted apps list defined in the endpoint DLP settings (which again we're going to get to) are used, and again we have that set to Audit only. We can add further actions here, so we can choose to tweak this policy by restricting access or encrypting the content in Microsoft 365 locations, or further audit activities. So we can change these policies that have been set up for us.

Now, earlier on we saw that we did not have user notifications set up; that was clear in the description for this rule. So this is where you control that, and user overrides as well. Now, what we mean by overrides is, when a rule is applied as part of a DLP policy match, you can choose whether you want the user to have the ability to override that policy, if you want to give them that feature, that capability, if you trust the users, basically, to have the awareness, and the confidence in them that they can make that decision. So that's a very important thing to consider in terms of setting up your DLP policies and rules. If you do want to allow those overrides from the users, then another thing you can do is require a business justification to override, so they can override, but before they can proceed they will be required to enter a justification, which is then audited, and then you can view that justification in Activity explorer. We then can configure some settings for incident reports, so we can choose the severity level in admin alerts and reports. So this is a low volume of content match, so we have Low, but we can choose Medium and High as well. You'll remember that at the top the description showed us that admins are not going to be alerted when there's a rule match, so that is toggled to Off. And then there's some additional options there: if there's a match for this rule, stop processing additional DLP policies and rules, and that's what I was alluding to in the order of priority and why it matters. So if this rule is matched for a user, then you can choose to stop processing further rules in the list order, and you can then choose to change the priority level of this particular rule. So this is number one; we could move that up the list to be zero, and the more you have, obviously, the more you'll have to select there. So that is fine, and then if you've made any changes you can click Save. We've not made any changes there, so we'll click Cancel.

Let's briefly go through and look at some of the differences in the high volume rules. Now this one, the high volume, is matched if 10 or more credit card numbers are detected in a file when a user performs certain device-related activities. When detected within that 24-hour period, the activity is only audited, not blocked, but in this case admins will be alerted in email. So again, it's not going too aggressive; we're not blocking, we're just auditing again, but we're going to alert the admins on this occasion. So we'll see some differences here: we'll see an instance count of 10 to Any; here we've got Audit only again. Similar principles. This high volume one is actually not as aggressive as I thought it was going to be. I thought it would have a bit more difference in it, but we've got the alert to admins selected for this one, which is basically the only difference. What I really wanted to get to here, though: you'll remember that these policies and rules were created automatically for us. I don't want this turned on right away. I never do that with DLP; always keep it off until you're ready, or, more appropriately, what you should do is you should test it out first. And if anything, test it out first, but don't show those policy tips in test mode just yet, because policy tips are visual cues that the users will see in their applications on their devices, which show them when there's been a policy match and give them actions that they can take, such as overriding and providing a justification. But from an admin point of view, you may want to just test it out first to basically see what would happen when there's a policy match, so you'll be able to audit that activity and make sure that the policies and rules are doing what you expect them and want them to do, and if they're not, you can tweak them. Then, when you're happy, what you can do is you can tick this one and show the policy tips, and target the policy to not everyone: have a proof of concept group, have a pilot group of users who are going to test it out for you and who you can educate. So this gives you the control in terms of rolling out DLP in the most successful way: testing, testing, and educating users, and then, and only then, expanding it out and turning it on completely. So that's a big, big flaw to watch out for in terms of creating those policies automatically; definitely, definitely watch out for that. So I'm going to submit those changes, and it's going to change those settings for me, and in a moment, when it has finished, we should see... yeah, it's updated. I don't want to do any of the related tasks. Now we've got even more DLP policies. Now, I did wonder when we went in there why I only saw two, because I thought it had created a lot more for me,
but now I can see that the other ones have also been created, so I just needed to be a bit more patient. But now you'll see that I have got this one set to Test with notifications. So there we go. So let's take a little bit of a look at one more. Let's look at this Default DLP policy for Teams and see how that differs, because this is targeting service settings rather than device settings. So if we go into this one, we shall see some different things. OK, so if we edit, again we go through the same thing, and we can see that this policy detects when the sensitive info below is shared in Teams messages, and after turning it on you'll be able to monitor alerts to help you decide whether to refine the policy further by adding policy tips to educate users, or protection actions to control sharing. OK, so Next. Admin units, we're not interested in that just at the moment. Now, as you can see here, we have Teams chat and channel messages selected as the only workload here. So there we go. Now, you can mix and match; you can have different services and locations within the same policy, but I quite like having these separated out as much as possible. It just makes things easy to manage. But there are some awareness pieces that you need to consider in relation to things like Teams and OneDrive and SharePoint, and Exchange email for that matter, in terms of where things are stored.

Now, first and foremost, before I even get to that, there are some license considerations as well. Now, to be able to successfully use DLP with Teams chat and channel messages, you need to have an E5 license. That is not true of many of these other services: you can do DLP for Exchange email and SharePoint sites and OneDrive accounts with the E3 license subscription; you don't need that E5. Now, you do need E5 for the Teams chat and channel messages. You do need it for some other selections as well; I believe it may be the case for devices as well, and probably for Defender for Cloud Apps, but I'll put some links in the description for some of the DLP licensing permutations for you to take a look at. But those are things to watch out for. Also, if you're wanting to take account of protecting content relating to Teams, you'll notice that this is just for chat and channel messages; it does not account for files that are stored within Teams. Now, if you want to protect that content, you need to select SharePoint sites to cover that. So there are also situations where you might have files that are shared within those chats as well, and that content would be stored in the individual's OneDrive account also. So again, there are various permutations in terms of what you need to consider. Basically, to cover yourself, you need a good, diligent set of DLP policies that is going to take care of all of these locations. You need DLP for all of these to make sure that you are fully protected for all of those scenarios. Really, the core DLP policies that any organization needs to begin with are these top four: you need Exchange email, SharePoint sites, OneDrive accounts, and Teams chat and channel messages. You probably do need Devices as well. Endpoint DLP has been around a while now, but it has its challenges, shall we say. It's not the easiest to configure and get right and get it to do what you want it to do. I think it's got a ways to go, but it's good; it's a starting point. But just be aware that it has its difficulties. But these last three, these are the real niche ones, if you like, or these last four even, in many ways. So again, you can filter down who you want to include or exclude in any of these locations. And always do that: always begin with a smaller group, a pilot group, a proof of concept group. So choose who you want to include or exclude as needed.

Let's take a look at the advanced DLP rules. In this case we have only the one recommended rule for Teams here; we haven't split it into low and high volume of content. The conditions here: content contains any of a particular set of sensitive information types, so that's US bank account numbers, US/UK passport numbers, credit card numbers, Social Security numbers, EU debit card number, etc., and we want to send an alert to an administrator. So let's just have a look and see how that differs slightly from an endpoint DLP type of policy. Again, when we go into the edit rule, we can see the name, which we cannot change; the description, monitor for those card details, with a rule to alert the administrator. We get a look at the Content contains matches here, and there's a lot in here: we've got US bank account number, US/UK passport number, and you can add here as well; you can add more sensitive information types into there that you want, if you want to; you can add trainable classifiers as well. Absolutely fantastic. So we've got confidence levels in here; we've got some set to medium confidence, some set to high confidence. Instance count here: because we've only got one rule, we don't have a low volume and a high volume; this is an instance count of 1 to Any, to count all the matches. We can add further conditions in here as well; we can add Content contains, and then we can add more, so we can do that. So we'll just get rid of that. We can add User's risk level for adaptive protection; we can put in Content is shared from Microsoft 365, recipient domain, sender domain, sender, recipient, lots of good stuff we can add to this if we need to. User notifications again: we've got those off here, but we could toggle those to On, so we can switch those on and off, and as you can see, when we expand that toggle switch we get some other options there. We can choose to notify users in Office 365 with a policy tip; we can then customize that policy tip text if we want to. So I'll not change that. We can select the user overrides as well, but we need that user notification on, I believe, in order to configure that. Yeah, that one greys that out, so yeah. And here's where you would put those settings into place, so allow the overrides from M365 services; you can require a business justification to override; you can also override the rule automatically if the users report it as a false positive. And just remember that this all gets audited; it's all good stuff. I'm not going to change these here; I'm just going to demonstrate that you can. Incident reports: use this severity level in admin alerts and reports, so you can choose Low, Medium or High. We have the Send an alert to admins when a rule match occurs setting toggled to On here, and it's automatically added in my user here because I've created the policy. We can add or remove groups here, and then we can control how the alerts behave: we can send an alert every time, or we can send an alert when the volume of matched activities reaches a threshold. So we've got this one set to instances more than or equal to 10 matched activities during the last 60 minutes for all users, or you can set that to a single user. So you can get very granular here in terms of what you want to have in your DLP policy rules. We can also use email incident reports to notify you when a policy match occurs. Now, here you have to be very, very careful what you select. So you can send notifications to these people: site admin is automatically included, but you can also add or remove other people here as needed. Now, all incident reports include information about the item that was matched, where the match occurred, and the rules and policies that triggered. You can also include more information in the report, such as the name of the person who last modified the content, the types of sensitive content that matched the rule, the rule's severity level, the content that matched the rule, including the surrounding content, and the item containing the content that matched the rule. Now, these last two here: be very, very careful about that, because bear in mind that anyone who's going to get
these notifications is going to be able to view this content. Now, that means, as an example (and I actually had this happen; I heard a story of this happening at a customer that I visited some years ago), the CEO had sent out an email with his banking details, and was confident doing so, rightly or wrongly, but the CSO had found out that DLP was set up and these were ticked, and in going in and seeing these incident reports, those selected to receive them could see the CEO's banking details, which is not on, basically. So be very, very careful with these settings; think about who you want to be able to see these notifications. So lots to consider. So that's just to illustrate what you can do with those email incident reports. I'll toggle those off again, and we're not going to make any changes, but that just gives you an idea of those rules. The policy mode again: no, please don't do that to me, I want to test it out first. And I want to submit and change that, and we are all good to go. Amazing, right, there we go, done and done.

OK, next let's have a quick look at the endpoint DLP core settings, and then we'll come back and look at alerts and Activity explorer. So, Endpoint DLP settings: these settings apply to all existing and new DLP policies that protect content on endpoint Windows and Mac devices, and support for some of these settings differs between Windows and Mac devices, so learn about the differences. Yes please, we will have that link to share with you. So there's a lot of drop-downs in here that you can configure in relation to your endpoint DLP settings. Let's go through them and see what they do. First of all, Advanced classification scanning and protection: when turned on, this setting allows the Microsoft 365 cloud-based data classification service to scan items, classify them and return the results to the local device. This means that you can take advantage of classification features such as exact data match and named entities within your DLP policies. So we have got that one toggled on already. We can modify the allocated bandwidth limits as well: sending content from the local device to the cloud services for scanning and classification can utilize a large portion of network bandwidth. Should this be a concern, you can set a per-device limit for how much bandwidth can be used within a 24-hour period. If this limit is exceeded, DLP stops sending content to the cloud and data classification will continue locally on the device. If bandwidth utilization isn't a concern, you don't have to set a limit. So, a very handy feature, one that should be very carefully considered. Next, File path exclusions for Windows: files in these Windows device locations will not be monitored by your policies. You can add in the file path exclusions, nice and simple. So there may be situations where you want to exclude things in the DLP policies. The same for Mac: you can do exactly the same for Mac to exclude certain file paths if required. Next setting: Set up evidence collection for file activities on devices. Setting up online storage will let you store and collect original files as evidence when any rule matches for configured file activities. Learn more about setting up the storage: yes please, we'll have that link for you as well. We can toggle this setting on and set the evidence cache on a device; you can set the cache here for 60 days, 30 days or seven days. We can go ahead and add our storage here; we can put in our name and our URL to our valid storage. Very nice. OK, so make sure to check out that link about setting up storage. Network share coverage and exclusions: you can extend endpoint DLP coverage to network shares and mapped network drives. Let's have that link, yes please, again. Let's toggle that on. Files in these network shares won't be monitored by your policies, so we can add in a network share path exclusion as needed. Yes, that's fine, I'm happy with that. Restricted apps and app groups: here you can control the level of access that specific apps have to the sensitive content detected in your DLP policies. So create groups of apps to enforce different access restrictions for each group, or add apps individually to one list to apply the same restrictions. Learn more: yes please. OK, Restricted app groups there, and Restricted apps below. So you can add an app group: you can add your group name, your description, enter the app name and the executable name. You can also quarantine files that are blocked from accessing apps in the group. So, the same for apps, similar principle, and we've got some example ones here that are already added in. So we've got restricted apps: Notepad++ and the executable name; we have Atom as well. You can see how it works, pretty simple. Auto-quarantine settings: edit these settings to specify a location on users' devices where files should be quarantined if they are blocked from accessing an unallowed app that has the auto-quarantine option selected. You can also replace the blocked file with a custom text file to let users know why the file was blocked and where it was moved to. So the auto-quarantine status is On, and we can edit these settings here. So we can toggle it on or off, and we can enter the path to a folder where the files will be quarantined, and the path of the folder where the files will be quarantined for macOS, and you can also choose to replace the file with a text file that contains the following text. So, really cool stuff. Then you get some information on what that does: when the blocked file is moved to the quarantine folder, this text file will be added to the location where the blocked file was previously stored. It'll have the same name as the blocked file. Enter text letting users know why the file was blocked and where it was moved to. Cool stuff. Unallowed Bluetooth apps: here we can add or edit unallowed Bluetooth apps. So you can toggle this on or off; we can add the app and the executable name. So when a policy's copy or move unallowed Bluetooth app setting is selected
and uses attempt to use these Bluetooth apps to copy or move protected files from a Windows device to another location the activity will be blocked or blocked but users can override the Restriction all activity is audited and available to review in activity Explorer very nice browser and domain restrictions to sensitive data so here you can restrict sensitive files that match your policies from being shared with unallowed browsers and service domains so firstly unallowed browsers will be blocked from accessing files protected by your policies when blocked users will be prompted to access the files using Microsoft Edge where they'll be able to interact with the content but be prevented from uploading to unallowed service domains so users who have important note here users who have the Microsoft purview extension installed on their devices will not be blocked when using Chrome even if Chrome is listed as an unallowed browser so always watch out for these little informational alerts there so we can add or edit on allowed browsers and we can see here we have some in the list already who knew there were so many browsers actually the obvious ones are towards the top of the list but there you go nice stuff indeed we have service demands as well and this one is set to off but you can set it to allow or block instead so here we can control whether sensitive files protected by your policies can be uploaded to specific service Cloud demands from Microsoft Edge or Google Chrome provided the Microsoft purview extension is installed on their devices let's just have that link so you can choose block to prevent certain domains from accessing these files or allow to specify save domains so here we can add a cloud service domain into the list there we go next we have sensitive service domain groups so you can configure the groups of service domains that contain sensitive data so similar principle but just add groups of domains there instead of individual domains additional settings 
for endpoint DLP okay business justifications for policy tips you can control how users interact with the business justification option in policytip notifications that appear on the devices this option appears when users perform an activity that's protected by the block with overwrite setting and DLP policy so you have some settings here to show the default options and a custom text box you can only show the default options or only show the custom text box you've got some options there in terms of how you can control those settings you can also customize the options in the drop down menu so here we have four different five different options that you can that you can control there should you uh should you have that that feature enabled always order the file activity for device as well that that would seem to be a very sensible one to have on so by default when devices are onboarded activity for office PDF and CSV file is automatically audited and available for review in the activity Explorer so turn this off if you want this activity to be audited only when on-boarded devices are included in an active policy so you've got some good controls there in terms of how that is going to be audited so file activity will always be audited for onboarded devices regardless of whether they are included in an active policy printer groups printing okay so these can be used in your endpoint DLP policies to apply different restrictions to a specific group of printers so we can create a group name there and we can add a printer um and I couldn't even begin to test this right now because I don't have any printing but uh in prints these days are probably probably way more people than I realize I'm probably being very uh anti-printer there in my attitude so shame on me but let's move on because I hate printers removable USB device groups so here removable USB device groups can be used in your endpoint DLP policies to apply different restrictions to a specific group of USB devices so 
again you can create similar to The Printers really group names and add removable USB device and so on Network share groups similar principle you can create the network share groups there and then finally and then finally the last setting here an endpoint DLP is VPN settings so when setting up endpoint DLP policies you can apply different restrictions to activity performed when users are connected to your organization using the vpns that are included here so you can add or edit a VPN address if you're using a VPN in your organization so there we go when configuring the policy to restrict activity unit devices you can control what happens to each activity performed when users are connected two-year-old by using the vpns that you add here so there we go so lots and lots of settings you can configure in the core endpoint DLP settings here and you should carefully consider these how they are set up before you create and deploy any DLP policies that are targeted towards endpoint devices there we go so that we've been through overview we've been through policies we've looked at endpoint DLP settings let's take a look at alerts and activity Explorer now I'm not going to see any alerts in here just at the moment because this is a very very new uh clean demo tenant and we've just set up those DLP policies uh I'm trying to think if I may have another talent I can show you I may have a look in a moment but uh any alerts that you have will be displayed in here and you can filter by time range and user and a lot of status um but um there's no one else to show here you will have to turn on alerts for your DLP policies to view the alerts here and you can learn how to turn on the alerts if you haven't right here and the capabilities of the alerts dashboard let's let's have those lovely links to uh to help you and we'll include those in the video description okay what have we got up here as well uh did you know you can now manage your DLP alerts in the Microsoft 365 Defender portal 
and alerts are automatically combined into incidents which provide a comprehensive view into potential policy violations and advanced tools for investigation remediation so you can learn more about the incidents from here or indeed go to the incidents page that it's referring to I think we're probably going to get a similar experience from the activity Explorer so here I mean activity Explorer is by no means um limited to DLP in the broader sense I mean in this instance it is because it's under DLP so we're going to see only DLP specific activity Explorer content in here but if you go further up uh under data classification you you would see all activity Explorer um alerts as it happens we don't have any because of the nature of this tenant but again you would be able to review activity related to content that contains sensitive info or has labels applied such as what labels would change files are modified and more and it's modified across exchange SharePoint OneDrive and endpoint devices support for more locations coming very soon so I've quickly switched over to another tenant which is a little bit more advanced uh in terms of what you can see under data loss prevention in the activity Explorer here we can see a bit more content we can see that a label was changed or a label applied this was actually me in the previous video I think the other day on the sensitive information uh or rather sensitivity levels that we that we could so any DLP related activity would appear in here as well uh under alerts there was no alerts to show in this one either but I did get a little bit further in terms of being able to show you some of the usual behavior and this can again vary depending on your policy settings that the users will encounter so I opened a Word document and I put in my credit card and National Insurance number details I will blur these out but even if I did not remember to do so they are fake numbers so they're not going to be of any use to anyone uh it didn't 
detect it didn't bring up a policy tip in word online but what uh I did see is that when I tried sending a message uh with my credit card details in uh we got a result we had a a message was flagged here what can I do so your message was flagged due to an organization policy credit card number uh here's what you can do if you think the message was flagged in error you can report it to your admin reporting will not unflag the message so you can report or or not depending on what you want to do as a user this is why it's important to train the users for What to Expect When You're deploying DLP they're going to get different experiences different capabilities across teams across devices across other services in M365 and the um and things like their documents in OneDrive and SharePoint and so on email is another good example it can be explained it can be deployed to exchange online so I composed a new email here which I started typing out and as I typed in my credit card number into the email you can say I've already got a few uh tips here I'm getting the following recipient is outside your organization I can see that it's encouraging me to send during work hours because I'm recording this on a weekend here's the policy tip though your message conflicts with a policy in your organization show the details okay the recipient isn't authorized to receive this type of information so I can remove the recipient or I can view details about the information that appears sensitive so I can learn more that and it shows me the message appears to contain sensitive information type of credit card number again I have the option to report the policy that this has triggered on this tenant is not giving me an override option so on that policy I obviously don't have that configured but what it's saying here the recipient isn't authorized to receive this information so remove the recipient what that probably means is that the policy rule that is matched here is set to trigger when such 
content is sent outside the organization so if I remove the recipient what I will probably find in the the warning goes away so um I'm trying to think which Talent am I on uh who could I send a message to who was on the same 10 and do I still have James Smith yes I do there we go we've got James who is in the same tenant as me and because that rule only applies to external there we go the policy rule does not come up so there you go you can see the power of DLP and what on the various permutations and why it's very important to take your time get it right um crawl then walk then run have a good diligent testing period proof of concept pilot group and in that pilot involve helpful users across the organization but also and I always say this in any situation like this involve the more challenging users as well the ones who are going to ask the awkward questions the ones who are going to criticize any change or be fearful of change and on day one of something being launched into production if it isn't quite right they're going to be having a big smile on their face saying I Told You So this isn't as good as the old way of doing things so these are the things you need to consider when you're thinking about your DLP deployments so lots to think about DLP is amazing it's very powerful but it's got to be done right or you can get into all sorts of problems okay let's start winding up and that's it folks we're done we're all done with ms102 I'm so so thrilled uh at the response to this series and really happy that we've got all the videos done and you should now all be in great shape to learn all about uh Ms 102 and uh know more about M365 in general from the very beginning and Azure ad lots of good content that we've covered I may do a final debrief on this because I think there are one or two final considerations that I'd like to share with you in terms of study prep and so on and so forth but I'd love to know your thoughts on the series as well um I've had some 
wonderful comments in each video so far and people reaching out to me on LinkedIn and Twitter seeing how much they've enjoyed and it and how much it has has helped them on their Journey so thank you so much for that your support really means a great deal to me but um what's next well there's more content to come don't worry there's the beauty of this Platformers as it's ever growing and ever giving so there's always plenty to share there's always new features changes there's more exam guides we can do as well I need to get back to e-discovery I've had a lot of you asking me when I'm going to get back to my e-discovery series and I wanted to get this one done before we got back to e-discovery so look out for that it'll be coming very very soon so nothing's going to change there's going to be more videos coming uh and I'm so so enjoying this journey with you and uh talking to those of you who've reached out so thank you once again reach out to me on Twitter the link is down there uh please do not forget to like share and subscribe uh to the channel thank you so much and I'm gonna leave it there stop talking because I talk too much and uh we'll see you all on the next video coming real soon take care bye now thank you
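Added example, not from the video or from Microsoft's own documentation: the "credit card number sent to an external recipient" rule that produced the Outlook policy tip in the demo, built with Security & Compliance PowerShell instead of the portal, starting in test mode for the pilot the video recommends. It assumes the ExchangeOnlineManagement module is installed and you sign in as a Compliance Administrator; the policy name, rule name and tip text are made up.

```powershell
# Added example (not the video's or Microsoft's code). Builds the external-recipient
# credit card rule from the demo with Security & Compliance PowerShell.
# Assumes: ExchangeOnlineManagement module installed; Compliance Administrator account
# (no need for Global Admin). Policy/rule names and tip text are constructed.
Connect-IPPSSession

$policyName = 'Pilot-CreditCard-External'   # constructed name

# 1. Policy scoped to Exchange, SharePoint, OneDrive and Teams.
#    TestWithNotifications = "crawl": users see policy tips and matches land in
#    Activity explorer, but nothing is blocked until the mode is changed below.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Pilot: credit card numbers leaving the organisation' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# 2. Rule: built-in "Credit Card Number" sensitive info type, matched only when the
#    content goes outside the org (-AccessScope NotInOrganization). That is why the
#    demo message to James Smith, an internal user, raised no tip.
#    No -NotifyAllowOverride is set, so the tip offers "remove the recipient" and
#    "report" but no override, matching what the video shows.
New-DlpComplianceRule -Name "$policyName-Rule" -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText "The recipient isn't authorized to receive this type of information. Remove the recipient or contact the compliance team." `
    -GenerateAlert SiteAdmin `
    -GenerateIncidentReport SiteAdmin `
    -ReportSeverityLevel High

# 3. Verify the configuration before telling the pilot group about it.
Get-DlpCompliancePolicy -Identity $policyName |
    Format-List Name, Mode, ExchangeLocation, SharePointLocation, OneDriveLocation, TeamsLocation
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, AccessScope, BlockAccess, NotifyUser, NotifyAllowOverride, GenerateAlert

# 4. "Run": after the pilot period, switch the policy to enforcement. Blocking and
#    the alerts in the Defender portal start only from this point.
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Keep the policy in TestWithNotifications for the whole pilot and review Activity explorer for false positives from your "challenging users" before running step 4.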
Info
Channel: Peter Rising MVP
Views: 9,180
Keywords: Data Loss Prevention, M365, Microsoft 365, Azure AD, Azure Active Directory, DLP, Purview, Microsoft Purview, Security, Cybersecurity, data, loss, prevention, data loss prevention in cyber security, data loss prevention tools, data loss prevention (dlp), data loss prevention software, data loss prevention explained, data loss prevention interview questions, data loss prevention tutorial, data loss prevention policies, data loss prevention analyst, data loss prevention (explanation)
Id: 5zQ-MOXjCcA
Length: 58min 18sec (3498 seconds)
Published: Sat May 20 2023