Data Loss Prevention: Resolve Issues That Affect DLP Policy tips

By Ashwin Venugopal -

 







Introduction

If you experience a problem concerning Microsoft Purview Data Loss Prevention (DLP) policy tips, initiate an automated diagnostic for DLP policy tips within the Microsoft 365 admin center. The diagnostic evaluates the configuration of DLP policies and rules for policy tips, highlights any issue found, and provides recommendations for solutions. 

Run Diagnostic For DLP Policy Tips

To run the diagnostic:
  1. Select "Run Tests: DLP policy tips" button to open the diagnostic in the Microsoft 365 admin center.
  2. Enter the below information-
    • User Principal Name (UPN) or email address of the user.
    • DLP rule name or GUID.
    • Outlook or OWA (Outlook on the web)

      3. Go for Run Tests button.

DLP Policies in Exchange Online

DLP policies are where DLP policy tip settings are set up. Due to the deprecation of old Exchange Online Data Loss Prevention policies in the Exchange admin center, it is recommended to move any DLP polices you generated in Exchange Online to the Microsoft Purview compliance portal. You may observe unexpected outcomes for policies that haven't been transferred, including the policy tips not being displayed. 

Policy Configuration Errors

Although user notifications are used to establish the policy, the policy's current state differs from the rule's settings. Use two or more rules that detect the same sensitive data categories with the same instance count value and confidence level may also result in a policy configuration error. Such a configuration is troublesome and superfluous. It is necessary to follow only one rule.

Policy Configurations Not Supported in Outlook 2013 and Later Versions

  • Not all policy conditions are met- This situation generally arises when an external sharing condition that is set up in a policy causes policy tips to not function as intended in Microsoft OneDrive for work or education and SharePoint in Microsoft 365. 

  • MailTips aren't enabled (Outlook 2013 and later version clients only)- For Outlook 2013 and later version clients, MailTips should be enabled. In order to do that, first ensure that policy tips are enabled. Follow these steps to do this-
    • In Outlook, select File > Options > Mail.
    • Scroll to the MailTips section, and then select MailTips Options.
    • In the Select MailTips to be displayed selection dialog box, make sure that the policy tip notification option is selected. 
    • Under the MailTip bar display options, make sure that the Display automatically when MailTips apply option is selected.
    • Select Ok two times to close File window.
    • Restart Outlook.

  • GetDLPPolicyTip call not found in Fiddler trace- If DLP policy tips don't work as expected, use a Fiddler trace to troubleshoot DLP policy tips. 
    • Collect the Fiddler trace file when you reproduce the issue.
    • In the POST request, check the DetectedClassificationIds value. If the value field isn't empty, this means that the DLP policy matches the policy rule. 

If you don't find the GetDLPPolicyTip call, and if the DetectedClassificationIds value field is empty in the response, then-

  1. Check whether the DLP policy is enabled and configured correctly.
  2. Check whether your user enter the correct sensitive information and valid recipients or senders to trigger the policy.

  • Client doesn't support MailTips- There are several Outlook client licenses that don't support policy tips. Outlook license requirements for Exchange features lists the Outlook client licenses that support DLP policy tips.  

  • File-system configuration not supported- No policy tip is displayed if the following conditions are true-
    • You're running Outlook 2013 or later version clients on Windows 7.
    • You try to attach a file that's formatted as Adobe PDF version 10 or later versions to an email message that should trigger a DLP policy tip.

  • Invalid test data- Sensitive information type entity descriptions indicate that the test data being utilized is invalid for evaluating the DLP policy rule's instance count and confidence level. Verify the validity of the test data you use. 

Conclusion

The issues that affect DLP policy tips are resolved via above steps.



Comments

Post a Comment

Popular posts from this blog

Deployment (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Microsoft Monitoring Agent (MMA) MMA is used across multiple Microsoft solutions and has undergone a few name changes as its features and functionality have evolved. If it is being considered to be used, then following areas should be covered during a Microsoft Sentinel deployment project: Consider the timelines and the strategy for a migration to AMA (Azure Monitor Agent) before the MMA end-of-life.  Consider the central deployment and management methodology for MMA. Determine which endpoints are in scope for deployment as these affect the log ingestion volume significantly.  Azure Monitor Agent (AMA) Organizations with MMA as the main Microsoft Sentinel agent should start planning the migration to AMA as soon as possible to avoid a rushed migration. One of the main advantages of AMA is the ability to control the log collection policy centrally and apply different policies against different...
Read more

Deployment (Part 1)

By Ashwin Venugopal -
Image
  To read part 2, please click  here To read part 3, please click  here Azure Resources Microsoft Sentinel needs following resources to be created: Subscription (if a dedicated subscription(s) will be used) Resource group(s) Log Analytics workspace(s) Automation rules/playbook Alert rules Workbooks Microsoft Sentinel offers hundreds of alert rules, workbooks, and automation playbook templates along with hunting scripts. The templates can be used to activate/deploy schedule alerts, create customized dashboards, create automation playbooks and perform threat-hunting activities. Generally, once deployed, the resources created have to be adjusted to match the existing environment, configure local credentials, etc. Methods of deployment: Manual- Administrator can manually configures the Microsoft Sentinel resources with the help of Azure portal. Any manual process has the inherent risks of human operator error, lack of compliance with potential change control procedures, and u...
Read more

Design Planning (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Complex Organizational Structures SIEM can be an expensive security control, hence, it is common multiple businesses to contribute to the overall expense. Various organizational units may require a level of access to specific dashboards or sets of data. Microsoft Sentinel offers the ability to assign table-level permissions and limit the level of access to the minimum required to perform requisite job functions.  Role-based Access Control (RBAC) Requirements Microsoft Sentinel offers an extensive list of Azure built-in roles that can be used to provide granular access according to the job requirements and permitted level of access. Some of them are various Microsoft Sentinel dedicated roles: Microsoft Sentinel Contributor- Can perform all engineering-related configuration, such as creating alert rules, configuring data connectors, and additional similar tasks.  Microsoft Sentinel Reader- Can...
Read more