| lab | ||||
|---|---|---|---|---|
|
If you are being provided with a tenant as a part of an instructor-led training delivery, please note that the tenant is made available for the purpose of supporting the hands-on labs in the instructor-led training.
Tenants should not be shared or used for purposes outside of hands-on labs. The tenant used in this course is a trial tenant and cannot be used or accessed after the class is over and are not eligible for extension.
Tenants must not be converted to a paid subscription. Tenants obtained as a part of this course remain the property of Microsoft Corporation and we reserve the right to obtain access and repossess at any time.
You are Joni Sherman, the newly hired Compliance Administrator for Contoso Ltd. tasked to configure the company's Microsoft 365 tenant for data loss prevention. Contoso Ltd. is a company that offers driving instruction in the United States, and you need to make sure that sensitive customer information does not leave the organization.
In this exercise, you will create a Data Loss Prevention policy in the Microsoft Purview portal to protect sensitive data from being shared by users. The DLP Policy that you create will inform your users if they want to share content that contains Credit Card information and allow them to provide a justification for sending this information. The policy will be implemented in test mode because you do not want the block action to affect your users yet.
-
Log into Client 1 VM (LON-CL1) as the lon-cl1\admin account.
-
In Microsoft Edge, navigate to
https://compliance.microsoft.comand log into the Microsoft Purview portal as Joni Sherman. sign in as JoniS@WWLxZZZZZZ.onmicrosoft.com (where ZZZZZZ is your unique tenant ID provided by your lab hosting provider). Joni's password should be provided by your lab hosting provider. -
If the Stay signed in? dialog box appears, select the Don’t show this again checkbox and then select No.
-
In the Microsoft Purview portal, in the left navigation pane, expand Data loss prevention then select Policies.
-
On the Policies page select +Create policy to start the wizard for creating a new data loss prevention policy.
-
On the Start with a template or create a custom policy page, scroll down and select Custom under Categories and Custom policy under Templates. By default, both options should already be selected , select Next.
-
On the Name your DLP policy page enter:
- Name: Credit Card DLP Policy
- Description: Protect credit card numbers from being shared
-
Select Next.
-
On the Assign admin units page select Next.
-
On the Choose locations to apply the policy page, enable the Teams chat and channel messages option only and select Next.
-
On the Define policy settings page, select Create or customize advanced DLP rules and select Next.
-
On the Customize advanced DLP rules page, select + Create rule.
-
On the Create rule flyout page, type Credit card information in the Name field.
-
Under Conditions, select + Add Condition and then select Content contains from the dropdown menu.
-
In the new Content contains area, select Add and select Sensitive info types from the dropdown menu.
-
On the Sensitive info types page, select Credit Card Number and select Add.
-
On the Create rule page, select + Add condition and select Content is shared from Microsoft 365 from the dropdown menu.
-
In the new Content is shared from Microsoft 365 section, select the only with people inside my organization option.
-
On the Create rule page, select + Add an action. Under Use actions to protect content when the conditions are met. expand Restrict access or encrypt the content in Microsoft 365 locations and select Block everyone.
-
On the Create rule page, in the User notifications section, select the switch to On to enable user notifications.
-
Select the check box to enable Notify users in Office 365 service with a policy tip.
-
Under User overrides select the checkbox to Allow overrides from M365 services. Allows users in Exchange, SharePoint, OneDrive and Teams to override policy restrictions.
-
Check the checkbox to Require a business justification to override.
-
In the Incident reports section, in the Use this severity level in admin alerts and reports dropdown, select Low.
-
On the Create rule page select Save then select Next.
-
On the Policy mode page select Run the policy in simulation mode and select Show policy tips while in simulation mode.
-
On the Review and finish page review your settings then select Submit
-
On the New policy created page select Done.
You have now created a DLP policy that scans Credit Card numbers in Microsoft Teams chats and channels and allows users to provide a business justification to override the policy.
In this task, you will modify the existing DLP policy you created in the previous step to also scan e-mails for Credit Card information and inform users if they want to share this content in an e-mail.
-
You should still be logged into Client 1 VM (LON-CL1) as the lon-cl1\admin account, and you should be logged into Microsoft 365 as Joni Sherman.
-
In Microsoft Edge, the Microsoft Purview portal tab should still be open. If so, select it and proceed to the next step. If you closed it, then in a new tab, navigate to
https://compliance.microsoft.com. -
In the Microsoft Purview portal, in the left navigation pane, expand Data loss prevention then select Policies.
-
On the Policies page select the checkbox next to the recently created Credit Card DLP Policy and then select Edit policy (pencil icon) to open the policy wizard.
-
On the Name your DLP policy page, select Next.
-
On the Assign admin units page select Next.
-
On the Choose locations to apply the policy page, enable the Exchange email option and then select Next until you reach the Review and finish page.
-
Select Submit to apply the change you made to the policy.
-
Once the policy is updated select Done.
You have now modified an existing DLP policy and changed the locations it scans for content.
In this task, you use PowerShell to create a DLP policy to protect the Contoso EmployeeIDs and prevent them from being shared in Exchange. Users will be informed that they are attempting to share sensitive data and are blocked from sending the e-mail if it includes Contoso EmployeeIDs.
-
You should still be logged into Client 1 VM (LON-CL1) as the lon-cl1\admin account.
-
In the start menu, select Windows PowerShell.
-
In the PowerShell window, enter
Connect-IPPSSessionand then sign in as Joni Sherman JoniS@WWLxZZZZZZ.onmicrosoft.com (where ZZZZZZ is your unique tenant ID provided by your lab hosting provider). Joni's password should be provided by your lab hosting provider.
-
Enter the following command into PowerShell to create a DLP policy that scans all Exchange mailboxes:
New-DlpCompliancePolicy -Name "EmployeeID DLP Policy" -Comment "This policy blocks sharing of Employee IDs" -ExchangeLocation All
-
Enter the following command into PowerShell to add a DLP rule to the DLP policy you created in the previous step:
New-DlpComplianceRule -Name "EmployeeID DLP rule" -Policy "EmployeeID DLP Policy" -BlockAccess $true -ContentContainsSensitiveInformation @{Name="Contoso Employee IDs"}
-
Use the following command to review the EmployeeID DLP rule:
Get-DLPComplianceRule -Identity "EmployeeID DLP rule"
You have now created a DLP Policy that scans Contoso EmployeeIDs in Exchange by using PowerShell.
In this task you'll test the DLP policy that was created in the previous task.
-
You should still be logged into Client 1 VM (LON-CL1) as the lon-cl1\admin account and logged into Microsoft 365 as Joni Sherman.
-
Open a Microsoft Edge browser window and navigate to
https://outlook.office.com/ -
Select the New mail button on the top left to compose a new email message.
-
In the To field, enter Megan and select Megan Bowen's email address.
-
In the subject field enter Help with employee information.
-
In the body of the email enter:
Please help me with the start dates for the following employees: ABC123456 DEF678901 GHI234567 Thank you, Joni Sherman -
Select the Send button in the upper right of the message window to send the email.
-
You should receive a message that the email was undeliverable and blocked by a DLP policy.
You have successfully tested your DLP policy.
In this task, you will activate the credit card information DLP policy you created in test mode so it enforces its protective actions.
-
You should still be logged into Client 1 VM (LON-CL1) as the lon-cl1\admin account, and you should be logged into Microsoft 365 as Joni Sherman.
-
In Microsoft Edge, the Microsoft Purview portal tab should still be open. If so, select it and proceed to the next step. If you closed it, then in a new tab, navigate to
https://compliance.microsoft.com. -
In the Microsoft Purview portal, in the left navigation pane, expand Data loss prevention then select Policies.
-
On the Policies page select the checkbox next to Credit Card DLP Policy and select Edit policy (pencil) to open the policy wizard.
-
Select Next until you reach the Policy mode page and select Turn the policy on immediately.
-
On the Review and finish select Submit.
-
On the Policy updated page select Done.
You have successfully activated the DLP Policy. If the policy detects an attempt to share credit card information, it will now block the attempt and allow the users to provide a business justification to override the block action.
After creating two DLP policies, you want to make sure that the more restrictive policy is processed at a higher priority than the less restrictive policy. For this reason, you want to move the EmployeeID DLP Policy into the higher priority.
-
You should still be logged into Client 1 VM (LON-CL1) as the lon-cl1\admin account, and you should be logged into Microsoft 365 as Joni Sherman.
-
In Microsoft Edge, the Microsoft Purview portal tab should still be open. If so, select it and proceed to the next step. If you closed it, then in a new tab, navigate to
https://compliance.microsoft.com. -
In the Microsoft Purview portal, in the left navigation pane, expand Data loss prevention then select Policies.
-
On the Policies select the three vertical dots next to the EmployeeID DLP Policy to open the Actions selection and select Move to top.
-
In the Data loss prevention window, select Refresh and review the priority in the Order column of the policy table.
You successfully modified the priority of your DLP policies. If both policies match the same content the action of the higher priority policy will be enforced.
You want to use file policies in Microsoft 365 Defender to protect files in your OneDrive and SharePoint Online locations. Before you can create a file policy, you need to enable file monitoring so Microsoft 365 Defender can scan files in your organization.
-
You should still be logged into Client 1 VM (LON-CL1) as the lon-cl1\admin account.
-
In Microsoft Edge, the Microsoft Purview portal tab should still be open. Select the Profile picture of Joni Sherman in the top right and select Sign out, then close the browser.
-
Open Microsoft Edge and navigate to
https://security.microsoft.comand log into the Microsoft 365 Defender portal as MOD Administrator admin@WWLxZZZZZZ.onmicrosoft.com (where ZZZZZZ is your unique tenant ID provided by your lab hosting provider). Admin's password should be provided by your lab hosting provider. -
On the left navigation pane, expand System then select Settings.
-
On the Settings page select Cloud Apps.
-
In the left pane within the Cloud apps window, scroll down to the Information Protection section, then select Files.
-
Select the Enable file monitoring checkbox then select Save if it is not already marked.
You successfully enabled file monitoring in Microsoft 365 Defender and can now scan files for sensitive content using file policies.
In this task, you want to create a file policy in Microsoft 365 Defender to scan files in OneDrive and SharePoint Online and automatically quarantine files containing credit card information if they are shared.
-
You should still be logged into Client 1 VM (LON-CL1) as the lon-cl1\admin account.
-
In Microsoft Edge, the Microsoft Defender for Cloud Apps portal tab should still be open. Select the Profile picture of the MOD Admin in the top right and select Sign out next to the cogwheel, then close the browser.
-
Open Microsoft Edge and navigate to
https://security.microsoft.comand log into the Microsoft 365 Defender portal as Joni Sherman JoniS@WWLxZZZZZZ.onmicrosoft.com (where ZZZZZZ is your unique tenant ID provided by your lab hosting provider). Joni Sherman's password should be provided by your lab hosting provider. -
In the Microsoft 365 Defender portal, in the left navigation, scroll down to the Cloud apps section, then select Files.
-
On the Files page select + New policy from search.
-
On the Create file policy page, leave the Policy template selection as No template.
-
Enter this information on the Create file policy page
- Policy name: Credit Card Information for files
- Description: Protect credit card numbers from being shared in files
-
Keep the Policy Severity on Low (one lighted icon) and make sure the Category is set to DLP. For a file policy, this should be the default.
-
In the Files matching all of the following area, expand the dropdown menu Public (Internet), External, Public and add Internal.
-
In the Inspection method dropdown menu, select Data Classification Service.
-
In the Choose inspection type... dropdown menu, select Sensitive information type....
-
On the Select a sensitive information type dialog, select Credit Card Number, then select Done in the upper right corner.
-
Under Alerts, check the Create an alert for each matching file checkbox and review your options. Keep the settings as the default by selecting Save as default settings.
-
In the Governance actions section, expand Microsoft OneDrive for Business and select Put in user quarantine.
-
In the Governance actions section, expand Microsoft SharePoint Online and select the checkbox for Put in user quarantine.
-
Select Create at the bottom of the page.
You have now created a file policy that will continuously scan files saved in OneDrive and SharePoint for credit card information and quarantine them if they are shared inside your organization.
Your company uses Power Automate flows to share data between SharePoint Online and Salesforce. In this task, you will create a DLP policy for Power Platform that allows your existing flows to keep working but prevents the creation of flows that will share data between SharePoint Online and Apps defined as non-business.
-
Log into Client 2 VM (LON-CL1) as the lon-cl2\admin account.
-
In Microsoft Edge, navigate to
https://admin.powerplatform.microsoft.comand log into the Power Platform admin center as MOD Administrator admin@WWLxZZZZZZ.onmicrosoft.com (where ZZZZZZ is your unique tenant ID provided by your lab hosting provider). Admin's password should be provided by your lab hosting provider. -
In the Power Platform admin center, in the left navigation pane, select the drop-down for Policies and then select Data policies.
-
On the Data policies page, select + New Policy.
-
On the Name your policy page, enter Tenant-wide SharePoint Policy, then select Next.
-
On the Non-business|Default tab on the Assign connectors page, select SharePoint and Salesforce, then select Move to Business at the top of the page.
-
In the Assign connectors page, select the Business tab to make sure both SharePoint and Salesforce now appear then select Next.
-
On the Custom connector patterns page select Next.
-
On the Define scope page, select Add all environments then select Next.
-
On the Review and create policy page review your policy settings then select Create policy.
You have now created a Power Platform DLP policy that prevents users from creating flows involving a SharePoint Online Connector and any connector that is not Salesforce.