
Issues Checking Multiple Defender DLP Policies #22

Closed
skirkpatrickms opened this issue Dec 13, 2022 · 5 comments
Labels
bug This issue or pull request addresses broken functionality public-reported This issue is reported by the public users of the tool.

Comments

@skirkpatrickms
Copy link

🐛 Summary

A tenant with 2 DLP policies was tested. The DLP policies are set for 1 for Teams and 1 for devices. The Teams policy is checking for PII, credit cards, and UK passports. The Device policy only checks for credit cards. The output of the script states that the requirement for PII is met, but not all policies are checking for PII. The script needs to be modified to iterate through the policies and provide the correct output for policies that do not meet the requirement.

@ethanb-cisa ethanb-cisa added the bug This issue or pull request addresses broken functionality label Dec 16, 2022
@ethanb-cisa
Copy link
Contributor

Thanks for reporting this. We will look into how to fix it.

@ethanb-cisa ethanb-cisa added the public-reported This issue is reported by the public users of the tool. label Dec 20, 2022
@nanda-katikaneni nanda-katikaneni added this to the Backlog milestone Jan 3, 2023
@schrolla
Copy link
Collaborator

Need to verify if the assumption that all policies are active and the result is the aggregated logical AND of all those policies or not.

@skirkpatrickms
Copy link
Author

skirkpatrickms commented Jan 10, 2023 via email

@tkol2022
Copy link
Collaborator

Reviewed 12/14

@schrolla @buidav Please review and close if this is OBE. If it is still valid, please check to ensure the size and priority labels are accurate.

@schrolla
Copy link
Collaborator

While the DLP capability allows for processing and evaluating multiple policies in the specified order, the baseline states that "a custom policy" shall be configured. So the requirement being assessed is that a single custom policy contains one or more rules with ALL sensitive info types present. The bug stated above, as I understand it, and please correct me if I'm wrong, is that the test scenario splits the sensitive info types across two different policies. In the case above, I'd evaluate the assessment result as a fail on MS.DEFENDER.4.1v1 as neither has a set of rules that contain the 3 minimum info types (SSN, PII, TIN).
The Defender code was updated for the upcoming release which improved the evaluation logic. I ran a test by creating two custom policies as described above: 1 targeting Teams with SSN, CC, and Passport and a second targeting Devices with only CC. Neither policy included ITIN and these were the only two policies set to On. I ran the test in a G5 tenant. The result was a fail, as expected since no policy contains the required ITIN (which is identified as the missing type in the fail report details for MS.DEFENDER.4.1v1). Also note that since no single custom policy meets 4.1, the ancillary baselines for MS.DEFENDER.4.2-4.4 also fail since they check additional settings associated with the required info type rules.

[Screenshot 2023-12-15 at 8:47:14 AM]

As such, I believe the upcoming release addresses this issue by resolving the false positive and that this item can be closed.

@schrolla schrolla removed this from the Backlog milestone Dec 22, 2023
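The two readings discussed in this thread, evaluated side by side, as an added example (this is not ScubaGear code and does not query a tenant). It models each DLP policy as an on/off flag plus rules that reference sensitive info types, then checks whether at least one enabled policy covers every required type (the "a custom policy" reading schrolla describes) versus whether the union of all enabled policies covers them (the aggregation that produces the false positive reported). The required set (SSN, ITIN, credit card number), the policy names and the rule contents are constructed from the descriptions in the thread and are assumptions, not tenant data.

```python
"""Evaluate whether Defender DLP policies meet a required set of sensitive info types.

Added example, not ScubaGear code. It contrasts the two readings discussed in the
thread: a single custom policy must cover every required type (the baseline reading),
versus aggregating coverage across all enabled policies (which yields the false
positive the issue reports). All policy data below is constructed.
"""
from dataclasses import dataclass

# Sensitive info type labels (constructed strings; the required set is an assumption
# taken from the thread: SSN, ITIN and credit card number).
SSN = "U.S. Social Security Number (SSN)"
ITIN = "U.S. Individual Taxpayer Identification Number (ITIN)"
CC = "Credit Card Number"
PASSPORT = "U.K. Passport Number"
REQUIRED_TYPES = frozenset({SSN, ITIN, CC})


@dataclass(frozen=True)
class DlpRule:
    name: str
    sensitive_types: frozenset


@dataclass(frozen=True)
class DlpPolicy:
    name: str
    enabled: bool          # True when the policy mode is "On"
    rules: tuple           # DlpRule instances


def policy_types(policy: DlpPolicy) -> frozenset:
    """Union of the sensitive info types referenced by any rule in one policy."""
    return frozenset().union(*(rule.sensitive_types for rule in policy.rules))


def missing_per_policy(policies, required=REQUIRED_TYPES) -> dict:
    """For each enabled policy, the required types it does not cover (empty set = covers all).
    Disabled policies are skipped, since only policies set to On enforce anything."""
    return {p.name: required - policy_types(p) for p in policies if p.enabled}


def evaluate_single_policy(policies, required=REQUIRED_TYPES):
    """Baseline reading: pass only if at least one enabled policy covers every required type.

    Returns (passed, names of satisfying policies, per-policy missing types) so a
    report can name the policy that passes or list what each policy lacks.
    """
    missing = missing_per_policy(policies, required)
    satisfying = sorted(name for name, gap in missing.items() if not gap)
    return bool(satisfying), satisfying, missing


def evaluate_aggregated(policies, required=REQUIRED_TYPES):
    """Looser reading: union of coverage over all enabled policies.

    This is the logic behind the false positive in the issue: types split across
    policies look "met" even though no single policy enforces them all.
    Returns (passed, required types covered by no enabled policy).
    """
    covered = frozenset().union(*(policy_types(p) for p in policies if p.enabled))
    return required <= covered, required - covered


# Scenario from schrolla's test (constructed data mirroring the description):
# Teams policy with SSN, CC and passport; Devices policy with CC only; neither has ITIN.
THREAD_SCENARIO = (
    DlpPolicy("Teams custom policy", True, (DlpRule("teams-rule", frozenset({SSN, CC, PASSPORT})),)),
    DlpPolicy("Devices custom policy", True, (DlpRule("devices-rule", frozenset({CC})),)),
)

# Constructed scenario where the two readings disagree: the required types are split
# across two enabled policies, plus a disabled policy that would cover them all.
SPLIT_SCENARIO = (
    DlpPolicy("Policy A", True, (DlpRule("a-rule", frozenset({SSN, ITIN})),)),
    DlpPolicy("Policy B", True, (DlpRule("b-rule", frozenset({CC})),)),
    DlpPolicy("Policy C (Off)", False, (DlpRule("c-rule", frozenset({SSN, ITIN, CC})),)),
)


def report(policies, label):
    """Print both verdicts and the per-policy gaps, the detail a fail report should carry."""
    passed, satisfying, missing = evaluate_single_policy(policies)
    agg_passed, agg_missing = evaluate_aggregated(policies)
    print(f"== {label} ==")
    print(f"single-policy reading: {'PASS' if passed else 'FAIL'} {satisfying or ''}")
    for name, gap in missing.items():
        print(f"  {name}: missing {sorted(gap) or 'nothing'}")
    print(f"aggregated reading:    {'PASS' if agg_passed else 'FAIL'} missing {sorted(agg_missing)}")


if __name__ == "__main__":
    report(THREAD_SCENARIO, "thread scenario")
    report(SPLIT_SCENARIO, "split scenario")
```

On the thread scenario both readings fail, because ITIN appears in no policy; on the split scenario the aggregated reading passes while the single-policy reading fails, which is exactly the divergence the bug report is about. Reporting the per-policy missing set, rather than a single boolean, is what lets the output name the offending policy and the missing type, as the updated fail report described above does.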