Summary – Implementing Microsoft Purview Information Protection and Data Lifecycle Management

In this chapter, you learned about some of the important compliance tasks that many organizations face, such as content classification and retention. You learned about the foundational technical concepts around sensitive information types (SITs). SITs are used to classify content and can be used across the Microsoft Purview solutions, including labeling and retention.

In the next chapter, you’ll apply the SIT knowledge learned here to another compliance concept: data loss prevention.

Exam Readiness Drill – Chapter Review Questions
Benchmark Score: 75%
Apart from a solid understanding of key concepts, being able to think quickly under time pressure is a skill that will help you ace your certification exam. That’s why working on these skills early on in your learning journey is key.

Chapter review questions are designed to improve your test-taking skills progressively with each chapter you learn and review your understanding of key concepts in the chapter at the same time. You’ll find these at the end of each chapter.

Before You Proceed
You need to unlock these resources before you start using them. Unlocking takes less than 10 minutes, can be done from any device, and needs to be done only once. Head over to the start of Chapter 7, Managing Security Reports and Alerts by Using the Microsoft 365 Defender Portal in this book for instructions on how to unlock them.

To open the Chapter Review Questions for this chapter, click the following link:
https://packt.link/MS102E1_CH10. Or, you can scan the following QR code:

Figure 10.57 – QR code that opens Chapter Review Questions for logged-in users

Once you log in, you’ll see a page similar to what is shown in Figure 10.58:

Figure 10.58 – Chapter Review Questions for Chapter 10

Once ready, start the following practice drills, re-attempting the quiz multiple times:

Exam Readiness Drill

For the first 3 attempts, don’t worry about the time limit.

ATTEMPT 1
The first time, aim for at least 40%. Look at the answers you got wrong and read the relevant sections in the chapter again to fix your learning gaps.

ATTEMPT 2
The second time, aim for at least 60%. Look at the answers you got wrong and read the relevant sections in the chapter again to fix any remaining learning gaps.

ATTEMPT 3
The third time, aim for at least 75%. Once you score 75% or more, you start working on your timing.

Tip
You may take more than 3 attempts to reach 75%. That’s okay. Just review the relevant sections in the chapter till you get there.

Working On Timing
Target: Your aim is to keep the score the same while trying to answer these questions as quickly as possible. Here’s an example of what your next attempts should look like:

Table 10.2 – Sample timing practice drills on the online platform

Note
The time limits shown in the above table are just examples. Set your own time limits with each attempt based on the time limit of the quiz on the website.

With each new attempt, your score should stay above 75% while your time taken to complete should decrease. Repeat as many attempts as you want till you feel confident dealing with the time pressure.

Summary – Implementing Microsoft Purview data loss prevention (DLP)

In this chapter, you learned about the capabilities of Microsoft DLP. Building on the knowledge you previously gained about classifiers such as sensitive information types, DLP policies can be used to detect sensitive information as it moves throughout your organization.

DLP policies can target workloads such as Exchange Online or SharePoint as well as endpoint devices such as on-premises file servers and client computers. Each layer helps provide additional protection against data leakage and compromise.

You also learned about the alerting and troubleshooting tools available in the platform, including the DLP Alerts dashboard and the Microsoft 365 Defender Incidents dashboard, and the capabilities of incident management to further remediate issues with users and data.

Exam Readiness Drill – Chapter Review Questions

Benchmark Score: 75%

Apart from a solid understanding of key concepts, being able to think quickly under time pressure is a skill that will help you ace your certification exam. That’s why working on these skills early on in your learning journey is key.

Chapter review questions are designed to improve your test-taking skills progressively with each chapter you learn and review your understanding of key concepts in the chapter at the same time. You’ll find these at the end of each chapter.

Before You Proceed

You need to unlock these resources before you start using them. Unlocking takes less than 10 minutes, can be done from any device, and needs to be done only once. Head over to the start of Chapter 7, Managing Security Reports and Alerts by Using the Microsoft 365 Defender Portal in this book for instructions on how to unlock them.

To open the Chapter Review Questions for this chapter, click the following link:

https://packt.link/MS102E1_CH11. Or, you can scan the following QR code:

Figure 11.40 – QR code that opens Chapter Review Questions for logged-in users

Once you log in, you’ll see a page similar to what is shown in Figure 11.41:

Figure 11.41 – Chapter Review Questions for Chapter 11

Once ready, start the following practice drills, re-attempting the quiz multiple times:

Exam Readiness Drill

For the first 3 attempts, don’t worry about the time limit.

ATTEMPT 1

The first time, aim for at least 40%. Look at the answers you got wrong and read the relevant sections in the chapter again to fix your learning gaps.

ATTEMPT 2

The second time, aim for at least 60%. Look at the answers you got wrong and read the relevant sections in the chapter again to fix any remaining learning gaps.

ATTEMPT 3

The third time, aim for at least 75%. Once you score 75% or more, you start working on your timing.

Tip
You may take more than 3 attempts to reach 75%. That’s okay. Just review the relevant sections in the chapter till you get there.

Working On Timing

Target: Your aim is to keep the score the same while trying to answer these questions as quickly as possible. Here’s an example of what your next attempts should look like:

Table 11.1 – Sample timing practice drills on the online platform

Note
The time limits shown in the above table are just examples. Set your own time limits with each attempt based on the time limit of the quiz on the website.

With each new attempt, your score should stay above 75% while your time taken to complete should decrease. Repeat as many attempts as you want till you feel confident dealing with the time pressure.

Teamwork habits – Monitoring Microsoft 365 Tenant Health

Viva Insights Teamwork habits, part of the premium Viva Insights experience, allows managers to gain additional recommendations for managing people. Teamwork habits helps managers identify regular after-hours work, meeting overload conditions, and a lack of dedicated focus time.

Managers can set up their teams by manually adding users, though they can use the suggested list if the manager property has been configured in Active Directory or Azure Active Directory:

Figure 2.25 – Confirming team members

Three additional core features of Teamwork habits are as follows:

  • Scheduling recurring 1:1 time with managed employees
  • Gathering quiet hours impact to determine how work habits impact employees outside of their configured working hours
  • Shared plans for no-meeting days and shared focus times

Organizations that have the Teamwork habits tools available can improve their employees’ well-being and work-life balance. The Teamwork habits feature requires a separate Microsoft Viva Insights license.

Organization trends

The Organization trends tab shows business leader and manager insights to help understand how to effectively manage your teams, such as identifying work patterns:

Figure 2.26 – Organization trends

Organization trend data is privacy-oriented, requiring a minimum of 10 people (including the manager) to be in the management chain, either directly or indirectly. In addition, access to organization trends requires granting access to manager insights through the Viva setup.

Advanced insights

Microsoft Viva Advanced Insights is a reporting tool that provides research-based behavioral insights into organizational work patterns, such as hybrid work, work-life balance, and employee well-being.

The Advanced Insights reporting tool comes with several built-in templates and analysis tools to help organizations understand everything, from meeting effectiveness to employee performance trends correlated to manager 1:1 meetings:

Figure 2.27 – Viva Insights manager coaching report

With large organizational changes such as hybrid and remote work scenarios, it can be important to understand how those work patterns affect performance, including interesting data points such as how much time is spent during meetings multitasking, or how much work is getting done outside normal business hours:

Figure 2.28 – Advanced insights working hours details

The Advanced Insights Power BI report templates provide an analysis of employee engagement and work patterns. Here are the reports:

  • Business resilience: Overall business report highlighting performance and employee well-being
  • Hybrid workforce experience: This report highlights how different work modes (onsite, hybrid, and remote) affect workers
  • Manager effectiveness: This report provides insight into patterns for people managers
  • Meeting effectiveness: This report captures and displays information on meeting statistics such as how many meetings happen at short notice or how much multitasking occurs during meetings
  • Ways of working: This data helps answer questions such as, “Are employees receiving enough 1:1 coaching time?” and “Who generates the most work by organizing meetings?”
  • Wellbeing – balance and flexibility: This reporting data is used to identify whether employees have enough time to focus on core priorities and balance that with breaks and time away from work

For more information on the advanced insights templates and their reporting capabilities, see https://learn.microsoft.com/en-us/viva/insights/advanced/analyst/templates/introduction-to-templates.

Creating a sublabel – Implementing Microsoft Purview Information Protection and Data Lifecycle Management

Sublabels function almost exactly like sensitivity labels—you can think of them as higher up the hierarchy to give you more specificity when categorizing data. For example, in Figure 10.43, you can see that Anyone (unrestricted) and All Employees (unrestricted) are configured as sublabels of the General label:

Figure 10.43 – Sublabel example

There may be instances when you have a broad category for labeling content but want to use an additional method or level of classification. This is where sublabels can be helpful.

There are a few important points to consider when using sublabels:

• A sublabel inherits its color settings from its parent.
• When a label has sublabels configured, the parent label can’t be used to classify content—only the sublabel can be used.

Note
If a label has sublabels, it’s important that the parent label not be used as a default label.

To create a sublabel, follow these steps:

  1. In the Microsoft Purview compliance portal (https://compliance.microsoft.com), expand Information protection, and select Labels.
  2. Locate the label that will be the parent label and select it.
  3. Click Create sublabel, as shown in Figure 10.44:

Figure 10.44 – Creating a sublabel

  4. On the Name and tooltip page as shown in Figure 10.45, enter values for Name, Display name, and Description for users. Note that the Label color choice is non-selectable. If a label color has already been chosen for the parent, this sublabel will inherit that color.

Figure 10.45 – Reviewing name and tooltip settings

  5. Click Next to continue configuring the label. The remaining steps are the same as configuring a standalone or parent label. Refer to the previous section for details and options.

Now that you’ve successfully configured labels, let’s briefly look at configuring label policies.

Implementing sensitivity label policies

Label policies are the configuration objects that are used to either assign labels to content or make them available for users to apply. Sensitivity labels can be applied in a number of ways:

• Label policies (client-side labeling):
    • Manual labels (with M365 E3, E5, G3, G5, F1, or F3 licensing)
    • Default labels (with M365 E3, E5, G3, G5, F1, or F3 licensing)
    • Recommended labels (with M365 E5 or G5 licensing)
• Auto-labeling (service-side labeling):
    • Available only to M365 E5 or G5 licensing

The automatic label application options can be confusing, since there are two types of label policies that appear at first glance to do the same thing. Let’s dig into each of them now.

Label policies – Implementing Microsoft Purview Information Protection and Data Lifecycle Management

Label policies are on the client side and work inside applications such as Outlook and Word and in the web user interfaces for SharePoint, OneDrive for Business, and Power BI. Label policies can be made available to users via administrative units or to individual users and groups. Additionally, label policies can be made mandatory—that is, users are required to choose from the published labels to apply to content in the Office apps, documents, meetings, and Power BI content.

The wizard to publish label policies can be activated after a label has been created, or separately.

In the following example, you’ll look at creating a label policy for an existing label:

  1. In the Microsoft Purview compliance portal (https://compliance.microsoft.com), expand Information protection and select Label policies.
  2. Click Publish label, as shown in Figure 10.46:

Figure 10.46 – Publishing a label

  3. On the Labels to publish page, as shown in Figure 10.47, click Choose sensitivity labels to publish and then select the labels to publish from the list. Click Add to add the labels to the list of labels that will be published as part of the policy. Click Next to continue.

Figure 10.47 – Selecting labels to publish

  4. On the Admin units page, choose which administrative units to use for scoping the policy. By default, the entire tenant is selected. Click Next.
  5. On the Users and groups page, select which users or groups will receive the label policy. By default, all users and groups are included. Click Next.
  6. On the Settings page, choose the appropriate settings to apply to this policy. You can choose from Users must provide a justification to remove a label or lower its classification, Require users to apply a label to their emails and documents, Require users to apply a label to their Power BI content, and Provide users with a link to a custom help page. Click Next.

The Users must provide a justification to remove a label or lower its classification option has no additional configuration options, but users will have to enter classification text (which will be logged) when changing the label. Lowering a classification corresponds to its priority on the Label policies page.

The Provide users with a link to a custom help page option has only a single configuration field—a URL—which must be specified on this page.

Figure 10.48 – Configuring policy settings

  7. On the Documents page, if you want to specify a default label, select it from the list of labels. The default label will be applied to documents automatically, though the user can select a different label from their available labels if the sensitivity of the content warrants a change. Click Next.
  8. On the Emails page, select a Default label. You can choose Same as document to use the same label as you selected on the Documents page, or one of the other available labels. It’s recommended to choose the Same as document label to help users avoid confusion and ensure consistency. If you selected Require users to apply a label to their emails and documents on the Settings page, you can choose Require users to apply a label to their emails on this page. You can also choose the Email inherits highest priority label from attachments option if you want an attachment’s assigned label to be able to potentially override an email label’s priority.

Figure 10.49 – Configuring email settings

  9. Click Next.
  10. If your organization requires labeling of all items (including calendar items), you have options for managing label application on the Apply a default label to meetings and calendar events page. You can choose a default label as well as the Require users to apply a label to their meetings and calendar events option (if the Require… checkbox was selected on the Settings page). If you don’t have a reason to require labeling of calendar invitations, leave the setting cleared. Click Next.
  11. On the Power BI page, you can choose a default label that will be applied to Power BI content. Organizations that have mandatory classification requirements should configure this option to help ensure compliance. For the exercise, select one of the labels that you have configured and click Next.
  12. On the Name page, enter a Name value for the label policy. Click Next.
  13. On the Finish page (depicted in Figure 10.50), review the settings and click Edit to change them if necessary, or click Submit to finish creating the policy.

Figure 10.50 – Reviewing the final settings

After you’ve configured the label publishing policy, the labels will show up for use in application and user interfaces.
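The note in the sublabel section (a parent label should not be a default label) and the default-label steps above can be checked together. The following is an added example, not code from the book: it takes label and policy objects and reports any policy whose default label is a parent label. It assumes the objects expose `Guid`, `ParentId`, `DisplayName`, `Name` and `Settings`, and that `Settings` entries are `[key, value]` strings with the keys `defaultlabelid` and `outlookdefaultlabel`; the function name, GUIDs and sample policies are constructed.

```powershell
# Added example: report label policies whose default label is a parent label.
function Find-ParentDefaultLabel {
    param(
        [Parameter(Mandatory)] [object[]] $Labels,    # need Guid, ParentId, DisplayName
        [Parameter(Mandatory)] [object[]] $Policies   # need Name, Settings
    )
    $empty = [guid]::Empty.ToString()

    # A label is a parent when at least one other label points to it via ParentId.
    $parentIds = @(
        $Labels |
            Where-Object { $_.ParentId -and "$($_.ParentId)" -ne $empty } |
            ForEach-Object { "$($_.ParentId)".ToLower() } |
            Sort-Object -Unique
    )
    $nameById = @{}
    foreach ($l in $Labels) { $nameById["$($l.Guid)".ToLower()] = $l.DisplayName }

    # Assumption: these setting keys carry the default label for documents and email.
    $defaultKeys = 'defaultlabelid', 'outlookdefaultlabel'

    foreach ($p in $Policies) {
        foreach ($s in $p.Settings) {
            # Assumption: each entry is rendered as "[key, value]".
            if ("$s" -match '^\[\s*([^,\]]+),\s*([^\]]*)\]$') {
                $key   = $Matches[1].Trim().ToLower()
                $value = $Matches[2].Trim().ToLower()
                if ($defaultKeys -contains $key -and $parentIds -contains $value) {
                    [pscustomobject]@{
                        Policy      = $p.Name
                        Setting     = $key
                        ParentLabel = $nameById[$value]
                    }
                }
            }
        }
    }
}

# Constructed sample data mirroring the General label and its sublabels.
$general = '00000000-0000-0000-0000-0000000000a1'
$labels = @(
    [pscustomobject]@{ DisplayName = 'General'; Guid = $general; ParentId = $null }
    [pscustomobject]@{ DisplayName = 'Anyone (unrestricted)'
                       Guid = '00000000-0000-0000-0000-0000000000a2'; ParentId = $general }
    [pscustomobject]@{ DisplayName = 'All Employees (unrestricted)'
                       Guid = '00000000-0000-0000-0000-0000000000a3'; ParentId = $general }
)
$policies = @(
    [pscustomobject]@{ Name = 'Policy A (constructed)'
                       Settings = @('[mandatory, false]', "[defaultlabelid, $general]") }
    [pscustomobject]@{ Name = 'Policy B (constructed)'
                       Settings = @('[mandatory, true]',
                                    '[defaultlabelid, 00000000-0000-0000-0000-0000000000a3]') }
)

Find-ParentDefaultLabel -Labels $labels -Policies $policies | Format-Table -AutoSize

# Against a tenant (after Connect-IPPSSession), the same function can be fed with:
#   Find-ParentDefaultLabel -Labels (Get-Label) -Policies (Get-LabelPolicy)
```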

Exchange Online, SharePoint Online, OneDrive for Business, and Teams – Implementing Microsoft Purview data loss prevention (DLP)

DLP policies are used in the following contexts for core Microsoft 365 workloads:

• Exchange Online: Apply controls or restrictions to messages as they are sent or received by individuals in the organization.

• SharePoint Online and OneDrive for Business: Restrict sensitive content as it is added to a sharing invitation.

• Teams: Restrict sensitive content as it is entered into a chat or channel message.

• Devices: Protect content on endpoint devices. This option requires additional configuration.

• On-premises file servers: Protect content in connected on-premises repositories. This option requires additional configuration.

To configure a workload DLP policy, follow these steps:

  1. Navigate to the Microsoft Purview compliance portal (https://compliance.microsoft.com).
  2. Under Solutions, expand Data loss prevention and then select Policies.
  3. Click Create policy. See Figure 11.1:

Figure 11.1 – Microsoft Purview compliance policies page

  4. Choose whether to use one of the built-in templates or to create a new custom policy.

Built-in templates are broken into categories such as Enhanced (various international legislation, finance, or privacy regulations, which utilize trainable classifiers to extend detection capabilities), Financial (international financial data types), Medical and health (healthcare legislation, terms, and personal information), and Privacy (international privacy regulations or legislation). You can only choose one template; if you want to include more than one template data type, you’ll need to select Custom and add the sensitive information types or other classifiers manually.

  5. Click Next when the policy type has been selected. See Figure 11.2:

Figure 11.2 – Selecting a template or policy type

  6. On the Name page, enter a value to identify your policy. Click Next.
  7. On the Admin units page, as shown in Figure 11.3, choose whether the DLP policy will apply to the whole organization or only to members of a particular administrative unit.

Figure 11.3 – Assigning an administrative unit

Click Next when you’re finished.

  8. On the Locations page, as shown in Figure 11.4, choose which workloads and locations the policy will be applied to. You can enable all workloads and locations as part of a single policy, with the exception of Power BI. While you can enable devices and on-premises repositories now, those locations will require additional steps to fully onboard and protect. Also, if you are using a new enhanced DLP template for your policy, on-premises repositories aren’t supported.

Figure 11.4 – Adding workloads and locations to the policy

For each location, you can apply filters to include or exclude objects (such as users, groups, sites, or devices). When finished, click Next.

  9. On the Policy settings page, determine what DLP rules you want to apply. You can choose from Review and customize the default settings from the template or Create or customize advanced DLP rules. They both have similar capabilities, though the Create or customize advanced DLP rules option has more flexibility in creating conditions with a more complex editing interface. In this example, you’ll just choose the Review and customize the default settings from the template option, though we’d recommend experimenting with both so you can see the flexibility of the options. Click Next.
  10. On the Info to protect subpage, as shown in Figure 11.5, select Edit to modify the DLP rule conditions:

Figure 11.5 – Reviewing the Info to protect page

Exam Tip
If you have selected the Devices or On-premises repositories location, you will not see or be able to select the Detect when this content is shared from Microsoft 365 option. If you have selected SharePoint or OneDrive locations, you will not be able to see or use the User’s risk level for Adaptive protection is control. You’ll have to evaluate what features you need to use and potentially create separate policies to protect data in different locations with different features.
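The same kind of workload policy can be created from Security & Compliance PowerShell, which gives you a configuration that can be reviewed and repeated. This is an added example, not code from the book: it builds a custom policy (rather than the template used in the walkthrough) with two sensitive information types, scoped to the four workloads that can share a policy, and starts it in test mode. The policy and rule names are hypothetical.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and membership of
# one of the role groups that can configure DLP policies.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$policyName = 'Custom - Financial and PII (example)'   # hypothetical name
$ruleName   = 'Custom - External sharing (example)'    # hypothetical name

# Custom policy: only one template can be chosen in the wizard, so a policy that
# covers several data types lists its sensitive information types explicitly.
# Power BI is left out because it cannot be combined with the other locations;
# devices and on-premises repositories need onboarding and are better handled
# in a separate policy (see the Exam Tip above).
if (-not (Get-DlpCompliancePolicy | Where-Object Name -eq $policyName)) {
    New-DlpCompliancePolicy -Name $policyName `
        -Comment 'Created by script; review matches before enforcing' `
        -ExchangeLocation All `
        -SharePointLocation All `
        -OneDriveLocation All `
        -TeamsLocation All `
        -Mode TestWithNotifications   # evaluate and show policy tips, do not enforce yet
}

# Built-in sensitive information types to detect (at least one instance of each).
$sits = @(
    @{ Name = 'Credit Card Number'; minCount = '1' },
    @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' }
)

if (-not (Get-DlpComplianceRule -Policy $policyName | Where-Object Name -eq $ruleName)) {
    New-DlpComplianceRule -Name $ruleName -Policy $policyName `
        -ContentContainsSensitiveInformation $sits `
        -AccessScope NotInOrganization `
        -BlockAccess $true `
        -NotifyUser Owner `
        -ReportSeverityLevel Medium
}

# Confirm what was created before moving out of test mode.
Get-DlpCompliancePolicy -Identity $policyName | Format-List Name, Mode
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, BlockAccess, AccessScope, Disabled

# Once the test-mode matches have been reviewed:
#   Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```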

Implementing DLP for Workloads – Implementing Microsoft Purview data loss prevention (DLP)

Many workloads and services in the Microsoft 365 platform support DLP capabilities. DLP detects content based on a variety of mechanisms, such as keywords, built-in functions, and secondary matches that are located in proximity to the primary matched content. Microsoft Purview DLP can also use document fingerprinting and machine learning algorithms to detect content.
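To make the detection mechanisms concrete, here is a simplified sketch of a primary pattern match, validated by a function and strengthened by a supporting keyword found nearby. It is an added example, not Purview's implementation: the function names, keyword list, 300-character default window and two confidence levels are assumptions, and the sample text is constructed.

```powershell
# Added illustration of "pattern + function + keyword in proximity" detection.

# Built-in-function stand-in: Luhn checksum used by payment card numbers.
function Test-Luhn([string]$Digits) {
    $sum = 0
    $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]($Digits[$i])
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d
        $double = -not $double
    }
    return (($sum % 10) -eq 0)
}

function Find-CardCandidate {
    param(
        [Parameter(Mandatory)] [string] $Text,
        [string[]] $Keywords = @('credit card', 'card number', 'visa', 'mastercard', 'expir'),
        [int] $Proximity = 300   # characters searched on each side of the match
    )
    $results = foreach ($m in [regex]::Matches($Text, '\b(?:\d[ -]?){15}\d\b')) {
        $digits = $m.Value -replace '[^\d]', ''

        # Primary element: the pattern alone is not enough, the checksum must pass.
        if (-not (Test-Luhn $digits)) { continue }

        # Secondary element: look for a supporting keyword near the primary match.
        $start  = [Math]::Max(0, $m.Index - $Proximity)
        $end    = [Math]::Min($Text.Length, $m.Index + $m.Length + $Proximity)
        $window = $Text.Substring($start, $end - $start)
        $hit = $Keywords |
            Where-Object { $window -match [regex]::Escape($_) } |
            Select-Object -First 1

        [pscustomobject]@{
            Offset     = $m.Index
            Masked     = ('*' * 12) + $digits.Substring(12)   # never echo the full value
            Keyword    = $hit
            Confidence = if ($hit) { 'High' } else { 'Low' }
        }
    }
    return @($results)
}

# Constructed sample text; the numbers are public test values, not real accounts.
$filler = ' ' + ('lorem ipsum ' * 5)
$sample = 'Please charge my credit card 4111 1111 1111 1111 today.' + $filler +
          'Order 1234 5678 9012 3456 shipped.' + $filler +
          'Ref 5555-5555-5555-4444 attached.'

# A small window is used here so the third number has no keyword in range.
Find-CardCandidate -Text $sample -Proximity 40 | Format-Table -AutoSize
```

The order number in the sample fails the checksum and is dropped, which is why a validating function cuts false positives compared with a bare pattern.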

Depending on the workload or application, DLP policies can take the following actions on detected content:

  • Display a notification (called a policy tip) that warns the users about sensitive content
  • Block sharing with or without the ability for the end user to override the block
  • Move sensitive items to a quarantine location
  • Prevent sensitive content from being displayed in a Teams chat
  • Encrypt content

DLP, from the workload perspective, can be applied to data in transit, data at rest, and data in use. In the following sections, you’ll review configuring DLP settings for the Exchange Online, SharePoint, OneDrive for Business, Teams, and Power BI workloads, as well as an overview of protecting on-premises file shares with the Azure Information Protection (AIP) scanner.

Prerequisites

DLP has license subscription requirements. Depending on the workload to be protected, users need one of the following licenses:

  • Microsoft 365 E3/A3/A5/E5/A5/G5
  • Microsoft 365 Business Premium
  • SharePoint Online Plan 2
  • OneDrive for Business Plan 2
  • Exchange Online Plan 2

  • Microsoft 365 E5/A5/F5/G5 Compliance and F5 Security & Compliance
  • Microsoft 365 E5/A5/F5/G5 Information Protection & Governance

In addition, DLP for Microsoft Teams (chat and channel messages, in particular) and on-premises repositories requires one of the following licenses:

  • Microsoft 365 E5/A5/G5
  • Microsoft 365 E5/A5/F5/G5 Compliance or F5 Security & Compliance
  • Microsoft 365 E5/A5/F5/G5 Information Protection & Governance

In order to configure DLP policies, you must be a member of one of these role groups:

  • Compliance Administrator
  • Compliance Data Administrator
  • Information Protection
  • Information Protection Admin
  • Security Administrator

Organizations with any eligible subscription with DLP features (such as E1, F1, G1, A3, E3, G3, A5, E5, or G5) can create DLP alerts that are triggered on every matching activity.

Organizations with an A5, E5, or G5 subscription or an Office 365 Advanced Threat Protection Plan 2, Microsoft 365 E5 Compliance, or Microsoft 365 eDiscovery and Audit add-on license can configure aggregated alerts—meaning that DLP alerts will only show up based on a certain threshold.

With that being said, let’s look at configuring some workload policies!

Configuring Workload Protection

In this section, you’ll walk through configuring workload protections at a high level using built-in templates.