
Microsoft ETR to Unified DLP

Page 1 of 51

Exchange Transport Rules To Unified DLP - Play Book

Disclaimer:

© 2020 Microsoft Corporation. All rights reserved. This document is provided as-is. Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.


TABLE OF CONTENTS 1

1. INTRODUCTION ........ 3
1.1 Objective ........ 3
1.2 Scope ........ 4
1.3 Assumptions ........ 4
1.4 Intended Audience ........ 4
2. ADOPTION PROCESS FLOW ........ 5
3. OVERVIEW ........ 6
4. LICENSING REQUIREMENTS ........ 11
5. REQUIRED ROLES TO SET-UP ........ 11
6. PHASES OF MIGRATION ........ 12
6.1 Manual Approach ........ 12
6.1.1 Discovery/Analysis Phase ........ 12
6.1.2 Rationalization and Consolidation Phase ........ 24
6.1.3 Migration ........ 24
6.1.4 Testing in Test mode ........ 24
6.1.5 Production ........ 26
6.2 Migration using Wizard (Tentative Date: Will be available from December 2020) ........ 27
6.2.1 Discovery/Analysis Phase ........ 27
6.2.2 Rationalize/Consolidate Phase ........ 30
6.2.3 Migrate and Test ........ 30
6.2.4 Production Phase ........ 32
6.2.5 Other useful Inputs ........ 33
7. MIGRATION FROM CLASSIC CLIENT (AIP) TO UNIFIED LABELLING CLIENT (MIP) ........ 34
7.1 Process to migrate ........ 34
7.2 Benefits of MIP over AIP ........ 36
8. MIGRATING TO OTHER WORKLOADS (SPO/ODB/MCAS) ........ 37
8.1 Integration with MCAS (Preview) ........ 39
9. ENDPOINT DLP (DEVICES) (Preview) ........ 42
10. INSIGHTS/BEST PRACTICES ........ 48
11. ABBREVIATIONS ........ 49
12. REFERENCES ........ 50

1 For Questions/Corrections: Contact Pavan (pabandar) – MIP-CXE


1. INTRODUCTION

Please use this guide as a starting point for migrating Exchange Transport Rules (ETR) to Unified DLP. All links and references should be up to date; however, if you have a question about the correctness of any information in this document, please reach out to our Yammer group at aka.ms/askmipteam.

For a refresher on the knowledge and differences between Exchange Transport Rules (ETR) and Microsoft Information Protection - Unified DLP (MIP-DLP) when applied to the Exchange workload, please review the overview section of this document before moving forward.

All screenshots in this guide contain the proper configuration settings according to best practices at the time of publication. Please ensure that your configurations mirror those used in this guide. Refer to the Microsoft documentation online at https://docs.microsoft.com/en-us/microsoft-365/compliance/?view=o365-worldwide for the latest updates.

Though the name of this document says play book, it can equally be considered a deployment guide. This document will be updated as and when new features are introduced to MIP. Also note that not all of the stages below need to be implemented; it depends on the organization's requirements and the availability of licenses.

There are 4 stages/tracks explained in this document:

Stage 1: Migration from ETR to Unified DLP (Section 7)
Stage 2: Migration from classic client (AIP) to unified labelling client (MIP) (Section 8)
Stage 3: Integration with other workloads (SPO/ODB/MCAS) (Section 9)
Stage 4: End point devices (Section 10)

1.1 Objective

This document provides an overview of how enterprise customers can migrate their existing Exchange Transport Rules to the Unified DLP portal. It walks through the different stages of migration and shows the effectiveness of the Unified DLP portal as a single place to define all aspects of your DLP strategy.

In summary, this play book will help to

➢ Understand the migration process.

➢ Understand the unified console and interface.

➢ Develop a strategy for the migration.

➢ Ensure a smooth migration process.

➢ Find resources to support the migration process.


1.2 Scope

This document helps readers understand the process to be followed during the migration of traditional Exchange transport rules to Unified DLP, followed by the addition of other workloads. Unified DLP integrates with multiple workloads, which helps to protect customer data with a single policy.

This document also explains how to migrate existing ETR (DLP) rules to Unified DLP using:

a) the traditional manual approach;
b) the Microsoft-developed, built-in Migration Wizard.

It also provides guidance on the various stages of the migration.

1.3 Assumptions

Customer has M365 E3/E5 license and is currently using ETR for data protection on Exchange.

1.4 Intended Audience

Customers, Partners, Internal Microsoft employees


2. ADOPTION PROCESS FLOW

(Shapes are not as per standards)

Figure 1: Adoption Flow


3. OVERVIEW

Microsoft Information Protection (MIP) helps to identify, discover, classify and protect sensitive information wherever it lives, either at rest or in transit.

Figure 2: Microsoft Information Protection Cycle

Know your data assists in understanding the current data landscape and provides organizations with the ability to identify sensitive content residing in Microsoft 365, across Exchange, SPO, ODB and physical devices, depending on the workloads used and the licensing owned.

Protect your data assists in applying flexible protection that includes visual marking, encryption and access restrictions across apps, services and devices, travelling inside and outside the organization.

Prevent data loss (DLP) assists in preventing the accidental data loss and oversharing of sensitive information within or outside the organization. In the Data Loss Prevention capability of MIP, Global and Compliance admins can create policies across workloads and apply rules to protect against data oversharing. Pre-defined, built-in regulatory templates for various industries are available. Administrators can create their own custom policies to suit organizational needs. The URL for creating policies is https://compliance.microsoft.com/datalossprevention. Log in with an appropriate role as described in section 6 of this document and create policies inclusive of the desired workloads.


Figure 2: Microsoft 365 Compliance Portal DLP wizard

Figure 3: Microsoft 365 Compliance Portal – DLP across workloads

The alerts produced during the protection of data can be viewed using DLP Alerts / Activity Explorer. Activity Explorer (E5 license) provides a 360-degree view (also known as "Know your data") of risky user activities across the tenant and helps administrators take preventive measures. Figure 4 shows Activity Explorer with detailed metadata of user activity, where and when it happened. (DLP real-time alerts are coming soon.)

Figure 4: Activity Explorer with user activities

Similarly, MIP has a Content Explorer, which is part of the Data Classification dashboard. Content Explorer shows a current snapshot of items with sensitivity labels, retention labels and contained Sensitive Information Types in your organization. A DLP policy can help protect sensitive information that is detected through one or more Sensitive Information Types. Microsoft 365 includes ready-to-use definitions for many common Sensitive Information Types from many different regions, for example credit card numbers, bank account numbers, national ID numbers, and Windows Live ID service numbers.


Figure 5: Content Explorer with summary view

Upon further drill-down, the exact file location and the file containing sensitive information can be viewed for further action or protection, along with the last modification date and user.

For both features (Activity Explorer and Content Explorer), separate role-based access is required to view the files (refer to section 6).

EXCHANGE TRANSPORT RULE (ETR)

Prior to Unified DLP, most organizations protected data using the rules created in Exchange. You can use mail flow rules (also known as transport rules) to identify and act on messages that flow through the Exchange Online organization. Mail flow rules are like the Inbox rules available in Outlook and Outlook on the web. The main difference is that mail flow rules act on messages while they are in transit, not after the message is delivered to the mailbox. Mail flow rules contain a richer set of conditions, exceptions and actions, which give you the flexibility to implement many types of messaging policies.

Like Unified DLP, mail flow rules have components such as conditions, exceptions, actions and alerts/notifications.

Mail flow rules are primarily used for:

➢ Defining rules to encrypt messages.
➢ Defining rules to route mails based on keywords or phrases.
➢ Blocking mails when the attachment contains Sensitive Information Types or exceeds a recommended size.
➢ Organization-wide message disclaimers, signatures, footers, or headers in Exchange Online.
➢ Setting the spam confidence level (SCL) in messages.

For summary and detail reports about messages that matched mail flow rules, see here.

Figure 6: Exchange Admin Center for creating DLP Policy

On clicking the yellow ribbon, you will be taken to the Unified Portal for further actions (you may not see this in your tenant at the moment). Refer to Figure 6.

Figure 7: Microsoft Compliance Portal -DLP Wizard


With the availability of the unified console across workloads, Microsoft recommends migrating all existing ETR rules into Unified DLP. This will provide a far more streamlined experience for administrators via a single console.

Benefits of Migration:

➢ Unified console
➢ Single policy across all workloads (Exchange, SPO, ODB, Teams, Devices, MCAS)
➢ Easy maintenance: one administrative location
➢ Protection of data at rest and in transit
➢ Easy navigation to other compliance features and capabilities
➢ Improves ROI by providing new MIP features from a common portal
➢ Greater protection coverage: available for Office apps on Windows, web, Mac, Android and iOS

4. LICENSING REQUIREMENTS

Pre-requisite for MIP: M365 E3/A3, or Office 365 E3 + EMS E3.

For Auto Labelling, Endpoint DLP, Activity Explorer, Content Explorer, MCAS, Teams Chat and all other new forthcoming features in MIP, consider the Microsoft 365 E5 Compliance Suite / M365 Information Protection & Governance. Detailed M365 licensing guidance for security and compliance, with a comparison of E3 and E5 features, is available here.

5. REQUIRED ROLES TO SET-UP

To create DLP policies/rules in the Microsoft 365 Compliance Center, the user should have the role of Global Admin or Compliance Admin / Compliance Data Admin.

To view the data visualization in the Data Classification module, there are two roles that grant access to Content Explorer (RBAC):

Content Explorer List viewer: Membership in this role group allows you to see each item and its location in list view. The data classification list viewer role has been pre-assigned to this role group.

Content Explorer Content viewer: Membership in this role group allows you to view the contents of each item in the list. The data classification content viewer role has been pre-assigned to this role group.


Stage1: Migration from Exchange Transport Rules to Unified DLP

6. PHASES OF MIGRATION

Below are the various phases to be followed when migrating to Unified DLP. They help ensure a successful migration by providing clear deliverables at each phase of the migration project. This document explains the process using two approaches: manual migration, and an automated wizard approach (currently a work in progress).

6.1 Manual Approach:

High-level project timelines (approximate) for a tenant with 100 ETR rules to be migrated to Unified DLP are as follows:

6.1.1 Discovery/Analysis Phase

This phase consists of gathering the detailed requirements from the viewpoint of migrating the Exchange Transport Rules to the Unified DLP portal. If the organization has multiple tenants and users working in various geos, with Exchange rules created across those geos by different admins, all details related to the number of ETR rules, their purpose and their telemetry will need to be gathered. Requirements for functionality, information analysis, business and technical metadata, performance and access control must be gathered, analysed and frozen. Infrastructure/licensing requirements and high-level organizational needs must be finalised and confirmed. This phase will help highlight the value of the advanced compliance features available in the M365 Compliance Portal and will help visualize how these features can be applied to the organization. If required, a PoC can also be planned in this phase.

In this phase, extensive end user, IT and information security interviews will be conducted. The existing rules will be studied. The conditions, actions and exceptions of the rules will be documented in detail. Telemetry analysis will be carried out.

Based on the current rules strategy, a detailed gap analysis between ETR predicates and Unified DLP predicates will be carried out. This gap analysis document will act as a mapping document between source (ETR) and target (DLP).

[Figure: project timeline] Discovery/Analysis (2 wks) → Rationalize/Consolidate (2 wks) → Migrate/Test (2 wks) → Production


As of now, Microsoft has deployed 90% of all the predicates required for effective migration from ETR to Unified DLP. Wherever a UI feature is unavailable, equivalent PowerShell cmdlets have been provided.

Below are the steps and commands:

Step 1: Export all transport rules, with their descriptions, into a txt or csv file.

Figure 8: PowerShell cmdlet for exporting rules

The result will contain a description of all ETR rules.

Step 2: Export from EAC DLP and review

Use the command below to review the feasibility of migration:

$file = Export-TransportRuleCollection -Organization <Tenant Name> -Format 'DlpMigrationRuleCollection'
Set-Content -Path "C:\Users\Public\Desktop\etrrules.xml" -Value $file.FileData -Encoding Byte

(-Encoding Byte is Windows PowerShell 5.1 syntax; in PowerShell 7, Set-Content takes -AsByteStream instead.)

The result will return JSON as highlighted below:


Migrated JSON:

[{
    "Version": "1.0",
    "PolicyId": "6ec5aaa5-777f-4395-a631-6469d5c739fc",
    "PolicyName": "mtool_pol",
    "Name": "mtool_rule",
    "Id": null,
    "Enabled": true,
    "Mode": 1,
    "RuleErrorAction": 0,
    "MigrationParameters": [{
        "Version": "1.0",
        "Type": "SubjectContainsWords",
        "Words": ["hello"],
        "IsException": false
    }, {
        "Version": "1.0",
        "Type": "Moderate",
        "ModerateMessageByManager": true,
        "ModerateMessageByUser": []
    }],
    "MigrationDetails": [{
        "Type": "Condition",
        "Level": "Warning",
        "Name": "SCLOver",
        "Message": ["We do not support this condition in Unified DLP"],
        "PossibleCauses": ["This is a mail flow specific condition"],
        "RecommendedAction": ["Create a mail flow rule"],
        "Version": "1.0"
    }]
}]

Warnings are also captured in the resulting JSON. This helps the administrator discover and understand which rules will be migrated and the warnings associated with them. The example highlighted above shows that SCLOver is not a supported condition, as it is not a DLP-specific condition.

Once the feasibility analysis is done, the admin can progress to migration.

Step 3: Use the cmdlet below to migrate rules from EAC DLP to Unified DLP:

Import-DlpComplianceRuleCollection -Organization <Tenant Name> -FileData $file.FileData


Figure 9: Powershell cmdlet for Importing rules

After running the above command, you can verify the migrated rules in Unified DLP by running Get-DlpComplianceRule.
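As an added example (not code from the playbook), the script below runs the three steps of this phase as one pass in Windows PowerShell 5.1: it inventories the rules to CSV, exports the migration collection, decodes the JSON to list every rule that carries a MigrationDetails warning, and only then imports. It assumes the ExchangeOnlineManagement module is installed, uses placeholder values for <Tenant Name> and the output folder, and assumes that the import and verification cmdlets are run from a Security & Compliance PowerShell session (Connect-IPPSSession); the prompt that gates the import on reviewed warnings is this example's own addition.

```powershell
# Added example (not from the playbook): the three manual steps above as one pass,
# with a gate that stops before import when the export reports warnings.
# Assumptions: ExchangeOnlineManagement module installed; <Tenant Name> and the output
# folder are placeholders; $file.FileData holds JSON bytes, as the playbook describes.
Import-Module ExchangeOnlineManagement

$tenant = '<Tenant Name>'              # placeholder
$outDir = 'C:\Users\Public\Desktop'    # folder used in the playbook
Connect-ExchangeOnline                 # Exchange Online session for the ETR cmdlets

# Step 1: inventory every transport rule with its description and state.
Get-TransportRule -ResultSize Unlimited |
    Select-Object Name, State, Priority, Description |
    Export-Csv -Path (Join-Path $outDir 'etr-inventory.csv') -NoTypeInformation

# Step 2: export the DLP migration collection and keep the raw bytes on disk.
$file = Export-TransportRuleCollection -Organization $tenant -Format 'DlpMigrationRuleCollection'
# -Encoding Byte is Windows PowerShell 5.1 syntax; PowerShell 7 uses -AsByteStream.
Set-Content -Path (Join-Path $outDir 'etrrules.xml') -Value $file.FileData -Encoding Byte

# Decode the JSON and flatten every MigrationDetails entry (e.g. the SCLOver warning
# shown above) into one row per rule/warning for review.
$rules = [System.Text.Encoding]::UTF8.GetString($file.FileData) | ConvertFrom-Json
$warnings = foreach ($rule in $rules) {
    foreach ($d in @($rule.MigrationDetails | Where-Object { $_ })) {
        [pscustomobject]@{
            Policy  = $rule.PolicyName
            Rule    = $rule.Name
            Kind    = $d.Type
            Level   = $d.Level
            Name    = $d.Name
            Message = ($d.Message -join ' ')
            Action  = ($d.RecommendedAction -join ' ')
        }
    }
}
$warnings | Format-Table -AutoSize
$warnings | Export-Csv -Path (Join-Path $outDir 'etr-migration-warnings.csv') -NoTypeInformation

# Step 3: import only after the warnings have been reviewed. The DLP cmdlets live in
# the Security & Compliance endpoint, so connect to it first (assumption).
$proceed = ($warnings.Count -eq 0) -or
           ((Read-Host 'Warnings listed above. Type IMPORT to continue') -eq 'IMPORT')
if ($proceed) {
    Connect-IPPSSession
    Import-DlpComplianceRuleCollection -Organization $tenant -FileData $file.FileData
    # Verify what arrived; Mode shows whether each rule landed in test or enforce mode.
    Get-DlpComplianceRule |
        Select-Object Name, ParentPolicyName, Mode, Disabled |
        Format-Table -AutoSize
}
```

Rules listed in etr-migration-warnings.csv with Level "Warning" are still imported; the gate exists so that the unsupported predicate (here SCLOver) is consciously left as a mail flow rule, as the RecommendedAction in the JSON says, rather than silently dropped.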

A second way of analysing manually is to compare the existing conditions and actions of ETR with the available conditions and actions of Unified DLP. Make a list of all the existing actions and conditions of the ETR rules in the tenant and compare them with the available actions and conditions in Unified DLP.

A sample analysis of available actions and conditions is below for reference. (The last column needs to be filled in as part of the analysis: whether the predicate has been used in the org or not.)

Action (ETR) | Available in Unified DLP | Equivalent action in Unified DLP | Used in our Tenant?
---|---|---|---
Forward the message for approval | | |
ModerateMessageByUser | Yes | ModerateMessageByUser | Yes
ModerateMessageByManager | Yes | ModerateMessageByManager | No
Redirect the message to | | |
RedirectMessageTo | Yes | RedirectMessageTo | TBD
RouteMessageOutboundConnector | No | - |
Block the message | | |
RejectMessageReasonText | Yes | Block | Yes
DeleteMessage | Yes | Block | No
Add recipients | | |
BlindCopyTo | Yes | BlindCopyTo | Yes
AddToRecipients | Yes | AddToRecipients | TBD
AddManagerAsRecipientType | Yes | AddManagerAsRecipientType | TBD
Apply Disclaimer | | |
Apply HTML Disclaimer | Yes | Apply HTML Disclaimer | NA
ApplyClassification | Yes | Set Label | Yes
Modify the message properties | | |
RemoveHeader | Yes | RemoveHeader |
SetHeaderName | Yes | Set Header |
ApplyClassification | No | - |
Prepend Subject | Yes | Prepend Subject |
ApplyRightsProtectionTemplate | Yes | Encrypt |
Modify the message security | | |
ApplyRightsProtectionTemplate | Yes | Encrypt |
ApplyOME | Yes | Encrypt |
RemoveOME | Yes | Remove OME |
RemoveOMEv2 | Yes | Remove OME |
Notification | | |
Notify Sender | Yes | User Notification |
GenerateIncidentReport | Yes | GenerateIncidentReport |
GenerateNotification | Yes | User Notification |
Other Actions | | |
SetAuditSeverity | Yes | Report Severity Level |
StopRuleProcessing | Yes | StopRuleProcessing |
Quarantine | Yes - with finetuning | Moderation |

Table 1: Mapping actions between ETR predicates and Unified DLP predicates on Exchange

Conditions comparison document between ETR and Unified DLP:

Condition (ETR) | Available in Unified DLP | Equivalent condition in Unified DLP | Used in our Tenant?
---|---|---|---
Sender | | |
From | Yes | Sender Is | Yes
FromScope | Yes | Content is received from | No
FromMemberOf | Yes | Sender Is a member of |
FromAddressContainsWords | Yes | Sender address contains words | TBD
FromAddressMatchesPatterns | Yes | Sender address matches patterns |
SenderDomainIs | Yes | Sender domain is |
HasSenderOverride | Yes | Has sender override | Yes
SenderIPRanges | Yes | Sender IP Address Is | No
SenderADAttributeContainsWords | Yes - with finetuning | Sender Is a member of |
SenderADAttributeMatchesPatterns | Yes - with finetuning | Sender Is a member of | Yes
SenderInRecipientList | No | - | TBD
Recipient | | | TBD
SentTo | Yes | Recipient is |
SentToScope | Yes | Content is shared from | NA
SentToMemberOf | Yes | Recipient is a member of | Yes
RecipientAddressContainsWords | Yes | Recipient address contains words |
RecipientAddressMatchesPatterns | Yes | Recipient address matches patterns |
RecipientDomainIs | Yes | Recipient domain is |
RecipientADAttributeContainsWords | Yes - with finetuning | Recipient is a member of |
RecipientADAttributeMatchesPatterns | Yes - with finetuning | Recipient is a member of |
RecipientInSenderList | No | - |
Subject or Body | | |
SubjectOrBodyContainsWords | Yes | Subject or body contains words |
SubjectOrBodyMatchesPatterns | Yes | Subject or body matches patterns |
SubjectContainsWords | Yes | Subject contains words |
SubjectMatchesPatterns | Yes | Subject matches patterns |
Attachment / Document | | |
AttachmentIsUnsupported | Yes | Attachment could not be scanned |
AttachmentNameMatchesPatterns | Yes | Document name matches patterns |
AttachmentExtensionMatchesWords | Yes | Attachment file extension |
AttachmentSizeOver | Yes | Document size over |
AttachmentProcessingLimitExceeded | Yes | Attachment content did not complete scanning |
AttachmentHasExecutableContent | Yes | Attachment file extension |
AttachmentIsPasswordProtected | Yes | Attachment is password protected |
AttachmentPropertyIs | Yes | Document property is |
AttachmentPropertyContainsWords | Yes | Document property is |
AttachmentContainsWords | Yes - with finetuning | Content contains SIT |
AttachmentMatchesPatterns | Yes - with finetuning | Content contains SIT |
Any recipients | | |
AnyOfRecipientAddressContainsWords | Yes - with finetuning | Recipient address contains words |
AnyOfRecipientAddressMatchesPatterns | Yes - with finetuning | Recipient address matches patterns |
Message Additional 1 | | |
MessageContainsDataClassifications | Yes | Content contains SIT |
AnyOfToHeader | Yes | Recipient Is |
AnyOfToHeaderMemberOf | Yes | Recipient is a member of |
AnyOfCcHeader | Yes | Recipient Is |
AnyOfCcHeaderMemberOf | Yes | Recipient is a member of |
AnyOfToCcHeader | Yes | Recipient Is |
AnyOfToCcHeaderMemberOf | Yes | Recipient is a member of |
MessageSizeOver | Yes | Message size over |
ContentCharacterSetContainsWords | Yes | Content character set contains words |
Sender Recipient Additional 1 | | |
SenderManagementRelationship | No | - |
BetweenMemberOf1 and BetweenMemberOf2 | No | - |
ManagerForEvaluatedUser and ManagerAddress | No | - |
ADAttributeComparisonAttribute and ADComparisonOperator | No | - |
Message Properties Additional 1 | | |
MessageTypeMatches | Yes | Message type matches |
HasClassification | Yes | Label as a condition |
WithImportance | Yes | With importance |
HasNoClassification | No | - |
Message Headers Additional 1 | | |
HeaderContainsMessageHeader and HeaderContainsWords | Yes | Header contains words |
HeaderMatchesMessageHeader and HeaderMatchesPatterns | Yes | Header matches patterns |

Table 2: Mapping conditions between ETR predicates and Unified DLP predicates on Exchange


In the above tables, the notation Yes / No / Yes - with fine tuning means:

Yes: A direct mapping of the condition or action is available in Unified DLP. Example conditions: the From and SentTo predicates.

No: The condition or action is not available in Unified DLP (or is not applicable to the Unified DLP scenario). Example: Spam confidence level (SCL) is a numerical value indicating the likelihood that an incoming email message is spam. SCL is a component of the Microsoft Exchange spam filter and is specific to mail flow rules, not DLP.

Yes - with fine tuning: Mapped to another condition to maintain the same behaviour. This is a scenario where another predicate in Unified DLP ensures the same behaviour is maintained to fulfil the scenario. Example: AnyOfToHeader (ETR) = Recipient Is (Unified DLP)
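The "Used in our Tenant" column of Tables 1 and 2 can be filled from the live rule set rather than by hand. The following is an added example, not part of the playbook: it encodes a subset of the mapping tables (status Yes, No, or Tune for "Yes - with finetuning"), walks each rule object, and reports which predicates are in use and which of those have no Unified DLP equivalent. It assumes that the objects returned by Get-TransportRule expose each condition, exception (ExceptIf* prefix) and action as a property named after the predicate; the two sample rules are constructed so the function runs offline, and the live call is shown commented out.

```powershell
# Added example (not from the playbook). Fills the "Used in our Tenant" column from a
# rule set. Assumption: Get-TransportRule objects expose each predicate as a property
# of the same name, with exceptions prefixed ExceptIf.
# Status values: Yes = direct mapping, No = no Unified DLP equivalent,
# Tune = "Yes - with finetuning". This is a subset of Tables 1 and 2, as an example.
$mapping = @{
    # conditions
    'From'                           = @{ Status = 'Yes';  Equivalent = 'Sender Is' }
    'SentTo'                         = @{ Status = 'Yes';  Equivalent = 'Recipient is' }
    'SubjectContainsWords'           = @{ Status = 'Yes';  Equivalent = 'Subject contains words' }
    'AttachmentContainsWords'        = @{ Status = 'Tune'; Equivalent = 'Content contains SIT' }
    'SenderADAttributeContainsWords' = @{ Status = 'Tune'; Equivalent = 'Sender Is a member of' }
    'SCLOver'                        = @{ Status = 'No';   Equivalent = '-' }
    'SenderManagementRelationship'   = @{ Status = 'No';   Equivalent = '-' }
    # actions
    'ModerateMessageByManager'       = @{ Status = 'Yes';  Equivalent = 'ModerateMessageByManager' }
    'RejectMessageReasonText'        = @{ Status = 'Yes';  Equivalent = 'Block' }
    'SetAuditSeverity'               = @{ Status = 'Yes';  Equivalent = 'Report Severity Level' }
    'Quarantine'                     = @{ Status = 'Tune'; Equivalent = 'Moderation' }
    'RouteMessageOutboundConnector'  = @{ Status = 'No';   Equivalent = '-' }
}

function Test-PredicateSet {
    # A predicate counts as used when its property holds a value: not null, not an
    # empty string or collection, and not $false (unset switches read back as $false).
    param($Value)
    if ($null -eq $Value) { return $false }
    if ($Value -is [bool]) { return $Value }
    if ($Value -is [string]) { return $Value -ne '' }
    if ($Value -is [System.Collections.ICollection]) { return $Value.Count -gt 0 }
    return $true
}

function Get-PredicateUsage {
    param([Parameter(Mandatory)] $Rules)   # objects from Get-TransportRule (or look-alikes)
    $usage = @{}
    foreach ($rule in $Rules) {
        foreach ($prop in $rule.PSObject.Properties) {
            if (-not (Test-PredicateSet $prop.Value)) { continue }
            $name = $prop.Name -replace '^ExceptIf', ''        # exceptions map to the same predicate
            if (-not $mapping.ContainsKey($name)) { continue }  # not a tracked predicate
            if (-not $usage.ContainsKey($name)) { $usage[$name] = @() }
            $usage[$name] += $rule.Name
        }
    }
    foreach ($name in ($mapping.Keys | Sort-Object)) {
        $rulesUsing = if ($usage.ContainsKey($name)) { $usage[$name] } else { @() }
        [pscustomobject]@{
            Predicate    = $name
            Availability = $mapping[$name].Status
            Equivalent   = $mapping[$name].Equivalent
            UsedInTenant = if ($rulesUsing.Count -gt 0) { 'Yes' } else { 'No' }
            Rules        = $rulesUsing -join '; '
        }
    }
}

# Constructed sample rules (shape of Get-TransportRule output, values invented) so the
# analysis runs offline. Against a real tenant use:
#   $rules = Get-TransportRule -ResultSize Unlimited
$rules = @(
    [pscustomobject]@{ Name = 'Block CC to externals'; From = @(); SentTo = @();
        AttachmentContainsWords = @('credit card'); ExceptIfFrom = @('hr@contoso.example');
        RejectMessageReasonText = 'Blocked by policy'; ModerateMessageByManager = $false; SCLOver = $null }
    [pscustomobject]@{ Name = 'Quarantine high SCL'; From = @(); SentTo = @();
        AttachmentContainsWords = @(); ExceptIfFrom = @();
        RejectMessageReasonText = $null; ModerateMessageByManager = $false; SCLOver = 7; Quarantine = $true }
)

$report = Get-PredicateUsage -Rules $rules
$report | Format-Table -AutoSize

# Rules that depend on a predicate with no Unified DLP equivalent must stay as mail
# flow rules or be redesigned before the rule list is frozen.
$report | Where-Object { $_.Availability -eq 'No' -and $_.UsedInTenant -eq 'Yes' } |
    Select-Object Predicate, Rules
```

With the constructed input, the final filter lists SCLOver against "Quarantine high SCL", which is exactly the kind of rule the JSON export in the previous section flags with a warning; the Tune rows (AttachmentContainsWords, Quarantine) are the ones that need a Sensitive Information Type or moderation design decision before migration.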

Once the actions and conditions have been identified and the resulting translation is understood, perform a proof of concept as below.

The screen below shows an ETR rule, "Attachment Contains Words", with the conditions "If the sender is: xxxxxxxxx" and "Attachment content contains words: Credit Card Number", and the action "Forward to Manager for Approval". The severity declared for this rule is Low.


Figure 10: Exchange Transport Rule Wizard

The process of creating the equivalent Unified DLP policy for a similar rule is as follows:

Create a custom policy


Figure 11: Microsoft Compliance Portal – Data Loss Prevention Template Selection

Choose location as : Exchange

Figure 12: Microsoft Compliance Portal – Data Loss Prevention - Workload Selection


Create a new rule and add conditions and actions as below:


Figure 13: Microsoft Compliance Portal – Data Loss Prevention- Rule creation Wizard

When you create a DLP policy, you can enable user notifications. When user notifications are enabled, Microsoft 365 sends out both email notifications and policy tips. You can customize the notification email recipients, the email text and the policy tip text.

The two selected actions are currently in preview.


On Save, you can turn on the policy in test mode or directly in production mode. Microsoft recommends testing first and then moving to production.

Figure 14: Microsoft Compliance Portal – Data Loss Prevention- Enabling Policies Wizard

6.1.2 Rationalization and Consolidation Phase

Based on the telemetry collected in the analysis phase, this phase identifies which rules are used most frequently, which are never used, and so on. This makes it possible to rationalize or remove redundant or unused rules as part of the migration.

At the end of this phase, the final list of rules to be migrated to, or created in, Unified DLP is frozen.

6.1.3 Migration

The actual designed functionality of Unified DLP will be realized in this phase. The outputs of the previous phases will act as inputs to this phase.

There are two ways to perform migration.

1. Identify the ETR rule from the analysis document and create the Unified DLP policy as explained in section 6.1 by choosing equivalent conditions and actions. This can be done either through the M365 Compliance portal UI screens or through PowerShell cmdlets.

2. Use the Microsoft migration wizard (currently work in progress; see section 6.2).
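The PowerShell route of step 1, applied to the proof-of-concept rule from Figure 10 (sender is X, attachment contains "Credit Card Number", forward to manager for approval, severity Low). This is an added example, not code from the play book or from Microsoft; it assumes an existing Security & Compliance PowerShell session (Connect-IPPSSession) and an Exchange Online session for Get-TransportRule, the rule name, sender and report mailbox are placeholders, and mapping the ETR audit severity to ReportSeverityLevel and the manager-approval action to Moderate is the author's assumption, to be checked against Table 1 and Table 2.

```powershell
# Added example: recreate one ETR as a Unified DLP policy + rule in test mode.
# Assumes Connect-ExchangeOnline and Connect-IPPSSession have already been run.

$etrName    = 'CC in attachments'                 # placeholder: name of the ETR being migrated
$policyName = "Migrated - $etrName"
$ruleName   = "$etrName - rule"
$senderUpn  = 'sender@contoso.example'            # placeholder for "xxxxxxxxx" in Figure 10
$reportTo   = 'dlp-reports@contoso.example'       # placeholder mailbox for incident reports

# 1. Read the source ETR so its predicates/actions can be checked against Table 1 and Table 2
#    before anything is created (SetAuditSeverity is the ETR "severity" shown in the wizard).
$etr = Get-TransportRule -Identity $etrName
$etr | Format-List Name, State, Priority, From, AttachmentContainsWords,
                   ModerateMessageByManager, SetAuditSeverity

# 2. Create the custom policy scoped to the Exchange workload, in test mode with
#    notifications. Mode values: TestWithNotifications, TestWithoutNotifications, Enable.
New-DlpCompliancePolicy -Name $policyName `
                        -Comment "Migrated from ETR '$etrName'" `
                        -ExchangeLocation All `
                        -Mode TestWithNotifications

# 3. Create the rule. Mapping used here (assumption, verify against the tables):
#    "sender is X"                        -> From
#    "attachment contains words"          -> DocumentContainsWords
#    "forward to manager for approval"    -> Moderate @{ModerateMessageByManager = $true}
#    ETR audit severity Low               -> ReportSeverityLevel Low
$ruleParams = @{
    Policy                    = $policyName
    Name                      = $ruleName
    From                      = $senderUpn
    DocumentContainsWords     = 'Credit Card Number'
    Moderate                  = @{ ModerateMessageByManager = $true }
    ReportSeverityLevel       = 'Low'
    GenerateIncidentReport    = $reportTo
    IncidentReportContent     = 'Title', 'Sender', 'Recipients', 'Severity', 'Service', 'DetectionDetails'
    NotifyUser                = 'LastModifier'
    NotifyPolicyTipCustomText = 'This attachment matches a migrated transport rule; a manager must approve delivery.'
}
New-DlpComplianceRule @ruleParams

# 4. Confirm the policy is still in test mode before any real mail is evaluated by it.
Get-DlpCompliancePolicy -Identity $policyName | Format-List Name, Mode, ExchangeLocation
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, From, DocumentContainsWords, Moderate, ReportSeverityLevel
```

Leave the original ETR enabled while the policy is in test mode so the two can be compared side by side; switch the policy to Enable only after the test-mode review described in 6.1.4.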

6.1.4 Testing in Test mode

Validation checks the migrated rules against the analysis document or against the current ETR environment. This is the stage at which to find defects that can only be exposed by testing the entire system; it reveals discrepancies between the Unified DLP and ETR processing. Attributes such as alerts, notifications, performance, sensitivity, coexistence, recovery and reliability are verified during this stage.


When the risks of data leakage aren't entirely obvious, it is difficult to work out exactly where you should start with implementing DLP. Fortunately, DLP policies can be run in "test mode", allowing you to gauge their effectiveness and accuracy before you turn them on.

A parallel testing strategy, with "Test Mode" enabled, is mandatory to test end-to-end functionality and performance.

Figure 15: Microsoft Compliance Portal – Data Loss Prevention- Enabling Test Mode

On reviewing the policy and submitting, the new DLP policy will begin to take effect within approximately 1 hour.

Keep testing with various sensitive information types and monitor the notifications. If you leave your DLP policy in test mode and analyze the incident report emails, you can start to get a feel for the accuracy of the DLP policy and how effective it will be when it is enforced. In addition to the incident reports, you can use the DLP reports to see an aggregated view of policy matches across your tenant.

DLP policy templates are not perfect straight out of the box. It is likely that you'll find some false positives occurring in your environment, which is why it is so important to ease your way into a DLP deployment, taking the time to adequately test and tune your policies.

As discussed in the previous section, monitoring notifications and alerts helps greatly during the testing phase. A sample report is shown below.


Figure 16: Microsoft Compliance Portal – Data Loss Prevention- Alerts

When you're happy that your DLP policy is accurately and effectively detecting sensitive information types, and that your end users are ready to deal with the policies being in place, then you can enable the policy.

6.1.5 Production

In this phase, the customer will move out of the testing environment and will deploy and implement compliance workloads in their production environment, enabling the scenarios discussed in previous phases.

The policies will be enabled for all users across the organization.


6.2 Migration using Wizard (Tentative Date: Will be available from December 2020)

Microsoft has developed a migration wizard that replaces this manual approach with an automated, faster process. This improves the speed and accuracy of the migration, resulting in fewer failures. The wizard acts as an accelerator for the migration from ETR to DLP. No training is required; only the effort of testing and re-validation before moving to production needs to be undertaken.

Benefits of the automated process:

- Minimal post-migration steps

- Supports multi-phase migration

- Supports side-by-side analysis

- Less effort and significant time savings

- Detailed report for re-validation

The activities involved in each phase are explained below:

6.2.1 Discovery/Analysis Phase:

Once the customer is ready to migrate EAC (Exchange Admin Center) DLP rules to Unified DLP, log in to compliance.microsoft.com, or log in to the Exchange Admin Center and click on the yellow ribbon (refer to the screen below). This ribbon will not be available until December 2020.

[Timeline diagram: Login to compliance.microsoft.com; Discovery/Analysis (Day 0) → Rationalize/Consolidate (1 wk) → Migrate/Test (1 wk) → Production (end of 2nd week)]


Figure 17: Microsoft Compliance Portal – Migration Wizard

On clicking Get Started on the yellow banner, the wizard connects to the underlying schema, exports the list of policies from EAC and imports them into Unified DLP, and produces a detailed feasibility analysis of the migration.

Figure 18: Exchange Admin Center – Existing Policies

A report is generated as shown below. This report helps the admin re-validate the required effort by looking at the recommendations provided.

Please note: policies, rules, priority and status are exported as-is from EAC DLP for the admin's deeper analysis.


Sample migrated policies are shown below:

Figure 19: Microsoft Compliance Portal – Data Loss Prevention-Create Policy Wizard (Migration)

Figure 20: Microsoft Compliance Portal – Data Loss Prevention-Migration Analysis

As part of the pre-migration analysis, the above screen helps the admin decide the next steps. In the screen above, 10/10 policies will migrate successfully, meaning that all policies and rules can be migrated, with warnings where a predicate is unsupported because it does not exist in Unified DLP. There are also 2 warnings, which identify the workarounds required, based on the provided recommendations.


Please note that this is a pre-migration analysis, allowing the admin to review the outcome before the actual migration starts.

6.2.2 Rationalize/Consolidate Phase

If any warnings were identified in the above phase, the admin reviews the report below and implements the recommendations. A sample report is shown below:

Figure 21: Microsoft Compliance Portal – Data Loss Prevention-Sample Report with recommendations

6.2.3 Migrate and Test

After implementing the suggested changes and rationalizing and consolidating the policies based on organizational usage, the admin starts migrating the policies by enabling them in test mode, as shown below. Evaluation can then happen side by side, comparing the EAC DLP and Unified DLP results.

Figure 22: Review Migration and enable or disable policies


The admin can select the policies to be migrated or ignored before migrating. On confirmation, the selected policies are migrated to the Unified DLP portal, under the Exchange workload, with the same name. If a policy with the same name already exists, the wizard prompts for a name change. The migrated policies are displayed in the unified portal as below:

Figure 23: Microsoft Compliance Portal – Data Loss Prevention- Status (Test Mode)

Thorough parallel testing can be done in this mode to validate the results.

For a side-by-side analysis, the customer can generate Incident Reports (GIR) from both ETR and Unified DLP.

The figures below show both incident reports, one from Unified DLP and the other from Exchange Admin Center DLP.

Figure 24: Generated Incident Report from Unified DLP – Detected Rule


The EAC DLP incident report is captured in the screenshot below:

Figure 25: Generated Incident Report from Exchange Admin Center – Detected Rule

Because this is a migration scenario in which the rule name and policy name remain the same when the policies are migrated in test mode for side-by-side analysis, it is easy to capture the differences between the two; the Unified DLP GIR additionally includes Service as a field.

Tracking the two GIRs helps the customer validate that the previously defined ETRs work as expected with Unified DLP after migration.
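The side-by-side GIR tracking described above, as an added example that is not from the play book: the two record sets are constructed sample data standing in for parsed incident report emails (the field names MessageId, Policy and Rule are assumptions; Service is the extra Unified DLP field named in the text), and the comparison keys on message, policy and rule name, which the migration keeps identical on both sides.

```powershell
# Added example: compare ETR and Unified DLP incident reports collected during
# parallel testing. Records below are CONSTRUCTED sample data, not real GIR emails.

$etrReports = @(
    [pscustomobject]@{ MessageId = '<m1@contoso.example>'; Policy = 'CC Policy';  Rule = 'CC in attachments' }
    [pscustomobject]@{ MessageId = '<m2@contoso.example>'; Policy = 'CC Policy';  Rule = 'CC in attachments' }
    [pscustomobject]@{ MessageId = '<m3@contoso.example>'; Policy = 'SSN Policy'; Rule = 'SSN in body' }
)
$udlpReports = @(
    [pscustomobject]@{ MessageId = '<m1@contoso.example>'; Policy = 'CC Policy';  Rule = 'CC in attachments'; Service = 'Exchange' }
    [pscustomobject]@{ MessageId = '<m3@contoso.example>'; Policy = 'SSN Policy'; Rule = 'SSN in body';       Service = 'Exchange' }
    [pscustomobject]@{ MessageId = '<m4@contoso.example>'; Policy = 'SSN Policy'; Rule = 'SSN in body';       Service = 'Exchange' }
)

function Compare-IncidentReports {
    param(
        [Parameter(Mandatory)] [object[]] $Etr,      # records parsed from EAC DLP GIR mails
        [Parameter(Mandatory)] [object[]] $Unified   # records parsed from Unified DLP GIR mails
    )
    # Policy and rule names survive the migration unchanged, so message + policy + rule
    # identifies "the same detection" on both sides.
    $key = { param($r) '{0}|{1}|{2}' -f $r.MessageId, $r.Policy, $r.Rule }
    $etrKeys  = [System.Collections.Generic.HashSet[string]]::new([string[]]@($Etr     | ForEach-Object { & $key $_ }))
    $udlpKeys = [System.Collections.Generic.HashSet[string]]::new([string[]]@($Unified | ForEach-Object { & $key $_ }))

    $onlyEtr     = $Etr     | Where-Object { -not $udlpKeys.Contains((& $key $_)) }
    $onlyUnified = $Unified | Where-Object { -not $etrKeys.Contains((& $key $_)) }

    # Per-rule counts: a rule firing noticeably less in Unified DLP than in ETR points at a
    # predicate that did not translate cleanly (the "with fine tuning" / unsupported cases).
    $perRule = foreach ($rule in (@($Etr.Rule) + @($Unified.Rule) | Sort-Object -Unique)) {
        [pscustomobject]@{
            Rule        = $rule
            EtrMatches  = @($Etr     | Where-Object Rule -eq $rule).Count
            UdlpMatches = @($Unified | Where-Object Rule -eq $rule).Count
        }
    }
    [pscustomobject]@{
        PerRule            = @($perRule)
        MissedByUnifiedDlp = @($onlyEtr)       # detected by ETR only: mapping gap to investigate
        NewInUnifiedDlp    = @($onlyUnified)   # detected by Unified DLP only: tune before enabling
    }
}

$result = Compare-IncidentReports -Etr $etrReports -Unified $udlpReports
$result.PerRule | Format-Table -AutoSize
'Detected by ETR but not by Unified DLP (check the predicate mapping):'
$result.MissedByUnifiedDlp | Format-Table MessageId, Policy, Rule -AutoSize
'Detected only by Unified DLP (possible false positives to tune while still in test mode):'
$result.NewInUnifiedDlp | Format-Table MessageId, Policy, Rule, Service -AutoSize
```

With the constructed data, message m2 appears as missed by Unified DLP and m4 as new in Unified DLP; both sets should be empty before the policies are switched from test mode to Enable.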

6.2.4 Production Phase

After validating the results and being satisfied with them, the admin enables the policies by clicking Enable.

Figure 26: All migrated policies are enabled post testing


From then on, the IT team/admin creates, modifies and tunes all DLP rules for Exchange in the unified security and compliance portal. The wizard-based migration approach is much faster than the manual approach and is recommended based on our analysis.

6.2.5 Other useful Inputs

Based on our analysis and on reviewing various customer digital estates, we have identified the actions and conditions/predicates in use and provided their equivalents in Unified DLP.

For your reference, the available actions and conditions are listed in Table 1 and Table 2 of this document.


Stage 2: Migration from classic client (AIP) to unified labelling client (MIP)

7. MIGRATION FROM CLASSIC CLIENT (AIP) TO UNIFIED

LABELLING CLIENT (MIP)

7.1 Process to migrate

Microsoft's goal is to provide a built-in, intelligent, unified and extensible solution to protect sensitive data across your digital estate – in Microsoft 365 cloud services, on-premises, third-party SaaS applications, and more. With Microsoft Information Protection (MIP), we are building a unified set of capabilities for classification, labeling and protection not only in Office apps, but also in other popular productivity services where information resides (e.g., SharePoint Online, Exchange Online, Power BI). Over the past year, we consistently delivered built-in capabilities in MIP. You can now use built-in labels to protect documents and emails in the latest Office apps (Word, PowerPoint, Excel, Outlook) on all platforms including the web, iOS, Android, Mac, and Windows.

Timelines to sunset label management in the Azure portal and AIP client (classic)

With label management in the Microsoft 365 compliance center now at parity with the AIP portal experience, we are announcing that we will sunset label management in the Azure portal as of March 31, 2021.

Step by step guide to migrate AIP classic client to MIP Unified client

1. Activate unified labeling from the Azure portal and migrate labels to the Microsoft 365 compliance center to apply policies uniformly across on-premises, Microsoft 365 cloud services and more. This transition has no impact on existing AIP clients, and administrators can perform this step right away. The process takes only a few minutes, depending on the number of labels and complexity.

2. Copy your policies to the Microsoft 365 compliance center or create new policies there.

3. Publish your labels with label policies from the Microsoft 365 compliance center.

4. Download the latest unified labeling client for Windows if you are not yet fully on Office 365 ProPlus.

5. Train end users to apply labels and protection in Office applications across web, Mac, iOS, Android and Windows. Read this article to know which labeling capabilities are available across platforms.


Classic client – Labels & Policies

Figure 27: Azure Information Protection- Labels/Policies Wizard

Unified Labeling client – Activation

Figure 28: Azure Information Protection- Labels/Policies Migration/ Activation Wizard

Activation is a one-time process; once labels and policies have moved into the MIP portal, subsequent changes are made in that console.

For more details, refer to this. The functionality differences are detailed in the official client comparison.


7.2 Benefits of MIP over AIP

• Simpler management - a single console (M365 compliance center) for unified labels and policies across Office, SPO, EXO, Teams, Windows, MCAS and on-premises

• Unified labeling experience across protection (sensitivity) and governance (e.g. retention)

• Unified reporting and analytics – Content explorer for sensitive data discovery and Activity explorer for risky activity monitoring

• Classify the customer's intellectual property using trainable classifiers and customer records using exact data match

• Enable admins to use the Policy simulator to test and audit classification and MIP policies at scale with confidence before deploying them in their organization. This is applicable only for auto-labelling.

• Built-in labeling in Office apps – mobile (iOS and Android), Mac Office, and web apps

• Use server-side auto-labeling to classify and protect documents at rest on SPO/ODB and emails in transit

• Prevent data loss in Teams

• Endpoint DLP is integrated with MIP and does not require a third-party agent to classify and protect information on Windows

• Endpoint signals are integrated with Activity explorer, enabling admins to monitor risky activities and set up alerts

• Simple and unified configuration from the Compliance Center

• Microsoft 365 Analytics


Stage 3: Migration to other workloads

8. MIGRATING TO OTHER WORKLOADS (SPO/ODB/MCAS)

Once we create a DLP policy in the security and compliance center, it is stored in a central policy store, and then synced to the various content sources, including:

• Exchange Online, and from there to Outlook on the web and Outlook.

• OneDrive for Business sites.

• SharePoint Online sites.

• Office desktop programs (Excel, PowerPoint, and Word).

• Microsoft Teams channels and chat messages.

After the policy has synced to the right locations, it starts to evaluate content and enforce actions. As people add or change documents in their sites, the search engine scans the content, so that you can search for it later. Each DLP policy that you have turned on runs in the background (asynchronously), checking search frequently for any content that matches a policy, and applying actions to protect it from inadvertent leaks.

Figure 29: Microsoft Compliance Portal-DLP- Policy Locations

The creation of rules, conditions and actions remains the same as explained in section 6 of this document. The predicates for SPO/ODB differ slightly from the Exchange predicates.


Choosing a site and the ODB account is mandatory before creating a rule. The available actions are limited to restricting access or encrypting the content.

Figure 30: Microsoft Compliance Portal-DLP- Rule-Actions Wizard

An additional feature available in SPO and ODB is auto-labelling (applicable only for E5).

Figure 31: Microsoft Compliance Portal-Information Protection- Auto-labelling Wizard

The auto-labelling feature in Information Protection is also known as "service-based" labelling. This helps in labeling content at rest within SPO and OD4B and in transit via EXO.

Pre-requisites:

Simulation Mode:

Simulation mode is unique to auto-labeling policies and woven into the workflow. You can't automatically label documents and emails until your policy has run at least one simulation.


Workflow for an auto-labeling policy:

1. Create and configure an auto-labeling policy.

2. Run the policy in simulation mode and wait 24 hours, or until the simulation is complete.

3. Review the results, and if necessary, refine your policy. Rerun simulation mode and wait another 24 hours, or until the simulation is complete.

4. Repeat step 3 as needed.

5. Deploy in production.

To view file contents in the source view, you must have the Content Explorer Content Viewer role. Global admins don't have this role by default.

To auto-label files in SharePoint and OneDrive:

• You have enabled sensitivity labels for Office files in SharePoint and OneDrive.

• At the time the auto-labeling policy runs, the file mustn't be open by another process or user. A file that is checked out for editing falls into this category.

8.1 Integration with MCAS (Preview)

This feature is currently in private preview, and additional features may be added at general availability.

Microsoft Information Protection extends to connected non-Microsoft apps through Microsoft Cloud App Security. With these capabilities, you can discover and protect all your data from one place, Microsoft Information Protection. With this integration with Microsoft Cloud App Security, you can discover and protect your sensitive data across M365 services and non-Microsoft apps.

Supported non-Microsoft apps for DLP policies:

• Box

• Dropbox

• G-Suite

• Salesforce

• Cisco Webex


Figure 32: Microsoft Compliance Portal-DLP- Policy Location

The process of adding a new rule, actions and conditions remains the same as explained in section 7.1.

The actions available in this preview are:

Figure 33: Microsoft Compliance Portal-DLP- MCAS Workload-Restricting the Third Party Apps


Matches for a DLP policy in non-Microsoft apps

You can see the policy matches in MCAS.

1. Go to the Control section, and then to the Policies page.

2. The new policy is created in MCAS as well. Click on matches to see the new policy matches:

Figure 34: Cloud App Security Portal - Policy

Note: In the future, policy matches will also be available in the Security and Compliance Center.


Stage 4: Integration with Endpoint DLP (Devices)

9. ENDPOINT DLP (DEVICES) (PREVIEW)

Microsoft Endpoint DLP (E5 license required) is part of the Microsoft 365 DLP suite of features you can use to discover and protect your sensitive data across Microsoft 365 services. Microsoft Endpoint DLP allows you to monitor Windows 10 devices (without any additional agent) and detect when sensitive data is used and shared. This gives you the visibility and control you need to ensure sensitive data is used and protected properly, and to help prevent risky behaviour that might compromise your sensitive data.

Microsoft Endpoint DLP enables you to audit and manage the following types of activities users take on files on devices running Windows 10. This includes:

• File created and modified.

• File renamed.

• File copied to cloud - when a file is uploaded to a domain through the Chromium Edge browser.

• File accessed by unallowed app - when a file is read by a process that was defined as unallowed (managed as part of the DLP policy).

• File printed - when a file is printed to a local or network printer.

• File copied to removable media - when a file is copied to or created on a removable media device.

• File copied to network share - when a file is copied to a network share (e.g., \\my-server) or a mapped network drive.

• File contents copied to clipboard - when data from a file is copied to the clipboard.

The creation of the policy remains the same as explained in the sections above; only the available actions differ.

Figure 35: Microsoft Compliance Portal-DLP- End Point (Devices) Workload


Allowed actions in the policy are:

Figure 36: Microsoft Compliance Portal-DLP- End Point (Devices) Workload – Actions

By default, these policies work in the Edge browser. To block unallowed apps and unauthorized browsers as well, additional settings are required in:


Figure 37: Microsoft Compliance Portal-End Point (Devices) Settings to restrict Unallowed Apps/Browsers

To test this policy, you need a physical device or an Azure VM. Below are examples of blocking sensitive content on one of the devices (setting up the Azure VM is out of scope for this document).

The sample file used for this demo contains a credit card number and an SSN, as shown below:


Figure 38: Sample file containing Sensitive Information

Use case 1:

Block while copying the content to the clipboard

Figure 39: Blocked message – While copying the Sensitive Information


Use case 2:

Block the file while copying it to a network share

Figure 40: Blocked message – While copying the Sensitive Information to network share

Use case 3:

Open with an unallowed app (Notepad++)

Figure 41: Blocked message – While opening the Sensitive Information file from an unallowed app


Use case 4:

Upload to Gmail, where the domain mail.google.com was restricted in the endpoint DLP settings

Figure 42: Blocked message – uploading the Sensitive Information file into an unallowed app

Use case 5:

Upload to xxx.Box.com

Figure 43: Blocked message – uploading the Sensitive Information file into a third-party app

Microsoft Endpoint DLP detects the activities that users and processes take on endpoint-based files. These activities are reported to Microsoft 365 and appear in Microsoft 365 Compliance >> Data classification >> Activity explorer.

Microsoft Endpoint DLP monitors the activity types mentioned above on all Word, Excel, PowerPoint, .pdf and .csv files on the endpoint. Each event type contains different attributes to give you a better understanding of the event.

Here are a couple of examples of insights discoverable through the Activity explorer. The screen below shows the "file accessed by unallowed app" activity and the endpoint DLP rule that caught it in the use cases discussed above.


Figure 44: Tracking the user activities from Activity Explorer

Currently, Endpoint DLP is in public preview, and more features will be added at general availability. Always refer to the Microsoft docs for the latest information.

10. INSIGHTS/BEST PRACTICES

Based on experience to date, a solid upgrade largely depends on 6 factors:

✓ Understanding the migration process thoroughly

✓ Seeing the value of the unified interface

✓ Assessing the scope of the migration

✓ Managing and planning the migration process

✓ Taking advantage of the MIP console

✓ Accommodating the changes and gaps in the unified interface


11. ABBREVIATIONS

Name     Description

MIP      Microsoft Information Protection

DLP      Data Loss Prevention

ETR      Exchange Transport Rule

SCC      Security and Compliance Centre (portal to create policies)

RBAC     Role Based Access Control

SIT      Sensitive Information Type

AIP      Azure Information Protection

SPO      SharePoint Online

EXO      Exchange Online

ODB      OneDrive for Business

DELPHI   DLP on endpoint devices (Endpoint DLP)

VM       Virtual Machine

EAC      Exchange Admin Center

GIR      Generate Incident Report


12. REFERENCES

https://docs.microsoft.com/en-us/microsoft-365/compliance/create-test-tune-dlp-policy?view=o365-worldwide

https://docs.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance

https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules

https://techcommunity.microsoft.com/t5/microsoft-security-and/announcing-timelines-for-sunsetting-label-management-in-the/ba-p/1226179

https://docs.microsoft.com/en-us/microsoft-365/compliance/apply-sensitivity-label-automatically?view=o365-worldwide

https://techcommunity.microsoft.com/t5/microsoft-security-and/understanding-unified-labeling-migration/ba-p/783185

sensitivity-label-automatically?view=o365-worldwide#how-to-configure-auto-labeling-policies-for-sharepoint-onedrive-and-exchange

Videos:

MIP and Compliance V-blog part 1 - Setting up a secure collaboration environment - Microsoft Tech Community

MIP and Compliance V-blog #2: Setting up a secure collaboration environment - End user point of view - Microsoft Tech Community

MIP and Compliance V-blog #3: Setting up a secure collaboration environment – Security Admin POV - Microsoft Tech Community


----- End of Document----