Microsoft ETR to Unified DLP
Page 1 of 51
Exchange Transport Rules To Unified DLP - Play Book
Disclaimer:
© 2020 Microsoft Corporation. All rights reserved. This document is provided as-is. Information and views
expressed in this document, including URL and other Internet Web site references, may change without notice.
You bear the risk of using it. This document does not provide you with any legal rights to any intellectual property
in any Microsoft product. You may copy and use this document for your internal, reference purposes.
TABLE OF CONTENTS [1]
1. INTRODUCTION ... 3
1.1 Objective ... 3
1.2 Scope ... 4
1.3 Assumptions ... 4
1.4 Intended Audience ... 4
2. ADOPTION PROCESS FLOW ... 5
3. OVERVIEW ... 6
4. LICENSING REQUIREMENTS ... 11
5. REQUIRED ROLES TO SET-UP ... 11
6. PHASES OF MIGRATION ... 12
6.1 Manual Approach ... 12
6.1.1 Discovery/Analysis Phase ... 12
6.1.2 Rationalization and Consolidation Phase ... 24
6.1.3 Migration ... 24
6.1.4 Testing in Test mode ... 24
6.1.5 Production ... 26
6.2 Migration using Wizard (Tentative Date: Will be available from December 2020) ... 27
6.2.1 Discovery/Analysis Phase ... 27
6.2.2 Rationalize/Consolidate Phase ... 30
6.2.3 Migrate and Test ... 30
6.2.4 Production Phase ... 32
6.2.5 Other useful Inputs ... 33
7. MIGRATION FROM CLASSIC CLIENT (AIP) TO UNIFIED LABELLING CLIENT (MIP) ... 34
7.1 Process to migrate ... 34
7.2 Benefits of MIP over AIP ... 36
8. MIGRATING TO OTHER WORKLOADS (SPO/ODB/MCAS) ... 37
8.1 Integration with MCAS (Preview) ... 39
9. ENDPOINT DLP (DEVICES) (Preview) ... 42
10. INSIGHTS/BEST PRACTICES ... 48
11. ABBREVIATIONS ... 49
12. REFERENCES ... 50
[1] For Questions/Corrections: Contact Pavan (pabandar) – MIP-CXE
1. INTRODUCTION
Please use this guide as a starting point for migrating Exchange Transport Rules (ETR) to
Unified DLP. All links and references should be up to date; however, if you have a question
about the correctness of any information in this document, please reach out to our Yammer
group at aka.ms/askmipteam.
For a refresher on the differences between Exchange Transport Rules (ETR) and Microsoft
Information Protection - Unified DLP (MIP-DLP) as applied to the Exchange workload, please
review the Overview section of this document before moving forward.
All screenshots in this guide show the proper configuration settings according to best
practices at the time of publication. Please ensure that your configurations mirror those used
in this guide, and refer to the Microsoft documentation online at
https://docs.microsoft.com/en-us/microsoft-365/compliance/?view=o365-worldwide for the
latest updates.
Though this document is titled a play book, it can equally be considered a deployment guide.
It will be updated as new features are introduced to MIP. Please also note that not all of the
stages below need to be implemented; this depends on the requirements of the organization
and the licenses available.
There are 4 stages/tracks explained in this document:
Stage 1: Migration from ETR to Unified DLP (Section 7)
Stage 2: Migration from classic client (AIP) to unified labelling client (MIP) (Section 8)
Stage 3: Integration with other workloads (SPO/ODB/MCAS) (Section 9)
Stage 4: End point devices (Section 10)
1.1 Objective
This document provides an overview of how enterprise customers can migrate their existing
Exchange Transport Rules to the Unified DLP portal. It walks through the different stages of
the migration and shows the effectiveness of the Unified DLP portal as a single place to define
all aspects of your DLP strategy.
In summary, this play book will help to
➢ Understand the migration process.
➢ Understand the unified console and interface.
➢ Develop a strategy for the migration.
➢ Ensure a smooth migration process.
➢ Find resources to support the migration process.
1.2 Scope
This document helps readers understand the process to be followed when migrating
traditional Exchange transport rules to Unified DLP, followed by the addition of other
workloads. Unified DLP integrates with multiple workloads, which helps to protect customer
data with a single policy.
It describes the process for migrating existing ETR (DLP) rules to Unified DLP using:
a) The traditional manual approach
b) The in-built Migration Wizard developed by Microsoft
It also provides guidance on the various stages of the migration.
1.3 Assumptions
The customer has an M365 E3/E5 license and is currently using ETR for data protection on Exchange.
1.4 Intended Audience
Customers, Partners, Internal Microsoft employees
2. ADOPTION PROCESS FLOW
(Shapes are not as per standards)
Figure 1: Adoption Flow
3. OVERVIEW
Microsoft Information Protection (MIP) helps to identify, discover, classify, and protect
sensitive information wherever it lives, either at rest or in transit.
Figure 2: Microsoft Information Protection Cycle
Know your data assists in understanding the current data landscape and gives organizations
the ability to identify sensitive content residing in Microsoft 365 across Exchange, SPO, ODB
and physical devices, depending on the workloads used and the licensing owned.
Protect your data assists in applying flexible protection, including visual marking, encryption
and access restrictions, across apps, services and devices, and that protection travels with the
data inside and outside the organization.
Prevent data loss (DLP) assists in preventing accidental data loss and oversharing of sensitive
information within or outside the organization. In the Data Loss Prevention capability of MIP,
Global and Compliance admins can create policies across workloads and apply rules to protect
against data oversharing. Pre-defined, built-in regulatory templates for various industries are
available, and administrators can create their own custom policies to suit organizational needs.
The URL for creating policies is https://compliance.microsoft.com/datalossprevention. Log in
with an appropriate role as described in section 6 of this document and create policies that
include the desired workloads.
Figure 2: Microsoft 365 Compliance Portal DLP wizard
Figure 3: Microsoft 365 Compliance Portal – DLP across workloads
The alerts produced during the protection of data can be viewed using DLP Alerts or Activity
Explorer. Activity Explorer (E5 license) provides a 360-degree view (also known as "Know your
data") of risky user activities across the tenant and helps administrators take preventive
measures. Figure 4 shows Activity Explorer with detailed metadata of a user activity, including
where and when it happened. (DLP real-time alerts are coming soon.)
Figure 4: Activity Explorer with user activities
Similarly, MIP has a Content Explorer, which is part of the Data Classification dashboard.
Content Explorer shows a current snapshot of the items in your organization that carry
sensitivity labels, retention labels or Sensitive Information Types. A DLP policy can help protect
sensitive information, which is detected through one or more Sensitive Information Types.
Microsoft 365 includes ready-to-use definitions for many common Sensitive Information Types
from many different regions, for example credit card numbers, bank account numbers,
national ID numbers, and Windows Live ID service numbers.
Figure 5: Content Explorer with summary view
Upon further drill-down, the exact file location and the file containing sensitive information
can be viewed for further action or protection, along with the last modification date and the
user who made it.
For both features (Activity Explorer and Content Explorer), separate role-based access is
required to view the files (refer to section 6).
EXCHANGE TRANSPORT RULE (ETR)
Prior to Unified DLP, most organizations protected data using the rules created in Exchange.
You can use mail flow rules (also known as transport rules) to identify and act on messages
that flow through the Exchange Online organization. Mail flow rules are like the Inbox rules
available in Outlook and Outlook on the web. The main difference is mail flow rules act on
messages while they are in transit, and not after the message is delivered to the mailbox. Mail
flow rules contain a richer set of conditions, exceptions and actions, which provide you with
the flexibility to implement many types of messaging policies.
Like Unified DLP, mail flow rules have components such as:
Conditions, Exceptions, Actions and Alerts/notifications.
Mail flow rules are primarily used for:
➢ Defining rules to encrypt messages.
➢ Defining rules to route mails based on keywords or phrases.
➢ Blocking mails when the attachment contains Sensitive Information Types or exceeds a
recommended size.
➢ Organization-wide message disclaimers, signatures, footers, or headers in Exchange
Online.
➢ Setting the spam confidence level (SCL) in messages.
For summary and detail reports about messages that matched mail flow rules, see here.
Figure 6: Exchange Admin Center for creating DLP Policy
Clicking the yellow ribbon takes you to the Unified Portal for further actions (you may not
see this ribbon in your tenant at the moment). Refer to Figure 6.
Figure 7: Microsoft Compliance Portal -DLP Wizard
With the availability of the unified console across workloads, Microsoft recommends migrating
all existing ETR rules into Unified DLP. This provides a far more streamlined experience for
administrators via a single console.
Benefits of Migration:
➢ Unified console
➢ Single policy across all workloads (Exchange, SPO, ODB, Teams, Devices, MCAS)
➢ Easy maintenance - one administrative location
➢ Protection of data at rest and in transit
➢ Easy navigation to other compliance features and capabilities
➢ Improves ROI by providing new MIP features from a common portal
➢ Greater protection coverage: available for Office apps on Windows, web, Mac, Android and
iOS
4. LICENSING REQUIREMENTS
Prerequisite for MIP: M365 E3/A3, or Office 365 E3 + EMS E3.
For Auto Labelling, Endpoint DLP, Activity Explorer, Content Explorer, MCAS, Teams Chat and
all other new forthcoming MIP features, consider the Microsoft 365 E5 Compliance Suite or
M365 Information Protection & Governance. Detailed M365 licensing guidance for security
and compliance, with a comparison of E3 and E5 features, is available here.
5. REQUIRED ROLES TO SET-UP
To create DLP policies/rules in the Microsoft 365 Compliance Center, the user must hold the
Global Admin, Compliance Admin or Compliance Data Admin role.
To view the data visualizations in the Data Classification module, there are two role groups
that grant access to Content Explorer (RBAC):
Content Explorer List viewer: Membership in this role group allows you to see each item and
its location in list view. The data classification list viewer role has been pre-assigned to this role
group.
Content Explorer Content viewer: Membership in this role group allows you to view the
contents of each item in the list. The data classification content viewer role has been
pre-assigned to this role group.
Stage1: Migration from Exchange Transport Rules to Unified DLP
6. PHASES OF MIGRATION
Below are the various phases to be followed before migrating to Unified DLP. This helps with
successful migration by providing clear deliverables at each phase of the migration project.
This document explains the process in two approaches: manual migration and through an
automated wizard approach (which is currently a work in progress).
6.1 Manual Approach:
High level project timelines (approximately) for a tenant with 100 ETR rules to be migrated to
Unified DLP are as follows:
6.1.1 Discovery/Analysis Phase
This phase consists of gathering the detailed requirements for migrating the Exchange
Transport Rules to the Unified DLP portal. If the organization has multiple tenants and users
working in various geos, with Exchange rules created across those geos by different admins,
all details on the number of ETR rules, their purpose and their telemetry will need to be
gathered. Requirements for functionality, information analysis, business and technical
metadata, performance and access control must be gathered, analysed and frozen.
Infrastructure/licensing requirements and high-level organizational needs must be finalised
and confirmed. This phase helps highlight the value of the advanced compliance features
available in the M365 Compliance Portal and helps visualize how these features can be applied
to the organization. If required, a PoC can also be planned in this phase.
In this phase, extensive end-user, IT and information-security interviews will be conducted.
The existing rules will be studied, and the conditions, actions and exceptions of each rule will
be documented in detail. Telemetry analysis will be carried out.
Based on the current rules strategy, a detailed gap analysis between ETR predicates and
Unified DLP predicates will be carried out. This gap analysis document will act as the mapping
document between source (ETR) and target (DLP).
Timeline (figure): Discovery/Analysis (2 wks) -> Rationalize/Consolidate (2 wks) -> Migrate/Test (2 wks) -> Production
As of now, Microsoft has deployed 90% of the predicates required for an effective migration
from ETR to Unified DLP. Wherever a UI feature is unavailable, equivalent PowerShell cmdlets
have been provided.
Below are the steps and commands:
Step 1: Export all transport rules with their descriptions into a txt or csv file.
Figure 8: PowerShell cmdlet for exporting rules
The result will contain a description of all ETR rules.
Step 2: Export from EAC DLP and review.
Use the command below to review the feasibility of the migration:
$file = Export-TransportRuleCollection -Organization <Tenant Name> -Format 'DlpMigrationRuleCollection'
Set-Content -Path "C:\Users\Public\Desktop\etrrules.xml" -Value $file.FileData -Encoding Byte
(-Encoding Byte is accepted by Windows PowerShell 5.1; PowerShell 7 replaces it with -AsByteStream.)
The result will return a JSON as highlighted below:
Migrated json:
[{
  "Version": "1.0",
  "PolicyId": "6ec5aaa5-777f-4395-a631-6469d5c739fc",
  "PolicyName": "mtool_pol",
  "Name": "mtool_rule",
  "Id": null,
  "Enabled": true,
  "Mode": 1,
  "RuleErrorAction": 0,
  "MigrationParameters": [{
    "Version": "1.0",
    "Type": "SubjectContainsWords",
    "Words": ["hello"],
    "IsException": false
  }, {
    "Version": "1.0",
    "Type": "Moderate",
    "ModerateMessageByManager": true,
    "ModerateMessageByUser": []
  }],
  "MigrationDetails": [{
    "Type": "Condition",
    "Level": "Warning",
    "Name": "SCLOver",
    "Message": ["We do not support this condition in Unified DLP"],
    "PossibleCauses": ["This is a mail flow specific condition"],
    "RecommendedAction": ["Create a mail flow rule"],
    "Version": "1.0"
  }]
}]
Warnings are also captured in the resulting JSON. This helps the administrator discover and
understand which rules will be migrated and which warnings are associated with them.
The example highlighted above shows that SCLOver is not a supported condition, as it is a
mail flow condition rather than a DLP condition.
Once the feasibility analysis is done, the admin can progress towards migration.
Step 3: Use the cmdlet below to migrate rules from EAC DLP to Unified DLP:
Import-DlpComplianceRuleCollection -Organization <Tenant Name> -FileData $file.FileData
Figure 9: Powershell cmdlet for Importing rules
After running the above command, you can verify the migrated rules in Unified DLP by running
Get-DlpComplianceRule.
A second way of analysing manually is to compare the existing conditions and actions of ETR
with the actions and conditions available in Unified DLP.
Make a list of all the actions and conditions used by the ETR rules in the tenant and compare
them with the actions and conditions available in Unified DLP.
A sample analysis of the available actions and conditions is given below for reference. (The
last column is to be filled in as part of the analysis: whether or not the predicate has been
used in the org.)
Action (ETR) | Available in Unified DLP | Equivalent action in Unified DLP | Used in our Tenant?
--- | --- | --- | ---
Forward the message for Approval | | |
ModerateMessageByUser | Yes | ModerateMessageByUser | Yes
ModerateMessageByManager | Yes | ModerateMessageByManager | No
Redirect the message to | | |
RedirectMessageTo | Yes | RedirectMessageTo | TBD
RouteMessageOutboundConnector | No | - |
Block the message | | |
RejectMessageReasonText | Yes | Block | Yes
DeleteMessage | Yes | Block | No
Add recipients | | |
BlindCopyTo | Yes | BlindCopyTo | Yes
AddToRecipients | Yes | AddToRecipients | TBD
AddManagerAsRecipientType | Yes | AddManagerAsRecipientType | TBD
Apply Disclaimer | | |
Apply HTML Disclaimer | Yes | Apply HTML Disclaimer | NA
ApplyClassification | Yes | Set Label | Yes
Modify the message properties | | |
RemoveHeader | Yes | RemoveHeader |
SetHeaderName | Yes | Set Header |
ApplyClassification | No | - |
Prepend Subject | Yes | Prepend Subject |
ApplyRightsProtectionTemplate | Yes | Encrypt |
Modify the message security | | |
ApplyRightsProtectionTemplate | Yes | Encrypt |
ApplyOME | Yes | Encrypt |
RemoveOME | Yes | Remove OME |
RemoveOMEv2 | Yes | Remove OME |
Notification | | |
Notify Sender | Yes | User Notification |
GenerateIncidentReport | Yes | GenerateIncidentReport |
GenerateNotification | Yes | User Notification |
Other Actions | | |
SetAuditSeverity | Yes | Report Severity Level |
StopRuleProcessing | Yes | StopRuleProcessing |
Quarantine | Yes, with fine tuning | Moderation |
Table 1: Mapping actions between ETR predicates and Unified DLP predicates on Exchange
Conditions comparison document between ETR and Unified DLP:
Condition (ETR) | Available in Unified DLP | Equivalent condition in Unified DLP | Used in our Tenant?
--- | --- | --- | ---
Sender | | |
From | Yes | Sender Is | Yes
FromScope | Yes | Content is received from | No
FromMemberOf | Yes | Sender Is a member of |
FromAddressContainsWords | Yes | Sender address contains words | TBD
FromAddressMatchesPatterns | Yes | Sender address matches patterns |
SenderDomainIs | Yes | Sender domain is |
HasSenderOverride | Yes | Has sender override | Yes
SenderIPRanges | Yes | Sender IP Address Is | No
SenderADAttributeContainsWords | Yes, with fine tuning | Sender Is a member of |
SenderADAttributeMatchesPatterns | Yes, with fine tuning | Sender Is a member of | Yes
SenderInRecipientList | No | - | TBD
Recipient | | |
SentTo | Yes | Recipient is | TBD
SentToScope | Yes | Content is shared from | NA
SentToMemberOf | Yes | Recipient is a member of | Yes
RecipientAddressContainsWords | Yes | Recipient address contains words |
RecipientAddressMatchesPatterns | Yes | Recipient address matches patterns |
RecipientDomainIs | Yes | Recipient domain is |
RecipientADAttributeContainsWords | Yes, with fine tuning | Recipient is a member of |
RecipientADAttributeMatchesPatterns | Yes, with fine tuning | Recipient is a member of |
RecipientInSenderList | No | - |
Subject or Body | | |
SubjectOrBodyContainsWords | Yes | Subject or body contains words |
SubjectOrBodyMatchesPatterns | Yes | Subject or body matches patterns |
SubjectContainsWords | Yes | Subject contains words |
SubjectMatchesPatterns | Yes | Subject matches patterns |
Attachment / Document | | |
AttachmentIsUnsupported | Yes | Attachment could not be scanned |
AttachmentNameMatchesPatterns | Yes | Document name matches patterns |
AttachmentExtensionMatchesWords | Yes | Attachment file extension |
AttachmentSizeOver | Yes | Document size over |
AttachmentProcessingLimitExceeded | Yes | Attachment content did not complete scanning |
AttachmentHasExecutableContent | Yes | Attachment file extension |
AttachmentIsPasswordProtected | Yes | Attachment is password protected |
AttachmentPropertyIs | Yes | Document property is |
AttachmentPropertyContainsWords | Yes | Document property is |
AttachmentContainsWords | Yes, with fine tuning | Content contains SIT |
AttachmentMatchesPatterns | Yes, with fine tuning | Content contains SIT |
Any recipients | | |
AnyOfRecipientAddressContainsWords | Yes, with fine tuning | Recipient address contains words |
AnyOfRecipientAddressMatchesPatterns | Yes, with fine tuning | Recipient address matches patterns |
Message (additional) | | |
MessageContainsDataClassifications | Yes | Content contains SIT |
AnyOfToHeader | Yes | Recipient Is |
AnyOfToHeaderMemberOf | Yes | Recipient is a member of |
AnyOfCcHeader | Yes | Recipient Is |
AnyOfCcHeaderMemberOf | Yes | Recipient is a member of |
AnyOfToCcHeader | Yes | Recipient Is |
AnyOfToCcHeaderMemberOf | Yes | Recipient is a member of |
MessageSizeOver | Yes | Message size over |
ContentCharacterSetContainsWords | Yes | Content character set contains words |
Sender/Recipient (additional) | | |
SenderManagementRelationship | No | - |
BetweenMemberOf1 and BetweenMemberOf2 | No | - |
ManagerForEvaluatedUser and ManagerAddress | No | - |
ADAttributeComparisonAttribute and ADComparisonOperator | No | - |
Message Properties (additional) | | |
MessageTypeMatches | Yes | Message type matches |
HasClassification | Yes | Label as a condition |
WithImportance | Yes | With Importance |
HasNoClassification | No | - |
Message Headers (additional) | | |
HeaderContainsMessageHeader and HeaderContainsWords | Yes | Header contains words |
HeaderMatchesMessageHeader and HeaderMatchesPatterns | Yes | Header matches patterns |
Table 2: Mapping conditions between ETR predicates and Unified DLP predicates on Exchange
In the above tables, the notation Yes / No / Yes, with fine tuning means:
Yes - A direct mapping of the condition or action is available in Unified DLP.
Example conditions: the From and SentTo predicates.
No - The condition or action is not available in Unified DLP (or it is not applicable to the
Unified DLP scenario).
Example: Spam confidence level (SCL) is a numerical value indicating the likelihood that an
incoming email message is spam. SCL is a component of the Microsoft Exchange spam filter
and is specific to mail flow rules, not DLP.
Yes, with fine tuning - Mapped to a different Unified DLP predicate that preserves the same
behaviour, so the scenario is still fulfilled.
Example: AnyOfToHeader (ETR) = Recipient Is (Unified DLP)
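The Step 2 feasibility review (the migration JSON with its warnings) and the manual predicate comparison against Tables 1 and 2 can both be scripted. The PowerShell below is an added example, not part of this playbook or of any Microsoft tool: the function names, the mapping subset and the embedded sample JSON are constructed for it, and it assumes the JSON was saved exactly as Step 2 writes it.

```powershell
# Added example: triage of the Step 2 export JSON plus a Yes / No /
# Yes-with-fine-tuning check of ETR predicate names against Tables 1 and 2.
# Function names, the mapping subset and the sample JSON are constructed here.

# Constructed sample in the shape the playbook shows for
# Export-TransportRuleCollection -Format 'DlpMigrationRuleCollection'
# (PolicyId is a placeholder).
$SampleMigrationJson = @'
[{
  "Version": "1.0",
  "PolicyId": "00000000-0000-0000-0000-000000000000",
  "PolicyName": "sample_pol",
  "Name": "sample_rule",
  "Enabled": true,
  "Mode": 1,
  "MigrationParameters": [
    { "Version": "1.0", "Type": "SubjectContainsWords", "Words": ["hello"], "IsException": false },
    { "Version": "1.0", "Type": "Moderate", "ModerateMessageByManager": true, "ModerateMessageByUser": [] }
  ],
  "MigrationDetails": [
    { "Type": "Condition", "Level": "Warning", "Name": "SCLOver",
      "Message": ["We do not support this condition in Unified DLP"],
      "PossibleCauses": ["This is a mail flow specific condition"],
      "RecommendedAction": ["Create a mail flow rule"], "Version": "1.0" }
  ]
}]
'@

# Subset of the mapping in Tables 1 and 2. Support is 'Yes', 'No' or 'FineTuning'.
$PredicateSupport = @{
    'From'                           = @{ Support = 'Yes';        Target = 'Sender Is' }
    'SentTo'                         = @{ Support = 'Yes';        Target = 'Recipient is' }
    'SubjectContainsWords'           = @{ Support = 'Yes';        Target = 'Subject contains words' }
    'AttachmentContainsWords'        = @{ Support = 'FineTuning'; Target = 'Content contains SIT' }
    'SenderADAttributeContainsWords' = @{ Support = 'FineTuning'; Target = 'Sender Is a member of' }
    'ModerateMessageByManager'       = @{ Support = 'Yes';        Target = 'ModerateMessageByManager' }
    'RejectMessageReasonText'        = @{ Support = 'Yes';        Target = 'Block' }
    'SCLOver'                        = @{ Support = 'No';         Target = '-' }
    'SenderManagementRelationship'   = @{ Support = 'No';         Target = '-' }
}

function Get-DlpMigrationTriage {
    # Takes the migration JSON as a string, or the path Set-Content wrote in Step 2,
    # and returns one object per rule with its predicates and warnings, so rules that
    # need a mail flow rule kept alongside DLP are known before Import-DlpComplianceRuleCollection.
    param(
        [Parameter(Mandatory)] [string] $Json
    )
    # Treat the argument as a path only when it does not already look like JSON.
    if ($Json.TrimStart() -notmatch '^[\[{]' -and (Test-Path -LiteralPath $Json)) {
        $Json = Get-Content -LiteralPath $Json -Raw
    }
    $rules = @(ConvertFrom-Json -InputObject $Json)
    foreach ($rule in $rules) {
        $warnings = @($rule.MigrationDetails | Where-Object { $_.Level -eq 'Warning' })
        [pscustomobject]@{
            Policy       = $rule.PolicyName
            Rule         = $rule.Name
            Enabled      = $rule.Enabled
            Mode         = $rule.Mode
            Predicates   = @($rule.MigrationParameters | ForEach-Object { $_.Type })
            WarningCount = $warnings.Count
            Unsupported  = @($warnings | ForEach-Object { $_.Name })
            Recommended  = @($warnings | ForEach-Object { $_.RecommendedAction }) -join '; '
        }
    }
}

function Test-EtrPredicateSupport {
    # Classifies ETR predicate names the way the last column of the tables asks for:
    # direct mapping, mapping with fine tuning, no DLP equivalent, or not yet mapped.
    param(
        [Parameter(Mandatory)] [string[]] $PredicateName
    )
    foreach ($name in $PredicateName) {
        $entry   = $PredicateSupport[$name]
        $support = 'Unknown - add to the mapping table'
        $target  = '-'
        if ($entry) { $support = $entry.Support; $target = $entry.Target }
        [pscustomobject]@{ Predicate = $name; Support = $support; Target = $target }
    }
}

# Usage: triage the constructed export, then check the predicates it uses together
# with the unsupported SCLOver condition reported in its warnings.
$triage = Get-DlpMigrationTriage -Json $SampleMigrationJson
$triage | Format-List
Test-EtrPredicateSupport -PredicateName ($triage.Predicates + $triage.Unsupported) |
    Format-Table -AutoSize
```

For a real tenant, pass the path of the file written in Step 2 instead of the sample string and extend the mapping hashtable with the remaining rows of Tables 1 and 2.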
Once the actions and conditions have been identified and the resulting translation is
understood, perform a proof of concept as below.
The screen below represents an ETR rule of the type "Attachment Contains Words": if the
sender is xxxxxxxxx and the attachment content contains the words "Credit Card Number",
then forward the message to the manager for approval. The severity declared for this rule is
Low.
Figure 10: Exchange Transport Rule Wizard
The process for creating the equivalent rule in Unified DLP is as follows:
Create a custom policy.
Figure 11: Microsoft Compliance Portal – Data Loss Prevention Template Selection
Choose location as : Exchange
Figure 12: Microsoft Compliance Portal – Data Loss Prevention - Workload Selection
Create a new rule and add conditions and actions as below:
Figure 13: Microsoft Compliance Portal – Data Loss Prevention- Rule creation Wizard
When you create a DLP policy, you can enable user notifications. When user notifications are
enabled, Microsoft 365 sends out both email notifications and policy tips. You can customize
the notification email recipients, the email text and the policy tip text.
The two selected actions are in preview at the time of writing.
On Save, you can turn on the policy in test mode or directly in production mode. Microsoft
recommends testing first and then moving to production.
Figure 14: Microsoft Compliance Portal – Data Loss Prevention- Enabling Policies Wizard
6.1.2 Rationalization and Consolidation Phase
Based on the telemetry collected in the analysis phase, this phase helps to identify the rules
which are most frequently used, never used etc. This helps in rationalizing or removing some
of the redundant or unused rules as part of migration.
At the end of this phase, the final list of rules that are to be migrated or created to unified DLP
will be frozen.
6.1.3 Migration
The actual designed functionality of Unified DLP will be realized in this phase. The outputs of
the previous phases will act as Inputs in this phase.
There are two ways to perform migration.
1. Identify the ETR rule, based on the analysis document and create the Unified DLP policy
as explained in section 6.1 by choosing equivalent conditions and actions. This can be
done either by means of the M365 Compliance portal UI screens or through PowerShell
cmdlets.
2. Using the Microsoft - Migration wizard (currently, work in progress)
6.1.4 Testing in Test mode
Validation checks the migrated rules against the analysis document and against the current
ETR environment. This is the stage to find defects that can only be exposed by testing the
entire system; it shows discrepancies between the Unified DLP and ETR processes. Attributes
such as alerts, notifications, performance, sensitivity, coexistence, recovery and reliability are
verified during this stage.
When the risks of data leakage aren't entirely obvious, it is difficult to work out exactly where
you should start with implementing DLP. Fortunately, DLP policies can be run in "test mode",
allowing you to gauge their effectiveness and accuracy before you turn them on.
A parallel testing strategy, running the migrated policies in test mode alongside the existing
ETR rules, is mandatory to test end-to-end functionality and performance.
Figure 15: Microsoft Compliance Portal – Data Loss Prevention- Enabling Test Mode
After reviewing and submitting the policy, the new DLP policy will begin to take effect within
approximately 1 hour.
Keep testing with various sensitive information types and monitor the notifications. If you leave
your DLP policy in test mode and analyze the incident report emails, you can start to get a feel
for the accuracy of the DLP policy and how effective it will be when it is enforced. In addition
to the incident reports, you can use the DLP reports to see an aggregated view of policy
matches across your tenant.
DLP policy templates are not perfect straight out of the box. It is likely that you'll find some
false positives occurring in your environment, which is why it is so important to ease your way
into a DLP deployment, taking the time to adequately test and tune your policies.
The notifications and alerts discussed in the previous section are very helpful during the
testing phase. A sample report is shown below.
Figure 16: Microsoft Compliance Portal – Data Loss Prevention- Alerts
When you're happy that your DLP policy is accurately and effectively detecting sensitive
information types, and that your end users are ready to deal with the policies being in place,
you can enable the policy.
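The proof-of-concept rule from Figure 10 (sender is xxxxxxxxx, attachment contains "Credit Card Number", forward to the manager for approval, severity Low) can also be created through PowerShell instead of the portal wizard, which is convenient when many rules are migrated. The script below is an added example, not the playbook's or Microsoft's own code. It assumes an open Security & Compliance PowerShell session (Connect-IPPSSession), placeholder addresses and names, and the hashtable form of the -Moderate parameter for the manager-approval action; it creates the policy in test mode first, as section 6.1.4 recommends, and enables it only in a separate step.

```powershell
# Added example: the Figure 10 rule built with New-DlpCompliancePolicy /
# New-DlpComplianceRule, started in test mode and enabled after review.
# Names and addresses are placeholders; the -Moderate hashtable form is assumed.

$PolicyName      = 'ETR-Migration-CreditCard-Approval'        # constructed policy name
$MonitoredSender = 'sender.placeholder@contoso.example'       # stands in for "If the sender is : xxxxxxxxx"
$IncidentMailbox = 'dlp-admin.placeholder@contoso.example'    # receives incident reports

function New-MigratedCreditCardPolicy {
    # Figures 11-12: custom policy scoped to the Exchange workload, created in
    # test mode with notifications so incident reports flow without blocking mail.
    New-DlpCompliancePolicy -Name $PolicyName `
        -Comment 'Migrated from ETR: attachment contains Credit Card Number -> manager approval' `
        -ExchangeLocation All `
        -Mode TestWithNotifications

    # Figure 13: the rule with the equivalents from Table 1 and Table 2.
    #   From                                 <- ETR "From" (Yes: Sender Is)
    #   ContentContainsSensitiveInformation  <- ETR AttachmentContainsWords (fine tuning: Content contains SIT)
    #   Moderate (ModerateMessageByManager)  <- ETR ModerateMessageByManager (Yes)
    #   ReportSeverityLevel Low              <- ETR SetAuditSeverity (Yes: Report Severity Level)
    New-DlpComplianceRule -Name "$PolicyName-Rule" -Policy $PolicyName `
        -From $MonitoredSender `
        -ContentContainsSensitiveInformation @(@{ Name = 'Credit Card Number'; minCount = '1' }) `
        -Moderate @{ ModerateMessageByManager = $true } `
        -ReportSeverityLevel Low `
        -GenerateIncidentReport $IncidentMailbox -IncidentReportContent All `
        -NotifyUser LastModifier
}

function Get-MigratedPolicyState {
    # Section 6.1.4: confirm the policy is still in test mode while incident
    # reports are being reviewed (changes take roughly an hour to take effect).
    Get-DlpCompliancePolicy -Identity $PolicyName | Select-Object Name, Mode, Enabled
    Get-DlpComplianceRule -Policy $PolicyName | Select-Object Name, Disabled, ReportSeverityLevel
}

function Enable-MigratedPolicy {
    # Section 6.1.5: switch from test mode to enforcement once false positives
    # have been tuned and end users are prepared for the policy.
    Set-DlpCompliancePolicy -Identity $PolicyName -Mode Enable
    Get-DlpCompliancePolicy -Identity $PolicyName | Select-Object Name, Mode
}

# Usage: create in test mode now; run Enable-MigratedPolicy only after the review.
New-MigratedCreditCardPolicy
Get-MigratedPolicyState
```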
6.1.5 Production
In this phase, the customer will move out of the testing environment and will deploy and
implement compliance workloads in their production environment, enabling the scenarios
discussed in previous phases.
The policies will be enabled to all users across the organization.
6.2 Migration using Wizard (Tentative Date: Will be available from December 2020)
Microsoft has developed a migration wizard that replaces this manual approach with a faster,
automated process. This improves the speed and accuracy of the migration, resulting in fewer
failures, and acts as an accelerator during the migration from ETR to DLP. No training is
required; only the effort of testing and re-validation before moving to production needs to
be undertaken.
Benefits of Automatic process:
- Minimal post migration steps
- Support multi-phase migration
- Support side by side analysis
- Less effort & huge time saving
- Detailed report for re-validation
Activities involved at each of the phase are explained below:
6.2.1 Discovery/Analysis Phase:
Once the customer is ready to migrate the EAC (Exchange Admin Center) DLP rules to Unified
DLP, log in to compliance.microsoft.com, or log in to the Exchange Admin Center and click the
yellow ribbon (refer to the screen below). This ribbon will not be available until December 2020.
Migration wizard flow (from the figure): log in to compliance.microsoft.com; Discovery/Analysis (Day 0);
Rationalize/Consolidate (1 wk); Migrate/Test (1 wk); Production (end of 2nd wk).
Figure 17: Microsoft Compliance Portal – Migration Wizard
On clicking the yellow banner (Get Started), the wizard connects to the underlying
schema and exports/imports the list of policies from EAC to Unified DLP, with a detailed
feasibility analysis of the migration.
Figure 18: Exchange Admin Center – Existing Policies
A report will be generated as below. This report helps the admin to re-validate the required
effort by looking at the recommendations provided.
Please note: Policies, rules, priority, and status will be exported as-is from EAC DLP for the admin’s
deeper analysis.
Sample migrated policies are shown below:
Figure 19: Microsoft Compliance Portal – Data Loss Prevention-Create Policy Wizard (Migration)
Figure 20: Microsoft Compliance Portal – Data Loss Prevention-Migration Analysis
As part of the pre-migration, the above screen helps the admin decide the next steps. In
the above screen, 10/10 policies will migrate successfully in this process. This means that all
policies and rules can be migrated, with warnings in the case of unsupported predicates, since some
of them are not present in Unified DLP. There are also 2 warnings, which identify the
workarounds required based on the provided recommendations.
Please note that this is a pre-migration analysis, so the admin can review the results before the actual
migration starts.
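A scripted counterpart to the discovery step, added here as an example and not part of the play book or of the migration wizard: it lists the classic EAC DLP policies and the transport rules that implement them and exports them as-is, which gives the admin a written baseline to check the wizard's feasibility report against. It assumes the ExchangeOnlineManagement PowerShell module is installed and that the signed-in account holds an Exchange admin role; the CSV path is a placeholder, and deriving the SensitiveInfoTypes column from each rule's MessageContainsDataClassifications entries assumes those entries expose a Name key.

```powershell
# Added example (not from the play book or the migration wizard).
# Assumes the ExchangeOnlineManagement module and an Exchange admin role.
Connect-ExchangeOnline   # interactive sign-in to Exchange Online PowerShell

# Classic DLP policies as they exist in the Exchange admin center (EAC).
# Mode shows whether each policy runs in Audit, AuditAndNotify or Enforce.
$eacPolicies = Get-DlpPolicy | Select-Object Name, State, Mode
$eacPolicies | Format-Table -AutoSize

# Assumption: each MessageContainsDataClassifications entry behaves like a
# hashtable with a Name key; Description is the rule's readable summary.
$sitColumn = @{
    Name       = 'SensitiveInfoTypes'
    Expression = { ($_.MessageContainsDataClassifications |
                    ForEach-Object { $_.Name }) -join '; ' }
}

# Every classic DLP policy is implemented by one or more transport rules;
# those rules carry the policy name in their DlpPolicy property.
$dlpRules = Get-TransportRule -ResultSize Unlimited |
    Where-Object { $_.DlpPolicy } |
    Select-Object Name, DlpPolicy, State, Mode, Priority, $sitColumn, Description

# Transport rules that are not tied to a DLP policy are candidates for the
# rationalize/consolidate phase, so count them separately.
$otherRules = Get-TransportRule -ResultSize Unlimited |
    Where-Object { -not $_.DlpPolicy }

"{0} DLP policies, {1} DLP rules, {2} other transport rules" -f `
    $eacPolicies.Count, $dlpRules.Count, $otherRules.Count

# Export policy, rule, priority and state as-is (placeholder path) so the
# re-validation after migration has something to compare against.
$dlpRules | Sort-Object Priority |
    Export-Csv -Path '.\eac-dlp-rules-baseline.csv' -NoTypeInformation
```

Run it before the wizard's Get Started step and keep the CSV with the wizard's own report; a rule that appears in the export but not in the wizard's 10/10 count is the first thing to look at in the rationalize/consolidate phase.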
6.2.2 Rationalize/Consolidate Phase
If there are any warnings identified in the above phase, the admin will look at the below report
and implement the recommendations. Sample report below:
Figure 21: Microsoft Compliance Portal – Data Loss Prevention-Sample Report with recommendations
6.2.3 Migrate and Test
After implementing the suggested changes, and rationalizing and consolidating based on the
organizational usage of policies, the admin starts migrating the policies by enabling them in
test mode as shown below. The evaluation can happen side by side to compare the EAC DLP
and Unified DLP results.
Figure 22: Review Migration and enable or disable policies
The admin can select the policies to be migrated or to be ignored before migrating. On confirm,
the selected policies are migrated to the Unified DLP portal, under the Exchange workload, with the same
name. If there is an existing policy with the same name, the wizard prompts the admin to change
the name. The migrated policies are displayed in the unified portal as below:
Figure 23: Microsoft Compliance Portal – Data Loss Prevention- Status (Test Mode)
Thorough parallel testing can be done in this mode to validate the results.
For a side-by-side analysis, the customer can generate an Incident Report (GIR) from both ETR
and Unified DLP.
The figures below show both Incident Reports: one from Unified DLP and the other from Exchange
Admin Center DLP.
Figure 24: Generated Incident Report from Unified DLP – Detected Rule
EAC- DLP Incident Report is captured in the screenshot below:
Figure 25: Generated Incident Report from Exchange Admin Center – Detected Rule
Given that this is a migration scenario, where the rule name and policy name remain the
same when the policies are migrated in test mode for a side-by-side analysis, it is easy to
capture the difference between the two, as the Unified DLP GIR includes Service as a field.
Tracking the two GIRs will help the customer validate that the previously defined ETRs
work as expected with Unified DLP post migration.
6.2.4 Production Phase
After validating the results and being satisfied with them, the admin enables the policies by clicking Enable.
Figure 26: All migrated policies are enabled post testing
From then on, the IT team/admin will create, modify, or tune all the DLP rules for Exchange in
the unified security and compliance portal. The migration approach with the wizard is much faster
than the manual approach and is recommended based on our analysis.
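The migrate-and-test step (6.2.3) and the production step (6.2.4) done from Security & Compliance PowerShell, added here as an example and not the wizard's own code or the play book's: one Exchange-scoped policy is created in test mode with a generated incident report that includes the Service field, so its GIRs can be laid beside the EAC ones, and is switched to Enable only after validation. It assumes the ExchangeOnlineManagement module and a Compliance admin role; the policy name, rule name and report mailbox are placeholders.

```powershell
# Added example (not the wizard's code). Assumes Connect-IPPSSession works
# for the signed-in account (Compliance admin role).
Connect-IPPSSession    # Security & Compliance PowerShell

$policyName    = 'Financial Data - Exchange'    # placeholder; same name as the EAC policy
$reportMailbox = 'dlp-reports@contoso.com'      # placeholder GIR recipient

# 1. Policy scoped to Exchange only, in test mode without user notifications,
#    which is the state the wizard leaves migrated policies in for side-by-side testing.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All `
    -Mode TestWithoutNotifications `
    -Comment 'Migrated from EAC DLP; side-by-side validation'

# 2. Rule carrying the same detection logic as the classic rule. The GIR is
#    sent to the report mailbox and includes Service, which is the field that
#    tells a Unified DLP incident report apart from an EAC one.
New-DlpComplianceRule -Name 'Credit Card - external recipients' -Policy $policyName `
    -ContentContainsSensitiveInformation @(@{ Name = 'Credit Card Number'; minCount = '1' }) `
    -AccessScope NotInOrganization `
    -GenerateIncidentReport $reportMailbox `
    -IncidentReportContent Service, Title, Detections, Severity, RulesMatched, DocumentAuthor `
    -ReportSeverityLevel High

# 3. Confirm the policy is really in test mode before any user sees a policy tip.
Get-DlpCompliancePolicy -Identity $policyName | Select-Object Name, Mode, ExchangeLocation

# 4. Once the two GIR streams agree (6.2.3), move the policy to production (6.2.4).
#    This is the PowerShell equivalent of clicking Enable in the portal.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Keep the EAC rule in place while step 3 runs; the point of the test mode is that both engines evaluate the same mail flow, and the comparison only holds while neither side has been changed.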
6.2.5 Other useful Inputs
Based on our analysis and on reviewing various customer digital estates, we have
identified the usage of Actions and Conditions/Predicates and provided the equivalents in
Unified DLP.
For your reference, the available actions and conditions are listed in Table 1 and Table 2 of
this document.
Stage -2: Migration from classic client (AIP) to unified labelling client (MIP)
7. MIGRATION FROM CLASSIC CLIENT (AIP) TO UNIFIED
LABELLING CLIENT (MIP)
7.1 Process to migrate
Microsoft’s goal is to provide a built-in, intelligent, unified and extensible solution to protect
sensitive data across your digital estate – in Microsoft 365 cloud services, on-premises, third-party
SaaS applications, and more. With Microsoft Information Protection (MIP), we are
building a unified set of capabilities for classification, labeling and protection not only in Office
apps, but also in other popular productivity services where information resides (e.g.,
SharePoint Online, Exchange Online, Power BI). Over the past year, we consistently delivered
built-in capabilities in MIP. You can now use built-in labels to protect documents and emails
in the latest Office apps (Word, PowerPoint, Excel, Outlook) on all platforms including the web,
iOS, Android, Mac, and Windows.
Timelines to sunset label management in the Azure portal and AIP client (classic)
With label management in the Microsoft 365 compliance center now at parity with the AIP
portal experience, we are announcing that we will sunset label management in the Azure portal
as of March 31, 2021.
Step by step guide to migrate AIP classic client to MIP Unified client
1. Activate unified labeling from the Azure portal and migrate labels to the Microsoft 365
compliance center to apply policies uniformly across on-premises, Microsoft 365 cloud
services and more. This transition has no impact on existing AIP clients, and
administrators can perform this step right away. The process takes only a few minutes,
depending on the number of labels and their complexity.
2. Copy your policies to the Microsoft 365 compliance center or create new policies there.
3. Publish your labels with label policies from the Microsoft 365 compliance center.
4. Download the latest unified labeling client for Windows if you are not yet fully on Office
365 ProPlus.
5. Train end users to apply labels and protection in Office applications across web, Mac,
iOS, Android and Windows. Read this article to know which labeling capabilities are
available across platforms.
Classic client – Labels & Policies
Figure 27: Azure Information Protection- Labels/Policies Wizard
Unified Labeling client – Activation
Figure 28: Azure Information Protection- Labels/Policies Migration/ Activation Wizard
Activation is a one-time process; once labels and policies move into the MIP portal,
subsequent enhancements will happen in that console.
For more details, refer to this. More details on the functionality differences are given in the
official client comparison.
7.2 Benefits of MIP over AIP
• Simpler management - a single console (M365 compliance center) for unified labels and
policies across Office, SPO, EXO, Teams, Windows, MCAS and on-premises
• Unified labeling experience across protection (sensitivity) and governance (e.g.
retention)
• Unified reporting and analytics – Content explorer for sensitive data discovery and
Activity explorer for risky activity monitoring
• Classify the customer’s intellectual property using trainable classifiers and customer
records using exact data match
• Enable admins to use the Policy simulator to test and audit classification and MIP policies
at scale with confidence before deploying them in their organization. This is
applicable only for auto-labelling.
• Built-in labeling in Office apps – mobile (iOS and Android), Mac Office, and web apps
• Use server-side auto-labeling to classify and protect documents at rest on SPO/ODB
and emails in transit
• Data loss prevention in Teams
• Endpoint DLP is integrated with MIP and does not require a 3rd party agent to classify
and protect information on Windows
• Endpoint signals are integrated with Activity explorer and enable admins to monitor
risky activities and set up alerts
• Simple and unified configuration from the Compliance Center
• Microsoft 365 Analytics
Stage -3: Migration to other workloads
8. MIGRATING TO OTHER WORKLOADS (SPO/ODB/MCAS)
Once we create a DLP policy in the security and compliance center, it is stored in a central
policy store, and then synced to the various content sources, including:
• Exchange Online, and from there to Outlook on the web and Outlook.
• OneDrive for Business sites.
• SharePoint Online sites.
• Office desktop programs (Excel, PowerPoint, and Word).
• Microsoft Teams channels and chat messages.
After the policy has synced to the right locations, it starts to evaluate content and enforce
actions. As people add or change documents in their sites, the search engine scans the
content so that you can search for it later. Each DLP policy that you have turned on runs in
the background (asynchronously), checking search frequently for any content that matches a
policy and applying actions to protect it from inadvertent leaks.
Figure 29: Microsoft Compliance Portal-DLP- Policy Locations
The creation of rules, conditions, and actions remains the same as explained in section 6 of
this document. The predicates for SPO/ODB differ slightly from the Exchange predicates.
Choosing a site and the ODB account is mandatory before creating a rule. Actions are
restricted to restricting access or encrypting the content.
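A SharePoint/OneDrive policy built from Security & Compliance PowerShell, added here as an example rather than the play book's own material: it scopes the policy to one site and all OneDrive accounts, and its only enforcement action is to restrict access, which is the action set this workload allows. It assumes the ExchangeOnlineManagement module and a Compliance admin role; the site URL, policy name and policy-tip text are placeholders.

```powershell
# Added example (not from the play book). Assumes Connect-IPPSSession works
# for the signed-in account (Compliance admin role).
Connect-IPPSSession

$policyName = 'SSN at rest - SPO/ODB'     # placeholder

# Scope: one SharePoint site (placeholder URL) plus every OneDrive account.
# Start in test mode with policy tips, as section 6 recommends for new policies.
New-DlpCompliancePolicy -Name $policyName `
    -SharePointLocation 'https://contoso.sharepoint.com/sites/Finance' `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# Rule: when a file shared outside the organization contains an SSN, block
# access for everyone except the owner and the last modifier, and tell them why.
# BlockAccess/BlockAccessScope is the "restrict access" action from the figure.
New-DlpComplianceRule -Name 'SSN shared externally - restrict access' -Policy $policyName `
    -ContentContainsSensitiveInformation @(@{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' }) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -BlockAccessScope All `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText 'This file contains an SSN and cannot be shared outside the organization.'

# Review what was created; Mode should still read TestWithNotifications.
Get-DlpCompliancePolicy -Identity $policyName | Select-Object Name, Mode, SharePointLocation, OneDriveLocation
Get-DlpComplianceRule -Policy $policyName | Select-Object Name, BlockAccess, BlockAccessScope, AccessScope
```

Because SPO/ODB evaluation is asynchronous (it follows the search crawl described above), a file uploaded a moment ago may not be blocked yet; check the DLP alerts and the Activity explorer rather than reloading the library when validating.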
Figure 30: Microsoft Compliance Portal-DLP- Rule-Actions Wizard
Additional features available in SPO and ODB include auto-labelling (applicable only for
E5).
Figure 31: Microsoft Compliance Portal-Information Protections- Auto-labelling Wizard
The auto-labelling feature in Information Protection is also known as “service-based”
labelling. It labels content at rest within SPO and OD4B and in transit via EXO.
Pre-requisites:
Simulation Mode:
Simulation mode is unique to auto-labeling policies and woven into the workflow. You can't
automatically label documents and emails until your policy has run at least one simulation.
Workflow for an auto-labeling policy:
1. Create and configure an auto-labeling policy.
2. Run the policy in simulation mode and wait 24 hours, or until the simulation is
complete.
3. Review the results, and if necessary, refine your policy. Rerun simulation mode
and wait another 24 hours, or until the simulation is complete.
4. Repeat step 3 as needed.
5. Deploy in production
To view file contents in the source view, you must have the Content Explorer Content
Viewer role. Global admins don't have this role by default.
To auto-label files in SharePoint and OneDrive:
• You have enabled sensitivity labels for Office files in SharePoint and OneDrive.
• At the time the auto-labeling policy runs, the file mustn't be open by another process
or user. A file that is checked out for editing falls into this category.
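The auto-labeling workflow above carried out from Security & Compliance PowerShell, added as an example and not the play book's own code: the policy is created in simulation mode, its simulation results are inspected, and only then is it switched on. It assumes the ExchangeOnlineManagement module, a Compliance admin role, and that a sensitivity label with the placeholder name already exists and has been enabled for Office files in SharePoint and OneDrive; treating the TestWithoutNotifications mode as the cmdlet-side equivalent of the portal's simulation mode is this example's reading of the cmdlet.

```powershell
# Added example (not from the play book). Assumes Connect-IPPSSession works
# for the signed-in account and that the label below already exists.
Connect-IPPSSession

$policyName = 'Auto-label credit cards at rest'   # placeholder
$labelName  = 'Confidential'                      # placeholder existing label

# Step 1: create the policy across SPO, ODB and EXO. TestWithoutNotifications
# is used here as simulation mode: the policy evaluates content but labels nothing.
New-AutoSensitivityLabelPolicy -Name $policyName `
    -ApplySensitivityLabel $labelName `
    -SharePointLocation All `
    -OneDriveLocation All `
    -ExchangeLocation All `
    -Mode TestWithoutNotifications

# The rule that decides what gets the label. Workload limits it to files at rest.
New-AutoSensitivityLabelRule -Name 'Credit card content' -Policy $policyName `
    -ContentContainsSensitiveInformation @(@{ Name = 'Credit Card Number'; minCount = '1' }) `
    -Workload SharePoint, OneDriveForBusiness

# Steps 2 to 4: come back after the simulation has had its 24 hours, look at the
# matched items in the portal, refine the rule with Set-AutoSensitivityLabelRule,
# and re-run. This call just confirms the policy is still in simulation.
Get-AutoSensitivityLabelPolicy -Identity $policyName | Select-Object Name, Mode

# Step 5: deploy in production once the simulation results are acceptable.
Set-AutoSensitivityLabelPolicy -Identity $policyName -Mode Enable
```

Files that are open or checked out when the policy runs are skipped, as the note above says, so a simulation that reports fewer matches than expected is worth re-running before the rule is loosened.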
8.1 Integration with MCAS (Preview)
This feature is currently in private preview, and additional features may come at
general availability.
Microsoft Information Protection extends to connected non-Microsoft apps through Microsoft
Cloud App Security. With these capabilities, you can discover and protect all your data from
one place – Microsoft Information Protection. With this integration with Microsoft Cloud App
Security, you can discover and protect your sensitive data across M365 services and non-Microsoft
apps.
Supported Non-Microsoft apps for DLP policies:
• Box
• Dropbox
• G-Suite
• Salesforce
• Cisco Webex
Figure 32: Microsoft Compliance Portal-DLP- Policy Location
The process of adding a new rule, actions and conditions remains the same as explained in section
7.1.
The various actions available in this preview are:
Figure 33: Microsoft Compliance Portal-DLP- MCAS Workload-Restricting the Third Party Apps
Matches for a DLP policy in non-Microsoft apps
You can see the policy matches in MCAS.
1. Go to the Control section, and then to the Policies page.
2. The new policy is created in MCAS as well. Click on Matches to see the new policy's
matches:
Figure 34: Cloud App Security Portal - Policy
Note: In the future, policy matches will also be available in the Security and Compliance Center.
Stage -4: Integration with Endpoint DLP (Devices)
9. ENDPOINT DLP (DEVICES) (PREVIEW)
Microsoft Endpoint DLP (E5 License required) is part of the Microsoft 365 DLP suite of features
you can use to discover and protect your sensitive data across Microsoft 365 services.
Microsoft Endpoint DLP allows you to monitor Windows 10 devices (without any additional
agent) and detect when sensitive data is used and shared. This gives you the visibility and
control you need to ensure sensitive data is used and protected properly, and to help prevent
risky behaviour that might compromise your sensitive data.
Microsoft Endpoint DLP enables you to audit and manage the following types of activities
users take on files on devices running Windows 10. This includes:
• File created and modified.
• File renamed.
• File copied to cloud - when a file is uploaded to a domain through the Chromium-based Edge
browser.
• File accessed by unallowed app - when a file is read by a process that was defined as
unallowed (managed as part of the DLP policy).
• File printed - when a file is printed to a local or network printer.
• File copied to removable media - when a file is copied or created on a removable media
device.
• File copied to network share - when a file is copied to a network share (e.g., \\my-server) or
a mapped network drive.
• File contents copied to clipboard - when data from a file is copied to the clipboard.
The creation of the policy remains the same as explained in the above sections; the actions vary.
Figure 35: Microsoft Compliance Portal-DLP- End Point (Devices) Workload
Allowed actions in the policy are:
Figure 36: Microsoft Compliance Portal-DLP- End Point (Devices) Workload – Actions
By default, these policies work in the Edge browser; to block unallowed apps and
unauthorized browsers, additional settings are needed in:
Figure 37: Microsoft Compliance Portal-End Point (Devices) Settings to restrict Unallowed Apps/Browsers
To test this policy, we need a physical device or an Azure VM. Below are examples of
blocking sensitive content on one of the devices (setting up the Azure VM is
out of scope for this document).
The sample file used for this demo contains a credit card number and an SSN, as below:
Figure 38: Sample file containing Sensitive Information
Use case 1:
Block while copying the content to the clipboard
Figure 39: Blocked message – While copying the Sensitive Information
Use case 2:
Block the file while copying to a network share
Figure 40: Blocked message – While copying the Sensitive Information to network share
Use case 3:
Open with an unallowed app (Notepad++)
Figure 41: Blocked message – While opening the Sensitive Information file from an un-allowed app
Use case 4:
Upload to Gmail, where the domain mail.google.com was restricted in the endpoint DLP
settings
Figure 42: Blocked message – uploading the Sensitive Information file into an un-allowed app
Use case 5:
Upload to xxx.Box.com
Figure 43: Blocked message – uploading the Sensitive Information file into an third party app
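The policy behind the five use cases above, expressed in Security & Compliance PowerShell as an added example (not the play book's own configuration): one device-scoped policy whose rule blocks clipboard copy, network-share copy, unallowed-app access and cloud upload, and audits the remaining activities. It assumes the ExchangeOnlineManagement module and a Compliance admin role; policy and rule names are placeholders, and the restriction setting names are written as this example understands the EndpointDlpRestrictions parameter, which a practitioner should check against Get-Help before use. The unallowed apps/browsers list and the restricted domains (mail.google.com, Box) live in the endpoint DLP settings shown in figure 37, not in the rule, so this block only relies on them.

```powershell
# Added example (not from the play book). Assumes Connect-IPPSSession works
# for the signed-in account (Compliance admin role) and that the unallowed
# apps/browsers and restricted domains are already set in endpoint DLP settings.
Connect-IPPSSession

$policyName = 'Endpoint - block sensitive data egress'   # placeholder

# Policy scoped to onboarded Windows 10 devices. Start in test mode so the
# Activity explorer shows what would have been blocked before users are affected.
New-DlpCompliancePolicy -Name $policyName `
    -EndpointDlpLocation All `
    -Mode TestWithNotifications

# One rule: when a file on the device contains a credit card number, apply the
# restrictions that map onto the use cases above. Setting names are this
# example's assumption about the parameter's accepted values.
New-DlpComplianceRule -Name 'Credit card on device - block egress' -Policy $policyName `
    -ContentContainsSensitiveInformation @(@{ Name = 'Credit Card Number'; minCount = '1' }) `
    -EndpointDlpRestrictions @(
        @{ Setting = 'CopyPaste';      Value = 'Block' },   # use case 1: clipboard
        @{ Setting = 'NetworkShare';   Value = 'Block' },   # use case 2: network share
        @{ Setting = 'UnallowedApps';  Value = 'Block' },   # use case 3: Notepad++ etc.
        @{ Setting = 'CloudEgress';    Value = 'Block' },   # use cases 4 and 5: Gmail, Box
        @{ Setting = 'RemovableMedia'; Value = 'Block' },
        @{ Setting = 'Print';          Value = 'Audit' }    # visible in Activity explorer only
    )

# Confirm the restrictions were stored as intended.
Get-DlpComplianceRule -Policy $policyName |
    Select-Object Name, @{ Name = 'Restrictions'; Expression = { $_.EndpointDlpRestrictions } }

# After the Activity explorer shows the expected events and no surprises:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Use case 3 and use cases 4 and 5 only produce a block if the app or the domain is actually listed in the endpoint settings; a rule with UnallowedApps set to Block against an empty unallowed-apps list blocks nothing, which is the first thing to check when a test device behaves differently from the figures.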
Microsoft Endpoint DLP detects the activities that users and processes take on endpoint-based
files.
These activities are reported to Microsoft 365 and appear in Microsoft 365 Compliance >>
Data classification >> Activity explorer.
Microsoft Endpoint DLP monitors the activity types mentioned above on all Word, Excel,
PowerPoint, .pdf and .csv files on the endpoint.
Each event type contains different attributes to provide you with a better understanding of
each event.
Here are a couple of examples of insights discoverable through the Activity explorer. The
screen below shows the file accessed by an unallowed app and the endpoint DLP rule that fired in
the use cases discussed above.
Figure 44: Tracking the user activities from Activity Explorer
Currently, Endpoint DLP is in public preview, and more features are coming with
general availability. Always refer to Microsoft Docs for the latest information.
10. INSIGHTS/BEST PRACTICES
Based on experience to date, a solid upgrade largely depends on 6 factors:
✓ Understanding the migration process thoroughly
✓ Seeing the value of the unified interface
✓ Assessing the scope of the migration
✓ Managing and planning the migration process
✓ Taking advantage of the MIP console
✓ Accommodating the changes and gaps in the unified interface
11. ABBREVIATIONS
Name    Description
MIP     Microsoft Information Protection
DLP     Data Loss Prevention
ETR     Exchange Transport Rule
SCC     Security and Compliance Centre (Portal to create policies)
RBAC    Role Based Access Control
SIT     Sensitive Information Type
AIP     Azure Information Protection
SPO     SharePoint Online
EXO     Exchange Online
ODB     OneDrive for Business
DELPHI  Consider it as DLP on End point device
VM      Virtual Machine
EAC     Exchange Admin Center
GIR     Generate Incident Report
12. REFERENCES
https://docs.microsoft.com/en-us/microsoft-365/compliance/create-test-tune-dlp-policy?view=o365-worldwide
https://docs.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance
https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules
https://techcommunity.microsoft.com/t5/microsoft-security-and/announcing-timelines-for-sunsetting-label-management-in-the/ba-p/1226179
https://docs.microsoft.com/en-us/microsoft-365/compliance/apply-sensitivity-label-automatically?view=o365-worldwide
https://techcommunity.microsoft.com/t5/microsoft-security-and/understanding-unified-labeling-migration/ba-p/783185
sensitivity-label-automatically?view=o365-worldwide#how-to-configure-auto-labeling-policies-for-sharepoint-onedrive-and-exchange
Videos:
MIP and Compliance V-blog part 1 - Setting up a secure collaboration environment - Microsoft Tech
Community
MIP and Compliance V-blog #2: Setting up a secure collaboration environment - End user point of view -
Microsoft Tech Community
MIP and Compliance V-blog#3: Setting up a secure collaboration environment – Security Admin POV -
Microsoft Tech Community
----- End of Document----