Category: Purview Information Protection

Pre-requisites

1. Your Tenant must be a part of CCP channel https://aka.ms/JoinCCP, and have opted-in with a test tenant for the Private Preview ring through this form.​
2. End user must have a valid Microsoft 365 E5 or equivalent. ​
3. End user must have at least one of these service plans : “Information Protection for Office 365 – Premium AND/OR “Azure Information Protection Premium P2”.​
4. End user must be in the Office Insiders Beta channel​
5. You must have valid permissions to be able to configure/update a DLP policy.​
6. Connected experience must NOT be disabled explicitly using regkey. By default this office wide setting is enabled (Optional connected experience is no longer required)​
7. Minimum Outlook Build – 16.0.17315.20000​

What´s New

There are some significant enhancements made to the DLP oversharing feature, aka the Block, warn, justify popups before sending sensitive/unlabeled/specifically labeled emails.​

1. Customizable Oversharing Popup: You can now optionally tailor your oversharing dialog by customizing the title, body, and include dynamic variables such as matched recipients. (Stay tuned as we roll out additional support for matched labels and attachment filenames variables in the coming month)​
2. DLP Predicates support for Policy Tips and Oversharing: Enhance your oversharing protection with expanded support for DLP predicates. Now, you can enforce Policy tip & Oversharing dialog support for below new DLP predicates:​

• Content is not labeled – Detects if there is no label in the entire email envelope​
• Message is not labeled – Detects if message body has no label​
• Attachment is not labeled – Detects if there is any attachment without a label​
• File extension – Detects the specified file extension & can be used accordingly in combination with other predicates​

Keep an eye out as we introduce support for attachment contains and message contains (Targeted “Content contains”) in the upcoming month.​

Existing: Default Oversharing dialog

So far, you could only use default Oversharing dialog using above Purview UX or below cmdlet. Default dialog shows the Policy tip strings in the dialog along with any override options (as configured by admin)​

​-NotifyPolicyTipDisplayOption Dialog​

​Going forward, you can also choose to customize this dialog using steps in the next slide. If you don’t customize, default Oversharing popup will continue to show to end users.​

New: Customizable Oversharing dialog​

Steps-​

1. Prepare a JSON file like shown on the right. (//Comments have been added to explain each attribute & the constraints. Please go through those in the screenshot. For any mismatch, there will be an error shown on PowerShell.)​​
2. You can add the dynamic variable  %%MatchedRecipientsList%% in this format in the custom dialog’s body​
3. All the JSON attributes like “LocalizationData”, “Language”, “Title”, “Body”, “HasFreeTextOption”, “DefaultLanguage”, are case sensitive. If there is any error, it will default to default Oversharing dialog with Policy tip strings.​
4. Regarding override, please note that the text is NOT customizable for Acknowledgement and False positive overrides. Only the justification options are customizable.​
5. The two dynamic variables or tokens (%%MatchedLabelName%% and %%MatchedAttachmentName%% will be rolled out in March. It would then look like below. Until then, it would not return anything in the dialog for end users.​

Sample JSON file​

1. Create a JSON config file

• Feel free to copy and paste this script on a text editor like notepad (windows)​
• Feel free to make any changes to the strings to suit your requirements. Keep the case-sensitive JSON attributes intact and take care of the constraints for each attribute. Else you might see an error.​
• Save the file with a ‘.json’ extension. Make sure to select ‘All files’ as the file type.​

​{   
​"LocalizationData": [​
        //First language specification   ​
        {​

          "Language":"en-us",​
           //Title: Text customizable. No custom formatting. Max: 75 chars​

          "Title":"This email might contain sensitive information, please review!",​

​           //Body: Text customizable. Plain text formatting (bold, italic, underline and line break supported). Max: 1000 chars. You can add these dynamic variables too in the body: %%MatchedRecipientsList%%, %%MatchedLabelName%%, %%MatchedAttachmentName%%​

          "Body":"You are trying to send potential <Bold>sensitive information</Bold> to non-approved recipients.<LineBreak />Please review the recipient(s) (<Bold>%%MatchedRecipientsList%%</Bold>) <Italic>before sending</Italic>.<LineBreak />You can also submit one of the justifications below.",​

​          //Options: Applicable when you choose allow override with justification. No text formatting or dynamic variables supported. Up to three options allowed in each language, four if HasFreeTextOption = true. Each option to not exceed 100 chars.​

          "Options": [​
            "Recipients are part of a partner org",​
            "My manager is aware and has approved",​
            "Other"​
          ]​
        },​
​        //Second language specification ​
       {​
          "Language":"es-es",​
          "Title":"Este correo contiene información sensible!",​
          "Body":"Estás enviando información corporativa a recipientes no autorizados: <Bold>%%MatchedRecipientsList%%</Bold><LineBreak />. Por favor revisarlos <Italic>antes de enviar</Italic>.<LineBreak />También puede ingresar una justification.",​
          "Options": [​
          "Destinatarios son parte de una sociedad",​
          "Mi gerente aprobó enviar al desinatario",​
          "Otra"​
          ]​
        } ​
        //Up to 10 languages can be added          ​
    ],​
   //Makes a free text box available for justification but ensure there is atleast one justification option added to each language to be displayed on top of the free text box​
  "HasFreeTextOption":"true",​
   //Set a default language for the dialog mandatorily​
  "DefaultLanguage": "en-us"​
}​

Customizable Oversharing dialog​

​2. Upload the JSON using below cmdlet or Purview UX​

​$content = Get-Content “Path to JSON"| Out-String​

​New/Set-DlpComplianceRule –Identity <Rule_Name> -NotifyUser Owner -NotifyPolicyTipCustomDialog $content -NotifyPolicyTipDisplayOption Dialog​

In case, you wish to​

​- Remove JSON & see default Oversharing dialog instead​

​NotifyPolicyTipCustomDialog “” -NotifyPolicyTipDisplayOption Dialog​

​- To disable the OV dialog option​

​NotifyPolicyTipDisplayOption Tip​

Sample Custom Oversharing dialog​

Override Configuration in DLP rule​

• NotifyAllowOverride: FalsePositive, WithJustification​
• NotifyOverrideRequirements: WithAcknowledgement​

New DLP Predicates support – Advanced rules using JSON (Rules with AND/OR/groups)​

• Content is not labeled – Detects if there is no label in the entire email envelope​

"ConditionName": "ContentIsNotLabeled“​
"Value": "true”​                                      ​

• Message is not labeled – Detects if message body has no label​

"ConditionName": “MessageIsNotLabeled“​
"Value": "true”                                             ​

• Attachment is not labeled – Detects if there is any attachment without a label​

"ConditionName": “AttachmentIsNotLabeled“​
"Value": "true”​

• File extension is – Detects the specified file extension & can be used accordingly in combination with other predicates​

"ConditionName": "ContentExtensionMatchesWords",​
"Value": ["pdf", "docx“]​

• Message/Attachment contains -​

"ConditionName": "ContentContainsSensitiveInformation",​
"Value": [​
        {​
          "groups": [​
            {​
              "Operator": "Or",​
              "labels": [​
                {​
                  "name": "defa4170-0d19-0005-000a-bc88714345d2",​
                  "type": "Sensitivity"​
                }],​
                "name": "Default",​
                "target": "Message" //(OR "Attachment")​
            }]
        }]​

Note – For advanced DLP rules configuration, refer to Example 2 at Set-DlpComplianceRule (ExchangePowerShell) | Microsoft Learn​

New DLP Predicates support – Parameters based​

• Content is not labeled – Detects if there is no label in the entire email envelope​

​Set-DlpComplianceRule -ContentIsNotLabeled $true​

• Message is not labeled – Detects if message body has no label​

Set-DlpComplianceRule -MessageIsNotLabeled $true​

• Attachment is not labeled – Detects if there is any attachment without a label​

Set-DlpComplianceRule -AttachmentIsNotLabeled $true​

• File extension is – Detects the specified file extension & can be used accordingly in combination with other predicates​

Set-DlpComplianceRule -ContentExtensionMatchesWords docx​

The above set of DLP predicates unlock many AIP scenarios like detecting an unlabeled message body with unlabeled attachments, detecting an unlabeled attachment (say except pdf files) with specifically labeled message body, and so much more.​

Known limitations​

1. Existing Content contains predicate might NOT work with new predicates.​
2. Policy in test mode might NOT show the right warning dialog when user clicks Send – Rollout in a week​

Upcoming features​

1. 2 new DLP predicates for Policy tip, Oversharing and Transport DLP – Message contains & Attachment contains SITs/labels​
2. Two new dynamic variables or tokens for custom dialog (%%MatchedLabelName%% and %%MatchedAttachmentName%% – Rollout in March ​
3. DLP Purview UX configuration capability for all new features – Rollout in March ​