Test your Data Loss Prevention policies (preview)
You should test and tune the behavior of your Microsoft Purview Data Loss Prevention (DLP) policies as part of your DLP policy deployment. This article introduces you to some of the basic methods you can use to test policies in your DLP environment.
Test mode
When you deploy a new policy, you should run it in test mode, and then review the reports and any alerts to assess the impact. Test mode allows you to see the impact of an individual policy on all the items that are in the policy's scope. You use it to find out what items match a policy.
Test-DlpPolicies (preview)
Test-DlpPolicies is a cmdlet that allows you to see what SharePoint Online and OneDrive for Business scoped DLP policies match/don't match an individual item in SharePoint Online or OneDrive for Business.
Before you begin
- You must be able to connect to Security & Compliance PowerShell.
- You must have a valid SMTP address to send the report to. For example:
dlp_admin@contoso.com
- You must get the site ID where the item is located.
- You must have the direct link path to the item.
Important
- Test-DlpPolicies only works for items that are in SharePoint Online (SPO) or OneDrive for Business (ODB).
- It will only report results for policies that include SharePoint Online alone, OneDrive alone or SharePoint and OneDrive in their scope.
- Test-DlpPolicies works only with simple conditions. It doesn't work with complex, grouped, or nested conditions.
Use Test-DlpPolicies
To see which DLP policies an item will match, follow these steps:
Get the direct link path to the item
Open the SharePoint or OneDrive folder in a browser.
Select the file's ellipsis and select Details.
In the details pane, scroll down and select Path (Copy direct link). Save it.
For example:
https://contoso.sharepoint.com/personal/user_contoso_com/Documents/test.docx
Get the site ID
- For SharePoint, use the following syntax to get the site ID and save it.
$reportAddress = "email@report.com"
$siteName = "SITENAME@TENANT.onmicrosoft.com"
$filePath = "https://Contoso.sharepoint.com/sites/SOMESITENAME/Shared%20Documents/TESTFILE.pptx"
# Look up the group mailbox behind the SharePoint site
$r = Get-Mailbox -Identity $siteName -GroupMailbox
# Keep the address entry that carries the SPO site ID
$e = $r.EmailAddresses | Where-Object {$_ -like '*SPO*'}
# The site ID is the 36-character value that starts at offset 8 of that entry
Test-DlpPolicies -SiteId $e.Substring(8,36) -FileUrl $filePath -Workload SPO -SendReportTo $reportAddress
- For OneDrive, use the following syntax to get the site ID and save it.
$reportAddress = "email@report.com"
$odbUser = "USER@TENANT.onmicrosoft.com"
$filePath = "https://contoso-my.sharepoint.com/personal/userid_contoso_onmicrosoft_com/Documents/TESTFILE.docx"
# Look up the mailbox of the OneDrive owner
$r = Get-Mailbox -Identity $odbUser
# Keep the address entry that carries the SPO site ID
$e = $r.EmailAddresses | Where-Object {$_ -like '*SPO*'}
# The site ID is the 36-character value that starts at offset 8 of that entry
Test-DlpPolicies -SiteId $e.Substring(8,36) -FileUrl $filePath -Workload ODB -SendReportTo $reportAddress
Here's an example of a returned value:
36ca70ab-6f38-7f3c-515f-a71e59ca6276
Run Test-DlpPolicies
- Run this syntax in the PowerShell window:
Test-DlpPolicies -workload <workload> -Fileurl <path/direct link> -SendReportTo <smtpaddress>
For example:
Test-DlpPolicies -workload ODB -Fileurl "https://contoso.sharepoint.com/personal/user_contoso_com/Documents/test.docx" -SendReportTo dlp_admin@contoso.com
For detailed syntax and parameter information, see Test-DlpPolicies.
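The steps above combined into one guarded function, as an added example that is not part of the original article or Microsoft's code. The function name `Invoke-DlpItemTest` is hypothetical, and it assumes a connected Security & Compliance PowerShell session and the same address layout the article's `Substring(8,36)` relies on.

```powershell
# Added example: function name and sample values are illustrative, not from the article.
# Assumes a connected Security & Compliance PowerShell session (see "Before you begin").
function Invoke-DlpItemTest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Identity,          # site mailbox (SPO) or user (ODB)
        [Parameter(Mandatory)] [ValidateSet('SPO', 'ODB')] [string] $Workload,
        [Parameter(Mandatory)] [string[]] $FileUrl,         # direct link paths to test
        [Parameter(Mandatory)] [string] $SendReportTo       # SMTP address for the report
    )

    # Same lookup as the article: group mailbox for SharePoint, user mailbox for OneDrive.
    $mailbox = if ($Workload -eq 'SPO') {
        Get-Mailbox -Identity $Identity -GroupMailbox -ErrorAction Stop
    } else {
        Get-Mailbox -Identity $Identity -ErrorAction Stop
    }

    # '*SPO*' also matches ordinary addresses that contain "spo", so keep only
    # entries whose 36 characters at offset 8 really parse as a GUID.
    $ids = @(foreach ($entry in $mailbox.EmailAddresses) {
        $address = [string]$entry
        if ($address -notlike '*SPO*' -or $address.Length -lt 44) { continue }
        $parsed = [guid]::Empty
        if ([guid]::TryParse($address.Substring(8, 36), [ref]$parsed)) { $parsed.ToString() }
    })
    $ids = @($ids | Select-Object -Unique)
    if ($ids.Count -ne 1) {
        throw "Expected one site ID for '$Identity', found $($ids.Count)."
    }

    foreach ($url in $FileUrl) {
        # Skip anything that is not an absolute https URL instead of submitting it.
        $uri = $null
        $ok = [uri]::TryCreate($url, [System.UriKind]::Absolute, [ref]$uri)
        if (-not $ok -or $uri.Scheme -ne 'https') {
            Write-Warning "Skipping '$url': not an absolute https URL."
            continue
        }
        Test-DlpPolicies -SiteId $ids[0] -FileUrl $url -Workload $Workload -SendReportTo $SendReportTo
    }
}

# Constructed sample call using the article's placeholder values.
Invoke-DlpItemTest -Identity 'USER@TENANT.onmicrosoft.com' -Workload ODB `
    -FileUrl 'https://contoso-my.sharepoint.com/personal/userid_contoso_onmicrosoft_com/Documents/TESTFILE.docx' `
    -SendReportTo 'email@report.com'
```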
Interpret the report
The report is sent to the SMTP address you passed to the Test-DlpPolicies PowerShell command. The report contains multiple fields; here are explanations of the most important ones.
Field name | Means |
---|---|
Classification ID | The sensitive information type (SIT) the item is categorized as |
Confidence | The confidence level of the SIT |
Count | The total number of times the SIT value was found in the item, including duplicates |
Unique Count | The number of SIT values found in the item with duplicates eliminated |
Policy Details | The name and GUID of the policy that was evaluated |
Rules - Rule Details | The DLP rule name and GUID |
Rules - Predicates - Name | The condition defined in the DLP rule |
Rules - Predicates - IsMatch | Whether the item matched the conditions |
Predicates - Past Actions | Any actions, like notify user, block, or block with override, that have been taken on the item |
Predicates - Rule's Actions | The action defined in the DLP rule |
Predicates - IsMatched | Whether the item matched the rule |
IsMatched | Whether the item matched the overall policy |