Note
The features described in this article are in preview. This article uses the process you learned in Design a data loss prevention policy to show you how to create a Microsoft Purview data loss prevention (DLP) policy that automatically quarantines files containing sensitive information in SharePoint and OneDrive. Work through this scenario in your test environment to familiarize yourself with the quarantine action and policy creation UI.
Important
This article presents a hypothetical scenario with hypothetical values. It's only for illustrative purposes. Substitute your own sensitive information types, sensitivity labels, distribution groups, and users. How you deploy a policy is as important as policy design. This article shows you how to use the deployment options so that the policy achieves your intent while avoiding costly business disruptions.
Prerequisites and assumptions
Before you start, make sure you've completed the following:
Create a quarantine site in SharePoint
The quarantine destination must be a SharePoint site within your tenant. You can use any SharePoint site template. The quarantine site can't be a OneDrive location.
When you set up your quarantine site:
- Restrict access. Make sure the site is accessible only by the administrators who manage quarantine operations. Don't share it with information workers or general users.
- Don't use a site that contains active business content. Create a dedicated site for quarantine purposes.
- Manage the lifecycle. Administrators are responsible for access control and lifecycle management of the quarantine site.
Tip
If your organization uses on-demand classification, it's recommended that you exclude the quarantine site from on-demand classification scans. While scanning the quarantine site doesn't compromise security, excluding it avoids unnecessary processing.
Configure quarantine settings in Microsoft Purview
Before you can select the quarantine action in a DLP policy, you must configure the quarantine folder path and tombstone file message in DLP settings.
Sign in to the Microsoft Purview portal.
Go to Data loss prevention > Settings.
Select File quarantine.
Under Quarantine folder path, select a SharePoint site from the list of available sites.
Note
The site list is automatically populated from your tenant's SharePoint sites. You can't manually enter a path. If you recently created a new SharePoint site, it might take time for the site to appear in the list. If the site you need isn't listed, wait and check back later.
Under Replacement file message, provide the text content for the tombstone file that replaces each quarantined file. For example:
"This file has been moved to a secure quarantine location because it matched a data loss prevention policy. Contact your compliance administrator at compliance@contoso.com for assistance."
Save your settings.
Important
You can't select the quarantine action in a DLP policy until you complete this configuration. The policy creation wizard prompts you to configure these settings first if they aren't already set.
Sensitivity labels
This scenario uses the Highly Confidential sensitivity label. To learn more, see:
- Learn about sensitivity labels
- Get started with sensitivity labels
- Create and configure sensitivity labels and their policies
Alerts
This procedure uses alerts. See Get started with the data loss prevention alerts.
Policy intent statement and mapping
We need to quarantine files in SharePoint and OneDrive that contain financial data classified as "Highly Confidential," so that the files are removed from their original location and placed in a secure admin-controlled quarantine site. We want a tombstone file left in the original location to notify the file owner. We want the compliance admin alerted whenever a file is quarantined.
| Statement | Configuration question answered and configuration mapping |
|---|---|
| "We need to quarantine files in SharePoint and OneDrive..." | - Where to monitor: SharePoint sites, OneDrive accounts - Administrative scope: Full directory - Action: Restrict access or encrypt the content in Microsoft 365 locations > Block everyone and move file to quarantine location |
| "...that contain financial data classified as 'Highly Confidential'..." | - What to monitor: Use the Custom template - Conditions for match: Add the sensitive info types that apply to the financial data your organization needs to protect (for example, Credit Card Number, U.S. Bank Account Number). - Additional condition: Content contains > Sensitivity labels > Highly Confidential |
| "We want the compliance admin alerted whenever a file is quarantined." | - Incident reports: Send an alert to admins when a rule match occurs: On - Send alert every time an activity matches the rule: selected - Severity level: High |
| "We want a tombstone file left in the original location to notify the file owner." | - Tombstone file content is configured in DLP Settings > File quarantine (not in the policy itself). Verify that the tombstone message is configured before you create this policy. |
Steps to create the policy
Important
For this policy creation procedure, accept the default include and exclude values and leave the policy turned off. Change these values when you deploy the policy.
Create the policy
Sign in to the Microsoft Purview portal.
Open the Data loss prevention solution and go to Policies.
Select Create policy.
Select Enterprise applications & devices.
Select Custom from the Categories list.
Select Custom policy from the Regulations list.
Select Next.
Enter a name and description for the policy. You can use the policy intent statement here.
Important
Policies can't be renamed.
Select Next.
Accept the Full directory default under Admin units.
Select Next.
Choose where to apply the policy. Select only the following locations:
- SharePoint sites
- OneDrive accounts
Select Next.
On the Define policy settings page, make sure the Create or customize advanced DLP rules option is selected.
Select Next.
Select + Create rule. Name the rule and provide a description.
Under Conditions, select Add condition > Content contains > Add > Sensitive info types.
Select the sensitive info types that apply to the financial data you want to protect (for example, Credit Card Number, U.S. Bank Account Number).
Select Add.
Optionally, add a sensitivity label condition:
- Under the Content contains section, select Add group.
- Leave the Boolean operator set to AND.
- Select Add condition > Content contains > Add > Sensitivity labels.
- Select the Highly Confidential sensitivity label.
- Select Add.
Under Actions, select Add an action > Restrict access or encrypt the content in Microsoft 365 locations.
Select Block everyone and move file to quarantine location.
Note
If quarantine settings aren't configured, you're prompted to configure them. Select the link to open the File quarantine settings page in a new tab, complete the configuration, and then return to the policy creation wizard.
Under User notifications, set the toggle to On if you want to notify users through policy tips.
Under Incident reports, set Use this severity level in admin alerts and reports to High.
Make sure the Send an alert to admins when a rule match occurs toggle is set to On.
Select Send alert every time an activity matches the rule.
Select Save.
Review the rule, then select Next.
Select the Run the policy in simulation mode radio button.
Tip
Simulation mode is supported for the quarantine action. Use simulation mode to evaluate the impact of the policy before you turn it on. Review the policy matches in Activity Explorer and the DLP alerts dashboard to verify that the policy targets the files you expect.
Select Next.
Review the policy, then select Submit.
Select Done.
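The same policy and rule scaffold can be created with Security & Compliance PowerShell instead of the portal. The script below is an added example, not code from this article or from Microsoft; the cmdlet names exist in the Exchange Online PowerShell module, but the exact shape of the `-ContentContainsSensitiveInformation` hashtable (groups, `sensitivetypes`, `labels`) and the mapping of `-Mode TestWithoutNotifications` to simulation mode are assumptions to verify with `Get-Help New-DlpComplianceRule -Full` in your own tenant. The article gives no cmdlet parameter for the "Block everyone and move file to quarantine location" action, so the script stops at block-everyone plus admin alerting and you select the quarantine action in the policy wizard afterwards. The policy name, rule name, and info types are constructed sample values.

```powershell
# Added example (not part of the article): scaffold the DLP policy and rule described
# above with Security & Compliance PowerShell. Parameter hashtable syntax is an
# assumption; check Get-Help New-DlpComplianceRule -Full before relying on it.
# The quarantine action itself has no parameter documented on this page, so this
# script creates the policy in simulation mode with block-everyone and admin alerts
# only; add "move file to quarantine location" in the portal afterwards.

Connect-IPPSSession   # Exchange Online PowerShell module; prompts for sign-in

$policyName = "Quarantine Highly Confidential financial data"   # constructed name

# Policy scope: SharePoint sites and OneDrive accounts only, simulation mode
# (assumed to correspond to -Mode TestWithoutNotifications), full directory.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Quarantine files in SharePoint and OneDrive that contain financial data labeled Highly Confidential." `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithoutNotifications

# Conditions: (sensitive info types) AND (Highly Confidential sensitivity label).
# Substitute your organization's info types and label name. Hashtable shape is assumed.
$conditions = @{
    operator = "And"
    groups   = @(
        @{
            operator       = "Or"
            name           = "Financial data"
            sensitivetypes = @(
                @{ name = "Credit Card Number";       mincount = 1 },
                @{ name = "U.S. Bank Account Number"; mincount = 1 }
            )
        },
        @{
            operator = "Or"
            name     = "Label"
            labels   = @( @{ name = "Highly Confidential"; type = "Sensitivity" } )
        }
    )
}

# Rule: block everyone, alert admins on every match, severity High.
New-DlpComplianceRule -Name "Block and alert on Highly Confidential financial data" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation $conditions `
    -BlockAccess $true `
    -BlockAccessScope All `
    -GenerateAlert SiteAdmin `
    -ReportSeverityLevel High

# Confirm what was created before switching to the portal to add the quarantine action.
Get-DlpCompliancePolicy -Identity $policyName |
    Format-List Name, Mode, SharePointLocation, OneDriveLocation
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, BlockAccess, BlockAccessScope, ReportSeverityLevel
```

Keeping the policy in simulation mode from PowerShell mirrors the wizard step above: you can review matches in Activity Explorer and the DLP alerts dashboard before enabling the policy, and the quarantine action is added in the portal once the File quarantine settings are configured.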
Validate the policy
After the policy is deployed, validate the following:
| Scenario | Expected result |
|---|---|
| A file matching the policy is uploaded to a SharePoint site in scope. | The file is moved to the quarantine site. A tombstone file appears at the original location. A DLP alert is generated. |
| Check the tombstone file at the original location. | The tombstone file displays the admin-configured message and the relative path of the quarantined file. |
| Review the DLP alert. | The alert shows the file owner, original file path, and quarantine file location. |
| Review Activity Explorer. | A DLP rule match event appears with quarantine file location details. |