• Home
  • Topics
    • Office 365
    • Teams
    • SharePoint
    • Exchange 2019
    • Exchange 2016
    • Exchange 2013
    • Hybrid
    • Certificates
    • PowerShell
    • Migration
    • Security
    • Azure
  • Blog
  • Podcast
  • Webinars
  • Books
  • About
  • Subscribe
    • Facebook
    • Twitter
    • RSS
    • YouTube

Practical 365

You are here: Home / Compliance / Unable to Turn Off User Overrides in Office 365 DLP Policies

Unable to Turn Off User Overrides in Office 365 DLP Policies

November 27, 2017 by Paul Cunningham 2 Comments

During some recent testing of Office 365 DLP policies I encountered what I suspect is a bug in the Security & Compliance Center.

After creating a new DLP policy from a template, I could not disable the User overrides settings in the “High volume of content detected” rule.

Even after turning off user overrides, saving the policy changes, and waiting for the policy change to deploy successfully, the override continued to be available for end users. Re-editing the rule in the Security & Compliance Center would show that the setting had reverted to its original setting.

After multiple attempts I finally decided to use PowerShell to make the change. If you need to do this, connect to the Security & Compliance Center and use the following commands.

To view a list of DLP policy rules, run Get-DlpComplianceRule. If you want to see rules for a specific policy, use the -Policy parameter.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
PS C:\> Get-DlpComplianceRule
 
Name                          Disabled                      Policy Name                   Mode
----                          --------                      -----------                   ----
High volume of content det... False                         Testing - Australian Pll      Enforce
High volume of content det... False                         U.S. Financial Data           Enforce
Low volume of content dete... False                         U.S. Financial Data           Enforce
Low volume of content dete... False                         Testing - Australian Pll      Enforce
 
PS C:\> Get-DlpComplianceRule -Policy "Testing - Australian Pll"
 
Name                          Disabled                      Policy Name                   Mode
----                          --------                      -----------                   ----
High volume of content det... False                         Testing - Australian Pll      Enforce
Low volume of content dete... False                         Testing - Australian Pll      Enforce

To see the user override setting for a rule, look at the NotifyAllowOverride property.

1
2
3
4
5
6
Name                                                        NotifyAllowOverride
----                                                        -------------------
High volume of content detected Australia PII
High volume of content detected U.S. Financial              WithJustification
Low volume of content detected U.S. Financial
Low volume of content detected Australia PII

TechNet lists the possible values as:

  • FalsePositive
  • WithoutJustification
  • WithJustification

But you can also null the value to turn off user overrides. Use Set-DlpComplianceRule to make the change.

1
PS C:\> Set-DlpComplianceRule "High volume of content detected U.S. Financial" -NotifyAllowOverride $null

I’ve tested two separate DLP policy templates and both of them exhibited the same behaviour, which makes me suspect it is a general Security & Compliance Center bug and not specific to any template.

Compliance Data Loss Prevention, DLP, PowerShell

Comments

  1. Jay Kilby says

    November 6, 2019 at 8:41 pm

    Paul, i can connect to the SCC no issue but the cmdlets are not available they just do not show??
    any pointers i cant seem to find any details for this issue.

    thanks

    Jay

    Reply
  2. Anthony Fear says

    January 3, 2018 at 6:28 am

    Paul
    I experienced a similar issue……was unable to access to the Security and Compliance Center after creating a new DLP policy.

    Opening Ticket with Microsoft who confirmed it was a bug. They had to deploy a fix to my tenant.

    Reply

Leave a Reply Cancel reply

You have to agree to the comment policy.

Recent Articles

  • The Practical 365 Weekly Update: S2, Ep 9 – Controversial Teams guest changes and a roundup of important Microsoft 365 announcements and features
  • Hands-on SharePoint Syntex Blog Series – Part I
  • The Practical 365 Weekly Update: S2, Ep 8 – What to expect in 2021, Solarigate, TLS in Exchange and new Teams updates
  • Security updates released for Exchange and SharePoint Servers 2010 to 2019
  • The Practical 365 Weekly Update: S2, Ep 7 – Urgent Exchange security updates, new Teams features launch
Practical 365

Related Posts

Related Posts

Training Courses

  • Configuring and Managing Office 365 Security
  • Office 365 Admin Playbook
  • Exchange 2016 Exam 70-345
  • Managing Exchange Mailboxes and Distribution Groups in PowerShell
  • More Training Courses...

Recommended Resources

  • Office 365 Security Resources
  • Office 365 Books
  • Exchange Server Books
  • Exchange Server Migrations
  • Exchange Analyzer
  • Digicert SSL Certificates

About This Site

Practical 365 is a leading site for Office 365 and Exchange Server news, tips and tutorials. Read more...

Find out more about advertising with us.

Contact us


Subscribe to our newsletter
  • Facebook
  • Twitter
  • RSS
  • YouTube

Copyright © 2021 Quadrotech Solutions AG · Disclosure · Privacy Policy
Alpenstrasse 15, 6304 Zug, Switzerland