During some recent testing of Office 365 DLP policies I encountered what I suspect is a bug in the Security & Compliance Center.
After creating a new DLP policy from a template, I could not disable the User overrides settings in the “High volume of content detected” rule.
Even after turning off user overrides, saving the policy changes, and waiting for the policy change to deploy successfully, the override continued to be available for end users. Re-editing the rule in the Security & Compliance Center would show that the setting had reverted to its original setting.
After multiple attempts I finally decided to use PowerShell to make the change. If you need to do this, connect to the Security & Compliance Center and use the following commands.
To view a list of DLP policy rules, run Get-DlpComplianceRule. If you want to see rules for a specific policy, use the -Policy parameter.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
PS C:\> Get-DlpComplianceRule Name Disabled Policy Name Mode ---- -------- ----------- ---- High volume of content det... False Testing - Australian Pll Enforce High volume of content det... False U.S. Financial Data Enforce Low volume of content dete... False U.S. Financial Data Enforce Low volume of content dete... False Testing - Australian Pll Enforce PS C:\> Get-DlpComplianceRule -Policy "Testing - Australian Pll" Name Disabled Policy Name Mode ---- -------- ----------- ---- High volume of content det... False Testing - Australian Pll Enforce Low volume of content dete... False Testing - Australian Pll Enforce |
To see the user override setting for a rule, look at the NotifyAllowOverride property.
|
1 2 3 4 5 6 |
Name NotifyAllowOverride ---- ------------------- High volume of content detected Australia PII High volume of content detected U.S. Financial WithJustification Low volume of content detected U.S. Financial Low volume of content detected Australia PII |
TechNet lists the possible values as:
- FalsePositive
- WithoutJustification
- WithJustification
But you can also null the value to turn off user overrides. Use Set-DlpComplianceRule to make the change.
|
1 |
PS C:\> Set-DlpComplianceRule "High volume of content detected U.S. Financial" -NotifyAllowOverride $null |
I've tested two separate DLP policy templates and both of them exhibited the same behaviour, which makes me suspect it is a general Security & Compliance Center bug and not specific to any template.
Paul is a Microsoft MVP for Office Apps and Services and a Pluralsight author. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server.
Paul
I experienced a similar issue……was unable to access to the Security and Compliance Center after creating a new DLP policy.
Opening Ticket with Microsoft who confirmed it was a bug. They had to deploy a fix to my tenant.