During some recent testing of Office 365 DLP policies I encountered what I suspect is a bug in the Security & Compliance Center.

After creating a new DLP policy from a template, I could not disable the User overrides settings in the “High volume of content detected” rule.

Even after turning off user overrides, saving the policy changes, and waiting for the policy change to deploy successfully, the override continued to be available for end users. Re-editing the rule in the Security & Compliance Center would show that the setting had reverted to its original setting.

After multiple attempts I finally decided to use PowerShell to make the change. If you need to do this, connect to the Security & Compliance Center and use the following commands.

To view a list of DLP policy rules, run Get-DlpComplianceRule. If you want to see rules for a specific policy, use the -Policy parameter.

PS C:\> Get-DlpComplianceRule

Name                          Disabled                      Policy Name                   Mode
----                          --------                      -----------                   ----
High volume of content det... False                         Testing - Australian Pll      Enforce
High volume of content det... False                         U.S. Financial Data           Enforce
Low volume of content dete... False                         U.S. Financial Data           Enforce
Low volume of content dete... False                         Testing - Australian Pll      Enforce

PS C:\> Get-DlpComplianceRule -Policy "Testing - Australian Pll"

Name                          Disabled                      Policy Name                   Mode
----                          --------                      -----------                   ----
High volume of content det... False                         Testing - Australian Pll      Enforce
Low volume of content dete... False                         Testing - Australian Pll      Enforce

To see the user override setting for a rule, look at the NotifyAllowOverride property.

Name                                                        NotifyAllowOverride
----                                                        -------------------
High volume of content detected Australia PII
High volume of content detected U.S. Financial              WithJustification
Low volume of content detected U.S. Financial
Low volume of content detected Australia PII

TechNet lists the possible values as:

  • FalsePositive
  • WithoutJustification
  • WithJustification

But you can also null the value to turn off user overrides. Use Set-DlpComplianceRule to make the change.

PS C:\> Set-DlpComplianceRule "High volume of content detected U.S. Financial" -NotifyAllowOverride $null
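
Because the portal can silently revert this setting, it helps to report the override state of every rule and to re-read it after the change. The following is an added example, not code from the original post. It assumes an already connected Security & Compliance Center PowerShell session, and the function names Get-DlpOverrideState and Disable-DlpUserOverride are hypothetical helpers.

```powershell
# Added example. Assumes a connected Security & Compliance Center session.
# Get-DlpOverrideState and Disable-DlpUserOverride are hypothetical helper names.

function Get-DlpOverrideState {
    param([string]$Policy)   # optional: limit the report to one policy
    $rules = if ($Policy) {
        Get-DlpComplianceRule -Policy $Policy
    } else {
        Get-DlpComplianceRule
    }
    foreach ($rule in $rules) {
        # NotifyAllowOverride may be empty, one value or several; flatten to text.
        $value = $rule.NotifyAllowOverride -join ', '
        [pscustomobject]@{
            Name            = $rule.Name
            OverrideAllowed = -not [string]::IsNullOrEmpty($value)
            Value           = $value
        }
    }
}

function Disable-DlpUserOverride {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Policy)
    # Only touch rules that currently allow an override.
    $targets = Get-DlpOverrideState -Policy $Policy | Where-Object OverrideAllowed
    foreach ($t in $targets) {
        if ($PSCmdlet.ShouldProcess($t.Name, 'Clear NotifyAllowOverride')) {
            Set-DlpComplianceRule -Identity $t.Name -NotifyAllowOverride $null
        }
    }
    # Re-read from the service instead of trusting what the portal displays.
    Get-DlpOverrideState -Policy $Policy
}

# Report every rule, then preview the change for one policy from this post.
Get-DlpOverrideState | Format-Table -AutoSize
Disable-DlpUserOverride -Policy 'U.S. Financial Data' -WhatIf
```

Drop -WhatIf to apply the change, and run Get-DlpOverrideState again once the policy has finished deploying to confirm the value stayed empty.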

I’ve tested two separate DLP policy templates and both of them exhibited the same behaviour, which makes me suspect it is a general Security & Compliance Center bug and not specific to any template.

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Jay Kilby

    Paul, I can connect to the SCC no issue but the cmdlets are not available, they just do not show??
    Any pointers? I can't seem to find any details for this issue.

    Thanks

    Jay

  2. Anthony Fear

    Paul
    I experienced a similar issue……was unable to access the Security and Compliance Center after creating a new DLP policy.

    Opened a ticket with Microsoft, who confirmed it was a bug. They had to deploy a fix to my tenant.
