MS-102 Phase 7 Module 50

Data Loss Prevention (DLP)

DLP policies for Exchange, SharePoint, OneDrive, Teams and Endpoint: detect and prevent leakage of sensitive data such as national ID (CCCD) numbers, bank account numbers and confidential contracts.

Scenario – VinaCorp

HR accidentally attached an Excel file containing 3,500 employee CCCD numbers to an email sent to a partner. IT needs: a DLP policy that blocks email containing CCCD numbers from leaving the organization, shows a policy tip to the user, allows an override with a written justification, and Endpoint DLP that blocks copying HR files to USB.

DLP Locations & Actions

Location               | Detected at                       | Available actions
-----------------------|-----------------------------------|--------------------------------------------------
Exchange Online        | Outbound/inbound email            | Block, Encrypt, Policy tip, Quarantine, Redirect
SharePoint Online      | File upload/share                 | Block external share, Restrict access, Alert
OneDrive               | File sync/share                   | Block share, Alert
Teams                  | Chat messages, channel posts      | Block message, Policy tip
Endpoint (MDE)         | File operations on Windows        | Block USB, Block cloud upload, Block print, Audit
On-premises (scanner)  | File shares, SharePoint on-prem   | Quarantine, Alert (read-only actions)

DLP Action Hierarchy

1. Audit only
   Log the match, do not block.
2. Policy tip + Override
   Warn the user; the user can proceed after entering a reason.
3. Block + Override
   Block, but allow the user to override (with justification, acknowledgement, or a false-positive report).
4. Block (strict)
   Block completely, no override.

Lab A – DLP Policy: Block CCCD in Email (PowerShell)

Connect-IPPSSession -UserPrincipalName [email protected]

# Create the DLP policy for Exchange: block CCCD numbers leaving the organization.
# -Mode Enable enforces immediately; for a first rollout use -Mode TestWithNotifications
# and switch to Enable after reviewing the matches.
New-DlpCompliancePolicy -Name "VinaCorp-DLP-CCCD-Email" `
    -ExchangeLocation All `
    -Mode Enable

New-DlpComplianceRule -Name "Block-CCCD-External-Email" `
    -Policy "VinaCorp-DLP-CCCD-Email" `
    -ContentContainsSensitiveInformation @(
        # minCount=5: at least five IDs in one message; minConfidence=85: only high-confidence matches count
        @{Name="Vietnam National Identification Number"; minCount=5; minConfidence=85}
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -BlockAccessScope All `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This email contains national ID (CCCD) numbers. Remove the personal data or contact [email protected] for help." `
    -NotifyAllowOverride WithJustification `
    -IncidentReportContent All `
    -ReportSeverityLevel High `
    -AlertProperties @{AggregationType="SimpleAggregation"; Threshold=1}
# Note: -IncidentReportContent only selects what the report contains; add
# -GenerateIncidentReport <mailbox> to have it delivered to the compliance team.

Write-Host "DLP policy created: Block CCCD in outbound email"

Expected result:

DLP policy created: VinaCorp-DLP-CCCD-Email
Rule: Block-CCCD-External-Email
  - Detects: Vietnam National ID (>=5 instances, confidence >=85%)
  - Action: Block + Policy tip + Override with justification
  - Alert: Incident report to the compliance team

Add the SharePoint/Teams/OneDrive locations to the policy

# Extend the policy to SharePoint, Teams and OneDrive. The existing rule
# (BlockAccess, AccessScope NotInOrganization) now also applies to external sharing.
Set-DlpCompliancePolicy -Identity "VinaCorp-DLP-CCCD-Email" `
    -AddSharePointLocation All `
    -AddTeamsLocation All `
    -AddOneDriveLocation All

Write-Host "DLP policy expanded to SharePoint, Teams, OneDrive"
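The two scripts above create the policy but never confirm that the sensitive information type name is spelled exactly as Purview publishes it (a misspelled name matches nothing, silently) or that the rule came back with the settings the scenario requires. The following script is an added example, not part of the original lab: it checks the SIT name with Get-DlpSensitiveInformationType, reads the rule back, and moves the policy into test mode before enforcement. It assumes Connect-IPPSSession has already been run and uses the policy and rule names from Lab A.

```powershell
# Added example: post-creation checks and staged rollout for the Lab A policy.
# Assumes an existing Connect-IPPSSession and the names created in Lab A.

$PolicyName = "VinaCorp-DLP-CCCD-Email"
$RuleName   = "Block-CCCD-External-Email"
$SitName    = "Vietnam National Identification Number"

# 1. The SIT name in a rule must match a published sensitive information type exactly.
#    If it does not, list the Vietnam-related SITs so the right name can be picked.
$sit = Get-DlpSensitiveInformationType | Where-Object { $_.Name -eq $SitName }
if (-not $sit) {
    Write-Warning "SIT '$SitName' not found. Vietnam-related SITs available in this tenant:"
    Get-DlpSensitiveInformationType | Where-Object { $_.Name -like "*Vietnam*" } |
        Select-Object Name, Publisher | Format-Table -AutoSize
    return
}

# 2. Read the rule back and verify the settings the scenario depends on.
$rule = Get-DlpComplianceRule -Identity $RuleName
$checks = [ordered]@{
    "Blocks access"           = ($rule.BlockAccess -eq $true)
    "Override needs reason"   = ($rule.NotifyAllowOverride -contains "WithJustification")
    "Incident report content" = ($rule.IncidentReportContent.Count -gt 0)
}
$checks.GetEnumerator() | ForEach-Object {
    "{0,-26} {1}" -f $_.Key, $(if ($_.Value) { "OK" } else { "MISSING" })
}

# 3. Run in test mode first: users see policy tips and matches are logged, nothing is blocked.
#    Valid -Mode values: Enable, TestWithNotifications, TestWithoutNotifications, Disable.
Set-DlpCompliancePolicy -Identity $PolicyName -Mode TestWithNotifications

$policy = Get-DlpCompliancePolicy -Identity $PolicyName
"Policy '{0}' mode={1}; Exchange={2} SharePoint={3} Teams={4}" -f
    $policy.Name, $policy.Mode,
    ($policy.ExchangeLocation -join ","),
    ($policy.SharePointLocation -join ","),
    ($policy.TeamsLocation -join ",")

# After the review window (for example one week of Activity explorer data), enforce:
# Set-DlpCompliancePolicy -Identity $PolicyName -Mode Enable
```

Keep the policy in TestWithNotifications until the match volume in Activity explorer looks plausible for 3,500-row HR exports and not for ordinary correspondence; a minCount that is too low will block legitimate mail and train users to override reflexively.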

Lab B – Endpoint DLP: Block USB Copy

Prerequisites: devices onboarded to MDE, Windows 10/11, Purview Endpoint DLP device onboarding enabled

# Create a DLP policy scoped to the Endpoint location
New-DlpCompliancePolicy -Name "VinaCorp-Endpoint-DLP" `
    -EndpointDlpLocation All `
    -Mode Enable

New-DlpComplianceRule -Name "Block-HR-Data-USB" `
    -Policy "VinaCorp-Endpoint-DLP" `
    -ContentContainsSensitiveInformation @(
        @{Name="Vietnam National Identification Number"; minCount=1},
        @{Name="Credit Card Number"; minCount=1}
    ) `
    -EndpointDlpRestrictions @(
        # Each entry is Setting + Value; Value is Audit, Warn or Block
        @{Setting="RemovableMedia"; Value="Block"},   # copy to USB
        @{Setting="NetworkShare";   Value="Audit"},   # copy to network share: log only
        @{Setting="Print";          Value="Block"},
        @{Setting="CloudEgress";    Value="Block"},   # upload to cloud services via browser
        @{Setting="UnallowedApps";  Value="Block"}    # access by restricted apps
    ) `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "Copying HR data to USB or printing it is not allowed."

Write-Host "Endpoint DLP: Block USB copy for sensitive HR data"

Expected result:

Endpoint DLP policy created: VinaCorp-Endpoint-DLP
Rule: Block-HR-Data-USB
  - Copy to USB: Blocked
  - Print: Blocked
  - Cloud upload: Blocked
  - Network share: Audit only
Applies to all onboarded MDE devices

DLP Activity Explorer & Reports

1. purview.microsoft.com → Data loss prevention → Activity explorer
2. Filter: Activity type = DLP rule matched → shows all DLP events from the last 30 days
3. DLP reports tab: top rules matched, top users, top locations

# View DLP incidents via PowerShell (last 7 days)
Get-DlpIncidentDetailReport -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) |
    Select-Object Date, Title, Severity, UserName, RuleName, PolicyName |
    Sort-Object Date -Descending |
    Format-Table -AutoSize

Date        Title             Severity  UserName           RuleName
----        -----             --------  --------           --------
4/20 09:11  DLP rule matched  High      [email protected]  Block-CCCD-External-Email
4/19 14:32  DLP rule matched  Medium    [email protected]  Block-HR-Data-USB
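Activity explorer and the incident report show one row per match, but investigating the HR-leak scenario usually means answering "which users keep hitting which rule, on which workload". The script below is an added example, not part of the original lab: it pulls the raw DLP match events from the unified audit log with Search-UnifiedAuditLog, flattens the JSON in AuditData, and groups repeat offenders. It assumes an existing Security & Compliance PowerShell session with unified audit logging enabled, and assumes (per the Office 365 Management Activity DLP schema) that endpoint and Exchange matches are recorded under the DLPEndpoint and ComplianceDLPExchange record types with operation DlpRuleMatch, and that each event carries a PolicyDetails array whose Rules entries expose RuleName and Actions.

```powershell
# Added example: pull raw DLP match events from the unified audit log and
# summarise them per user and rule. Assumes a connected Connect-IPPSSession.
# Assumption: Lab B matches land under RecordType DLPEndpoint, Lab A matches under
# ComplianceDLPExchange, and a match is the DlpRuleMatch operation.

$start = (Get-Date).AddDays(-7)
$end   = Get-Date

$events = foreach ($type in "DLPEndpoint", "ComplianceDLPExchange") {
    Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType $type -Operations DlpRuleMatch -ResultSize 5000
}

# AuditData is a JSON string; one event can report several policies and rules.
# Assumption: AuditData.PolicyDetails[].Rules[] carries RuleName and Actions.
$dlpMatches = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    foreach ($p in $d.PolicyDetails) {
        foreach ($r in $p.Rules) {
            [pscustomobject]@{
                Time     = $e.CreationDate
                User     = $e.UserIds
                Workload = $e.RecordType
                Policy   = $p.PolicyName
                Rule     = $r.RuleName
                Actions  = ($r.Actions -join ",")
            }
        }
    }
}

# Newest first, same shape as the incident report above
$dlpMatches | Sort-Object Time -Descending | Format-Table -AutoSize

# Users with three or more matches on the same rule in a week are the ones to follow up with
$dlpMatches | Group-Object User, Rule | Where-Object Count -ge 3 |
    Select-Object Count, Name | Sort-Object Count -Descending
```

Search-UnifiedAuditLog returns at most 5,000 rows per call; on a busy tenant narrow the window or page with -SessionId and -SessionCommand ReturnLargeSet before trusting the counts.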

Module 50 Summary

Core knowledge
  • ✅ DLP covers 6 locations: Exchange, SharePoint, OneDrive, Teams, Endpoint, On-prem
  • ✅ Override with justification: the user explains the reason, and it is logged for audit
  • ✅ Endpoint DLP requires MDE device onboarding first
  • ✅ minCount: the rule only triggers once that many instances are found in one item
  • ✅ Mode Enable enforces immediately: test with Mode TestWithNotifications before enforcing
Labs completed
  • 🔬 Lab A: DLP blocking CCCD in outbound email + policy tip + override
  • 🔬 Extending the policy to SharePoint/Teams/OneDrive
  • 🔬 Lab B: Endpoint DLP blocking USB/print/cloud upload
  • 🔬 Activity explorer + DLP incident reports