Microsoft Teams
A Microsoft customizable chat-based workspace.
10,401 questions
Why doesn't my Microsoft Teams DLP Policy Work?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 84%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EOS%3C/text%3E%3C/svg%3E)
Ojii-San2.0
0
Reputation points
About a year and a half ago, I tested a DLP policy to block messages containing credit card numbers in Microsoft Teams chat and it worked perfectly.
Now, I am being tasked to implement that same DLP policy. Since, I didn't fully remember all the settings and the Purview Compliance portal has changed some, I configured the policy and used this Microsoft Documentation as a reference: Data loss prevention and Microsoft Teams | Microsoft Learn. I set the following main criteria:
Rule: PCI Restriction
- Scope: Teams Chat and Channel Messages - All users & groups
- Conditions:
- Content Contains: Sensitive Info Types - Credit Card Number - High Confidence - 1 to Any [AND]
- Content Contains [NOT]: Sensitive Info Types - Test Credit Card Numbers***** - High Confidence - 1 to Any [AND]
- Content is Shared from Microsoft 365: Only with people inside my organization
- Actions: Restrict access or encrypt the content in Microsoft 365 locations****** - Block everyone
*These are just a select few numbers provided by a proprietary system for testing.
**This is the only action available to me with the options to me.
The above rule didn't work initially. It wouldn't block messages in Microsoft Teams containing credit card numbers and instead was alerting my team on files in OneDrive. I eventually deduced that the following is incorrect:
Conditions:
- Content is Shared from Microsoft 365: Only with people inside my organization
- Actions: Restrict access or encrypt the content in Microsoft 365 locations - Block everyone
They seem to override the scope and apply to other core 365 products. Once removed, the policy stopped the scanning of files in OneDrive. Now the only criteria left are:
- Scope: Teams Chat and Channel Messages - All users & groups
- Conditions:
- Content Contains: Sensitive Info Types - Credit Card Number - High Confidence - 1 to Any [AND]
- Content Contains [NOT]: Sensitive Info Types - Test Credit Card Numbers***** - High Confidence - 1 to Any
I left this policy to sync overnight, but it still doesn't block messages in Microsoft Teams containing credit card numbers. I don't understand what changed since I originally tested this.
I've tried looking this up, but the only thing that I could find was this Microsoft Community post: https://answers.microsoft.com/en-us/msteams/forum/all/data-loss-prevention-for-microsoft-teams/f1c8ce9a-13c5-47db-a335-2c6d383fb62f?page=2
Any suggestions to what I might be doing incorrectly?
Microsoft Teams
Microsoft Purview
Microsoft Purview
A Microsoft data governance service that helps manage and govern on-premises, multicloud, and software-as-a-service data. Previously known as Azure Purview.
1,250 questions
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(288, 61%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EP%3C/text%3E%3C/svg%3E)
phemanth 11,470 Reputation points Microsoft Vendor2024-11-19T18:25:49.1966667+00:00 Thanks for reaching out to Microsoft Q&A.
Here are a few steps that help you troubleshoot the issue:
- Policy Scope: Ensure that your DLP policy is correctly scoped to include all relevant Teams users. Sometimes, if users are not part of the specified groups, the policy may not apply as expected. Verify that all users are included in the scope you set.
- Conditions: You mentioned that you removed the condition regarding sharing with people inside your organization. This is a good step, as it can sometimes interfere with how the policy is applied. Make sure your conditions are strictly focused on the sensitive info types you want to monitor.
- Policy Sync: After making changes, it can take some time for the policy to sync across Microsoft 365 services. If you haven’t already, allow a bit more time for the changes to propagate fully.
- Testing with Real Data: Ensure that the test credit card numbers you are using are not being flagged as sensitive information. Sometimes, if the test numbers are not recognized as valid sensitive info types, the policy may not trigger as expected.
- DLP Licensing: Confirm that your organization has the appropriate licensing for DLP in Teams. DLP for Teams requires specific licenses (like E5) to function correctly. If your organization has downgraded or changed licenses, this could affect the policy’s effectiveness.
Hope this helps. Do let us know if you any further queries.
-
Ojii-San2.0 0 Reputation points
2024-11-19T18:41:31.9966667+00:00 Hi @phemanth
Yes, I had gone through all those steps.
- The policy scope is only for Teams Chats and Channel messages for all users and groups.
- The only condition left, as specified in the post, is that the content contains the credit card sensitive info type.
- I had left it for long enough that the policy took effect. The only problem was that it was still detecting only OneDrive files containing credit card info. This is still after I removed the conflicting condition as stated in point 2 and the scope only being for Teams.
- Actually, any test numbers not specified in my exclusion info type should also be flagged. Still, any messages containing credit card numbers are not being flagged.
- Yes, my organization is using E5.
-
phemanth 11,470 Reputation points Microsoft Vendor
2024-11-21T18:26:09.9933333+00:00 Here are a few additional considerations and steps you mght take to
- Policy Configuration Review
- Check for Overlapping Policies: Ensure there are no other DLP policies that might conflict with the one you’re trying to implement. Sometimes, multiple policies can interfere with each other, leading to unexpected behavior.
- Testing with Valid Data
- Use Recognized Test Data: Make sure the test credit card numbers you’re using are recognized by Microsoft as valid sensitive information. If they don’t match the definitions, the policy won’t trigger.
- Policy Application Timing
- Allow More Time for Sync: Although you’ve waited overnight, sometimes it can take longer for changes to propagate, especially in larger organizations. Consider waiting a bit longer or checking the policy status in the admin center.
- Diagnostic Tools
- Run DLP Diagnostics: Use the diagnostic tools available in the Microsoft 365 admin center to analyze your DLP policy. This can help identify any configuration errors or issues that might be preventing the policy from working correctly.
- Policy Tips and Notifications
- Enable Policy Tips: If not already done, enable policy tips to see if they provide any feedback when sensitive information is detected. This can help you understand if the policy is being triggered but not acting as expected.
- External Sharing Considerations
- Review External Sharing Settings: If your organization allows external sharing, ensure that the policy is set up to handle messages sent to external users correctly. DLP policies can behave differently based on whether the recipients are internal or external.
-
phemanth 11,470 Reputation points Microsoft Vendor
2024-11-22T19:05:42.1266667+00:00 @Ojii-San2.0 We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Sign in to comment
Sign in to answer