Microsoft365DSC
Export DLP rules from Security and Compliance Center
Need a solution for exporting and importing Security and Compliance Center DLP policies. The provided cmdlets from this document: https://docs.microsoft.com/en-us/powershell/module/exchange/export-dlppolicycollection?view=exchange-ps only partially work. The Export DlpCollection did not work.
Any ideas? Have run into this issue several times.
Have you tried exporting the DLP Policies from Microsoft365DSC? Are you running into any issues?
Export-M365DSCConfiguration -Components SCDLPCOmpliancePolicy
@NikCharlebois Am I running this from my admin PowerShell or do I need to be in the ExchangeOnline PowerShell? And I did just try to run this and no luck.
@NikCharlebois I can access the compliance center via Connect-IPPSSession and Get-DlpCompliancePolicy works, and Import-Module and updated some permissions in Azure... but then when I run Export-DlpPolicyCollection I get an error. Every time.
Not recognized as a cmdlet. I have updated my Azure cmdlet database, I have updated permissions, etc. I think the cmdlet is deprecated....
You need to run the command Export-M365DSCConfiguration -Components SCDLPCOmpliancePolicy
in a standard PowerShell 5 session. This would be the complete script to export the policies:
# Generated by Microsoft365DSC from https://export.microsoft365dsc.com on 2/21/2022, 1:32:22 PM
# Visit https://microsoft365dsc.com for more information
# Getting client credential
$Credential = Get-Credential
# Exporting resources using credentials
Export-M365DSCConfiguration -Components @("SCDLPCompliancePolicy") -Credential $Credential
Additionally, please make sure to follow this guide: https://microsoft365dsc.com/user-guide/get-started/complete-story/
@andikrueger Thank you for the reply. Do I run this command in place of the Export-DlpPolicyCollection command? I am sorry, but I have never used this resource before. Like I mentioned above, I connect via IPPSSession to the security and compliance center with credentials and run the commands. In your instructions you have credential commands as well, and then the link to getting started with 365dsc. So it looks like I have to install the dsc module to then follow the commands? Thank you for your assistance.
Did you have a chance to look at the getting started guide for Microsoft 365 DSC? Microsoft365DSC handles the connection for you and there is no need to run the commands manually.
@andikrueger I was able to export rules.... this is the Contoso demo site I am using.... now stuck on Destination path to see the configs... or trying to find where the exports went... the Destination path came up and I added the Set-Content but now stuck on where the export is living. Thanks.
No need to add Set-Content. Only the target path of the export is needed. Export-M365DSCConfiguration will handle the creation of the target folder and files.
@andikrueger Success! I have now gotten the policy configs in a file. Making progress, now my question is when I get to this command, how do I define what tenant I want the DLP policy configs to import to?
Start-DSCConfiguration .\M365TenantConfig -Wait -Verbose -Force
You need to define some credentials to compile the configuration. These should be of the target tenant.
@andikrueger define credentials in the .mof file that is created or as signing into the PowerShell in the desired target tenant?
No. They are used within the ps1 file and then compiled and therefore available within the mof file. If you need to secure the credentials in the mof file, there is a good docs article available: https://docs.microsoft.com/en-us/powershell/dsc/pull-server/securemof
@andikrueger So do I literally change the credentials in the ps1 file to the target tenant? For example, I export the policies into a mof file from tenant 1, I want to import them into tenant 2. So do I need to change the credentials in the mof file to tenant 2 and then run the Start-DSCConfiguration .\M365TenantConfig -Wait -Verbose -Force command?
@andikrueger WE DID IT! Thank you so much for your help.
@andikrueger Got excited too soon, any custom DLP with custom sensitive info types we get errors, any ideas?
@ACK00 Any chance you can provide some screenshots of your DLP rules so we can try to repro?
@desmay
This is a rough template of replicated policies that I am tasked with importing. This one caused the error above. I understand this is not the ideal scenario for a DLP structure. The last screenshot is the overall config and I know the file extensions are funky but that is what I was given to work with. Do custom DLP policies have problems importing typically?
@ACK00 Thx let me see if I repro
@ACK00 After reviewing your screenshots we don't have support for custom SITs only the OOB SITs. We can look to add this to the backlog as an enhancement to SCDLPCompliancePolicy resource.
@desmay Thank you. We have had multiple clients ask for a feature that shows the configurations of their DLP policies, most are customized. A solution for this is needed frequently. Or perhaps a better GUI export or print out from the console would be even better for customer experience. Thanks again.
Started some investigation on this. The Get-DLPSensitiveInformationType cmdlet doesn't return much other than name and description. We are required to look at the DLPSensitiveInformationTypeRuleCollection property which is obtained by the Get-DLPSensitiveInformationRulePack cmdlet and properties are all handled by an XML blob which will add complexity. If we are to implement this as a resource (SCDLPSensitiveInformationType) we can implement the rules as XML for the Test-TargetResource function's sake and we would need to break them down into properties.
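An added illustration of the comment above (not Microsoft365DSC code and not posted by anyone in this thread): breaking a sensitive information type rule pack XML blob down into flat properties that a Test-TargetResource-style comparison could work with. The sample XML is constructed, the helper name ConvertFrom-SitRulePackXml is hypothetical, and the code assumes the blob follows Microsoft's published rule package schema.

```powershell
# Constructed sample (not from the thread). Element names follow Microsoft's
# published rule package schema; the GUID, regex and keyword are made up.
$rulePackXml = @'
<RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
  <Rules>
    <Entity id="00000000-0000-0000-0000-0000000000aa" patternsProximity="300" recommendedConfidence="75">
      <Pattern confidenceLevel="75">
        <IdMatch idRef="Regex_emp_id" />
        <Match idRef="Keyword_emp" />
      </Pattern>
    </Entity>
    <Regex id="Regex_emp_id">\bEMP-\d{6}\b</Regex>
    <Keyword id="Keyword_emp"><Group matchStyle="word"><Term>employee id</Term></Group></Keyword>
    <LocalizedStrings>
      <Resource idRef="00000000-0000-0000-0000-0000000000aa"><Name default="true" langcode="en-us">Contoso Employee ID</Name></Resource>
    </LocalizedStrings>
  </Rules>
</RulePackage>
'@

function ConvertFrom-SitRulePackXml {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Xml)
    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null            # never fetch external DTDs or entities
    $doc.LoadXml($Xml)
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('m', $doc.DocumentElement.NamespaceURI)
    # Index every rule element (Entity, Regex, Keyword, ...) by its id attribute.
    $byId = @{}
    foreach ($n in $doc.SelectNodes('/m:RulePackage/m:Rules/*[@id]', $ns)) { $byId[$n.GetAttribute('id')] = $n }
    foreach ($entity in $doc.SelectNodes('/m:RulePackage/m:Rules/m:Entity', $ns)) {
        $id = $entity.GetAttribute('id')
        $nameNode = $doc.SelectNodes('//m:LocalizedStrings/m:Resource/m:Name', $ns) |
            Where-Object { $_.ParentNode.GetAttribute('idRef') -eq $id } | Select-Object -First 1
        # Resolve each IdMatch/Match reference to the element it points at.
        $refs = foreach ($m in $entity.SelectNodes('.//m:IdMatch | .//m:Match', $ns)) {
            $target = $byId[$m.GetAttribute('idRef')]
            [pscustomobject]@{
                Role    = $m.LocalName
                Ref     = $m.GetAttribute('idRef')
                Kind    = if ($target) { $target.LocalName } else { 'unresolved' }
                Content = if ($target) { $target.InnerText.Trim() } else { $null }
            }
        }
        [pscustomobject]@{
            Id                    = $id
            Name                  = if ($nameNode) { $nameNode.InnerText } else { $null }
            RecommendedConfidence = [int]$entity.GetAttribute('recommendedConfidence')
            References            = @($refs)
        }
    }
}
ConvertFrom-SitRulePackXml -Xml $rulePackXml | Format-List
```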
I just wanna say: if it works, I love you