This scenario shows how to create a Microsoft Purview DLP policy using the U.S. PII Data Enhanced template to monitor sensitive data on endpoint devices. The policy runs in audit-only (simulation) mode, enabling visibility into user activity and data risk without impacting users, while using policy tips and Activity explorer for validation and analysis.
This scenario is for an unrestricted admin creating a full-directory policy.
Prerequisites and assumptions
This article uses the process you learned in Design a data loss prevention policy to show you how to create a Microsoft Purview Data Loss Prevention (DLP) policy. Work through these scenarios in your test environment to familiarize yourself with the policy creation UI.
Important
This article presents a hypothetical scenario with hypothetical values. It's only for illustrative purposes. Substitute your own sensitive information types, sensitivity labels, distribution groups, and users.
How you deploy a policy is as important as policy design. This article shows you how to use the deployment options so that the policy achieves your intent while avoiding costly business disruptions.
This scenario uses the Confidential sensitivity label, so it requires you to create and publish sensitivity labels. To learn more, see:
- Learn about sensitivity labels
- Get started with sensitivity labels
- Create and configure sensitivity labels and their policies
This procedure uses a hypothetical distribution group Human Resources and a distribution group for the security team at Contoso.com.
This procedure uses alerts. For more information, see: Get started with the data loss prevention alerts
Policy intent statement and mapping
We, Contoso, want to begin evaluating how sensitive information—specifically U.S. Personally Identifiable Information (PII)—is being handled on endpoint devices across our organization. Before enforcing restrictions, we want visibility into user activity and potential data risk without impacting productivity.
To achieve this, we will create a policy that monitors activity on devices, detects when U.S. PII is involved, and records those events for analysis. When users perform actions that match the policy conditions, we want to show policy tips to raise awareness and educate them, but we do not want to block or restrict their actions at this stage.
| Statement | Configuration question answered and configuration mapping |
|---|---|
| “We want to evaluate how sensitive (U.S. PII) data is being used on endpoint devices…” | - Administrative scope: Full directory - Where to monitor: Devices - Scope: All users, devices |
| “We want to detect content that matches U.S. Personally Identifiable Information (PII) definitions…” | - Template selection: U.S. Personally Identifiable Information (PII) Data Enhanced - Conditions for a match: Built-in sensitive information types included in the template |
| “We want to observe activity without impacting users or blocking business processes…” | - Protection actions: No restrictive actions configured - Mode: Audit-only behavior via simulation mode |
| “We want to capture and review events when policy conditions are met…” | - Monitoring and reporting: Activity explorer used to review matched events - Alerts/events generated for matching activities |
| “We want to educate users at the time of activity without enforcing restrictions…” | - User experience: Policy tips enabled (Show policy tips while in simulation mode) - No blocking or override prompts configured |
| “We want to safely test the policy before enforcing it in production…” | - Policy mode: Run in simulation mode - Deployment approach: Validate behavior before switching to enforcement |
Steps to create policy
Sign in to the Microsoft Purview portal, and then go to Data loss prevention > Policies.
Choose + Create policy.
Select Data stored in connected sources.
For this scenario, under Categories, choose Privacy.
Under Regulations choose U.S. Personally Identifiable Information (PII) Data Enhanced, and then choose Next.
Give your new policy a Name and Description, and then choose Next.
Accept the default Full directory under Admin units. Select Next.
Select the Devices location and deselect all other locations and then choose Next.
On the Define policy settings page, choose Next.
On the Info to protect page, choose Next.
On the Protection actions page, choose Next again.
On the Customize access and override settings page, choose Audit or restrict activities on Devices and then choose Next.
On the Policy mode page, accept the default Run the policy in simulation mode and select Show policy tips while in simulation mode.
Choose Next.
Choose Submit.
Once the new policy is created, choose Done.
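The same audit-only endpoint policy can be created and verified from Security & Compliance PowerShell, which is useful when you want the configuration under source control or need to reproduce it in several test tenants. The script below is an added example, not part of the original article or of Microsoft's own sample code. It assumes the ExchangeOnlineManagement module is installed, that admin@contoso.com is a hypothetical compliance admin, and that the policy and rule names are placeholders. The portal template bundles its built-in sensitive information types for you; in PowerShell you list them explicitly, so the three U.S. PII types and the endpoint activity names shown are assumed here for illustration. Substitute the ones your tenant and template actually use.

```powershell
# Added example (not from the original page): build the scenario's audit-only
# endpoint DLP policy with Security & Compliance PowerShell and confirm its mode.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.com   # assumed admin account

$policyName = "US PII on devices - simulation"             # assumed policy name

# Mode TestWithNotifications is the PowerShell equivalent of "Run the policy in
# simulation mode" + "Show policy tips while in simulation mode".
# TestWithoutNotifications = simulation without tips; Enable = enforcement.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Audit-only visibility into U.S. PII handling on endpoint devices" `
    -EndpointDlpLocation All `
    -Mode TestWithNotifications

# Assumed subset of the U.S. PII sensitive information types; the portal template
# includes these and others. Substitute the SITs your organization relies on.
$piiTypes = @(
    @{ Name = "U.S. Social Security Number (SSN)";                       minCount = "1" },
    @{ Name = "U.S. Individual Taxpayer Identification Number (ITIN)"; minCount = "1" },
    @{ Name = "U.S. Driver's License Number";                           minCount = "1" }
)

# Every endpoint activity is set to Audit: the event is recorded in Activity
# explorer, nothing is blocked and no override prompt is shown. Activity names
# are assumed here; use Get-Help New-DlpComplianceRule to list the supported set.
$auditOnly = @(
    @{ Setting = "CopyPaste";      Value = "Audit" },
    @{ Setting = "RemovableMedia"; Value = "Audit" },
    @{ Setting = "NetworkShare";   Value = "Audit" },
    @{ Setting = "Print";          Value = "Audit" },
    @{ Setting = "CloudEgress";    Value = "Audit" },
    @{ Setting = "UnallowedApps";  Value = "Audit" }
)

New-DlpComplianceRule -Name "$policyName - rule" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation $piiTypes `
    -EndpointDlpRestrictions $auditOnly `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This item appears to contain U.S. PII. Handling is being monitored, not blocked." `
    -ReportSeverityLevel Low

# Check before testing on a device: Mode must still be TestWithNotifications and
# the rule must carry only Audit restrictions. A Block or Warn value here would
# mean the policy no longer matches the intent statement.
Get-DlpCompliancePolicy -Identity $policyName |
    Select-Object Name, Mode, EndpointDlpLocation
Get-DlpComplianceRule -Policy $policyName |
    Select-Object Name, EndpointDlpRestrictions
```

After the policy has been evaluated, switching to enforcement is a one-line change (Set-DlpCompliancePolicy -Identity $policyName -Mode Enable), which is why keeping the definition in a script makes the validate-then-enforce sequence repeatable.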
Now it’s time to test your policy:
On the Data Loss Prevention home page, open Activity explorer.
Try to share a test item from a device that's onboarded to Endpoint DLP and that contains content that matches the U.S. Personally Identifiable Information (PII) Data Enhanced condition, for example a sample U.S. Social Security Number in a text file. This should trigger the policy and show a policy tip without blocking the action.
Back in Activity explorer, check the list of activities for this event.