Create a DLP policy to protect documents with FCI or other properties

In Office 365, you can use a data loss prevention (DLP) policy to identify, monitor, and protect sensitive information. Many organizations already have a process to identify and classify sensitive information by using the classification properties in Windows Server File Classification Infrastructure (FCI), the document properties in SharePoint, or the document properties applied by a third-party system. If this describes your organization, you can create a DLP policy in Office 365 that recognizes the properties that have been applied to documents by Windows Server FCI or another system, so that the DLP policy can be enforced on Office documents with specific FCI or other property values.

Diagram showing Office 365 and external classification system

For example, your organization might use Windows Server FCI to identify documents with personally identifiable information (PII) such as social security numbers, and then classify the document by setting the Personally Identifiable Information property to High, Moderate, Low, Public, or Not PII based on the type and number of occurrences of PII found in the document. In Office 365, you can create a DLP policy that identifies documents that have that property set to specific values, such as High and Medium, and then takes an action such as blocking access to those files. The same policy can have another rule that takes a different action if the property is set to Low, such as sending an email notification. In this way, DLP in Office 365 integrates with Windows Server FCI and can help protect Office documents uploaded or shared to Office 365 from Windows Server–based file servers.

A DLP policy simply looks for a specific property name/value pair. Any document property can be used, as long as the property has a corresponding managed property for SharePoint search. For example, a SharePoint site collection might use a content type named Trip Report with a required field named Customer. Whenever a person creates a trip report, they must enter the customer name. This property name/value pair can also be used in a DLP policy — for example, if you want a rule that blocks access to the document for external users when the Customer field contains Contoso.

List of conditions with Document properties contain any of these values highlighted

Before you create the DLP policy

Before you can use a Windows Server FCI property or other property in a DLP policy, you need to create a managed property in the SharePoint admin center. Here’s why.

In SharePoint Online and OneDrive for Business, the search index is built up by crawling the content on your sites. The crawler picks up content and metadata from the documents in the form of crawled properties. The search schema helps the crawler decide what content and metadata to pick up. Examples of metadata are the author and the title of a document. However, to get the content and metadata from the documents into the search index, the crawled properties must be mapped to managed properties. Only managed properties are kept in the index. For example, a crawled property related to author is mapped to a managed property related to author.

This is important because DLP in Office 365 uses the search crawler to identify and classify sensitive information on your sites, and then store that sensitive information in a secure portion of the search index. When you upload a document to Office 365, SharePoint automatically creates crawled properties based on the document properties. But to use an FCI or other property in a DLP policy, that crawled property needs to be mapped to a managed property so that content with that property is kept in the index.

For more information on search and managed properties, see Manage the search schema in SharePoint Online.

Step 1: Upload a document with the needed property to Office 365

You first need to upload a document with the property that you want to reference in your DLP policy. Office 365 will detect the property and automatically create a crawled property from it. In the next step, you’ll create a managed property, and then map the managed property to this crawled property.

Step 2: Create a managed property

  1. Sign in to the Office 365 admin center.

  2. In the left navigation, choose Admin centers > SharePoint. You're now in the SharePoint admin center.

  3. In the left navigation, choose search > on the search administration page > Manage Search Schema.

    search administration page in SharePoint admin center

  4. On the Managed Properties page > New Managed Property.

    Managed Properties page with New Managed Property button highlighted

  5. Enter a name and description for the property. This name is what will appear in your DLP policies.

  6. For Type, choose Text.

  7. Under Main characteristics, select Queryable and Retrievable.

  8. Under Mappings to crawled properties > Add a mapping.

  9. In the crawled property selection dialog box > find and select the crawled property that corresponds to the Windows Server FCI property or other property that you will use in your DLP policy > OK.

    crawled property selection dialog box

  10. At the bottom of the page > OK.

Create a DLP policy that uses an FCI property or other property

In this example, an organization is using FCI on its Windows Server–based file servers; specifically, they’re using the FCI classification property named Personally Identifiable Information with possible values of High, Moderate, Low, Public, and Not PII. Now they want to leverage their existing FCI classification in their DLP policies in Office 365, so in the Office 365 Security & Compliance Center, they’ll start with a policy template and then customize it to use the FCI classification.

First, they follow the steps above to create a managed property in SharePoint Online, which maps to the crawled property created automatically from the FCI property.

Next, they create a DLP policy by starting from the policy template U.S. Personally Identifiable Information (PII) Data, which already identifies and classifies certain types of sensitive information. Then they add two rules that both use the condition Document properties contain any of these values:

  • The first rule blocks access to the document if the FCI classification property Personally Identifiable Information equals High or Moderate and the document is shared with people outside the organization.

  • The second rule sends a notification to the document owner if the FCI classification property Personally Identifiable Information equals Low and the document is also shared with people outside the organization.

Create the DLP policy

  1. Sign in to the Office 365 admin center.

  2. Navigate to Admin centers > Security & Compliance. You're now in the Security & Compliance Center.

  3. In the Security & Compliance Center, navigate to Security policies > Data loss prevention and click New (+).

  4. In the list of DLP policy templates, select the template that protects the types of sensitive information that you need and click Next.

    In this example, you’ll select U.S. Personally Identifiable Information ‎(PII)‎ Data because you want this DLP policy to integrate with the FCI classification property named Personally Identifiable Information.

    New DLP policy dialog with U.S. PII Data policy template highlighted

  5. Under Which services do you want to protect, choose the services that you want the DLP policy to protect.

    To protect just specific sites, choose Select specific sites > Add (+) > enter the URL of the site > add > OK. When you’re done adding sites, click Next.

    When you apply a policy to a site, the rules configured in that policy are automatically applied to all subsites of that site.

  6. Under Customize rules (optional) choose New DLP Rule (+).

    New rule button highlighted

  7. Choose Add condition, click the down arrow and select Document properties contain any of these values.

    List of conditions with Document properties contain any of these values highlighted

  8. Under Document properties, click Add (+).

    Condition for Document properties contain any of these values

  9. Select Choose from a built-in property > Personally Identifiable Information. In the Value box, enter High,Moderate and click OK.

    Windows Server FCI includes many built-in properties, including Personally Identifiable Information used in this example, which you can select here. The possible values for each property can be different for every organization. The High, Moderate, and Low values used here are only an example. For your organization, you can view the Windows Server FCI classification properties with their possible values in File Server Resource Manager on the Windows Server–based file server. For more information, see Create a classification property.

    In addition, you can select Choose a custom property. This can be any managed property available in SharePoint Online (see the previous section).

    Note: For Value, you can enter multiple values separated by commas (no spaces). The property name and value are not case sensitive.

    Choosing built-in FCI property and entering property values in dialog

  10. In the New DLP Rule window, choose Actions > select an action, select Block access to content and click Add actions.

  11. In the New DLP Rule dialog box, choose General, enter a name and description, and click OK.

  12. Repeat steps 6-10 to create another rule, but enter Low as the property value, and choose Send a notification for the action.

When you finish, your policy should have two new rules that both use the Document properties contain any of these values condition. One rule blocks access to content where the Personally Identifiable Information property equals High or Moderate. A second rule sends a notification about content where the Personally Identifiable Information property equals Low.

New DLP policy dialog showing two rules just created
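The same policy and its two rules can also be created from Security & Compliance Center PowerShell. This is an added example, not part of the original article: it assumes the ExchangeOnlineManagement module is installed, that the managed property created in Step 2 is named Personally Identifiable Information, and that the admin sign-in name shown is a placeholder.

```powershell
# Added example (not from the article): build the FCI-based DLP policy with PowerShell.
# Assumptions: ExchangeOnlineManagement module installed; the managed property from Step 2
# is named "Personally Identifiable Information"; High/Moderate/Low are this org's FCI values.

Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com   # placeholder admin UPN

$policyName = "FCI PII classification"

# Policy scope: all SharePoint Online and OneDrive for Business locations.
# Start in test mode so rule matches can be reviewed before access is actually blocked.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Enforces the Windows Server FCI 'Personally Identifiable Information' classification" `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# Rule 1: block access when the FCI property is High or Moderate AND the item is shared
# outside the organization. ContentPropertyContainsWords takes "PropertyName:Value1,Value2"
# (values comma-separated with no spaces, matching the Value box in step 9; not case sensitive).
New-DlpComplianceRule -Name "PII High or Moderate - block external access" `
    -Policy $policyName `
    -ContentPropertyContainsWords "Personally Identifiable Information:High,Moderate" `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -ReportSeverityLevel High

# Rule 2: only notify the document owner when the FCI property is Low and the item is
# shared outside the organization (the "Send a notification" action from step 12).
New-DlpComplianceRule -Name "PII Low - notify owner" `
    -Policy $policyName `
    -ContentPropertyContainsWords "Personally Identifiable Information:Low" `
    -AccessScope NotInOrganization `
    -NotifyUser Owner `
    -ReportSeverityLevel Low

# Review the rules that were attached to the policy before enforcing it.
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, ContentPropertyContainsWords, AccessScope, BlockAccess, NotifyUser

# Once the test-mode reports look right, switch the policy to enforcement:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Leaving the policy in TestWithNotifications first lets you confirm that the crawled FCI property was mapped to the managed property correctly (rules match only content the index already holds) before any user is blocked.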

After you create the DLP policy

Doing the steps in the previous sections will create a DLP policy that will quickly detect content with that property, but only if that content is newly uploaded (so that the content is indexed), or if that content is old but was just edited (so that the content is re-indexed).

To detect content with that property everywhere, you may want to manually request that your library, site, or site collection be re-indexed, so that the DLP policy is aware of all the content with that property. In SharePoint Online, content is automatically crawled based on a defined crawl schedule. The crawler picks up content that has changed since the last crawl and updates the index. If you need your DLP policy to protect content before the next scheduled crawl, you can take these steps.

Warning: Re-indexing a site can cause a massive load on the search system. Don’t re-index your site unless your scenario absolutely requires it.

For more information, see Manually request crawling and re-indexing of a site, a library or a list.

Re-index a site (optional)

  1. On the site, choose Settings (gear icon in upper right) > Site Settings.

  2. Under Search, choose Search and offline availability > Reindex site.
