microsoft / Microsoft365DSC

Manages, configures, extracts and monitors Microsoft 365 tenant configurations
https://aka.ms/M365DSC
MIT License

Export DLP rules from Security and Compliance Center #1767

Open ACK00 opened 2 years ago

ACK00 commented 2 years ago

Need a solution for exporting and importing Security and Compliance Center DLP policies. The provided cmdlets from this document: https://docs.microsoft.com/en-us/powershell/module/exchange/export-dlppolicycollection?view=exchange-ps only partially work. The Export DlpCollection did not work.

Any ideas? Have run into this issue several times.

NikCharlebois commented 2 years ago

Have you tried exporting the DLP Policies from Microsoft365DSC? Are you running into any issues?

Export-M365DSCConfiguration -Components SCDLPCOmpliancePolicy

ACK00 commented 2 years ago

Have you tried exporting the DLP Policies from Microsoft365DSC? Are you running into any issues?

Export-M365DSCConfiguration -Components SCDLPCOmpliancePolicy

@NikCharlebois Am I running this from my admin PowerShell or do I need to be in the ExchangeOnline PowerShell? And I did just try to run this and no luck.

ACK00 commented 2 years ago

@NikCharlebois I can access the compliance center via Connect-IPPSSession and Get-DlpCompliancePolicy works, and Import-Module and updated some permissions in Azure... but then when I run Export-DlpPolicyCollection I get an error. Every time.

Not recognized as a cmdlet. I have updated my Azure cmdlet database, I have updated permissions, etc. I think the cmdlet is deprecated....

andikrueger commented 2 years ago

You need to run the command Export-M365DSCConfiguration -Components SCDLPCOmpliancePolicy in a standard PowerShell 5 session. This would be the complete script to export the policies:

# Generated by Microsoft365DSC from https://export.microsoft365dsc.com on 2/21/2022, 1:32:22 PM
# Visit https://microsoft365dsc.com for more information

# Getting client credential
$Credential = Get-Credential

# Exporting resources using credentials
Export-M365DSCConfiguration -Components @("SCDLPCompliancePolicy") -Credential $Credential

Additionally, please make sure to follow this guide: https://microsoft365dsc.com/user-guide/get-started/complete-story/

ACK00 commented 2 years ago

@andikrueger thank you for the reply. Do I run this command in place of the Export-DlpPolicyCollection command? I am sorry but I have never used this resource before. Like I mentioned above, I connect via IPPSSession to the Security and Compliance Center with credentials and run the commands. In your instructions you have credential commands as well, and then the link to getting started with 365dsc. So it looks like I have to install the DSC module to then follow the commands? Thank you for your assistance.

andikrueger commented 2 years ago

Did you have a chance to look at the getting started guide for Microsoft 365 DSC? Microsoft365DSC handles the connection for you and there is no need to run the commands manually.

ACK00 commented 2 years ago

@andikrueger I was able to export rules.... this is the Contoso demo site I am using.... now stuck on Destination path to see the configs... or trying to find where the exports went... the Destination path came up and I added the Set-Content but now stuck on where the export is living. Thanks.

image

andikrueger commented 2 years ago

No need to add Set-Content. Only the target path of the export is needed. Export-M365DSCConfiguration will handle the creation of the target folder and files.

ACK00 commented 2 years ago

@andikrueger Success! I have now gotten the policy configs in a file. Making progress, now my question is when I get to this command, how do I define what tenant I want the DLP policy configs to import to?

Start-DSCConfiguration .\M365TenantConfig -Wait -Verbose -Force

andikrueger commented 2 years ago

You need to define some credentials to compile the configuration. These should be of the target tenant.

ACK00 commented 2 years ago

@andikrueger define credentials in the .mof file that is created or as signing into the PowerShell in the desired target tenant?

andikrueger commented 2 years ago

No. They are used within the ps1 file and then compiled and therefore available within the mof file. If you need to secure the credentials in the mof file, there is a good docs article available: https://docs.microsoft.com/en-us/powershell/dsc/pull-server/securemof
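
Added example (not from the thread or from the Microsoft365DSC project): because the target tenant's credential is compiled into the MOF, this check reports whether each credential in a MOF is stored as an encrypted CMS block or in clear text. The function name `Test-MofCredentialProtection` is hypothetical and both MOF fragments, including the account name and password, are constructed samples.

```powershell
# Added example, not Microsoft365DSC code. The MOF fragments are constructed samples.
function Test-MofCredentialProtection {
    param([Parameter(Mandatory)][string]$MofText)
    # DSC tags a document compiled with an encryption certificate this way.
    $documentEncrypted = $MofText -match 'ContentType\s*=\s*"PasswordEncrypted"'
    # Each PSCredential in the configuration compiles to an MSFT_Credential instance.
    $pattern = '(?s)instance of MSFT_Credential.*?\{(?<body>.*?)\};'
    foreach ($m in [regex]::Matches($MofText, $pattern)) {
        $body = $m.Groups['body'].Value
        $user = if ($body -match 'UserName\s*=\s*"(?<u>[^"]*)"') { $Matches['u'] }
        $pass = if ($body -match 'Password\s*=\s*"(?<p>[^"]*)"') { $Matches['p'] }
        [pscustomobject]@{
            UserName          = $user
            # An encrypted password is a CMS envelope, not the secret itself.
            Encrypted         = $pass -like '-----BEGIN CMS-----*'
            DocumentEncrypted = $documentEncrypted
        }
    }
}

$plainMof = @'
instance of MSFT_Credential as $MSFT_Credential1ref
{
 Password = "Constructed-Passw0rd!";
 UserName = "admin@tenant2.example";
};
'@

$encryptedMof = @'
instance of MSFT_Credential as $MSFT_Credential1ref
{
 Password = "-----BEGIN CMS-----\nCONSTRUCTEDPLACEHOLDER\n-----END CMS-----";
 UserName = "admin@tenant2.example";
};
instance of OMI_ConfigurationDocument
{
 Name = "M365TenantConfig";
 ContentType = "PasswordEncrypted";
};
'@

foreach ($mof in $plainMof, $encryptedMof) {
    Test-MofCredentialProtection -MofText $mof |
        Where-Object { -not $_.Encrypted } |
        ForEach-Object { Write-Warning "Clear-text password for $($_.UserName) in MOF" }
}
```

Against a real compile, pass the output of `Get-Content -Raw` on the MOF in the `M365TenantConfig` folder; a MOF that triggers the warning holds the tenant password in readable form and should be handled as a secret.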

ACK00 commented 2 years ago

@andikrueger So do I literally change the credentials in the .ps1 file to the target tenant? For example, I export the policies into a mof file from tenant 1, I want to import them into tenant 2. So do I need to change the credentials in the mof file to tenant 2 and then run the Start-DSCConfiguration .\M365TenantConfig -Wait -Verbose -Force command?

ACK00 commented 2 years ago

@andikrueger WE DID IT! Thank you so much for your help.

ACK00 commented 2 years ago

@andikrueger Got excited too soon, any custom DLP with custom sensitive info types we get errors, any ideas?

image

image

desmay commented 2 years ago

@ACK00 Any chance you can provide some screenshots of your DLP rules so we can try to repro?

ACK00 commented 2 years ago

@desmay

This is a rough template of replicated policies that I am tasked with importing. This one caused the error above. I understand this is not the ideal scenario for a DLP structure. The last screenshot is the overall config and I know the file extensions are funky but that is what I was given to work with. Do custom DLP policies have problems importing typically?

image image image image image

desmay commented 2 years ago

@ACK00 Thx let me see if I repro

desmay commented 2 years ago

@ACK00 After reviewing your screenshots we don't have support for custom SITs only the OOB SITs. We can look to add this to the backlog as an enhancement to SCDLPCompliancePolicy resource.

ACK00 commented 2 years ago

@desmay Thank you. We have had multiple clients ask for a feature that shows the configurations of their DLP policies, most are customized. A solution for this is needed frequently. Or perhaps a better GUI export or print out from the console would be even better for customer experience. Thanks again.

NikCharlebois commented 1 year ago

Started some investigation on this. The Get-DLPSensitiveInformationType cmdlet doesn't return much other than name and description. We are required to look at the DLPSensitiveInformationTypeRuleCollection property which is obtained by the Get-DLPSensitiveInformationRulePack cmdlet and properties are all handled by an XML blob which will add complexity. If we are to implement this as a resource (SCDLPSensitiveInformationType) we can implement the rules as XML for the Test-TargetResource function's sake and we would need to break them down into properties.

gabriel-rech commented 9 months ago

you need to run the command Export-M365DSCConfiguration -Components SCDLPCOmpliancePolicy in a standard PowerShell 5 session. This would be the complete script to export the policies:

# Generated by Microsoft365DSC from https://export.microsoft365dsc.com on 2/21/2022, 1:32:22 PM
# Visit https://microsoft365dsc.com for more information

# Getting client credential
$Credential = Get-Credential

# Exporting resources using credentials
Export-M365DSCConfiguration -Components @("SCDLPCompliancePolicy") -Credential $Credential

Additionally, please make sure to follow this guide: https://microsoft365dsc.com/user-guide/get-started/complete-story/

I just wanna say: if it works, I love you