Microsoft 365: Microsoft Purview – how to create a Document Fingerprint and use it in a DLP policy to block emails sent by users – Data Governance 

Learn as if you will live forever, live like you will die tomorrow.

Hello Everyone,  

Hope you all are doing well.  

Today I am going to discuss Document Fingerprinting: how to create a Document Fingerprint and use it in a DLP policy to block emails sent by users.  

If you want to know more about Microsoft Purview, you can read the previous article; the link is given below – https://knowledge-junction.in/2023/05/11/microsoft-365-exploring-microsoft-purview-introduction-simplifying-concepts-study-material-for-exam-sc-900-microsoft-security-compliance-and-identity-fundamentals

Key takeaways from this article 

By the end of this article, we will understand: 

  • Document Fingerprinting in Microsoft Purview 
  • Data Loss Prevention (DLP) in Microsoft Purview 
  • The licensing requirements for DLP policies in Microsoft Purview 
  • How to create a document fingerprint and use it in a DLP policy to block emails sent by users 

What is Document Fingerprinting?  

fig. Viewing the Document fingerprint in Microsoft Purview
  • Document Fingerprinting is a Data Loss Prevention (DLP) feature that converts a standard text form into a sensitive information type, which you can use in the rules of your DLP policies.  
  • For example, you can create a document fingerprint based on a blank template and then create a DLP policy that detects and blocks all outgoing documents that use that template with sensitive content filled in.  
  • Document fingerprinting within the Microsoft 365 ecosystem makes it simpler for you, as the admin, to protect that information by identifying standard forms that are used by all users within the business.  

Benefits of using Document Fingerprinting  

  • Employees in an organization responsible for dealing with information manage many kinds of sensitive information when completing their regular daily tasks.  
  • To prevent unintentionally sharing information that has been created from official company templates, you can configure and implement document fingerprinting as a custom sensitive information type.  
  • A good example of this is documents managed by HR workers that can potentially contain personal information, which can be identified by document fingerprinting.  

Licensing Requirements  

  • Microsoft 365 E5/A5/G5/E3/A3/G3  
  • Office 365 E5/A5/G5/E3/A3/G3   
  • Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance   
  • Microsoft 365 E5/A5/F5/G5 Information Protection and Governance  

How does it work?  

In the same way that a person’s fingerprints have unique patterns, documents have unique word patterns.  

  • When we upload a file, DLP identifies the unique word pattern in the document   
  • DLP creates a document fingerprint based on that pattern   
  • DLP uses that document fingerprint to detect outbound documents containing the same pattern  

Example of a patient document matching a document fingerprint of a patient template  

fig. Hospital Patient Details template
  • The patient template contains the blank fields “Patient Details” and “Description” and a description for each field; together these form the word pattern.  
  • When we upload the original patient template, it is in one of the supported file types and in plain text.  
  • DLP converts this word pattern into a document fingerprint, which is a small Unicode XML file containing a unique hash value representing the original text. The fingerprint is saved as a data classification in Microsoft 365.  
  • The document fingerprint then becomes a sensitive information type (SIT) that we can associate with a DLP policy.  
  • After we associate the fingerprint with a DLP policy, DLP detects any outbound emails containing documents that match the patient document fingerprint and deals with them according to your organization’s policy.  

Let's get started   

Step 1 – Create a fingerprint-based Sensitive Information Type  

We have a detailed article on navigating to the Microsoft Purview compliance portal – Microsoft 365 – Navigate to Microsoft Purview compliance portal – https://knowledge-junction.in/2023/05/04/small-tricks-and-tips-microsoft-365-administration-microsoft-purview-portal-how-to-navigate/

fig. Microsoft 365 – Microsoft Purview compliance portal – Data classification – Classifiers – Sensitive info types. 
  • Open the Microsoft Purview compliance portal and go to Data classification > Classifiers.  
  • On the Classifiers page, choose Sensitive info types > Create Fingerprint based SIT.  
fig. Enter the name and description for the Sensitive info type
  • After clicking Create Fingerprint based SIT, enter a name and description for our new sensitive info type.  
fig. Upload the document template to use as the fingerprint template
  • Click Upload file and select the file that we wish to use as the fingerprint template.  
fig. Selecting the confidence level for the document fingerprint
  • Select the confidence level required for each level, i.e. low, medium and high, then choose Next.  
fig. Click Create to create the fingerprint-based Sensitive info type
  • Review your settings > Create.  
  • When the confirmation page displays, choose Done.  
fig. View the newly created SIT with type identified as Fingerprint
  • After creating the fingerprint-based SIT, we can verify the result in the Microsoft Purview compliance portal. There we will see our new SIT with the type identified as Fingerprint.  
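The same fingerprint-based SIT can be created from Security & Compliance PowerShell instead of the portal. This is an added example, not code from the original article; it assumes the ExchangeOnlineManagement module is installed, the signed-in account holds a compliance admin role, and the template path, admin UPN and SIT name are placeholders you replace with your own.

```powershell
# Added example (not from the original article): create the fingerprint-based SIT
# from Security & Compliance PowerShell. Path, UPN and SIT name are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName "admin@contoso.onmicrosoft.com"

# Read the BLANK template as bytes. The fingerprint is computed from the template's
# word pattern, so upload the empty form, never a filled-in copy.
$templatePath  = "C:\Templates\Hospital-Patient-Details.docx"
$templateBytes = [System.IO.File]::ReadAllBytes($templatePath)

# Build the fingerprint object from the template's text pattern.
$fingerprint = New-DlpFingerprint -FileData $templateBytes `
    -Description "Hospital Patient Details template"

# Wrap the fingerprint in a custom sensitive information type that DLP rules can reference.
$sitName = "Hospital Patient Detail"
New-DlpSensitiveInformationType -Name $sitName `
    -Description "Matches documents created from the Hospital Patient Details template" `
    -Fingerprints $fingerprint

# Verify: the new SIT should now be listed alongside the built-in types.
Get-DlpSensitiveInformationType -Identity $sitName | Format-List Name, Description
```

If the SIT later needs a different template, recreate the fingerprint from the new blank form and update the SIT rather than fingerprinting a document that already contains patient data.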

Before we start with Step 2, let's get to know Data Loss Prevention.  

What is Data Loss Prevention (DLP)?  

  • Microsoft Purview Data Loss Prevention is a solution that helps to prevent the unsafe or unauthorized sharing, transfer, or use of sensitive data in your organization.  
  • Using it, you can identify and monitor sensitive data, which allows your organization to enforce its data protection policies and keep its information safe.  
  • Microsoft offers various pre-defined DLP templates that are tailored to specific countries and regions, such as the US Patriot Act, UK Data Protection Act, or GDPR. These templates come with pre-configured sensitive information types and rules consisting of conditions and actions. We only have to assign the template to one or more Microsoft 365 locations.  

Step 2 – Let us put our SIT to work by using it in a Data Loss Prevention policy  

  • In the Microsoft Purview compliance portal, select Data loss prevention > Policies > + Create policy to create a new policy.  
fig. Microsoft 365 – Microsoft Purview – Data loss prevention – Policies – click Create policy to create a new policy
  • Select the Custom template from the Categories section.  
fig. Select the Custom template from the Categories section
  • Select your region or country > Next.  
fig. Enter the name and description for the DLP policy
  • Name your policy and provide a description > Next.  
fig. Click to add or remove an Admin Unit
  • Next is to assign Admin Units: if the organization uses administrative units in Azure Active Directory, a policy that does not include SharePoint sites can be restricted to specific users by selecting administrative units.  
  • If we do not want to restrict the policy by using administrative units, or the organization has not configured administrative units, keep the default of Full directory.  
fig. Select the locations to apply the policy to
  • On the Choose locations page, we can toggle any of the locations on or off. For each location, we can leave the default to apply the policy to the entire location, or specify includes and excludes.  
fig. Select Create customize advanced DLP rules
  • On the Define policy settings page, choose Create customize advanced DLP rules to customize and provide additional rules for the DLP policy, then click Next.  
fig. Click Create rule to create the customized advanced DLP rules
  • On the Customize advanced DLP rules page, choose Create rule.  
fig. Enter the name and description for the rule
  • Provide a name and description for our rule.  
fig. Under Conditions, click Add condition and choose the Content contains option
  • Under Conditions choose Add condition > Content contains.  
  • Give the new set of DLP rules a Group name > Add > Sensitive info types.  
fig. Select our fingerprint SIT from the list
  • Search for and select the name of our fingerprint SIT and click Add.  
  • The rule will now check whether the content contains the fingerprint SIT.  
fig. Click Add condition, select Content is shared from Microsoft 365 and choose with people outside the organization
  • Add another condition: Content is shared from Microsoft 365 with people outside the organization.  
  • With this condition, content that contains the fingerprint SIT can’t be shared with people outside the organization.  
fig. Select Action and choose Restrict access or encrypt the content in Microsoft 365 locations
  • Select your confidence level > Add an action.  
  • For the action, let us make the DLP rule restrict external recipients from receiving emails containing any document matching the fingerprint. This still lets internal sharing take place, to avoid disrupting business processes.  
fig. Turn on user notifications to tell the user why the restriction is being applied
  • For user notifications, we will compose a customized notification email and policy tip text to make sure affected end users understand why the restriction is being applied.  
fig. Select the User overrides option to allow the restriction to be overridden
  • If we wanted to, we could also allow internal users to override the restriction by providing a justification.  
  • With that, we can save the DLP rule.   
fig. Review the customized DLP rules and click Next
  • Review the DLP rules; if changes are needed, just click the edit option.  
fig. Click Test it out first to test our policy
  • Choose between these two options:  
  • Test your policy > Next  
  • Turn on your policy right away > Next.  
fig. On the Finish page, select Edit in the appropriate section to make changes. When everything is correct, select Submit to publish the policy.
  • Review your settings > Submit > Done.  
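The policy and rule from Step 2 can also be built from Security & Compliance PowerShell, which makes the two conditions (fingerprint SIT present, recipient outside the organization), the block action, the user notification and the override explicit. This is an added example, not the article's own code; the policy and rule names, the custom texts and the admin UPN are assumptions, and the SIT name is the one created in Step 1.

```powershell
# Added example (not from the original article): Step 2 as a scripted DLP policy + rule.
# Policy/rule names, texts and UPN are placeholders; the SIT name comes from Step 1.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName "admin@contoso.onmicrosoft.com"

$policyName = "Block external sharing of patient forms"
$sitName    = "Hospital Patient Detail"   # fingerprint-based SIT created in Step 1

# Exchange-only policy. TestWithNotifications mirrors "Test it out first": policy tips
# and notifications fire, but nothing is blocked until Mode is switched to Enable.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All `
    -Comment "Detects documents matching the Hospital Patient Details fingerprint" `
    -Mode TestWithNotifications

# Rule: content contains the fingerprint SIT AND is shared with people outside the org.
# BlockAccess stops the external send; NotifyUser plus the custom texts give the sender
# the policy tip; NotifyAllowOverride lets an internal user proceed with a justification.
New-DlpComplianceRule -Name "Patient form sent externally" -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = $sitName; minCount = "1" } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser LastModifier `
    -NotifyPolicyTipCustomText "This attachment matches the Hospital Patient Details template and cannot be sent outside the organization." `
    -NotifyEmailCustomText "Message contains the following sensitive information: Hospital Patient Detail." `
    -NotifyAllowOverride WithJustification

# Verify the policy is in test mode; once the test results look right, enforce it.
Get-DlpCompliancePolicy -Identity $policyName | Format-List Name, Mode, ExchangeLocation
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Keeping the policy in test mode first lets you check for false positives on internal mail flow before the block takes effect.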

Step 3 – Let's check the outcome  

  • Let's verify how our policy works by creating a filled-in version of our fingerprinted document and then attempting to send it to an external recipient.  
fig. Fingerprint SIT is detected and the DLP policy activates
  • Open Outlook on the Web and create a new email addressed to an external recipient.  
  • Then attach the filled-in form to the mail.   
  • Within a few seconds, the custom policy tip is triggered, informing us that the policy is violated and the mail cannot be sent to that recipient.  
fig. Click Learn more to get details about the policy violation
  • Click Learn more to get more information about the policy violation.   
fig. Mail is blocked from being sent to the recipient
  • If we ignore the policy tip and send the email anyway, the DLP restrictions take over.  
  • The email is blocked from being sent to the external recipient.  
fig. Receive the mail saying the message was blocked, with details
  • In a few moments, we receive a custom email notification – “Message contains the following sensitive information: Hospital Patient Detail.”  

I hope this article helps you understand document fingerprinting, Data Loss Prevention, and how to create a document fingerprint and use it in a DLP policy to block emails sent by users. 

Also get my article updates on my social media handles. 

LinkedIn – https://www.linkedin.com/in/prajyot-yawalkar-093716224/ 

Twitter – https://twitter.com/PrajyotYawalkar?t=oovP0r9FnDtz5nNSJGKO0Q&s=09 

Have a wonderful day.  

Thanks for reading. 
