I was messing around a little with Office 365 Compliance settings using Powershell, as I’d like to configure a large number of tenants with certain Data Loss Prevention (DLP) rules based on sensitive data in Sharepoint Online, Onedrive for Business and Exchange Online.
I then noticed that it wasn't possible to use New-DlpComplianceRule in conjunction with predefined or custom sensitive information types referenced by name. My command and the error it produced:

New-DlpComplianceRule -Name "SocialSecurityRule" -Policy "JosLTest" -ContentContainsSensitiveInformation @{Name="Credit Card Number"; minCount="2"} -BlockAccess $True

The value specified in sensitive information is invalid.
    + CategoryInfo          : NotSpecified: (:) [New-DlpComplianceRule], InvalidContentC...mationException
    + FullyQualifiedErrorId : [Server=DB5EUR01WS007,RequestId=4a19a0bd-abea-4e06-9dc1-47fc35be9d63,TimeStamp=16-11-2016 12:02:24] [FailureCategory=Cmdlet-InvalidContentContainsSensitiveInformationException] D7D004DA,Microsoft.Office.CompliancePolicy.Tasks.NewDlpComplianceRule
    + PSComputerName        : eur01b.ps.compliance.protection.outlook.com
Fun thing is, this is exactly how Technet shows it should be done.
So I called support, and apparently this is a bug. For now, if you want to create a DLP compliance policy and rule, follow this example:
Create the policy:
New-DlpCompliancePolicy -Name "Test Policy by Jos" -Comment "TestPolicy" -SharePointLocation All -OneDriveLocation All -ExchangeLocation All -Mode Enable
Get all DLP rule sensitive data types:
Get-DlpSensitiveInformationType
Use the GUID of the information type (instead of its display name) when you create your rule:
New-DlpComplianceRule -Name "Test Rule by Jos" -Policy "Test Policy by Jos" -ContentContainsSensitiveInformation @{Name="50842eb7-edc8-4019-85dd-5a5c1f2bb085"; minCount="2"} -BlockAccess $True
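The three steps above, put together as a single re-runnable script. This is an added example, not the post's own code: it looks the GUID up by display name at run time instead of hard-coding it, so the same script works across the many tenants mentioned at the start. It assumes the ExchangeOnlineManagement module (Connect-IPPSSession) is available, that the GUID is exposed on the Id property of the objects Get-DlpSensitiveInformationType returns, and the policy name, rule name and minCount value are placeholders.

```powershell
# Added example (not the post author's script): create a DLP policy and a rule
# that references a built-in sensitive information type by GUID, working around
# the name-lookup bug described in the post.
# Assumptions: ExchangeOnlineManagement module installed; signed-in account has
# compliance admin rights; the GUID lives on the Id property (verify with
# Get-DlpSensitiveInformationType | Get-Member if your tenant differs).

Connect-IPPSSession   # interactive sign-in to Security & Compliance PowerShell

$policyName = "Test Policy by Jos"     # placeholder
$ruleName   = "Test Rule by Jos"       # placeholder
$typeName   = "Credit Card Number"     # built-in type, resolved to a GUID below
$minCount   = "2"                      # placeholder threshold

# Resolve the sensitive information type's GUID from its display name.
$sit = Get-DlpSensitiveInformationType |
    Where-Object { $_.Name -eq $typeName } |
    Select-Object -First 1
if (-not $sit) {
    throw "Sensitive information type '$typeName' not found in this tenant."
}
$typeId = $sit.Id

# Create the policy only if it does not already exist, so the script is safe to re-run.
if (-not (Get-DlpCompliancePolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-DlpCompliancePolicy -Name $policyName -Comment "TestPolicy" `
        -SharePointLocation All -OneDriveLocation All -ExchangeLocation All -Mode Enable
}

# Create the rule, passing the GUID rather than the display name.
if (-not (Get-DlpComplianceRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-DlpComplianceRule -Name $ruleName -Policy $policyName `
        -ContentContainsSensitiveInformation @{ Name = $typeId; minCount = $minCount } `
        -BlockAccess $true
}

# Confirm what was created.
Get-DlpComplianceRule -Identity $ruleName |
    Format-List Name, Policy, ContentContainsSensitiveInformation, BlockAccess
```

Because the lookup is by name, the script does not depend on the GUID being identical in every tenant; wrapping the body in a loop over your tenant credentials (one Connect-IPPSSession per tenant) is enough to roll the same rule out everywhere, and the existence checks mean re-running it against a tenant that already has the policy is harmless.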