How to Use General Office 365 Data Loss Prevention Features
Published Date:
Description
This article describes the Office 365 data loss prevention (DLP) features applying to all users at UVU and common actions users may need to take with them. These features will automatically encrypt files that are found to contain restricted data such as social security or credit card numbers using a label so that only UVU Microsoft accounts can access their content. It will also allow users to manually apply the same protections to other files. They will also prevent the upload of files containing unlabeled restricted data to OneDrive and Sharepoint or the download of restricted data files by non-approved external users.
Solution
Pop-up Message Examples and How to Address Them
When restricted data is detected as described above, you will generally receive a pop-up message based on the detected content. Below you will find examples and descriptions of what they mean and what actions may be taken to resolve the issue. Please note the pop-ups may appear slightly different because of all the different platforms and applications where the notification may be received.
Here are some examples of common pop-ups/notifications from these features and what they mean.
Client side auto labeling
Your local Office 365 app such as Word or Excel has detected a social security number or credit card number in the file you currently have open and automatically applied the “Internal Restricted Data - SSN or CCN” label to it which encrypts the document so that it can only be accessed by UVU Microsoft accounts. The label is not fully applied until the document is saved.
Office application screen showing policy tips from client side labeling as well as an example of restricted data and an applied encryption label.
Upload to OneDrive or SharePoint blocked
The file being uploaded contains restricted data such as a credit card number or social security number and must be encrypted before upload. You can remove the restricted data and attempt the upload again or it can be encrypted by applying the “Internal Restricted Data - SSN or CCN” label to the document or if you believe the file is being mistakenly flagged, you can report it to the Service Desk.
Image of OneDrive web app blocked upload notification described previously.
Access to the file is temporarily denied
If an external guest attempts to access shared content in OneDrive or SharePoint before it can be scanned by DLP policies, they will receive the following message and will need to wait a few minutes for the DLP policies to finish scanning.
Image showing SharePoint web app notification described previously.
Restricted data icon
If a file in OneDrive or SharePoint is found to contain restricted data it may present an icon such as this indicating that restricted data such as a social security number or credit card number is present within the file and external sharing is disabled unless it was specifically enabled with the Security team for a business purpose.
Image of OneDrive web app showing restricted data icon next to file name as well as in the file hover expand menu.
Download blocked
An external Microsoft account attempting to access a shared file with restricted data such as a social security or credit card number will receive this message unless Security has flagged their account or domain for sharing of restricted data.
Image of Defender for Cloud Apps notification showing that the download of the file was blocked as described previously.
Manually Apply or Remove Protections to an Office Document
From the “Home” tab, expand the white and blue “Sensitivity” icon to view the list of available labels.
Select the “Internal Restricted Data - SSN or CCN” label to encrypt the document.
Image of local Word application showing the “Home” tab, “Sensitivity” button, and the “Internal Restricted Data - SSN or CCN” label unchecked.
If you encounter any issues, try ensuring you’re signed in to the office app with your UVU Microsoft account. You may also need to restart the office app or your computer. Occasionally re-installation of Office 365 is required. Please contact the Service Desk if you need assistance.
Image showing the sign-in/account profile button in the top right-hand corner of Office 365 apps and a user currently signed into their UVU Microsoft account.
The label will continue to be reapplied automatically as long as the file continues to contain restricted data such as a social security or credit card number. After removing the data, you can follow the same steps used to manually apply a label to toggle it off. If you are having trouble locating and removing the offending data or if you need to remove the label while keeping the data for some reason, please get in touch with the Service Desk.
From the “Home” tab, expand the white and blue “Sensitivity” icon to view the list of available labels.
Uncheck the “Internal Restricted Data - SSN or CCN” label to decrypt the document.
Image of Microsoft Word application showing the “Home” tab, “Sensitivity” button, and the “Internal Restricted Data - SSN or CCN” label checked.
If you encounter any issues, try ensuring you’re signed in to the office app with your UVU Microsoft account. You may also need to restart the office app or your computer. Occasionally re-installation of Office 365 is required. Please contact the Service Desk if you need assistance.
Related Articles
Contact Support
If you need to report that a file has been incorrectly flagged as containing a social security or credit card number or if you believe a file should be getting automatically protected but isn’t, please contact the Service Desk.