Professional Documents
Culture Documents
Powershell Quick Reference - Security and Compliance Center
Powershell Quick Reference - Security and Compliance Center
Documentation: https://docs.microsoft.com/en-us/powershell/exchange/office-365-scc/office-365-scc-powershell
Security and Compliance Center Admin Page – https://protection.office.com
Role Groups in the SCC DLP Sensitive Information Types
Role Group Cmdlets: Find existing Sensitive Information Types:
Get-RoleGroup – User ‘Get-RoleGroup | FL’ to get a detailed list of accounts in the SCC Get-DlpSensitiveInformationType
New-RoleGroup – Add a custom group, with specific roles in the SCC
Remove-RoleGroup – Remove only custom and not built-in Role Groups Create new Sensitive Information Type with Fingerprints:
Set-RoleGroup – Modify settings on existing Role Groups $Content01 = Get-Content "\\File01\HR\EmployeeInfo.docx" -Encoding byte
$FingerPrint01 = New-DlpFingerprint -FileData $Content01 -Description "Confidential
Cmdlet Usage: Employee Information"
Get-RoleGroup | Where {$_.Name -like ‘*admin*'} | Ft New-DlpSensitiveInformationType -Name "Confidential Employee Information" -Fingerprints
New-RoleGroup 'View-Only Auditor' -Roles 'View-Only Audit Logs' -Members George $FingerPrint01 -Description "Sensitive Employee Information - HR"
Remove-RoleGroup -Name 'View-Only Auditor'
Set-RoleGroup -Name 'View-Only Auditor' -Description “Users with View Only Auditing” Remove old unused Sensitive Information Types:
Remove-DlpSensitiveInformationType – Name "Confidential Employee Information"
$CSV = Import-CSV “CustomGroupDescriptions.csv”
Foreach ($Group in $CSV) {Set-RoleGroup -Name $Group.Name -Description Change an existing Sensitive Information Type:
$Group.Description Set-DlpSensitiveInformationType – Name "Confidential Employee Information"
}
2
Get-DlpCompliancePolicy
To use Device Management cmdlets – Enable MDM for tenant first: Damian Scoles
https://support.office.com/en-us/article/overview-of-mobile-device-
Get-DlpComplianceRule
management-mdm-for-office-365-faa7d8e5-645d-4d59-839c-c8d4c1869e4a
Microsoft MVP
Get-DlpComplianceRuleV2 Book Author
Get-DlpDetectionsReport
New Device Rule – Tenant Wide, Less Options www.practicalpowershell.com
Get-DlpKeywordDictionary
Get-DlpSensitiveInformationType
New-DeviceTenantRule Powershellgeek.com
Get-DlpSensitiveInformationTypeRulePackage @PPowerShell
New Device Rule – Very Specific Configuration, More Options
Get-DlpSiDetectionsReport
New-DeviceConfigurationRule
Migrate-DlpFingerprint Helpful Tips
New-DlpCompliancePolicy
** Note the two cmdlet above have Set, Get and Remove Verbs as well Tab through parameters to see all available
New-DlpComplianceRule
New-DlpComplianceRuleV2 Check for latest module version
Device Rules can be used in conjunction with Conditional Access Read the latest Microsoft Docs for SCC
New-DlpFingerprint
Get-DeviceConditionalAccessPolicy Read Teams MVP blogs for more tips
New-DlpKeywordDictionary
Get-DeviceConditionalAccessRule Use MFA for better security
New-DlpSensitiveInformationType
New-DeviceConditionalAccessPolicy Need Help – ‘Get-Help’
New-DlpSensitiveInformationTypeRulePackage
New-DeviceConditionalAccessRule Read cmdlet Synopsis for functionality
Remove-DlpCompliancePolicy
Remove-DeviceConditionalAccessPolicy
Remove-DlpComplianceRule
Remove-DeviceConditionalAccessRule Reporting Cmdlets
Remove-DlpComplianceRuleV2
Set-DeviceConditionalAccessPolicy
Remove-DlpKeywordDictionary Get-DataRetentionReport
Set-DeviceConditionalAccessRule
Remove-DlpSensitiveInformationType Get-DeviceComplianceDetailsReport
Remove-DlpSensitiveInformationTypeRulePackage REGEX Testing / Reference Get-DeviceComplianceDetailsReportFilter
Set-DlpCompliancePolicy Get-DeviceComplianceReportDate
Set-DlpComplianceRule RegEx Testing Microsoft RegEx Reference
Get-DeviceComplianceSummaryReport
Set-DlpComplianceRuleV2 Get-DeviceComplianceUserReport
Set-DlpKeywordDictionary https://regex101.com/ https://docs.microsoft.com/en-us/
https://regexr.com/ dotnet/standard/base-types/regular- Get-DlpDetectionsReport
Set-DlpSensitiveInformationType Get-DlpSiDetectionsReport
Set-DlpSensitiveInformationTypeRulePackage http://osherove.com/tools expression-language-quick-reference
Get-MailFilterListReport
Get-SupervisoryReviewPolicyReport
Cmdlet Highlight Future Cmdlets (Currently Not Working) Get-SupervisoryReviewReport
Get-LongTermAuditItems Get-InformationBarrierReportDetails
More On PowerShell
Get-SCInsights – provides user totals per workloads – Windows PowerShell Blog
Get-LongTermAuditStats Get-InformationBarrierReportSummary
ExO, Archive, SharePoint, OneDrive and more
blogs.msdn.com/b/powershell
Script Center
DLP Fingerprinting technet.microsoft.com/scriptcenter
PowerShell Tips of the Week
$RDDoc1 = Get-Content "z:\RD\ResearchDoc-Contoso.docx" -Encoding byte
www.practicalpowershell.com/blog
$RDDoc1FingerPrint = New-DlpFingerprint -FileData $RDDoc1 -Description "Research and Development Doc 1"
New-DlpSensitiveInformationType -Name "RD Document 1 Fingerprint" -Fingerprints $RDDoc1FingerPrint -Description "Research and PowerShell Team – GitHub
Development Doc 1 - CONFIDENTIAL." https://github.com/powershell
3
Modify an Existing Dictionary (removing keywords in this case) Modify existing rules/policies
$DLPKeywords = "Technical Specifications, Development Methodologies" Set-SupervisoryReviewPolicyV2 -Name "R&D" -Reviewers “greg@cooltoys.com”
$EncodedDLPKeywords = [system.Text.Encoding]::UTF8.GetBytes($DLPKeywords); Set-SupervisoryReviewRule -SamplingRate 25 -Policy "R&D"
Set-DlpKeywordDictionary -Name "Technical Docs" -FileData $EncodedDLPKeywords
PowerShell Quick Reference - Security and Compliance Center (v1.01)
5
Information Barriers
Information Barriers are a logical construct that prevents communication between groups of people. Any of the people that are blocked from communicating need to be synced to
Azure AD. The filters for users are based off of Azure AD users and the attributes that are allowed for filters.
Create a new Information Barrier Policy: Kick off process to segment accounts:
New-InformationBarrierPolicy -Name ‘HR-Research’ -AssignedSegment HR -SegmentsBlocked Research -State InActive Start-InformationBarrierPoliciesApplication
List all Information Barrier Policies: Stop the process of segmenting accounts
Get-InformationBarrierPolicy | Ft Stop-InformationBarrierPoliciesApplication
Remove an existing Information Barrier Policy: Check on the process of this application:
Remove-InformationBarrierPolicy Get-InformationBarrierPoliciesApplicationStatus
Change settings on existing Information Barrier Policy: Verify a policied is applies to a user:
Set-InformationBarrierPolicy Get-InformationBarrierRecipientStatus -Identity JohnSmith
Validate Information Barrier Policies:
Test-InformationBarrierPolicy
Unified Audit Log Retention: https://docs.microsoft.com/en-us/microsoft-365/compliance/audit-log-retention-policies
Unified Audit Log Retention Policies determine how to handle audit logs for a tenant: Remove and Existing Policy:
List the settings of a Policy: Remove-UnifiedAuditLogRetentionPolicy
Get-UnifiedAuditLogRetentionPolicy Change Settings on an existing Policy:
Create a new Policy: Set-UnifiedAuditLogRetentionPolicy "SharePoint Audit Policy" -Priority 100
New-UnifiedAuditLogRetentionPolicy -Name "SharePoint Audit Policy" -Description "Six Change record types for an existing Policy:
month retentionpolicy SharePoint log items" -RecordTypes SharePoint -RetentionDuration Set-UnifiedAuditLogRetentionPolicy "Office 365 Audit Policy" -RecordTypes SharePoint,
SixMonths -Priority 1 ExchangeAdmin, MicrosoftTeams, Yammer, Sway