Professional Documents
Culture Documents
Document Finger printing M 365 Compliance
Document Finger printing M 365 Compliance
In this article
Basic scenario for Document Fingerprinting
How Document Fingerprinting works
Use PowerShell to create a classification rule package based on document fingerprinting
Government forms
Health Insurance Portability and Accountability Act (HIPAA) compliance forms
Employee information forms for Human Resources departments
Custom forms created specifically for your organization
Ideally, your organization already has an established business practice of using certain
forms to transmit sensitive information. After you upload an empty form to be converted
to a document fingerprint and set up a corresponding policy, the DLP detects any
documents in outbound mail that match that fingerprint.
) Important
For now, DLP can use document fingerprinting as a detection method in Exchange
online only.
The following example shows what happens if you create a document fingerprint based on
a patent template, but you can use any form as a basis for creating a document fingerprint.
fingerprint with a DLP policy, DLP detects any outbound emails containing documents that
h h fi i dd l ih h di i i ' li
match the patent fingerprint and deals with them according to your organization's policy.
For example, you might want to set up a DLP policy that prevents regular employees from
sending outgoing messages containing patents. DLP will use the patent fingerprint to
detect patents and block those emails. Alternatively, you might want to let your legal
department to be able to send patents to other organizations because it has a business
need for doing so. You can allow specific departments to send sensitive information by
creating exceptions for those departments in your DLP policy, or you can allow them to
override a policy tip with a business justification.
DLP uses classification rule packages to detect sensitive content. To create a classification
l k b d d fi i h N Dl Fi i dN
rule package based on a document fingerprint, use the New-DlpFingerprint and New-
DlpSensitiveInformationType cmdlets. Because the results of New-DlpFingerprint aren't
stored outside the data classification rule, you always run New-DlpFingerprint and New-
DlpSensitiveInformationType or Set-DlpSensitiveInformationType in the same PowerShell
session. The following example creates a new document fingerprint based on the file C:\My
Documents\Contoso Employee Template.docx. You store the new fingerprint as a variable
so you can use it with the New-DlpSensitiveInformationType cmdlet in the same
PowerShell session.
PowerShell = Copy
Now, let's create a new data classification rule named "Contoso Employee Confidential"
that uses the document fingerprint of the file C:\My Documents\Contoso Customer
Information Form.docx.
PowerShell = Copy
You can now use the Get-DlpSensitiveInformationType cmdlet to find all DLP data
classification rule packages, and in this example, "Contoso Customer Confidential" is part of
the data classification rule packages list.
Finally, add the "Contoso Customer Confidential" data classification rule package to a DLP
policy in the Security & Compliance Center. This example adds a rule to an existing DLP
policy named "ConfidentialPolicy".
PowerShell = Copy
PowerShell = Copy
DLP now detects documents that match the Contoso Customer Form.docx document
fingerprint.
New-DlpFingerprint
New-DlpSensitiveInformationType
Remove-DlpSensitiveInformationType
Set-DlpSensitiveInformationType
Get-DlpSensitiveInformationType
Recommended content
Learn about the data loss prevention Alerts dashboard - Microsoft 365
Compliance
Learn about data loss prevention alerts and the alerts dashboard.
Get started with the data loss prevention alert dashboard - Microsoft 365
Compliance
Get started with defining and managing alerts for data loss prevention policies.
Data Loss Prevention policy tips reference - Microsoft 365 Compliance
Learn how to add a policy tip to a data loss prevention (DLP) policy notify a user that they are
working with content that conflicts with a DLP policy.