1. Introduction
Data Loss Prevention (DLP) Policies in SharePoint Online help prevent sensitive data from being shared or leaked. Using PnP PowerShell, organizations can:
- Create custom DLP policies
- Manage policy enforcement
- Audit DLP violations
- Automate policy updates
This guide covers the step-by-step management of DLP policies using PnP PowerShell.
2. Prerequisites
Before managing DLP policies, ensure:
- PnP PowerShell is installed
Install-Module -Name PnP.PowerShell -Scope CurrentUser -Force
- You have SharePoint Admin or Global Admin permissions
- You have Microsoft Compliance Center access
- You have the SharePoint Admin Center URL of your tenant
3. Connecting to SharePoint Online
Before configuring DLP policies, connect to SharePoint Online:
$AdminURL = "https://yourtenant-admin.sharepoint.com"
Connect-PnPOnline -Url $AdminURL -Interactive
- Replace "yourtenant" with your actual SharePoint tenant name.
- This prompts you to log in using Microsoft 365 credentials.
4. Understanding DLP Policies
DLP policies detect and prevent sharing of sensitive data such as:
- Credit card numbers
- Social Security numbers
- Financial statements
- Health records
Key Actions in DLP Policies:
✔ Notify users when they share sensitive data
✔ Block access to documents violating DLP rules
✔ Encrypt emails or documents containing confidential data
✔ Log policy violations for auditing
5. Creating DLP Policies Using PnP PowerShell
To create a new DLP policy, use the following PowerShell script:
# Define policy settings
$PolicyName = "Financial Data Protection"
$Description = "Prevents sharing of financial data outside the organization."
$RuleName = "Block Credit Card Sharing"
$Sites = @("https://yourtenant.sharepoint.com/sites/Finance")
# Create DLP policy
New-PnPDlpCompliancePolicy -Name $PolicyName -Description $Description -ExchangeLocation All -SharePointLocation $Sites -OneDriveLocation All -Mode Enable -Priority 1
Write-Host "DLP Policy '$PolicyName' created successfully."
This policy:
- Blocks credit card number sharing in SharePoint Online.
- Applies to OneDrive and Exchange as well.
- Enables the policy immediately.
6. Managing and Modifying DLP Policies
A. View Existing DLP Policies
To list all DLP policies in SharePoint Online:
Get-PnPDlpCompliancePolicy | Format-Table Name, Mode, Priority, CreatedBy -AutoSize
✔ This displays all active policies and their details.
B. Update an Existing DLP Policy
Modify an existing policy to restrict document sharing:
Set-PnPDlpCompliancePolicy -Identity "Financial Data Protection" -Mode Enable -Priority 2
Write-Host "DLP Policy 'Financial Data Protection' updated successfully."
✔ This updates the policy mode and priority.
C. Delete a DLP Policy
To remove a DLP policy:
Remove-PnPDlpCompliancePolicy -Identity "Financial Data Protection" -Force
Write-Host "DLP Policy 'Financial Data Protection' deleted successfully."
⚠ Warning: Deleting a policy removes its enforcement permanently.
7. Monitoring and Auditing DLP Policies
A. Check DLP Policy Violations
To view violations and generate an audit log:
$Violations = Get-PnPDlpCompliancePolicyViolation -PolicyName "Financial Data Protection"
$Violations | Export-Csv -Path "C:\Reports\DLPViolations.csv" -NoTypeInformation
Write-Host "DLP Violations report exported."
This exports the policy violations to a CSV file for analysis.
B. Check Users Triggering DLP Policies
To find which users triggered a DLP violation:
$Violations | Select-Object User, ViolationType, DocumentUrl | Format-Table -AutoSize
This helps identify risky user activity.
8. Automating DLP Policy Enforcement
To ensure DLP policies are enforced automatically, schedule a PowerShell script.
A. Save the Script
# Connect to SharePoint
# Note: -Interactive prompts for a sign-in, so it only works when a user is present.
# A script run unattended from Task Scheduler needs a non-interactive sign-in instead.
$AdminURL = "https://yourtenant-admin.sharepoint.com"
Connect-PnPOnline -Url $AdminURL -Interactive
# Reapply DLP policies to every Finance or HR site
$Sites = Get-PnPTenantSite | Where-Object { $_.Url -match "Finance|HR" }
foreach ($Site in $Sites) {
    # Pass the current site to the policy (same location parameter as in section 5);
    # without it the loop would re-enable the policy once per site without scoping it.
    Set-PnPDlpCompliancePolicy -Identity "Financial Data Protection" -Mode Enable -SharePointLocation $Site.Url
    Write-Host "DLP Policy applied to $($Site.Url)"
}
B. Schedule the Script
- Open Task Scheduler.
- Click Create Basic Task.
- Choose a Trigger (e.g., daily).
- Select Action > Start a Program.
- Set Program/Script to powershell.exe.
- In Add Arguments, enter: -File "C:\Path\To\DLP-Enforce.ps1"
- Click Finish to enable automation.
Now, DLP policies are automatically applied to new sites!
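A scheduled run is also a good place to detect drift: a DLP policy that has been disabled, reprioritised or deleted is a control failure worth alerting on, not just re-enabling silently. The script below is an added example, not code from the original guide; it assumes the PnP DLP cmdlets and the Name, Mode and Priority properties used on this page, and the policy name and report path are constructed values.

```powershell
# Added example: desired-state check for the DLP policy created in section 5.
# Assumes Get-PnPDlpCompliancePolicy and Set-PnPDlpCompliancePolicy as used on this page.
# Returns the drift findings so they can be logged, exported or alerted on.
function Test-DlpPolicyDrift {
    param(
        [Parameter(Mandatory)] [hashtable] $Desired,  # Name -> @{ Mode = ..; Priority = .. }
        [switch] $Remediate                            # re-apply Mode/Priority when they drift
    )
    $findings = @()
    $current  = @{}
    foreach ($p in (Get-PnPDlpCompliancePolicy)) { $current[$p.Name] = $p }

    foreach ($name in $Desired.Keys) {
        $want = $Desired[$name]
        $have = $current[$name]
        if (-not $have) {
            # A missing policy is the most serious finding: nothing is enforced at all.
            # Set-* cannot recreate it, so this is reported but never auto-remediated.
            $findings += [pscustomobject]@{ Policy = $name; Issue = 'Missing'; Expected = $want.Mode; Actual = $null }
            continue
        }
        if ($have.Mode -ne $want.Mode) {
            $findings += [pscustomobject]@{ Policy = $name; Issue = 'Mode'; Expected = $want.Mode; Actual = $have.Mode }
        }
        if ($have.Priority -ne $want.Priority) {
            $findings += [pscustomobject]@{ Policy = $name; Issue = 'Priority'; Expected = $want.Priority; Actual = $have.Priority }
        }
        if ($Remediate -and ($have.Mode -ne $want.Mode -or $have.Priority -ne $want.Priority)) {
            Set-PnPDlpCompliancePolicy -Identity $name -Mode $want.Mode -Priority $want.Priority
        }
    }
    return $findings
}

# Desired state for the policy from section 5 (constructed values).
$desired = @{ 'Financial Data Protection' = @{ Mode = 'Enable'; Priority = 1 } }

# -Interactive requires a signed-in user; replace it for unattended scheduled runs.
Connect-PnPOnline -Url "https://yourtenant-admin.sharepoint.com" -Interactive
$drift = Test-DlpPolicyDrift -Desired $desired -Remediate
if ($drift.Count -eq 0) {
    Write-Host "No DLP policy drift detected."
} else {
    # Each finding means someone changed or removed a control since the last run.
    $drift | Format-Table Policy, Issue, Expected, Actual -AutoSize
    $drift | Export-Csv -Path "C:\Reports\DLPDrift.csv" -NoTypeInformation
}
```

Feeding the exported drift CSV into the same review as the violations report from section 7 lets you tell apart users breaking the policy from administrators weakening it.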