Saturday, November 15, 2025

What is DLP in M365, and how can you apply it to SharePoint Online? An example using PowerShell commands

Microsoft 365 Data Loss Prevention (DLP) is a security feature designed to identify, monitor, and protect sensitive information across Microsoft 365 services like SharePoint Online, OneDrive, Exchange, and Teams. It helps prevent accidental or malicious sharing, leakage, or loss of sensitive data such as personally identifiable information (PII), financial data, or health records by enforcing policies that detect sensitive content and optionally block or restrict its access or sharing.

How DLP Works in M365

  • It uses predefined or custom sensitive information types to scan content in real time.
  • When sensitive data is detected, DLP policies can automatically trigger protective actions like blocking sharing, encrypting content, or alerting admins.
  • DLP provides reporting and alerts to help manage compliance.

Applying DLP to SharePoint Online using PowerShell

To apply DLP policies to SharePoint Online, you typically create and manage the policies in Microsoft Purview compliance portal, but you can use PowerShell to assign existing DLP policies to SharePoint sites.

Here is an example approach using PowerShell with Exchange Online Management Shell and SharePoint Online:

Step 1: Connect to Security & Compliance PowerShell (required for the DLP compliance cmdlets)

powershell

Import-Module ExchangeOnlineManagement

# DLP compliance policies are managed through the Purview compliance endpoint, not Exchange Online itself,
# so use Connect-IPPSSession (shipped in the same module) rather than Connect-ExchangeOnline
Connect-IPPSSession -UserPrincipalName admin@yourdomain.com

Step 2: Get list of DLP policies

powershell

Get-DlpCompliancePolicy

Step 3: If you need, create a new custom DLP policy (requires detailed rules normally created via Compliance portal)

Step 4: Apply a DLP policy to SharePoint Online locations

Locations are a property of the DLP policy (not of its rules), so you add SharePoint sites to an existing policy with Set-DlpCompliancePolicy:

powershell

Set-DlpCompliancePolicy -Identity "YourDLPPolicyName" -AddSharePointLocation "https://yourtenant.sharepoint.com/sites/yoursite"

Note: Most DLP policies are managed through the Microsoft Purview compliance center GUI for policy creation and assignment. PowerShell is mainly used for policy management or automation like enabling/disabling policies or updating locations.

Summary

  • DLP in M365 protects sensitive data from leakage by enforcing policies across SharePoint and other services.
  • PowerShell cmdlets like Get-DlpCompliancePolicy and Set-DlpCompliancePolicy can manage and assign DLP policies programmatically.
  • Creating and customizing DLP rules is generally done via the Microsoft Purview compliance center for granular control.

This setup ensures sensitive data stored in SharePoint Online is monitored and protected according to your organization's compliance and data governance needs.

Examples of SharePoint Data Loss Prevention (DLP) policy rules that block sensitive file sharing typically involve these components:

Example DLP Policy Use Case

  • Goal: Block sharing of sensitive items (e.g., Social Security Numbers, credit card data, or documents labeled "Confidential") from SharePoint and OneDrive sites to external users.
  • Exceptions: Do not block sharing for members of HR or specific internal groups.
  • Actions: Block or restrict access, send alerts to security teams, notify users when sharing is blocked.

Elements of a Typical SharePoint DLP Policy Rule

| Description | Configuration in DLP Rule |
|---|---|
| Users to monitor | All users, except excluded groups (e.g., Human Resources) |
| Locations to monitor | SharePoint sites and OneDrive accounts |
| Sensitive content types | US Social Security Number (SSN), Credit Card Number, custom sensitivity labels like "Confidential" |
| Condition 1 | Content is shared with people outside the organization |
| Condition 2 | Content contains specified sensitive info types or sensitivity labels |
| Actions | Block external sharing or restrict access; notify security team via email alerts |
| User notification | Provide policy tips and email alerts informing users of sharing restrictions |

Scenario Summary

  • When a file containing sensitive data is shared externally, the DLP policy detects the content based on sensitive information types and the sharing scope.
  • The policy blocks external access to that file.
  • The user attempting to share receives an alert notification.
  • The security or compliance team is notified by email of the incident for investigation.
  • This prevents sensitive data from being leaked outside the organization via SharePoint Online.

How to Customize

  • Add multiple conditions joined by AND/OR for granular control.
  • Use sensitivity labels as content conditions for better integration.
  • Configure incident reports and notifications.
  • Define exceptions carefully to avoid business disruption.

This example is from Microsoft's official guidance on how DLP policies monitor SharePoint/OneDrive content for sensitive data and block unauthorized sharing, with alerting for compliance monitoring and user education.
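The PowerShell steps earlier on this page and the use case just described come together in the following added example (it is not code from the original post or from Microsoft's documentation). It assumes an existing Security & Compliance PowerShell session (Connect-IPPSSession) and uses constructed names for the policy, the excluded HR site and the security team mailbox.

```powershell
# Added example: DLP policy + rule for the "block external sharing of PII" use case.
# Assumes Connect-IPPSSession has already been run as a compliance administrator.
$policyName = "SPO-Block-External-Sharing-of-PII"   # constructed name
$ruleName   = "$policyName-Rule"

# 1. Policy = WHERE to look. Scope to all SharePoint sites and OneDrive accounts, but
#    exclude the HR site (the use case's exception). Start in test mode so nothing is
#    blocked until the detections have been reviewed.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Blocks external sharing of SSN / credit card content from SPO and OneDrive" `
    -SharePointLocation "All" `
    -SharePointLocationException "https://yourtenant.sharepoint.com/sites/HR" `
    -OneDriveLocation "All" `
    -Mode TestWithNotifications

# 2. Rule = WHAT to detect and HOW to react.
#    Condition 1 (AccessScope NotInOrganization): content is shared with people outside the tenant.
#    Condition 2: content contains at least one SSN or credit card number (built-in SITs).
#    Actions: block the external recipients, show a policy tip, alert and report to the security team.
New-DlpComplianceRule -Name $ruleName -Policy $policyName `
    -AccessScope NotInOrganization `
    -ContentContainsSensitiveInformation @(
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
        @{ Name = "Credit Card Number";                minCount = "1" }
    ) `
    -BlockAccess $true `
    -BlockAccessScope PerUser `
    -NotifyUser LastModifier, Owner `
    -NotifyPolicyTipCustomText "External sharing of this file is blocked because it contains personal or payment data." `
    -GenerateAlert "secops@yourdomain.com" `
    -GenerateIncidentReport "secops@yourdomain.com" `
    -IncidentReportContent Title, DocumentAuthor, DocumentLastModifier, Detections, Severity `
    -ReportSeverityLevel High

# 3. Verify scope and state before enforcing.
Get-DlpCompliancePolicy -Identity $policyName |
    Select-Object Name, Mode, SharePointLocation, SharePointLocationException, OneDriveLocation

Get-DlpComplianceRule -Policy $policyName |
    Select-Object Name, AccessScope, BlockAccess, BlockAccessScope, ReportSeverityLevel

# Once the test-mode detections look right, switch the policy on:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```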


Specific sensitive information types (SITs) you should include in your Data Loss Prevention (DLP) rules for SharePoint Online depend on your organization's compliance needs and data risks, but typically include the following categories:

Common Sensitive Info Types for DLP Policies

  • Personally Identifiable Information (PII):
    • Social Security Numbers (SSN)
    • Passport numbers
    • Driver's license numbers
    • Personal addresses, phone numbers, email addresses
  • Financial Information:
    • Credit card and debit card numbers
    • Bank account numbers
    • Payment card industry data
  • Health Information (Protected Health Information - PHI):
    • Medical record numbers
    • Health insurance information
    • Genetic or biometric data
  • Government Identifiers:
    • Tax Identification Numbers
    • National ID numbers
    • Passport and visa numbers
  • Authentication Data:
    • Passwords
    • Account credentials
  • Confidential Business Data:
    • Intellectual property including trade secrets, patents
    • Customer data and contracts
    • Financial forecasts and business strategies
  • Special Categories Under Regulations (e.g., GDPR Special Category Data):
    • Racial or ethnic origin
    • Political opinions
    • Religious or philosophical beliefs
    • Genetic data and biometric data for ID purposes
    • Data about sexual orientation or sex life

Why Include These?

These data types are frequently targeted for theft or accidental exposure and have legal and regulatory protections that require you to monitor and prevent unauthorized sharing or leakage.

How to Use in DLP

  • Use built-in Microsoft 365 sensitive info types for easy policy creation.
  • Customize and combine multiple info types in rules tailored to your organization's specifics.
  • Include classification labels or tags as additional conditions.

These sensitive info types align with Microsoft Purview's built-in classifiers designed to detect and protect such information in your SharePoint Online environment.


Implement Conditional Access in SPO to prevent downloading and printing of files


To implement conditional access in SharePoint Online (SPO) to prevent downloading and printing of documents in a library, you typically apply session controls in a Microsoft Entra ID (Azure AD) Conditional Access policy that restricts actions such as printing and downloading when accessing SharePoint. This cannot be done with SPO cmdlets alone: it requires creating a Conditional Access policy via Microsoft Graph PowerShell and enabling "Limited Access" mode on the site (also called "AllowLimitedAccess" or "Block Download").

Here is a step-by-step approach using PowerShell and SharePoint Online cmdlets:

Step 1: Connect to SharePoint Online Management Shell

powershell

Connect-SPOService -Url https://yourtenant-admin.sharepoint.com -Credential (Get-Credential)

Step 2: Set Conditional Access on the SPO site to allow limited access (this will restrict download and printing)

powershell

Set-SPOSite -Identity https://yourtenant.sharepoint.com/sites/yoursite -ConditionalAccessPolicy AllowLimitedAccess

This sets the site to use the limited access policy enforced via Conditional Access.

Step 3: Create or configure a Conditional Access policy in Azure AD (Microsoft Entra) to enable session controls for SharePoint Online

This step requires the use of Microsoft Graph PowerShell module, because Conditional Access policies are managed through Azure AD (Entra), not directly on SPO.

Connect to Microsoft Graph PowerShell

powershell

Install-Module Microsoft.Graph -Scope CurrentUser

# The Conditional Access cmdlets live in the Identity.SignIns sub-module;
# importing it alone is much faster than loading the whole Microsoft.Graph meta-module
Import-Module Microsoft.Graph.Identity.SignIns

$permissions = @("Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All")
Connect-MgGraph -Scopes $permissions

Define the policy that restricts download and printing by enforcing the "Use app enforced restrictions" session control on the SharePoint Online app.

Example policy creation cmdlet (adjust the hashtable values to your needs):

powershell

$conditions = @{
    Applications = @{
        IncludeApplications = @("00000003-0000-0ff1-ce00-000000000000")   # Office 365 SharePoint Online app ID
    }
    Users = @{
        IncludeUsers = @("All")
    }
    ClientAppTypes = @("all")
}

# "Use app enforced restrictions" hands enforcement to SharePoint itself, which then applies
# the limited-access (browser-only, no download/print/sync) mode set with Set-SPOSite in Step 2.
$sessionControls = @{
    ApplicationEnforcedRestrictions = @{
        IsEnabled = $true
    }
}

# No grant controls are set on purpose: a grant control of "block" would deny access to
# SharePoint Online altogether instead of limiting what users can do once signed in.
$params = @{
    DisplayName     = "Block Download and Printing for SPO"
    State           = "enabled"   # use "enabledForReportingButNotEnforced" to pilot in report-only mode first
    Conditions      = $conditions
    SessionControls = $sessionControls
}

New-MgIdentityConditionalAccessPolicy @params

This policy ensures that when users access SharePoint Online, the app-enforced restrictions session control triggers the site's limited-access mode, so downloading, printing and syncing are blocked and files can only be viewed in the browser. (Microsoft Defender for Cloud Apps session policies can deliver a similar download block, but that is a different session control from the one used here.)

Summary

  • Use Set-SPOSite -ConditionalAccessPolicy AllowLimitedAccess to enable limited access mode on the SPO site.
  • Configure a Conditional Access policy using Microsoft Graph PowerShell to apply session controls on SharePoint Online to block downloads and printing.
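Because the control only works when both halves are in place (the site in limited-access mode and an enabled Conditional Access policy that triggers it), the following added audit script checks both. It is not part of the original post; it assumes Connect-SPOService and Connect-MgGraph (with Policy.Read.All) have already been run, and the site URLs are constructed placeholders.

```powershell
# Added example: verify that limited access is actually enforced for the sites in scope.
# Assumes Connect-SPOService and Connect-MgGraph -Scopes Policy.Read.All have been run.
$spoAppId = "00000003-0000-0ff1-ce00-000000000000"   # Office 365 SharePoint Online
$sitesInScope = @(                                     # constructed placeholder URLs
    "https://yourtenant.sharepoint.com/sites/yoursite",
    "https://yourtenant.sharepoint.com/sites/finance"
)

# Half 1: each site must be in AllowLimitedAccess mode, otherwise the session control has nothing to enforce.
$siteStatus = foreach ($url in $sitesInScope) {
    $site = Get-SPOSite -Identity $url -Detailed
    [pscustomobject]@{
        Url                     = $site.Url
        ConditionalAccessPolicy = $site.ConditionalAccessPolicy   # expected: AllowLimitedAccess
        LimitedAccessFileType   = $site.LimitedAccessFileType     # which file types remain viewable in the browser
        Compliant               = ($site.ConditionalAccessPolicy -eq "AllowLimitedAccess")
    }
}

# Half 2: a Conditional Access policy must target the SPO app with "app enforced restrictions" enabled.
$caPolicies = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    ($_.Conditions.Applications.IncludeApplications -contains $spoAppId) -and
    ($_.SessionControls.ApplicationEnforcedRestrictions.IsEnabled -eq $true)
}
$enforcing  = @($caPolicies | Where-Object { $_.State -eq "enabled" })
$reportOnly = @($caPolicies | Where-Object { $_.State -eq "enabledForReportingButNotEnforced" })

$siteStatus | Format-Table -AutoSize
Write-Output ("CA policies with app-enforced restrictions on SPO: enforcing={0}, report-only={1}" -f $enforcing.Count, $reportOnly.Count)

# Flag the gaps a reviewer would want to see.
$siteStatus | Where-Object { -not $_.Compliant } | ForEach-Object {
    Write-Warning "Site $($_.Url) is not in AllowLimitedAccess mode; downloads are not restricted there."
}
if ($enforcing.Count -eq 0) {
    Write-Warning "No enabled CA policy applies app-enforced restrictions to SharePoint Online; limited access is never triggered."
}
```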



To View Deleted Site Collections #PowerShell


===================================

Returns all deleted site collections from the Recycle Bin.

Syntax

ParameterSetAllSites (Default)

PowerShell
Get-SPODeletedSite
    [[-Identity] <SpoSitePipeBind>]
    [-Limit <String>]
    [-IncludePersonalSite]
    [<CommonParameters>]

Personal sites only (separate parameter set)

PowerShell
Get-SPODeletedSite
    [-Limit <String>]
    [-IncludeOnlyPersonalSite]
    [<CommonParameters>]

Description

The Get-SPODeletedSite cmdlet returns all deleted site collections that match the given criteria from the Recycle Bin.

By default the cmdlet only returns sites and site collections that are not Personal Sites (My Sites). To include personal sites, use the IncludePersonalSite parameter. To return only Personal Sites, use the IncludeOnlyPersonalSite parameter.

These two Switch Parameters are in different parameter sets, so you can only use either one of them but not both.

This action does not restore the returned sites or site collections. It only returns their properties so that you can see which sites or site collections have been deleted. To restore them, forward the results to the Restore-SPODeletedSite cmdlet in the pipeline.

You must be a SharePoint Online administrator and be a site collection administrator for the deleted site collections to run the cmdlet.

For permissions and the most current information about Windows PowerShell for SharePoint Online, see the online documentation at Intro to SharePoint Online Management Shell.

Example 1

PowerShell
Get-SPODeletedSite -IncludePersonalSite

The command in this example returns all deleted site collections from the Recycle Bin including Personal Sites.


Restore command:

PowerShell
Restore-SPODeletedSite -Identity <SiteCollectionURL>




SharePoint Online sites and using PowerShell

1. To retrieve all SharePoint Online sites and export the data using PowerShell

powershell

# Connect to the SPO admin center
Connect-SPOService -Url "https://<yourtenant>-admin.sharepoint.com"

# Retrieve all site collections and export to CSV
Get-SPOSite -Limit All |
    Select-Object Title, Url, Template, StorageQuota, LastContentModifiedTime, Owner |
    Export-Csv -Path "C:\Temp\AllSharePointSites.csv" -NoTypeInformation

2. PowerShell script to get all licensed Microsoft 365 users:

powershell

# Install the MSOnline module if not already installed
# (note: MSOnline is deprecated by Microsoft; the Microsoft.Graph module's Get-MgUser is the supported replacement)
Install-Module -Name MSOnline -Force

# Import the module
Import-Module MSOnline

# Connect to Microsoft 365
Connect-MsolService

# Get all users with any assigned license and export to CSV.
# Licenses is a collection, so flatten it to the SKU ids; otherwise Export-Csv writes only the .NET type name.
$LicensedUsers = Get-MsolUser -All | Where-Object { $_.IsLicensed -eq $true }
$LicensedUsers |
    Select-Object DisplayName, UserPrincipalName,
        @{ Name = "Licenses"; Expression = { ($_.Licenses.AccountSkuId) -join ";" } } |
    Export-Csv -Path "C:\Temp\LicensedUsers.csv" -NoTypeInformation




Tuesday, November 11, 2025

POWERSHELL COMMANDS ON SHAREPOINT ONLINE SITES

PowerShell commands for SharePoint Online (SPO) greatly simplify administration tasks such as site management, permissions handling, and reporting. The SharePoint Online Management Shell provides a collection of cmdlets (commands) starting with "SPO" or "PnP" (for PnP PowerShell) that administrators use to automate and streamline management.

Commonly Used PowerShell Commands on SharePoint Online Sites

  1. Connect to SharePoint Online Admin Center

    powershell
    Connect-SPOService -Url https://<tenant>-admin.sharepoint.com

    Establishes a session with the SharePoint Online admin center.

  2. Get List of Site Collections

    powershell
    Get-SPOSite

    Retrieves all SharePoint Online site collections in your tenant.

  3. Get Detailed Site Information

    powershell
    Get-SPOSite -Identity https://contoso.sharepoint.com/sites/siteName -Detailed

    Provides detailed properties of a specific site.

  4. Create a New Site Collection

    powershell
    New-SPOSite -Url https://contoso.sharepoint.com/sites/newsite -Owner user@contoso.com -StorageQuota 1024 -Template STS#0 -Title "New Site"

    Creates a new site with specified owner, storage quota, template, and title.

  5. Update Site Collection Properties

    powershell
    Set-SPOSite -Identity https://contoso.sharepoint.com/sites/siteName -StorageQuota 2048 -Title "Updated Title"

    Modifies settings like storage quota and title for an existing site.

  6. Remove a Site Collection

    powershell
    Remove-SPOSite -Identity https://contoso.sharepoint.com/sites/oldsite

    Deletes a specified site collection.

  7. Manage Site Collection User Permissions

    • Add user to site owners group:

      powershell
      Add-SPOUser -Site https://contoso.sharepoint.com/sites/siteName -LoginName user@contoso.com -Group "Site Owners"
    • Remove user from a group:

      powershell
      Remove-SPOUser -Site https://contoso.sharepoint.com/sites/siteName -LoginName user@contoso.com -Group "Site Members"
  8. Get Site Collection Storage Usage

    powershell
    Get-SPOSite | Select URL, StorageUsageCurrent | Format-Table

    Lists site URLs and their current storage usage.

  9. Restore a Deleted Site

    powershell
    Restore-SPODeletedSite -Identity https://contoso.sharepoint.com/sites/deletedsite
  10. Using PnP PowerShell for More Granular Tasks

    • Connect to site:

      powershell
      Connect-PnPOnline -Url https://contoso.sharepoint.com/sites/siteName -Interactive
    • Get all lists:

      powershell
      Get-PnPList
    • Add user to SharePoint group:

      powershell
      Add-PnPGroupMember -Identity "Site Members" -LoginName user@contoso.com
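The cmdlets listed above (Get-SPOSite, Get-SPOUser, Export-Csv) combine into a single site-collection review, shown in the following added example (not from the original post). It assumes Connect-SPOService has already been run as a SharePoint administrator; the storage threshold and output path are constructed values.

```powershell
# Added example: one report per site collection covering sharing posture, administrators and storage.
# Assumes Connect-SPOService has been run; threshold and path below are constructed values.
$storageWarnPercent = 80
$reportPath = "C:\Temp\SPOSiteReview.csv"

$report = Get-SPOSite -Limit All | ForEach-Object {
    $site = $_

    # Site collection administrators have full control of the site; the list should be short and known.
    # Some sites (locked, or not granted to this admin) cannot be read, so record that instead of failing.
    $admins = try {
        Get-SPOUser -Site $site.Url -Limit All -ErrorAction Stop |
            Where-Object { $_.IsSiteAdmin } |
            Select-Object -ExpandProperty LoginName
    } catch { "<not readable: $($_.Exception.Message)>" }

    $usedPercent = if ($site.StorageQuota -gt 0) {
        [math]::Round(100 * $site.StorageUsageCurrent / $site.StorageQuota, 1)
    } else { 0 }

    [pscustomobject]@{
        Url               = $site.Url
        Title             = $site.Title
        Template          = $site.Template
        # Disabled / ExistingExternalUserSharingOnly / ExternalUserSharingOnly / ExternalUserAndGuestSharing
        SharingCapability = $site.SharingCapability
        AnyoneLinks       = ($site.SharingCapability -eq "ExternalUserAndGuestSharing")
        AdminCount        = @($admins).Count
        Admins            = ($admins -join ";")
        StorageUsedMB     = $site.StorageUsageCurrent
        StorageQuotaMB    = $site.StorageQuota
        StorageUsedPct    = $usedPercent
        LastModified      = $site.LastContentModifiedTime
    }
}

$report | Export-Csv -Path $reportPath -NoTypeInformation

# Findings worth a second look: anonymous "Anyone" links allowed, many admins, sites near quota.
$report | Where-Object { $_.AnyoneLinks } | Format-Table Url, SharingCapability -AutoSize
$report | Where-Object { $_.AdminCount -gt 3 } | Format-Table Url, AdminCount, Admins -AutoSize
$report | Where-Object { $_.StorageUsedPct -ge $storageWarnPercent } | Format-Table Url, StorageUsedPct -AutoSize
```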