-
Notifications
You must be signed in to change notification settings - Fork 124
Data-35020: Auto-Labeling Enforcement Mode Enabled #774
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
sandeepjha000
wants to merge
5
commits into
main
Choose a base branch
from
feature-35020
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
Show all changes
5 commits
Select commit
Hold shift + click to select a range
6d0f6a5
Initial commit for Test-Assessment.35020 files
sandeepjha000 8ba754a
updated remediation actions and comments
sandeepjha000 8a7dcdc
fixing bug in Summary table workload converage
sandeepjha000 860ba23
show workload coverage against each policy
sandeepjha000 6a8156f
updated code post spec update
sandeepjha000 File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| Auto-labeling policies can operate in two modes: simulation mode (testing and monitoring) and enforcement mode (active labeling). Organizations that configure auto-labeling policies but leave them in simulation mode indefinitely gain no actual protection or compliance benefits because content is never actually labeled. Simulation mode is a testing mechanism intended to validate policy accuracy before enabling active classification, not a permanent deployment state. When auto-labeling policies remain in simulation mode, sensitive data continues to circulate unclassified, leaving data loss prevention policies unable to detect and protect high-risk content. Users experience no behavior change from the policy's existence, and the organization derives no value from the investment in policy design and configuration. Additionally, simulation mode limits visibility into real-world labeling effectiveness, making it difficult to identify and correct false positive or negative scenarios before enforcement. At least one auto-labeling policy must be active in enforcement mode to ensure that sensitive information is consistently and automatically labeled across Microsoft 365 workloads (Outlook emails, Exchange mailboxes, SharePoint sites, OneDrive accounts, Teams channels, and Power BI). Transitioning policies from simulation to enforcement mode, after validation testing, activates the protective intent of the policy and begins reducing the attack surface by ensuring sensitive content is classified and subject to associated protection rules. | ||
|
|
||
| **Remediation action** | ||
|
|
||
| 1. **Access auto-labeling policies**: | ||
| - [Navigate to Auto-labeling policies](https://purview.microsoft.com/informationprotection/autolabeling) in the Microsoft Purview portal. | ||
| - [Apply sensitivity labels automatically](https://learn.microsoft.com/en-us/purview/apply-sensitivity-label-automatically) provides step-by-step access instructions. | ||
| 2. **Identify policies in simulation mode**: | ||
| - Review the list of auto-labeling policies. Locate policies with Mode: Simulation. These policies are actively monitoring but not labeling content. | ||
| - [Apply sensitivity labels automatically](https://learn.microsoft.com/en-us/purview/apply-sensitivity-label-automatically) explains simulation mode functionality. | ||
| 3. **Review simulation statistics**: Before switching to enforcement mode, examine the simulation statistics for the past 1-2 weeks to confirm the policy correctly identifies sensitive content. Look for the number of items matched and verify the match count is reasonable for your organization's data. | ||
| 4. **Validate accuracy and adjust conditions**: If simulation statistics show excessive false positives or misses, refine the sensitive information type detection rules or conditions in the policy. | ||
| - [Fine-tune sensitive information type detection](https://learn.microsoft.com/en-us/purview/apply-sensitivity-label-automatically) documents condition tuning. | ||
| 5. **Plan enforcement activation**: Determine which policies should move to enforcement mode first. Prioritize policies for your most sensitive or most common data types (e.g., credit card numbers, customer records) to maximize initial impact. | ||
| 6. **Switch policy to enforcement mode**: In the policy details page, select the option to enable enforcement or change the mode from "Simulation" to "Enable". Confirm the action as this begins active labeling. | ||
| - [Turn on enforcement for auto-labeling policies](https://learn.microsoft.com/en-us/purview/apply-sensitivity-label-automatically) documents the specific steps. | ||
| 7. **Monitor enforcement results**: After activating enforcement, regularly review the policy statistics to confirm labeling is occurring as expected. Monitor for unexpected labeling patterns or user reports of incorrectly labeled content. Make additional refinements as needed based on real-world results. | ||
|
|
||
| <!--- Results ---> | ||
| %TestResult% |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,149 @@ | ||
| <# | ||
| .SYNOPSIS | ||
| Auto-Labeling Enforcement Mode Enabled | ||
| #> | ||
|
|
||
| function Test-Assessment-35020 { | ||
| [ZtTest( | ||
| Category = 'Information Protection', | ||
| ImplementationCost = 'Low', | ||
| MinimumLicense = ('Microsoft 365 E5'), | ||
| Pillar = 'Data', | ||
| RiskLevel = 'High', | ||
| SfiPillar = 'Protect tenants and production systems', | ||
| TenantType = ('Workforce','External'), | ||
| TestId = 35020, | ||
| Title = 'Auto-labeling enforcement mode enabled', | ||
| UserImpact = 'Low' | ||
| )] | ||
| [CmdletBinding()] | ||
| param() | ||
|
|
||
| #region Data Collection | ||
| Write-PSFMessage '🟦 Start' -Tag Test -Level VeryVerbose | ||
| $activity = 'Checking auto-labeling enforcement mode configuration' | ||
|
|
||
| # Q1: Get all auto-labeling policies | ||
| Write-ZtProgress -Activity $activity -Status 'Getting auto-labeling policies' | ||
|
|
||
| $errorMsg = $null | ||
| $allPolicies = @() | ||
|
|
||
| try { | ||
| $allPolicies = Get-AutoSensitivityLabelPolicy -ErrorAction Stop | ||
| } | ||
| catch { | ||
| $errorMsg = $_ | ||
| Write-PSFMessage "Error querying auto-labeling policies: $_" -Level Error | ||
| } | ||
| #endregion Data Collection | ||
|
|
||
| #region Assessment Logic | ||
| $enforcementPolicies = @() | ||
| $simulationPolicies = @() | ||
| $disabledPolicies = @() | ||
| $passed = $false | ||
| $customStatus = $null | ||
|
|
||
| if ($errorMsg) { | ||
| $testResultMarkdown = "⚠️ Unable to determine auto-labeling enforcement mode status due to permissions issues or query failure.`n`n" | ||
| $customStatus = 'Investigate' | ||
| } | ||
| else { | ||
| Write-PSFMessage "Found $($allPolicies.Count) auto-labeling policies" -Level Verbose | ||
|
|
||
| # Categorize policies by status and mode | ||
| foreach ($policy in $allPolicies) { | ||
| # Categorize policies by Mode property | ||
| # Possible Mode values per documentation: Enable, TestWithNotifications, TestWithoutNotifications, Disable | ||
| # Reference: https://learn.microsoft.com/en-us/powershell/module/exchangepowershell/set-autosensitivitylabelpolicy?view=exchange-ps#-mode | ||
|
|
||
| if ($policy.Enabled -eq $true -and $policy.Mode -eq 'Enable') { | ||
| $enforcementPolicies += $policy | ||
| } | ||
| elseif ($policy.Enabled -eq $true -and ($policy.Mode -eq 'TestWithoutNotifications' -or $policy.Mode -eq 'TestWithNotifications')) { | ||
| $simulationPolicies += $policy | ||
| } | ||
| elseif ($policy.Enabled -eq $false) { | ||
| $disabledPolicies += $policy | ||
| } | ||
| } | ||
|
|
||
| # Determine pass/fail status | ||
| if ($enforcementPolicies.Count -gt 0) { | ||
| $passed = $true | ||
| $testResultMarkdown = "✅ At least one auto-labeling policy is enabled and actively labeling content in enforcement mode.`n`n%TestResult%" | ||
| } | ||
| else { | ||
| $passed = $false | ||
|
|
||
| if ($allPolicies.Count -eq 0) { | ||
| $testResultMarkdown = "❌ No auto-labeling policies were found in your tenant.`n`n%TestResult%" | ||
| } | ||
| else { | ||
| $testResultMarkdown = "❌ No auto-labeling policies are in enforcement mode. All policies are either disabled or in simulation mode.`n`n%TestResult%" | ||
| } | ||
| } | ||
| } | ||
|
|
||
| #endregion Assessment Logic | ||
|
|
||
| #region Report Generation | ||
| $mdInfo = '' | ||
|
|
||
| # Show enforcement policies table if any exist | ||
| if ($enforcementPolicies.Count -gt 0) { | ||
| $mdInfo += "`n`n### [Auto-labeling policies in enforcement mode](https://purview.microsoft.com/informationprotection/autolabeling)`n" | ||
| $mdInfo += "| Policy name | Enabled status | Mode | Workload(s) targeted | Policy description | Date activated | Last modified |`n" | ||
| $mdInfo += "| :--- | :--- | :--- | :--- | :--- | :--- | :--- |`n" | ||
|
|
||
| foreach ($policy in $enforcementPolicies) { | ||
| $policyName = Get-SafeMarkdown -Text $policy.Name | ||
| $enabledStatus = $policy.Enabled | ||
| $workload = if ($policy.Workload) { $policy.Workload } else { 'N/A' } | ||
sandeepjha000 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| $description = if ($policy.Comment) { Get-SafeMarkdown -Text $policy.Comment } else { 'N/A' } | ||
| $created = if ($policy.WhenCreatedUTC) { $policy.WhenCreatedUTC.ToString('yyyy-MM-dd') } else { 'N/A' } | ||
| $modified = if ($policy.WhenChangedUTC) { $policy.WhenChangedUTC.ToString('yyyy-MM-dd') } else { 'N/A' } | ||
| $mdInfo += "| $policyName | $enabledStatus | $($policy.Mode) | $workload | $description | $created | $modified |`n" | ||
| } | ||
| } | ||
|
|
||
| # Build summary metrics | ||
| if ($allPolicies.Count -gt 0) { | ||
| # Calculate aggregated workload coverage across all enforcement policies | ||
| $allWorkloads = ($enforcementPolicies | ForEach-Object { $_.Workload }) -join ' ' | ||
| $exchangeCovered = if ($allWorkloads -match 'Exchange') { 'Yes' } else { 'No' } | ||
| $sharepointCovered = if ($allWorkloads -match 'SharePoint') { 'Yes' } else { 'No' } | ||
| $onedriveCovered = if ($allWorkloads -match 'OneDrive') { 'Yes' } else { 'No' } | ||
| $teamsCovered = if ($allWorkloads -match 'Teams') { 'Yes' } else { 'No' } | ||
| $powerbiCovered = if ($allWorkloads -match 'PowerBI') { 'Yes' } else { 'No' } | ||
|
|
||
| $mdInfo += "`n`n### Summary:`n`n" | ||
| $mdInfo += "- **Total Policies in Enforcement Mode:** $($enforcementPolicies.Count)`n" | ||
| $mdInfo += "- **Total Policies in Simulation Mode:** $($simulationPolicies.Count)`n" | ||
| $mdInfo += "- **Total Policies Disabled:** $($disabledPolicies.Count)`n" | ||
| $mdInfo += "- **Workloads Covered by Enforcement Policies:**`n" | ||
| $mdInfo += " - **Exchange/Outlook:** $exchangeCovered`n" | ||
| $mdInfo += " - **SharePoint:** $sharepointCovered`n" | ||
| $mdInfo += " - **OneDrive:** $onedriveCovered`n" | ||
| $mdInfo += " - **Teams:** $teamsCovered`n" | ||
| $mdInfo += " - **Power BI:** $powerbiCovered`n" | ||
| } | ||
|
|
||
| $testResultMarkdown = $testResultMarkdown -replace '%TestResult%', $mdInfo | ||
| #endregion Report Generation | ||
|
|
||
| $params = @{ | ||
| TestId = '35020' | ||
| Title = 'Auto-labeling enforcement mode enabled' | ||
| Status = $passed | ||
| Result = $testResultMarkdown | ||
| } | ||
|
|
||
| # Add CustomStatus if status is 'Investigate' | ||
| if ($null -ne $customStatus) { | ||
| $params.CustomStatus = $customStatus | ||
| } | ||
|
|
||
| Add-ZtTestResultDetail @params | ||
| } | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.