• Dan Schultz

SPO Admin Rights & DLP [Updated|Resolved]

Updated: Jul 4


Update: You can sidestep the Compliance Center GUI inconsistencies below, by using the Set-DlpCompliancePolicy cmdlet. I have confirmed that you can successfully run, without site-admin permissions, a command like this:


Set-DlpCompliancePolicy -Identity "SPO ABA and CCN Policy" -AddSharePointLocation "https://contoso.sharepoint.com/Procurement","https://contoso.sharepoint.com/" -Mode TestWithNotifications

There are additional options for the -Mode parameter, as well as options to remove SPO locations, and add & remove OneDrive locations.


One weird wrinkle in the framework is apparent if you review your added locations in the DLP policy GUI: you can remove the locations from the policy, even though you wouldn't have been able to add them via the GUI.


Another is that a site's members or owners can add a site to a DLP policy. This provides a workaround to using PowerShell, if you prefer the GUI: just add yourself or your DLP manager as a site member, as each SPO site is created. That's still not a least-privilege solution, though it doesn't pile on admin rights unnecessarily.


Original Issue

I have an open case with Microsoft about an unexpected wrinkle in O365 DLP. SharePoint Online locations (sites) based on some of the available templates can't be added to a DLP policy unless the person setting the policy is an administrator for that site. Here's how it breaks out as of this writing:


I can add sites which use these templates:

  • Team site (classic experience)

  • Project web app site

I cannot add sites which use these templates:

  • Team site

  • Team site (no O365 Group)

  • Communications site

  • eDiscovery site

If the members of your DLP team aren't also Global or SPO admins already, this is a hard pill to swallow. Granting site-admin permissions across the board runs afoul of both the least-privilege principle and the separation of admin duties. Think about it in Exchange terms: if your DLP team had to have "Full Access" mailbox permissions simply to include (all) mailboxes in a policy, you'd be sounding the alarm.


In my testing, OneDrive for Business locations don't require the elevated permissions.


I'll keep you posted as Microsoft addresses the issue. I suspect that this will require a significant change within the O365 framework, and will take a while for them to work out a solution.

Recent Posts

See All

More Control Over OneDrive for Biz!

OneDrive for Business customers -- including mine -- have spoken and Microsoft has listened. New features recently rolled out include the ability to limit ODFB file synchronization to computers joined

Global Office 365 Deployment

ExchangeMaster

© 2020 Dan Schultz