Migrate Legacy Exchange Data Loss Prevention Policies to Compliance Center using Wizard and Playbook

Published Sep 16 2021 08:30 AM 2,277 Views
Microsoft

Prior to DLP in Microsoft 365 compliance center, most organizations protected data using the transport rules aka mail flow rules created in Exchange admin center. You can use transport rules to identify and act on messages that flow through the Exchange Online organization. With the evolution of a centralized console for all the workloads, it’s recommended to move the existing Exchange admin center-DLP policies to DLP in Microsoft 365 Compliance Center. To learn more about Data loss prevention, please refer DLP.

Advantages of migrating to Compliance Center:

  • Unified admin console which is easy to maintain
  • Single policy across all workloads (Exchange, SPO, ODB, Teams, Devices, MCAS, etc.)
  • Protection of data at rest and in transit.
  • Near real-time alerts
  • Easy navigation to other compliance product features and capabilities
  • More advanced classification and labeling
  • Rich built-in alerting and incident management experience

 

Why now?

With the rich experience of Microsoft compliance portal and for easy maintenance of all the DLP policies across workloads at a common place, it's advisable to migrate all the legacy ETR(EAC-DLP) policies into Microsoft Compliance portal (DLP-EXO). We plan to deprecate the EAC-DLP experience in Exchange admin center between April-June 2022. Hence, this is the right time to re-validate the existing legacy rules, consolidate, and rationalize, and migrate to Unified console. To help in migrating the EAC-DLP policies, we are providing a migration wizard which will bring over the policies to Microsoft 365 compliance center.

Migration Process & Playbook:

To fast up the migration process, we have an in-built Wizard within the compliance portal, that will help to migrate all the policies in a simple flow of few clicks. The entire process has been explained in the Playbook. Please view the playbook at aka.ms/mipc/oss

 

PavanKB_0-1631763835007.png

 

 

The attached Playbook helps in identifying the activities in each of the below phases along with insights and best practices.

 

 

In summary, this playbook will help to:

  • Understand the migration process.
  • Understand the unified console and interface.
  • Develop a strategy for the migration.
  • Ensure a smooth migration process.
  • Find resources to support the migration process

 

For more up-to-date information, please refer to the documentation here.

Frequently asked questions:

 

  1. Are ETR (mail flow rules) being deprecated?

No changes planned for mail flow rules. Only Exchange DLP will be deprecated (Dates, yet to announce)

  1. Will the migration wizard impact my existing DLP policies in Exchange?

No. The migration wizard only creates new policies in Compliance Center.
You can choose to disable the Exchange policies using the wizard or independently

  1. Why am I not seeing the migration wizard banner?

Migration wizard banner will be displayed only if you have active Exchange DLP policies

  1. What should I do if there are any failures in migration?

Check details in the migration report to understand the root cause. Make required edits in Exchange policy and retry migration using the wizard

  1. For testing purposes, can I enable both the EAC-DLP rule and the DLP-EXO rule?

Yes. As soon as, the results are satisfied, make the EAC-DLP rules to disable state.

  1. Why am I getting 2 incident reports?

This is expected in case both Exchange and Microsoft365 DLP policies are in enabled state

  1. What should I do if my rules are using unsupported conditions?

Create a separate mail flow rule for conditions like SCLOver which are not supported in Unified DLP (Microsoft 365 DLP), remove the unsupported condition from the transport rule and perform the migration.

  1. Discrepancy in Exchange and Microsoft365 DLP policy evaluation

If policies are enforced in both Exchange and Microsoft365 DLP, please refer to this document to understand the expected behavior

Additional Resources 

Join Microsoft Information Protection Preview ring

Microsoft Information Protection Tech Communities

Microsoft Information Protection Yammer

MIP & Compliance One-Stop Shop

%3CLINGO-SUB%20id%3D%22lingo-sub-2754785%22%20slang%3D%22en-US%22%3EMigrate%20Legacy%20Exchange%20Data%20Loss%20Prevention%20Policies%20to%20Compliance%20Center%20using%20Wizard%20and%20Playbook%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2754785%22%20slang%3D%22en-US%22%3E%3CP%3EPrior%20to%20DLP%20in%20Microsoft%20365%20compliance%20center%2C%20most%20organizations%20protected%20data%20using%20the%20transport%20rules%20aka%20mail%20flow%20rules%20created%20in%20Exchange%20admin%20center.%20You%20can%20use%20transport%20rules%20to%20identify%20and%20act%20on%20messages%20that%20flow%20through%20the%20Exchange%20Online%20organization.%20With%20the%20evolution%20of%20a%20centralized%20console%20for%20all%20the%20workloads%2C%20it%E2%80%99s%20recommended%20to%20move%20the%20existing%20Exchange%20admin%20center-DLP%20policies%20to%20DLP%20in%20Microsoft%20365%20Compliance%20Center.%20To%20learn%20more%20about%20Data%20loss%20prevention%2C%20please%20refer%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fcompliance%2Fdlp-learn-about-dlp%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EDLP%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EAdvantages%20of%20migrating%20to%20Compliance%20Center%3A%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EUnified%20admin%20console%20which%20is%20easy%20to%20maintain%3C%2FLI%3E%0A%3CLI%3ESingle%20policy%20across%20all%20workloads%20(Exchange%2C%20SPO%2C%20ODB%2C%20Teams%2C%20Devices%2C%20MCAS%2C%20etc.)%3C%2FLI%3E%0A%3CLI%3EProtection%20of%20data%20at%20rest%20and%20in%20transit.%3C%2FLI%3E%0A%3CLI%3ENear%20real-time%20alerts%3C%2FLI%3E%0A%3CLI%3EEasy%20navigation%20to%20other%20compliance%20product%20features%20and%20capabilities%3C%2FLI%3E%0A%3CLI%3EMore%20advanced%20classification%20and%20labeling%3C%2FLI%3E%0A%3CLI%3ERich%20built-in%20alerting%20and%20incident%20management%20experience%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EWhy%20now%3F%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EWith%20the%20rich%20experience%20of%20Microsoft%20compliance%20portal%20and%20for%20easy%20maintenance%20of%20all%20the%20DLP%20policies%20across%20workloads%20at%20a%20common%20place%2C%20it's%20advisable%20to%20migrate%20all%20the%20legacy%20ETR(EAC-DLP)%20policies%20into%20%3CA%20href%3D%22https%3A%2F%2Fcompliance.microsoft.com%2Fdatalossprevention%3Fviewid%3Dpolicies%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EMicrosoft%20Compliance%20portal%3C%2FA%3E%20(DLP-EXO).%20We%20plan%20to%20deprecate%20the%20EAC-DLP%20experience%20in%20Exchange%20admin%20center%20between%20April-June%202022.%20Hence%2C%20this%20is%20the%20right%20time%20to%20re-validate%20the%20existing%20legacy%20rules%2C%20consolidate%2C%20and%20rationalize%2C%20and%20migrate%20to%20Unified%20console.%20To%20help%20in%20migrating%20the%20EAC-DLP%20policies%2C%20we%20are%20providing%20a%20migration%20wizard%20which%20will%20bring%20over%20the%20policies%20to%20Microsoft%20365%20compliance%20center.%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EMigration%20Process%20%26amp%3B%20Playbook%3A%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3ETo%20fast%20up%20the%20migration%20process%2C%20we%20have%20an%20in-built%20Wizard%20within%20the%20compliance%20portal%2C%20that%20will%20help%20to%20migrate%20all%20the%20policies%20in%20a%20simple%20flow%20of%20few%20clicks.%20The%20entire%20process%20has%20been%20explained%20in%20the%20Playbook.%20Please%20view%20the%20playbook%20at%20%3CA%20href%3D%22https%3A%2F%2Fmicrosoft.github.io%2FComplianceCxE%2Fplaybooks%2Fetr2dlp%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Eaka.ms%2Fmipc%2Foss%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22PavanKB_0-1631763835007.png%22%20style%3D%22width%3A%20463px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F310723iFA84A2E7C0B125A9%2Fimage-dimensions%2F463x162%3Fv%3Dv2%22%20width%3D%22463%22%20height%3D%22162%22%20role%3D%22button%22%20title%3D%22PavanKB_0-1631763835007.png%22%20alt%3D%22PavanKB_0-1631763835007.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20attached%20Playbook%20helps%20in%20identifying%20the%20activities%20in%20each%20of%20the%20below%20phases%20along%20with%20insights%20and%20best%20practices.%3C%2FP%3E%0A%3CDIV%20id%3D%22tinyMceEditorPavanKB_1%22%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20summary%2C%20this%20playbook%20will%20help%20to%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EUnderstand%20the%20migration%20process.%3C%2FLI%3E%0A%3CLI%3EUnderstand%20the%20unified%20console%20and%20interface.%3C%2FLI%3E%0A%3CLI%3EDevelop%20a%20strategy%20for%20the%20migration.%3C%2FLI%3E%0A%3CLI%3EEnsure%20a%20smooth%20migration%20process.%3C%2FLI%3E%0A%3CLI%3EFind%20resources%20to%20support%20the%20migration%20process%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFor%20more%20up-to-date%20information%2C%20please%20refer%20to%20the%20documentation%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fcompliance%2Fdlp-migrate-exo-policy-to-unified-dlp%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehere%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EFrequently%20asked%20questions%3A%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EAre%20ETR%20(mail%20flow%20rules)%20being%20deprecated%3F%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%3CEM%3ENo%20changes%20planned%20for%20mail%20flow%20rules.%20Only%20Exchange%20DLP%20will%20be%20deprecated%20(Dates%2C%20yet%20to%20announce)%3C%2FEM%3E%3C%2FP%3E%0A%3COL%20start%3D%222%22%3E%0A%3CLI%3EWill%20the%20migration%20wizard%20impact%20my%20existing%20DLP%20policies%20in%20Exchange%3F%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%3CEM%3ENo.%20The%20migration%20wizard%20only%20creates%20new%20policies%20in%20Compliance%20Center.%3CBR%20%2F%3EYou%20can%20choose%20to%20disable%20the%20Exchange%20policies%20using%20the%20wizard%20or%20independently%3C%2FEM%3E%3C%2FP%3E%0A%3COL%20start%3D%223%22%3E%0A%3CLI%3EWhy%20am%20I%20not%20seeing%20the%20migration%20wizard%20banner%3F%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%3CEM%3EMigration%20wizard%20banner%20will%20be%20displayed%20only%20if%20you%20have%20active%20Exchange%20DLP%20policies%3C%2FEM%3E%3C%2FP%3E%0A%3COL%20start%3D%224%22%3E%0A%3CLI%3EWhat%20should%20I%20do%20if%20there%20are%20any%20failures%20in%20migration%3F%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%3CEM%3ECheck%20details%20in%20the%20migration%20report%20to%20understand%20the%20root%20cause.%20Make%20required%20edits%20in%20Exchange%20policy%20and%20retry%20migration%20using%20the%20wizard%3C%2FEM%3E%3C%2FP%3E%0A%3COL%20start%3D%225%22%3E%0A%3CLI%3EFor%20testing%20purposes%2C%20can%20I%20enable%20both%20the%20EAC-DLP%20rule%20and%20the%20DLP-EXO%20rule%3F%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%3CEM%3EYes.%20As%20soon%20as%2C%20the%20results%20are%20satisfied%2C%20make%20the%20EAC-DLP%20rules%20to%20disable%20state.%3C%2FEM%3E%3C%2FP%3E%0A%3COL%20start%3D%226%22%3E%0A%3CLI%3EWhy%20am%20I%20getting%202%20incident%20reports%3F%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%3CEM%3EThis%20is%20expected%20in%20case%20both%20Exchange%20and%20Microsoft365%20DLP%20policies%20are%20in%20enabled%20state%3C%2FEM%3E%3C%2FP%3E%0A%3COL%20start%3D%227%22%3E%0A%3CLI%3EWhat%20should%20I%20do%20if%20my%20rules%20are%20using%20unsupported%20conditions%3F%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%3CEM%3ECreate%20a%20separate%20mail%20flow%20rule%20for%20conditions%20like%20SCLOver%20which%20are%20not%20supported%20in%20Unified%20DLP%20(Microsoft%20365%20DLP)%2C%20remove%20the%20unsupported%20condition%20from%20the%20transport%20rule%20and%20perform%20the%20migration.%3C%2FEM%3E%3C%2FP%3E%0A%3COL%20start%3D%228%22%3E%0A%3CLI%3EDiscrepancy%20in%20Exchange%20and%20Microsoft365%20DLP%20policy%20evaluation%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%3CEM%3EIf%20policies%20are%20enforced%20in%20both%20Exchange%20and%20Microsoft365%20DLP%2C%20please%20refer%20to%20%3C%2FEM%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fcompliance%2Fhow-dlp-works-between-admin-centers%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CEM%3Ethis%20document%3C%2FEM%3E%3C%2FA%3E%3CEM%3E%20to%20understand%20the%20expected%20behavior%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EAdditional%20Resources%3C%2FSTRONG%3E%3CSTRONG%3E%26nbsp%3B%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Faka.ms%2Fmipc%2Fpreviews%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EJoin%20Microsoft%20Information%20Protection%20Preview%20ring%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Faka.ms%2Fmipc%2Ftechcommunity%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EMicrosoft%20Information%20Protection%20Tech%20Communities%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.yammer.com%2Faskipteam%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3EMicrosoft%20Information%20Protection%20Yammer%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Faka.ms%2Fmipc%2Foss%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSTRONG%3EMIP%20%26amp%3B%20Compliance%20One-Stop%20Shop%3C%2FSTRONG%3E%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-2754785%22%20slang%3D%22en-US%22%3E%3CP%3EWith%20the%20evolution%20of%20a%20centralized%20console%20for%20all%20the%20workloads%2C%20it%E2%80%99s%20recommended%20to%20move%20the%20existing%20Exchange%20admin%20center-DLP%20policies%20to%20DLP%20in%20Microsoft%20365%20Compliance%20Center.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22PavanKB_0-1631763835007.png%22%20style%3D%22width%3A%20463px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F310723iFA84A2E7C0B125A9%2Fimage-dimensions%2F463x162%3Fv%3Dv2%22%20width%3D%22463%22%20height%3D%22162%22%20role%3D%22button%22%20title%3D%22PavanKB_0-1631763835007.png%22%20alt%3D%22PavanKB_0-1631763835007.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2754785%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EData%20Loss%20Prevention%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Co-Authors
Version history
Last update:
‎Sep 16 2021 08:30 AM
Updated by:
www.000webhost.com