Office 365 QA/Dev Tenant – Part 3

Documenting settings and items to carry over to the QA tenant can be daunting. In the SCC there are 65 GET commands alone. Now that does not mean that every setting or every compliance case or every item needs to be carried over. However, if it is something that is important to your organization and it needs to be tested, then by all means document and copy these settings to the QA Office 365 tenant.

Import Items

In terms of what to copy, some of the more important configuration items will be:

  • Labels and Label Policies
  • Compliance Cases
  • Device Policies
  • DLP Rules and Policies
  • Compliance Holds
  • Retention Compliance Policies and Rules
  • Security configuration

Again, the list isn’t meant to be comprehensive, but these are items that we can cover with PowerShell and, hopefully, document well enough to reproduce them in the QA tenant.

Sample Information Gathering

In this section we’ll cover two examples of items that can be documented in your Office 365 tenant. These two examples were pulled from a larger set of scripts. The intended purpose is to provide a sample guide on how information can be gathered in preparation for copying the information to a new tenant.

Labels and Label Policies

Let’s start by working with two cmdlets – ‘Get-Label’ and ‘Get-LabelPolicy’

Each of your labels contains numerous fields and we can decide to pull just some or all of them. Perhaps the easiest way to handle this data is to export all of the labels and label policies to CSV files. This would make rebuilding and referencing configuration setups much easier. To do so, we need the Export-CSV cmdlet along with the ‘-NoTypeInformation’ parameter, which cleans up the header output of the CSV file. Each would be documented like so:

Get-Label | Export-Csv c:\Labels.csv -NoTypeInformation
Get-LabelPolicy | Export-Csv c:\LabelPolicies.csv -NoTypeInformation

Now we have CSV files that look like this:
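
One caveat with these exports, shown as an added example that is not from the original post: Export-Csv writes a type name (for example System.Object[]) in place of the contents of any multi-valued property, so values needed to rebuild a label or policy can be lost. The ConvertTo-FlatRecord helper and the sample object's property names are assumptions made for illustration.

```powershell
# Added example: flatten multi-valued properties before exporting to CSV.
function ConvertTo-FlatRecord {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$InputObject,
        [string]$Delimiter = ';'
    )
    process {
        $flat = [ordered]@{}
        foreach ($prop in $InputObject.PSObject.Properties) {
            $value = $prop.Value
            if ($null -eq $value) {
                $flat[$prop.Name] = ''
            }
            elseif ($value -is [string] -or $value -is [ValueType]) {
                # Scalars (text, numbers, booleans, GUIDs, dates) export cleanly as-is
                $flat[$prop.Name] = $value
            }
            elseif ($value -is [System.Collections.IDictionary]) {
                # Key/value settings: keep the structure as compact JSON
                $flat[$prop.Name] = $value | ConvertTo-Json -Compress -Depth 5
            }
            elseif ($value -is [System.Collections.IEnumerable]) {
                # Lists: join the items into one delimited cell
                $flat[$prop.Name] = @($value | ForEach-Object { "$_" }) -join $Delimiter
            }
            else {
                $flat[$prop.Name] = "$value"
            }
        }
        [pscustomobject]$flat
    }
}

# Constructed sample standing in for one policy object (property names are illustrative)
$sample = [pscustomobject]@{
    Name     = 'QA-Policy'
    Enabled  = $true
    Labels   = @('Confidential', 'Internal')
    Settings = @{ mandatory = 'true' }
    Comment  = $null
}

# Compare the default CSV text with the flattened version
$sample | ConvertTo-Csv -NoTypeInformation
$sample | ConvertTo-FlatRecord | ConvertTo-Csv -NoTypeInformation

# Against a tenant the same helper slots into the export pipeline:
# Get-LabelPolicy | ConvertTo-FlatRecord | Export-Csv c:\LabelPolicies.csv -NoTypeInformation
```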

Sensitive Information types

Sensitive Information Types will also need to be documented from the Security and Compliance Center, and as they are part of the Labels section of the SCC, we’ll document them here:

Get-DlpSensitiveInformationType will display all Sensitive Information Types that have been defined in the Security and Compliance Center. This includes all the types that are predefined by Microsoft.

If there are any others that are defined and we need to document just those, we need to filter out the Microsoft ones. We can do so by looking at all DLP Sensitive Information Types and filtering for any that do not have Microsoft Corporation as their publisher:

Get-DlpSensitiveInformationType | where {$_.Publisher -ne 'Microsoft Corporation'}

From here we can use the information above to export the XML files which make up the custom sensitive information types. It is possible you already have these XML files stored somewhere, but if you do not, we can export them using guidance from this article:

First we can start off with our list of sensitive information types:

Id                                   Name                          Publisher     Type
--                                   ----                          ---------     ----
1fc4e0c3-62cd-4886-8a58-ec8bbb793eec test                          Damian Scoles Fingerprint
aef38428-a35d-489a-8568-bc1440643ab1 Community Bank Account Number Damian Scoles Entity
791b1558-a0aa-49e4-bc31-e03b24d43e73 ConfidentialInformation       Damian Scoles Entity

Using the ID above, we can then store the entire item in a variable like so:

$RuleCollections = Get-DlpSensitiveInformationTypeRulePackage 6B4E981B-0D62-4423-B660-86603107AF7E

Then we can take the $RuleCollections variable and use it to extract the XML values like so:

$Destination = "c:\SCC\XML\ExportedRule.xml"
Set-Content -path $Destination -Encoding Byte -Value $ruleCollections.SerializedClassificationRuleCollection

If we look over the XML file it produced, we see this:

If we want to get each of the Sensitive Information Types and export them to separate XML files to be referenced later, we can use this simple PowerShell code:

$SensitiveInformationTypes = Get-DlpSensitiveInformationType | Where {$_.Publisher -ne 'Microsoft Corporation'}
Foreach ($SensitiveInformationType in $SensitiveInformationTypes) {
	# Use the Id of the current item, not of the whole collection
	$Identity = $SensitiveInformationType.Id
	$RuleCollections = Get-DlpSensitiveInformationTypeRulePackage $Identity
	# One XML file per sensitive information type, named after its Id
	$Destination = "c:\SCC\XML\ExportedRule-"+"$Identity"+".xml"
	Set-Content -path $Destination -Encoding Byte -Value $RuleCollections.SerializedClassificationRuleCollection
}

To help keep clear what each of these types does, we can export them to a CSV file for later evaluation:

Get-DlpSensitiveInformationType | Where {$_.Publisher -ne 'Microsoft Corporation'} | Export-Csv -NoTypeInformation c:\scc\xml\all.csv
