Discover and control standardized forms in Microsoft 365 with Document Fingerprinting

Most organizations have one or more standard digital forms that might be (at least intermittently) handled in Microsoft 365 services. They often serve to enable standardized data collection and archival as part of business processes for request approvals, data entry and other purposes. In many cases, these forms can contain at least partly unpredictable types of sensitive information that shouldn't be intentionally or accidentally exposed to unauthorized parties.

Microsoft Purview helps mitigate this risk by giving you the option to implement custom sensitive information types (SITs) based on something called Document Fingerprints. A fingerprint of a form lets you identify filled instances of the form across Microsoft 365 and endpoints regardless of the filled contents of each unique instance of the form.

Right now, SITs based on document fingerprints can be leveraged in Data Loss Prevention policy rules for Exchange Online and in Exchange Online mail flow rules.

This capability will be expanded in the upcoming weeks (UPDATE: now pushed back to December CY2022 for the preview and March CY2023 for GA) to also work in SharePoint Online, OneDrive, Teams - and crucially, on endpoints in various scenarios (printing, transfer to USB, third-party web services etc.) through Endpoint DLP.

Let's cook up a demo to illustrate this concept.

Step 1 - Create a fingerprint-based SIT

I threw together a simple mockup of a PDF form for this demonstration. Here's what it looks like:

With our form file ready and accessible on a local computer, we'll take the following steps, illustrated in the following screenshot, and described below:

  1. Connect to the Security & Compliance PowerShell with a sufficiently privileged admin account
  2. Gather the contents of an unfilled standardized form as raw data
  3. Create a fingerprint from the gathered data
  4. Create a custom Sensitive Information Type using the fingerprint

A few notes:

  • File type support for fingerprint creation isn't limited to PDFs. It works with the same file types as Exchange Online mail flow rule content inspection. Word, Excel, PowerPoint, and HTML file types are supported, as are many others.
  • Document fingerprints themselves aren't managed independently in Microsoft 365 and will only be stored with the Sensitive Information Type once one is created using them. This means the steps to create a fingerprint-based SIT must be taken within a single PowerShell session.
  • When creating a new fingerprint from a form, the form isn't stored in Microsoft 365. Instead, a hash of its contents is created, which is then used by the DLP engine. You can read a more in-depth technical deep dive in Docs if you wish.
  • You are only allowed one fingerprint per unique source form. If you try to create a sensitive information type using a new fingerprint that is identical to one you defined before, the old one will be used instead. This is good since it helps keep things manageable and avoids unnecessary duplication of fingerprints.
  • You can also use more than one fingerprint to create a single custom Sensitive Information Type. This allows you to bundle several related document fingerprints into a single SIT that you can then leverage to effectively implement the necessary controls and protections. As an idea, you could add fingerprints for a single form but for more than one different supported file type (like .docx and .pdf versions of the same form) in one SIT to make sure the form is detected.
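Here is an added example script that carries out the four steps above in one Security & Compliance PowerShell session and, following the last note, bundles the PDF and DOCX versions of one blank form into a single SIT. It is not the article's own script; the admin account, file paths, and SIT name are placeholders, while the cmdlets (Connect-IPPSSession, New-DlpFingerprint, New-DlpSensitiveInformationType, Get-DlpSensitiveInformationType) are the documented ones from the ExchangeOnlineManagement module.

```powershell
# Added example, not from the original article. Assumed values: the admin UPN,
# the form file paths, and the SIT name/description.

# Step 1 - connect to Security & Compliance PowerShell with a privileged account.
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'   # placeholder account

# Step 2 - read each blank (unfilled) form as raw bytes. ReadAllBytes works in both
# Windows PowerShell 5.1 and PowerShell 7; Get-Content -Encoding Byte is 5.1-only.
$formFiles = [ordered]@{
    'Expense claim form (PDF)'  = 'C:\Forms\ExpenseClaim.pdf'    # placeholder path
    'Expense claim form (DOCX)' = 'C:\Forms\ExpenseClaim.docx'   # placeholder path
}

# Step 3 - create one fingerprint per file. Fingerprints only exist in this session
# until a SIT references them, so steps 3 and 4 must run without disconnecting.
$fingerprints = foreach ($entry in $formFiles.GetEnumerator()) {
    $bytes = [System.IO.File]::ReadAllBytes($entry.Value)
    New-DlpFingerprint -FileData $bytes -Description $entry.Key
}

# Step 4 - create a single custom SIT that holds both fingerprints, so the form is
# detected whichever file type a user happens to send.
New-DlpSensitiveInformationType `
    -Name 'Contoso Expense Claim Form' `
    -Description 'Blank expense claim form, PDF and DOCX versions' `
    -Fingerprints $fingerprints

# Verify the result; the same SIT appears in the Purview portal with type Fingerprint.
Get-DlpSensitiveInformationType -Identity 'Contoso Expense Claim Form' |
    Format-List Name, Publisher, Description
```

Only the fingerprint (a hash of the blank form's contents) leaves your machine; the form file itself is never uploaded. Rerunning the script with the same blank form produces an identical fingerprint, and the service reuses the existing one rather than creating a duplicate.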

After creating the fingerprint-based SIT in PowerShell, we can also verify the results in the Purview portal. There we'll see our new SIT with the type identified as Fingerprint.

Currently all matches for a Fingerprint-based SIT get the confidence level of Low. This is good to notice for later.

Step 2 - Leverage the SIT

Now that we have our SIT, let's put it to work by using it in a Data Loss Prevention policy to control external sharing of any forms matching the fingerprint.

For brevity, I'll assume you're familiar with the general concept of Data Loss Prevention and move on to defining a DLP policy rule. Let's create a DLP policy scoped to Exchange Online and build a new rule in the policy.

For conditions, we will set the rule to look for documents containing the fingerprint-based SIT that are also shared with external recipients. Low confidence (as I noted previously) and a minimum instance count of one are enough here.

For actions, let's make the DLP rule restrict external recipients from receiving emails containing any documents matching the fingerprint. This will still let internal sharing take place to avoid disrupting business processes.

For user notifications, we will compose customized notification email and policy tip texts to make sure affected end users understand why restrictions are being applied.

If we wanted to, we could also allow internal users to override the restrictions by providing a justification. In our case, this is not necessary.

With that, we can save the DLP rule and create and turn on the policy to allow testing.
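The same Exchange Online DLP policy and rule, built in the portal in the steps above, can be expressed in Security & Compliance PowerShell. The following is an added example, not the article's own configuration: the SIT name, policy and rule names, and notification texts are assumptions, and the cmdlets are the documented New-DlpCompliancePolicy, New-DlpComplianceRule, and Set-DlpCompliancePolicy. It starts the policy in test mode so matches are logged and policy tips shown without blocking anything, which is the safe way to check for production impact before enforcing.

```powershell
# Added example, not from the original article. Assumed: SIT name, policy/rule
# names, notification texts, and the admin UPN.

Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'   # placeholder account

$sitName    = 'Contoso Expense Claim Form'    # the fingerprint-based SIT created earlier
$policyName = 'Protect fingerprinted forms'

# Policy scoped to Exchange Online only. TestWithNotifications logs matches and
# shows policy tips but does not enforce the block action yet.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Blocks external email sharing of standardized forms' `
    -ExchangeLocation All `
    -Mode TestWithNotifications

# Rule conditions: the fingerprint SIT is present (Low confidence = 65, at least one
# instance) AND the content is shared with recipients outside the organization.
# Action: block access for that message. Internal sharing is unaffected.
New-DlpComplianceRule -Name 'Block external sharing of forms' `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = $sitName; minCount = '1'; minConfidence = '65' } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText 'This attachment is a standardized company form and must not be sent outside the organization.' `
    -NotifyEmailCustomText 'Your email was blocked because it contained a standardized company form addressed to an external recipient.' `
    -NotifyAllowOverride None

# Once Activity Explorer shows only the matches you expect, enforce the policy.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Because fingerprint SITs currently match only at Low confidence, setting minConfidence any higher than 65 would make the rule never fire; that is the practical reason for the confidence note in Step 1. If you later want internal users to be able to override with a justification, change -NotifyAllowOverride to WithJustification.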

Step 3 - Evaluate the outcome

I recommend waiting for ~30 minutes after policy creation before testing to make sure the necessary backend processes have had time to run on Microsoft's end.

We can verify the effects of our policy by creating a filled version of our fingerprinted document and then attempting to send it to an external recipient. Here's the one I used - it's a bit tongue-in-cheek, forgive me.

I opened Outlook on the web and composed an email addressed to an external recipient. Then, I attached the filled form. Within a few seconds, the custom policy tip was triggered, informing me of company policy regarding the attached form.

If I neglected the policy tip and sent the email anyway, DLP restrictions took over. The email was blocked from being sent to the external recipient and in a few moments, I received a custom email notification saying as much.

The suggested replies from Microsoft gave me a chuckle - "I was hacked", indeed.

This and any other DLP rule match events are easily searchable through Activity Explorer in the Purview portal. Here's an example of what a similar fingerprint SIT based DLP rule match looks like there:

You can use these logged DLP rule matches to identify recurring real-life external sharing scenarios for fingerprinted forms before implementing any restrictions to make sure your DLP implementation doesn't mess with production processes or otherwise unnecessarily disrupt user experiences.

Conclusion

Document fingerprinting is a powerful discovery tool even if you don't leverage it to apply Data Loss Prevention, mail flow rules or other technical controls. I recommend that any organization get started by fingerprinting their commonly used, standardized forms as Sensitive Information Types, so that it becomes possible to build visibility into the locations and movements of these forms in your Microsoft 365 tenant. As I like to say: you cannot protect what you don't know about.

The imminently available enhancements and boosted workload support - for SharePoint Online and Endpoints especially, I feel - will serve to provide further value to any organization using (or thinking of using) this capability.

As an idea to illustrate upcoming possibilities, you should soon be able to leverage Endpoint DLP to restrict users with managed workstations from transferring fingerprinted forms to unapproved (or any!) USB drives and third-party network services, while also controlling whether these forms can be printed out to paper.

That's all for now - have a nice summer!

More articles by Tatu Seppälä