Real World Solutions – The Case of DLP Event Tracking


In one of my projects, the customer is planning on using Office 365 DLP.  However, they have a third party company who manages the front-line investigation for violations.  The customer needs a way to allow a non-employee enough access to do their initial discovery and track it.

The first attempt was to use the out-of-box alerts in the Security & Compliance center.


There were a few challenges with this feature – the main one being no apparent way to restrict access to the DLP event only.  The other was no way to input comments or use this as a tracking system.

It got me thinking (or, as we say in consulting, doing ideation) on how to solve this. One good solution for tracking things is SharePoint.  So, we need a way to get the alert information (either in email, or through the event API) to SharePoint.  Not wanting to create a whole application to make this work – there must be a way for a power-user to wire up applications.  And of course, there is – Microsoft Flow.  Microsoft Flow is a cloud-based service that makes it practical and simple for line-of-business users to build workflows that automate time-consuming business tasks and processes across applications and services. It’s comparable to a service like IFTTT (If This Then That), but tightly integrated with Office 365.

With Flow being the glue – the overall solution is:

  1. Configure the DLP policy to send notifications to a mailbox
  2. Create a custom SharePoint list to track DLP events
  3. Configure Flow to populate the list with the DLP event information from email

Now I’ll walk through each step to understand the configuration.

Configuring the DLP Policy

The first step is to configure your DLP rule to send a notification email to a mailbox. In this example, in the Security & Compliance Center, I edited an existing DLP policy.


Note you can control the information that is included if you do not want some content to be in the alert.

Configure SharePoint

Next, we’ll configure the SharePoint list.  Again, I’m assuming you have basic knowledge of creating a SharePoint team site.  For our example, I only added a ‘status’ field – which is a choice of open, investigating, resolved, and closed.  I could see adding fields for comments, or more date fields for tracking time to resolution.  The point here is we’ll be able to pre-populate some of the fields using Flow. Additionally, you can set up the security and permissions for your analysts.


Configure Flow

On the newly created list, click the ‘Flow’ button to create a new flow. I find it easiest to choose ‘See your flows’.  From the Manage your flows page, you can ‘create from blank’.


From there click on ‘search hundreds of connectors and triggers’.

I’ll break down the flow into its parts.

  1. When new mail arrives (Outlook).  Ensure you change the Has Attachments and Include Attachments to ‘Yes’.


2. Export email.  You would think we would be able to use the attachments flow functionality out of the box.  However, the item that is attached to the system generated notification is an embedded message (NOT an eml).  The attachment connector does not currently know how to parse this – so the workaround is to use the preview Export email feature.


3. Create Item (SharePoint).  This step creates the list item in the custom list we defined.  It will recognize any custom properties you created – in this case ‘Status Value’.  I set the new list item to ‘Open’ by default.  You can also see in the Title property – we can combine functions with text as well.  For example, the utcNow() function could be used to set a date property…or you could set an SLA and calculate the estimated time for closure.


4. Add Attachment (SharePoint)

The final step is adding the email attachment to the list item’s attachment.  The key is the File Content field – make sure you choose the Body from the Export flow.


We need to include the Body coming from the Export Email, not the body coming from the new email trigger.


That’s it. The next time the notification mailbox receives an email, the Flow will trigger.

The Results

You can see in the screenshot someone sent an email with a DLP violation.  This results in a new item in my SharePoint list, with the status set to open, and the original attachment is included on the list item.
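For the analyst who picks up the list item, here is an added example (not part of the original post) that reads the attached file without opening it in a mail client. It assumes the Export email output is standard MIME (.eml) and that the embedded original item appears in it as a `message/rfc822` part; the sample message, addresses and file name are constructed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage


def embedded_messages(eml_bytes):
    """Summarise every message/rfc822 part found in an exported .eml file."""
    outer = message_from_bytes(eml_bytes, policy=policy.default)
    found = []
    for part in outer.walk():  # walk() also descends into embedded messages
        if part.get_content_type() != "message/rfc822":
            continue
        inner = part.get_content()  # the embedded message as an EmailMessage
        found.append({
            "from": str(inner.get("From", "")),
            "to": str(inner.get("To", "")),
            "subject": str(inner.get("Subject", "")),
            # File names only: attachment bodies are never decoded or opened.
            "attachments": [a.get_filename() for a in inner.iter_attachments()],
        })
    return found


def build_sample():
    """Constructed stand-in for the file the Flow attaches to the list item."""
    original = EmailMessage()
    original["From"] = "user@contoso.example"
    original["To"] = "partner@fabrikam.example"
    original["Subject"] = "Q3 customer list"
    original.set_content("See attached.")
    original.add_attachment(b"name,card\n", maintype="text", subtype="csv",
                            filename="customers.csv")

    notice = EmailMessage()
    notice["From"] = "dlp-notify@contoso.example"
    notice["To"] = "dlp-triage@contoso.example"
    notice["Subject"] = "DLP notification (constructed sample)"
    notice.set_content("A DLP rule matched. The original item is attached.")
    notice.add_attachment(original)  # stored as a message/rfc822 part
    return notice.as_bytes()


if __name__ == "__main__":
    for item in embedded_messages(build_sample()):
        print(item)
```

An empty result means the file has no embedded message, which is what you would see if the Body from the new email trigger was attached instead of the Body from Export email.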


I’m excited that we’re able to solve this for the customer – this is a really elegant, and relatively easy solution that didn’t require custom code.

Consulting 101


Lately, I’ve been working with a lot of new hires – many are college hires with zero real world experience. I occasionally get an opportunity to mentor them, or sometimes it’s a consultant struggling on the job.  Mentoring people is something I have done on and off during my almost 20 year career at Microsoft and I enjoy it.  The good news is that I’ve made a lot of mistakes in my career, so you don’t have to, and I share them without hesitation.

Here are the top 3 things I tell new consultants to master first.

1. Deliver on What You Promise


This is easily my #1 rule.  If you make a promise to do something, do it.  Don’t make the mistake of overpromising with just the hope of delivering.  If you fail to deliver, it destroys the trust and confidence people have in you.  You are far better off setting realistic expectations and meeting them.  It’s fine to set a ‘stretch goal’ and be clear it’s not what you are committing to.  If you find that you are likely unable to meet your commitment – let everyone know as soon as possible to reset expectations.  You probably can do this once.

2. Don’t Go Dark


This easily goes in the top three delivery sins.  For some reason a consultant just disappears – they don’t tell the customer, their manager, or the project manager. Emergencies do happen, that is understandable, but I’m referring to someone who does this repeatedly.  I’ve not had a customer ever complain of over-communication in this scenario.  These days we have to manage multiple active projects, so it’s important to set expectations up front like availability, working hours, response time for emails, etc.  I can only guess why this happens – for me it’s usually due to an uncomfortable situation.  Not responding or being clear actually just makes matters worse.  People may not like your answer, but they will be much more upset if you don’t respond and they think you are in agreement.

3. Documentation

The final tip is to document everything.  You never know what the future holds – project owners change, things fail well after the project ends, personality conflicts, and honest miscommunications. The only thing you will have to defend a decision or work you did will be a written record. As much as I hate to write status reports – these are critical to chronicle decisions, risks, work completed and other project information.  If you have a decision made over a phone call or in a meeting, follow up with an email summarizing and ask for confirmation this was what was said or agreed to.  Plan for the time it takes to deliver some form of documentation for any work you do.  Sometimes on really short engagements it’s easy to walk away without ever handing the customer any documentation. Even if it’s some notes from meetings, clean them up and socialize them.

I learned this the hard way on a project that went sideways, and when they brought in “the Wolf” to fix things – I had no documentation or status reports.  I could have had all of my hours stripped away – which ultimately would have made me miss my delivery targets and put my job in jeopardy.

Get Started

That’s it.  If you can at least do these three things you will have established good habits that will serve you well.  Once you are consistently delivering – we’ll cover some other habits in a future post.

Bonus Homework

I just completed a course on Coursera: Presentation skills: Speechwriting and Storytelling (a great class by Alexei Kapterev, who authored ‘Death by PowerPoint’).  In one of the section resources was a link to a video of Mike Monteiro’s Keynote from a design conference (forewarned, Mike uses colorful language).  In his presentation he talks about the top mistakes designers make – and many of these are really applicable to consulting as well.  Once you make it past my top three – I would check his content for some more great tips.