<#
.DESCRIPTION
Provisions sensitivity labels and the supporting DLP and ETR policies to provide EPMS support under the PSPF.
.NOTES
Assumes the Exchange.ManageAsApp application permission has been consented to on the app registration, and that the Global Administrator role (or a narrower role that carries the required Exchange Online and compliance-center permissions) is assigned to it. Prefer the narrowest role that lets the script succeed: an app registration holding Global Administrator, authenticated by a certificate on the operator's machine, is a high-value credential.
.EXAMPLE
.\Assert-SensitivityLabelsAndPolicies `
-certificateThumbprint 'CFE601DF99EC017EAA19D8853004873B5B46DBBA' `
-appId "07f8ec11-b3e4-4484-8af4-1b02c42f7d4a" `
-tenant "contoso.onmicrosoft.com"
.LINK
https://github.com/rhyspaterson/mip-epms
#>
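#Requires -Modules ExchangeOnlineManagement
param (
    # Application (client) ID of the app registration used for certificate-based authentication.
    [Parameter(Mandatory=$true, ValueFromPipeline=$true)]
    [ValidateNotNullOrEmpty()]
    [string] $appId,
    # Thumbprint of the certificate, held in the local certificate store, that is bound to the app registration.
    [Parameter(Mandatory=$true, ValueFromPipeline=$true)]
    [ValidateNotNullOrEmpty()]
    [string] $certificateThumbprint,
    # Tenant to connect to, e.g. contoso.onmicrosoft.com.
    [Parameter(Mandatory=$true, ValueFromPipeline=$true)]
    [ValidateNotNullOrEmpty()]
    [string] $tenant,
    # Destructive: removes ALL existing labels and policies before provisioning, not only the EPMS ones.
    [Parameter(Mandatory=$false, ValueFromPipeline=$true)]
    [switch] $RemoveExistingLabelsAndPolicies,
    # Block until the service reports pending deletions complete (no upper bound on the wait).
    [Parameter(Mandatory=$false, ValueFromPipeline=$true)]
    [switch] $WaitForPendingDeletions
)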
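# Import our common functions. Resolve them relative to this script file rather than the
# caller's working directory: a working-directory-relative dot-source loads whatever
# .\functions\*.ps1 happens to exist wherever the operator launched from, which both breaks
# runs started from another directory and lets a writable cwd substitute the helpers that
# hold the privileged EXO/SCC calls.
$functionsRoot = Join-Path -Path $PSScriptRoot -ChildPath 'functions'
Try {
    . (Join-Path -Path $functionsRoot -ChildPath 'functions.ps1')
    . (Join-Path -Path $functionsRoot -ChildPath 'configuration.ps1')
} Catch {
    # Double-quoted so the exception detail actually expands; the single-quoted original
    # emitted the literal text "$_.Exception" instead of the failure reason.
    Throw "Could not import pre-requisites ($($_.Exception.Message))."
}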
# Connect to EXO and SCC via certificate and app registration. Disconnect any existing sessions for good measure.
$connection = @{
    CertificateThumbprint = $certificateThumbprint
    AppId                 = $appId
    Tenant                = $tenant
}
Assert-ServiceConnection @connection
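# Trash everything prior, useful in building the full configuration state.
# NOTE(review): this is unconfirmed and tenant-wide (every label and policy, not only the EPMS
# set); the only guard is the switch itself.
if ($RemoveExistingLabelsAndPolicies) {
    Write-Log -Message "Removing all exisitng labels and policies" -Level 'Warning'
    Remove-AllLabelsAndPolicies
}
# Wait for pending deletions, useful if you want to re-use the same name for some objects.
if ($WaitForPendingDeletions) {
    Write-Log -Message "Waiting for pending label and policy deletions. This can take a very long time."
    $pollIntervalSeconds = 30
    $deletionStatus = Get-PendingLabelAndPolicyDeletionStatus
    # Poll until the service reports completion. The status is re-queried only after the sleep,
    # so a 'completed' answer is acted on immediately instead of being logged as pending and
    # followed by one more needless 30-second wait. There is no upper bound on this loop; the
    # operator opts into that by passing the switch.
    while ($deletionStatus -ne 'completed') {
        Write-Log -Message "Deletion status still pending. Querying again in 30 seconds."
        Start-Sleep -Seconds $pollIntervalSeconds
        $deletionStatus = Get-PendingLabelAndPolicyDeletionStatus
    }
}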
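$labels = Get-EPMSLabels
$labelPolicies = Get-EPMSLabelPolicies
# Enumerate the configuration and provision our labels, auto-labelling policies, and dlp policies.
foreach ($label in $labels) {
    Write-Log -Message "Enumerating label: $($label.Identifier)" -Level 'Success'
    # Configure the sensitivity labels.
    Assert-EPMSLabel `
        -LabelDisplayName $label.LabelDisplayName `
        -Tooltip $label.Tooltip `
        -DocumentMarkingText $label.DocumentMarkingText `
        -Hierarchy $label.Hierarchy `
        -ParentLabelDisplayName $label.ParentLabel `
        -EncryptionEnabled $label.Encrypted
    # Parent labels are containers only; the mail-flow plumbing below applies to child labels.
    if ($label.Hierarchy -ne 'IsParent') {
        # Configure the auto-labeling policies and rules to apply labels to inbound mail.
        Assert-AutoSensitivityLabelPolicyAndRule `
            -Identifier $label.Identifier `
            -LabelDisplayName $label.LabelDisplayName `
            -HeaderRegex $label.HeaderRegex
        # Configure DLP rule to intelligently append the EPMS marking into the subject line.
        Assert-DlpCompliancePolicyAndRule `
            -Identifier $label.Identifier `
            -LabelDisplayName $label.LabelDisplayName `
            -SubjectRegex $label.SubjectRegex `
            -SubjectExample $label.SubjectExample
        # Configure ETR to write the x-protective-marking header based on the sensitivity label.
        Assert-HeaderTransportRule `
            -Identifier $label.Identifier `
            -LabelDisplayName $label.LabelDisplayName `
            -HeaderExample $label.HeaderExample
        # If we're applying encryption, configure rights management on the label. Use the group that the associated policy filters to.
        if ($label.Encrypted) {
            # Rights management is scoped to whatever the label's policy deploys to. Fail loudly when that
            # lookup misses: the original passed a $null DeployTo through, which would provision an
            # encrypted label with no (or the helper's default) rights holders instead of the intended group.
            $encryptionPolicy = $labelPolicies | Where-Object { $_.Identifier -eq $label.LabelPolicy }
            if ((-not $encryptionPolicy) -or (-not $encryptionPolicy.DeployTo)) {
                Throw "Label '$($label.Identifier)' is encrypted but its policy '$($label.LabelPolicy)' was not found or has no DeployTo target."
            }
            Assert-LabelEncryption `
                -LabelDisplayName $label.LabelDisplayName `
                -DeployTo $encryptionPolicy.DeployTo
        }
    }
    Write-Log -Message ""
}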
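# Enumerate the configuration and provision our client side/manual labelling policies.
foreach ($policy in $labelPolicies) {
    Write-Log -Message "Enumerating policy: $($policy.Identifier)" -Level 'Success'
    # Every label whose LabelPolicy points at this policy is published through it.
    $policyLabels = ($labels | Where-Object { $_.LabelPolicy -eq $policy.Identifier }).LabelDisplayName
    if (-not $policyLabels) {
        # A policy with no labels publishes nothing to its DeployTo scope; surface the configuration
        # gap instead of creating the empty policy silently. Provisioning still proceeds as before.
        Write-Log -Message "Policy $($policy.Identifier) has no labels mapped to it." -Level 'Warning'
    }
    # Configure the sensitivity label policy.
    Assert-EPMSLabelPolicy `
        -DisplayName $policy.DisplayName `
        -Labels $policyLabels `
        -DeployTo $policy.DeployTo
    Write-Log -Message ""
}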
# Now that the child labels are attached, strip the temporary ' [parent]' name from our parent labels so they look pretty.
$parentLabels = $labels | Where-Object { $_.Hierarchy -eq 'IsParent' }
foreach ($parentLabel in $parentLabels) {
    Write-Log -Message "Validating display name of parent label $($parentLabel.LabelDisplayName)."
    # Single-quoted so the trailing '$' anchor is unambiguously literal to the regex, not PowerShell.
    Remove-StringFromLabelName -LabelDisplayName $parentLabel.LabelDisplayName -RegularExpression '\s\[Parent\]$'
}
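# Create the ETR to strip encryption for mail sent to trusted domains.
# This rule is the one place the script deliberately removes encryption, so the domain list
# returned by Get-EPMSDomains is the security boundary: review it before running in a tenant.
$authorisedDomains = Get-EPMSDomains
try {
    if (-not $authorisedDomains) {
        # Fail closed. How the helper builds its predicate from an empty list is not visible here;
        # a decryption rule with no trusted-domain condition is at best a no-op and at worst over-broad.
        Throw 'Get-EPMSDomains returned no trusted domains; refusing to create the decryption transport rule.'
    }
    Assert-DecryptionTransportRule -TrustedDomains $authorisedDomains
} finally {
    # Disconnect even if rule creation throws, so no privileged EXO/SCC session is left behind.
    Assert-ServiceConnection -Disconnect
}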