Skip to content

Fix: remove StopPolicyProcessing from custom AI app DLP rules#16

Open
inwafula wants to merge 1 commit into
microsoft:mainfrom
inwafula:fix/remove-stop-policy-processing-from-aiapp-rules
Open

Fix: remove StopPolicyProcessing from custom AI app DLP rules#16
inwafula wants to merge 1 commit into
microsoft:mainfrom
inwafula:fix/remove-stop-policy-processing-from-aiapp-rules

Conversation

@inwafula

Copy link
Copy Markdown

Summary

Remove StopPolicyProcessing = $true from the rule parameters in both AI-app DLP samples. This parameter is only supported for Exchange and Teams workloads. When the policy uses EnforcementPlanes = @(""Application"") (the only mode these samples cover), New-DlpComplianceRule rejects the parameter with:

Using the 'StopPolicyProcessing' parameter is supported only for Exchange, Teams. Either remove this parameter or turn on only Exchange, Teams.

The rule-creation step therefore fails every time either sample is run as-published. The policy gets created successfully (step 3) but the rule creation (step 4) fails, leaving a policy with no rules and no DLP enforcement — a silent failure that's easy to miss until you exercise the custom AI app and find no upload/download blocking happens.

Files changed

  • DLPforCustomAIApps/Create-DlpPolicyForCustomAIApps.ps1 — line 160
  • AWSBedrock/create_purview_dlp_policy_customer_sample.ps1 — line 152

Reproduction (before the fix)

New-DlpComplianceRule -Name '...' -Policy '...' @ruleParams
# |Microsoft.Exchange.Management.UnifiedPolicy.ErrorIncorrectSupportedPredicateLocationsException|
# Using the 'StopPolicyProcessing' parameter is supported only for Exchange, Teams.

Verification (after the fix)

Get-DlpComplianceRule -Identity 'Block PII upload and download on AWS-App v2' |
    Select-Object -ExpandProperty RestrictAccess
# Setting      Value
# UploadText   Block
# DownloadText Block

protectionScopes/compute for the user now returns an evaluateInline scope for downloadText against the scoped Entra app, which lets the Microsoft Graph processContent call return policyActions containing restrictAccess on response content that matches the configured SITs.

Scope of change

  • No behavioral change for any other parameter.
  • No changes to the README, function signatures, or sample configuration knobs.
  • One line removed in each of two files; no additions.

StopPolicyProcessing is only supported for Exchange and Teams workloads.
When the DLP policy uses EnforcementPlanes = @("Application") (the entire
purpose of these samples), New-DlpComplianceRule rejects the parameter with:

  Using the 'StopPolicyProcessing' parameter is supported only for Exchange, Teams.
  Either remove this parameter or turn on only Exchange, Teams.

This causes the rule-creation step to fail every time either sample is run
as-published. The policy gets created (step 3 succeeds) but the rule
creation (step 4) fails, leaving a policy with no rules and therefore no
DLP enforcement -- a silent failure that's easy to miss until you test the
custom AI app and find no upload/download blocking happens.

Reproduced against tenant in us-east-1 with the AWSBedrock sample and an
Entra app registration. Removing the line allows New-DlpComplianceRule to
succeed and produces the intended UploadText=Block + DownloadText=Block
rule under the Application enforcement plane (verified with
protectionScopes/compute returning an evaluateInline scope for
downloadText after the fix).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant