Fix: remove StopPolicyProcessing from custom AI app DLP rules#16
Open
inwafula wants to merge 1 commit into
Open
Fix: remove StopPolicyProcessing from custom AI app DLP rules#16inwafula wants to merge 1 commit into
inwafula wants to merge 1 commit into
Conversation
StopPolicyProcessing is only supported for Exchange and Teams workloads.
When the DLP policy uses EnforcementPlanes = @("Application") (the entire
purpose of these samples), New-DlpComplianceRule rejects the parameter with:
Using the 'StopPolicyProcessing' parameter is supported only for Exchange, Teams.
Either remove this parameter or turn on only Exchange, Teams.
This causes the rule-creation step to fail every time either sample is run
as-published. The policy gets created (step 3 succeeds) but the rule
creation (step 4) fails, leaving a policy with no rules and therefore no
DLP enforcement -- a silent failure that's easy to miss until you test the
custom AI app and find no upload/download blocking happens.
Reproduced against tenant in us-east-1 with the AWSBedrock sample and an
Entra app registration. Removing the line allows New-DlpComplianceRule to
succeed and produces the intended UploadText=Block + DownloadText=Block
rule under the Application enforcement plane (verified with
protectionScopes/compute returning an evaluateInline scope for
downloadText after the fix).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Remove
StopPolicyProcessing = $truefrom the rule parameters in both AI-app DLP samples. This parameter is only supported for Exchange and Teams workloads. When the policy usesEnforcementPlanes = @(""Application"")(the only mode these samples cover),New-DlpComplianceRulerejects the parameter with:The rule-creation step therefore fails every time either sample is run as-published. The policy gets created successfully (step 3) but the rule creation (step 4) fails, leaving a policy with no rules and no DLP enforcement — a silent failure that's easy to miss until you exercise the custom AI app and find no upload/download blocking happens.
Files changed
DLPforCustomAIApps/Create-DlpPolicyForCustomAIApps.ps1— line 160AWSBedrock/create_purview_dlp_policy_customer_sample.ps1— line 152Reproduction (before the fix)
Verification (after the fix)
protectionScopes/computefor the user now returns anevaluateInlinescope fordownloadTextagainst the scoped Entra app, which lets the Microsoft GraphprocessContentcall returnpolicyActionscontainingrestrictAccesson response content that matches the configured SITs.Scope of change