manage_dlp_policies
Configure Data Loss Prevention policies to protect sensitive information in Exchange, SharePoint, OneDrive, and Teams by creating, updating, and managing rules and settings.
Instructions
Manage Data Loss Prevention policies to protect sensitive data across Exchange, SharePoint, OneDrive, and Teams.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| action | Yes | DLP policy management action | |
| policyId | No | DLP policy ID | |
| name | No | Policy name | |
| description | No | Policy description | |
| locations | No | Policy locations | |
| rules | No | Policy rules configuration | |
| settings | No | Policy settings | |
Implementation Reference
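- src/handlers/dlp-handler.ts:6-79 (handler)Core handler function implementing DLP policy management (list, get, create, update, delete, test) using Microsoft Graph beta API endpoints.
/** Graph beta collection that holds tenant DLP policies. */
const DLP_POLICIES_PATH = '/beta/security/dataLossPreventionPolicies';

/**
 * Executes one DLP policy management action against Microsoft Graph (beta).
 *
 * @param graphClient - Authenticated Graph client used for every API call.
 * @param args - Validated tool arguments; `action` selects the branch and the
 *   remaining fields are read only where that branch needs them. `locations`
 *   and `rules` are accepted by the input schema but are not sent to Graph by
 *   this handler (they are modelled on rules, not on the policy resource), so a
 *   policy created here carries no rules until they are added separately.
 * @returns MCP text content holding the pretty-printed Graph response, or a
 *   short status object for `delete` and `test`.
 * @throws McpError (InvalidParams) when a required argument is missing or the
 *   action is unknown; Graph client errors propagate unchanged.
 */
export async function handleDLPPolicies(
  graphClient: Client,
  args: DLPPolicyArgs
): Promise<{ content: { type: string; text: string }[] }> {
  let result: unknown;

  switch (args.action) {
    case 'list': {
      result = await graphClient.api(DLP_POLICIES_PATH).get();
      break;
    }

    case 'get': {
      const path = policyPath(requirePolicyId(args, 'get'));
      result = await graphClient.api(path).get();
      break;
    }

    case 'create': {
      if (!args.name) {
        throw new McpError(ErrorCode.InvalidParams, 'name is required for create action');
      }
      // A new policy stays disabled unless the caller explicitly enables it,
      // so creating one never starts enforcing (or blocking) by accident.
      const createPayload = {
        displayName: args.name,
        description: args.description || '',
        status: args.settings?.enabled ? 'enabled' : 'disabled',
        // locations / mode / priority are rule-level properties in Graph and
        // are intentionally not part of the policy payload.
      };
      result = await graphClient.api(DLP_POLICIES_PATH).post(createPayload);
      break;
    }

    case 'update': {
      const path = policyPath(requirePolicyId(args, 'update'));
      // PATCH only the fields the caller supplied. `status` in particular is
      // sent only when `settings.enabled` was given: deriving it from a missing
      // `settings` object would turn an update that merely renames a policy
      // into one that silently disables it.
      const updatePayload: Record<string, unknown> = {};
      if (args.name !== undefined) {
        updatePayload.displayName = args.name;
      }
      if (args.description !== undefined) {
        updatePayload.description = args.description;
      }
      if (args.settings?.enabled !== undefined) {
        updatePayload.status = args.settings.enabled ? 'enabled' : 'disabled';
      }
      result = await graphClient.api(path).patch(updatePayload);
      break;
    }

    case 'delete': {
      const path = policyPath(requirePolicyId(args, 'delete'));
      await graphClient.api(path).delete();
      result = { message: 'DLP policy deleted successfully' };
      break;
    }

    case 'test': {
      const policyId = requirePolicyId(args, 'test');
      // Not implemented against Graph: no request is made and nothing is
      // evaluated. The response only acknowledges the request, so callers
      // must not read it as evidence that the policy was validated.
      result = { message: 'DLP policy test initiated', policyId };
      break;
    }

    default:
      throw new McpError(ErrorCode.InvalidParams, `Invalid action: ${args.action}`);
  }

  return {
    content: [{ type: 'text', text: JSON.stringify(result, null, 2) }],
  };
}

/**
 * Returns `args.policyId` or throws the InvalidParams error for `action`.
 * Centralises the check that get/update/delete/test all perform; the message
 * text is identical to the per-branch messages it replaces.
 */
function requirePolicyId(args: DLPPolicyArgs, action: DLPPolicyArgs['action']): string {
  if (!args.policyId) {
    throw new McpError(ErrorCode.InvalidParams, `policyId is required for ${action} action`);
  }
  return args.policyId;
}

/**
 * Builds the resource path for a single policy. The id is percent-encoded so
 * that a value containing `/`, `?` or `#` still addresses one policy resource
 * rather than reshaping the request path; well-formed Graph ids are unaffected.
 */
function policyPath(policyId: string): string {
  return `${DLP_POLICIES_PATH}/${encodeURIComponent(policyId)}`;
}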
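- src/server.ts:677-697 (registration)MCP server registration of 'manage_dlp_policies' tool, linking dlpPolicySchema input validation to handleDLPPolicies execution with lazy credential validation.// DLP Policy Management - Lazy loading enabled for tool discovery
this.server.tool(
  "manage_dlp_policies",
  "Manage Data Loss Prevention policies to protect sensitive data across Exchange, SharePoint, OneDrive, and Teams.",
  dlpPolicySchema.shape,
  // Kept in sync with the manage_dlp_policies entry in tool-metadata.ts: the
  // tool mutates tenant security configuration (destructive, non-idempotent)
  // and talks to an external service (openWorldHint), so clients can gate it.
  {
    title: "DLP Policy Manager",
    readOnlyHint: false,
    destructiveHint: true,
    idempotentHint: false,
    openWorldHint: true,
  },
  wrapToolHandler(async (args: DLPPolicyArgs) => {
    // Credentials are checked per call rather than at registration so the tool
    // can be listed before any credentials are configured.
    this.validateCredentials();
    try {
      return await handleDLPPolicies(this.getGraphClient(), args);
    } catch (error) {
      // MCP protocol errors pass through unchanged; anything else is wrapped so
      // the client receives a well-formed InternalError rather than a raw exception.
      if (error instanceof McpError) {
        throw error;
      }
      throw new McpError(
        ErrorCode.InternalError,
        `Error executing tool: ${error instanceof Error ? error.message : 'Unknown error'}`
      );
    }
  })
);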
- src/tool-definitions.ts:209-239 (schema)Zod input schema defining parameters for DLP policy operations including action, policyId, rules, conditions, actions, and settings.
/** One match condition inside a DLP rule. */
const dlpRuleConditionSchema = z.object({
  type: z.enum(['ContentContains', 'SensitiveInfoType', 'DocumentProperty', 'MessageProperty']).describe('Condition type'),
  value: z.string().describe('Condition value'),
  operator: z.enum(['Equals', 'Contains', 'StartsWith', 'EndsWith', 'RegexMatch']).optional().describe('Condition operator'),
  caseSensitive: z.boolean().optional().describe('Case sensitive matching'),
});

/** Optional user-facing settings attached to a rule action. */
const dlpRuleActionSettingsSchema = z.object({
  notificationMessage: z.string().optional().describe('Notification message'),
  blockMessage: z.string().optional().describe('Block message'),
  allowOverride: z.boolean().optional().describe('Allow override'),
  overrideJustificationRequired: z.boolean().optional().describe('Override justification required'),
});

/** One enforcement action taken when a rule's conditions match. */
const dlpRuleActionSchema = z.object({
  type: z.enum(['Block', 'BlockWithOverride', 'Notify', 'Audit', 'Quarantine']).describe('Action type'),
  settings: dlpRuleActionSettingsSchema.optional().describe('Action settings'),
});

/** A rule: a named set of conditions and the actions they trigger. */
const dlpRuleSchema = z.object({
  name: z.string().describe('Rule name'),
  conditions: z.array(dlpRuleConditionSchema).describe('Rule conditions'),
  actions: z.array(dlpRuleActionSchema).describe('Rule actions'),
  enabled: z.boolean().optional().describe('Whether rule is enabled'),
  priority: z.number().optional().describe('Rule priority'),
});

/** Policy-level settings. */
const dlpPolicySettingsSchema = z.object({
  mode: z.enum(['Test', 'TestWithNotifications', 'Enforce']).optional().describe('Policy mode'),
  priority: z.number().optional().describe('Policy priority'),
  enabled: z.boolean().optional().describe('Whether policy is enabled'),
});

/**
 * Input schema for the manage_dlp_policies tool.
 *
 * `action` is the only required field; which of the others a given action
 * needs (e.g. `policyId` for get/update/delete/test, `name` for create) is
 * enforced by the handler, not here.
 * NOTE(review): `locations` and `rules` are validated here but the handler in
 * dlp-handler.ts does not forward them to Graph — confirm before relying on them.
 */
export const dlpPolicySchema = z.object({
  action: z.enum(['list', 'get', 'create', 'update', 'delete', 'test']).describe('DLP policy management action'),
  policyId: z.string().optional().describe('DLP policy ID'),
  name: z.string().optional().describe('Policy name'),
  description: z.string().optional().describe('Policy description'),
  locations: z.array(z.enum(['Exchange', 'SharePoint', 'OneDrive', 'Teams', 'Endpoint'])).optional().describe('Policy locations'),
  rules: z.array(dlpRuleSchema).optional().describe('Policy rules configuration'),
  settings: dlpPolicySettingsSchema.optional().describe('Policy settings'),
});
- src/types/dlp-types.ts:2-14 (helper)TypeScript interface defining the input arguments structure for DLP policy handler, used for type safety and IDE support.
/**
 * Arguments accepted by `handleDLPPolicies`.
 *
 * Mirrors the fields of `dlpPolicySchema`; `action` is the only required
 * member, and which optional members an action needs is checked by the handler.
 */
export interface DLPPolicyArgs {
  /** Operation to perform. */
  action: 'list' | 'get' | 'create' | 'update' | 'delete' | 'test';
  /** Target policy; required by the handler for get/update/delete/test. */
  policyId?: string;
  /** Display name; required by the handler for create. */
  name?: string;
  /** Free-text description. */
  description?: string;
  /** Workloads the policy targets. Not forwarded to Graph by the handler shown in dlp-handler.ts. */
  locations?: Array<'Exchange' | 'SharePoint' | 'OneDrive' | 'Teams' | 'Endpoint'>;
  /** Rule definitions. Not forwarded to Graph by the handler shown in dlp-handler.ts. */
  rules?: Array<DLPRule>;
  /** Policy-level settings; only `enabled` is read by the handler (mapped to Graph `status`). */
  settings?: {
    mode?: 'Test' | 'TestWithNotifications' | 'Enforce';
    priority?: number;
    enabled?: boolean;
  };
}
- src/tool-metadata.ts:110-113 (helper)Tool metadata providing description, title, and annotations (readOnlyHint, destructiveHint, etc.) for the manage_dlp_policies tool.manage_dlp_policies: { description: "Manage Data Loss Prevention policies to protect sensitive data across Exchange, SharePoint, OneDrive, and Teams.", title: "DLP Policy Manager", annotations: { title: "DLP Policy Manager", readOnlyHint: false, destructiveHint: true, idempotentHint: false, openWorldHint: true }