How to create a custom DLP rule in Office365

Yesterday I was helping a customer create a new custom DLP policy to protect the Spanish Identity Card Number (DNI) in email communications.
I could not find any help on the internet, so I decided to post how I did it.

  • First I created a custom policy using a Unicode XML file.
  • I used the script "Create-XML-1.3.ps1" downloaded from TechNet here:

The script will create the entire file, top to bottom, but you can use the code listed below as an XML template.

The regular expression match pattern used to catch DNIs in email communications was: ([0-9]{8,8}[A-Za-z])
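As an added example (not part of the original post), the same pattern applied in PowerShell to a constructed email body, with every hit checked against the DNI control letter (the standard check-letter table indexed by the number modulo 23). The sample text and numbers are made up for the example.

```powershell
# Added example, not from the original post: applies the post's DNI pattern to a
# constructed email body and checks each hit against the DNI control letter, so that
# 8-digit+letter strings that are not real DNIs (false positives) can be told apart.
$DniLetters = 'TRWAGMYFPDXBNJZSQVHLCKE'   # official check-letter table, index = number mod 23

function Test-DniControlLetter {
    param([Parameter(Mandatory)][string]$Candidate)
    if (-not ($Candidate -match '^([0-9]{8})([A-Za-z])$')) { return $false }
    $number = [int]$Matches[1]
    return ($Matches[2].ToUpper() -eq [string]$DniLetters[$number % 23])
}

# Constructed sample text; the numbers are made up for the example.
$sample = @"
Adjunto mi DNI 12345678Z para la solicitud.
Referencia interna 87654321A (no es un DNI).
Pedido 0012345678X (numero de pedido, no DNI).
"@

# Exactly the pattern used in the rule package. Note it has no word boundaries, so it
# also fires on the last nine characters of the longer order number above.
$pattern = '([0-9]{8,8}[A-Za-z])'
foreach ($m in [regex]::Matches($sample, $pattern)) {
    '{0}  validControlLetter={1}' -f $m.Value, (Test-DniControlLetter $m.Value)
}
```

Only 12345678Z passes the control-letter check; 87654321A and the 12345678X fragment taken from the order number are reported by the regex but fail it. Adding \b on both sides of the pattern avoids the fragment match altogether.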

You can use the following tools if you are not familiar with regular expressions:

  • I keep the file "demo.xml" in the path "C:\temp" on my computer.
  • Then I connect to the Office 365 Security & Compliance Center from PowerShell using the following commands:

$cred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $Session

  • Then I use the following cmdlet to import my custom XML file into Office 365:

New-DlpSensitiveInformationTypeRulePackage -FileData ([Byte[]]$(Get-Content -Path "C:\temp\demo.xml" -Encoding Byte -ReadCount 0))

Additionally, you can use the following cmdlets to manage Data Loss Prevention rule packages from PowerShell:

  • New-DlpSensitiveInformationTypeRulePackage
  • Get-DlpSensitiveInformationTypeRulePackage
  • Set-DlpSensitiveInformationTypeRulePackage
  • Remove-DlpSensitiveInformationTypeRulePackage

Note that these cmdlets are only available in the Office 365 Security & Compliance Center.

XML file used to match the DNI:


Manage Shared Mailboxes in Exchange 2013

Two new attributes have been implemented with CU9 in Exchange 2013 to manage shared mailboxes:

  • MessageCopyForSentAsEnabled
  • MessageCopyForSendOnBehalfEnabled

These attributes are not enabled by default, so the default behavior when a user with "Send As" or "Send on Behalf" permissions on a shared mailbox sends a message is that the sent item goes to the user's mailbox and not to the shared mailbox.

This means another user with permissions on the shared mailbox cannot see the email that was sent on behalf of it. The new shared mailbox attributes allow a message sent from a user mailbox to also be copied into the shared mailbox.

To enable this feature and change the shared mailbox behavior, run the following cmdlets:

Set-Mailbox -Identity xxx -MessageCopyForSentAsEnabled $True
Set-Mailbox -Identity xxx -MessageCopyForSendOnBehalfEnabled $True

You may get the following error when you try to enable this feature:

"A parameter cannot be found that matches parameter name 'MessageCopyForSentAsEnabled'."

To solve this you can run the setup.exe /PrepareAD /IAcceptExchangeServerLicenseTerms command from the CU9 installation media.

I can't add a new subdomain in Office 365

I tried today to add a new subdomain in Office 365 and I get the following error:
" is a subdomain of a domain that was added by using the Microsoft Online Services
Module for Windows PowerShell so you'll need to also use Windows PowerShell to add
To Microsoft Online Services"

When I try to add the subdomain from Windows PowerShell I get the following error.
"Unable to add this domain. It is a subdomain and its authentication type is different from
the authentication type of the root domain"
New-MsolDomain -Name

New-MSOLFederatedDomain -DomainName
"Failed to connect to Active Directory Federation Services 2.0 on the local machine.
Please try running Set-MsolADFSContext before running this command again"

I ran the following cmdlet from my on-premises ADFS server.

Set-MsolADFSContext -Computer (FQDN of my ADFS server)

Then I ran the following cmdlet:
New-MSOLFederatedDomain -DomainName


Under a coexistence scenario with Exchange 2007 and Exchange 2013
Some users are reporting that they cannot access OWA.
When a user tries to log on to Outlook Web Access (OWA) 2013 and the user's mailbox is stored in an Exchange 2007 database, the browser displays the following message and the user is not able to access their mailbox.

After investigation I found it's a client-side caching issue.
Clear the Internet Explorer cache (cookies and website data) and restart the browser.

Transport logic in Exchange 2013

The HUB TRANSPORT role of earlier versions (Exchange 2007 and Exchange 2010) has been segmented and split into different services that are now distributed between the CAS and MAILBOX roles.

  • CAS:
    • Front End Transport Service
  • MAILBOX:
    • Transport Service
    • Mailbox Transport Service

This change in the Exchange 2013 architecture model has led to changes in the transport service that affect the routing decisions determining what to do with a message based on the information about its destination.

This new model follows the logic detailed in the following diagram.

Customize OWA logon page in Exchange 2013

The Outlook Web App sign-in, language selection, and error pages are built from graphics and .css files in the themes resources folder on the Client Access Server.

Any modifications to those pages will be seen by all users.

Here is an example of what you can do.

Browse to the following location on your Client Access Server


and modify the following files to customize the web form.

  • owa_text_blue.png
  • olk_logo_white.png
  • Sign_in_arrow.png
  • Favicon_ico.png
  • logon.css

Redirect OWA in Exchange 2013

If you want to configure OWA to automatically redirect users from the top-level directory to the /owa virtual directory and force redirection to SSL, here is what you need to do.
This procedure has been tested under IIS 8.5 with Exchange 2013 CU8.
1. Open IIS Manager on the Exchange server.
2. Open the "SSL Settings" feature under the "Default Web Site" and "Exchange Back End" websites.

3. Uncheck the "Require SSL" checkbox on both websites and click Apply to save the changes.

4. Then open the "HTTP Redirect" feature under the "Default Web Site" and "Exchange Back End" websites.

5. Ensure the "Redirect requests to this destination" checkbox is marked and type your redirect URL.
6. Ensure the "Only redirect requests to content in this directory (not subdirectories)" checkbox is also marked and "Status code: Found (302)" is selected.
7. Click "Apply" to save the changes.

8. As we don't need to redirect subfolders to the /owa directory, we should uncheck the HTTP Redirect option on all the subdirectories under the "Default Web Site" and "Exchange Back End" websites.

9. If you want to access the Exchange Control Panel (ECP) only over a secure connection, make sure to set SSL settings on the /ecp virtual directory only.
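The same steps expressed with the IIS WebAdministration module, as an added example that is not part of the original post, so the change can be applied repeatably on each server. It assumes the module is present on the Exchange server; https://mail.example.com/owa is a placeholder for your own OWA URL.

```powershell
# Added example, not from the original post: the GUI steps above as a script using the
# WebAdministration module. https://mail.example.com/owa is a placeholder; replace it.
Import-Module WebAdministration

$redirectUrl = 'https://mail.example.com/owa'
$sites       = @('Default Web Site', 'Exchange Back End')

foreach ($site in $sites) {
    $sitePath = "IIS:\Sites\$site"

    # Steps 2-3: clear "Require SSL" on the site so a plain HTTP request reaches the redirect.
    Set-WebConfigurationProperty -PSPath $sitePath -Filter 'system.webServer/security/access' `
        -Name sslFlags -Value 'None'

    # Steps 4-7: HTTP Redirect to the OWA URL, only for content in this directory, 302 Found.
    $settings = @{ enabled = $true; destination = $redirectUrl; exactDestination = $false
                   childOnly = $true; httpResponseStatus = 'Found' }
    foreach ($name in $settings.Keys) {
        Set-WebConfigurationProperty -PSPath $sitePath -Filter 'system.webServer/httpRedirect' `
            -Name $name -Value $settings[$name]
    }

    # Step 8: applications and virtual directories inherit the redirect from the site,
    # so switch it off explicitly under each of them (skipping the site root itself).
    $children = @(Get-WebApplication -Site $site) + @(Get-WebVirtualDirectory -Site $site)
    foreach ($child in ($children | Where-Object { $_.Path -ne '/' })) {
        Set-WebConfigurationProperty -PSPath "$sitePath$($child.Path)" `
            -Filter 'system.webServer/httpRedirect' -Name enabled -Value $false
    }
}

# Step 9: ECP stays reachable over HTTPS only.
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\ecp' `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
```

Because step 3 removes "Require SSL" from both sites and step 9 restores it only for /ecp, check afterwards that every virtual directory you expect to be HTTPS-only still is.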