Utilities/DLPValidationUtility.ps1


using module "..\MCCA.psm1"
$ExchangeString = "Exchange"
$SharePointString = "SharePoint"
$OneDriveString = "OneDrive"
$TeamsString = "Teams"
$DevicesString = "Devices"

Function Get-DLPPolicyValidation {
    Param
    (
        $SensitiveTypes,
        $Config,
        $LogFile,
        $Name
    )
    $ConfigObjectList = @()
    try {
        $SensitiveTypesWorkloadMapping = @()
        foreach ($SIT in $SensitiveTypes.keys) {
                
            $SensitiveTypesWorkloadMapping += New-Object -TypeName PSObject @{
                Name              = $SIT
                $ExchangeString   = $false
                $SharePointString = $false
                $OneDriveString   = $false
                $TeamsString      = $false
                $DevicesString    = $false
            
            }
        }
        #Getting Custom SIT
        if($($Config["GetDLPCustomSIT"]) -ne "Error")
        {
            $CustomSIT = $($Config["GetDLPCustomSIT"]).Name
            $CustomSITHashTable = @{}
            foreach($SIT in $CustomSIT)
            {
                $CustomSITHashTable[$SIT] = $null
            }

        }

        ForEach ($CompliancePolicy in $Config["GetDlpCompliancePolicy"]) {   
            $PolicySensitiveType = New-Object System.Collections.Generic.HashSet[String]          
            $PolicySensitiveType = Get-PolicySensitiveType -Config $Config -CompliancePolicy $CompliancePolicy -SensitiveTypes $SensitiveTypes
            if($($Config["GetDLPCustomSIT"]) -ne "Error")
            {
                $CustomSensitiveType = Get-PolicySensitiveType -Config $Config -CompliancePolicy $CompliancePolicy -SensitiveTypes $CustomSITHashTable
                $CustomSensitiveTypeText = $null
                foreach ($SIT in $CustomSensitiveType) {
                    if ($null -ne $CustomSensitiveTypeText) {
                        $CustomSensitiveTypeText += ", $SIT"
                    }
                    else {
                        $CustomSensitiveTypeText += "$SIT"
                    }
                }
            }
            if (($CompliancePolicy.Mode -ieq "enable") ) {
                $WorkloadsStatus = Get-AllLocationenabled -CompliancePolicy $CompliancePolicy 
                $EnabledWorkload = $null
                $DisabledWorkload = ""       
                $PolicySensitiveTypeText = $null
                foreach ($Workload in ($WorkloadsStatus.Keys | Sort-Object -CaseSensitive)) {
                    if ($WorkloadsStatus[$Workload] -eq $true) {
                        if ( $null -ne $EnabledWorkload) {
                            $EnabledWorkload += ", $($Workload)"
                        }
                        else {
                            $EnabledWorkload += "$($Workload)"
                        }
                        foreach ($SIT in $PolicySensitiveType) {
                            if ($SITToChange = $SensitiveTypesWorkloadMapping | Where-Object { $_.Name -eq $SIT }) {
                                $SITToChange.$($Workload) = $true
                            }                        
                        }
                                     
                    }
                    else {
                        $DisabledWorkload += "$($Workload) "                 
                    }           
                }
                
                foreach ($SIT in $PolicySensitiveType) {
                    if ($null -ne $PolicySensitiveTypeText) {
                        $PolicySensitiveTypeText += ", $SIT"
                    }
                    else {
                        $PolicySensitiveTypeText += "$SIT"
                    }
                }
            
               
                If ($PolicySensitiveType.Count -ne 0 ) {   
                    $ConfigObject = [MCCACheckConfig]::new()
                    $Workload = $CompliancePolicy.Workload
                    $ConfigObject.Object = "$($CompliancePolicy.Name)"
                    if($null -eq $CustomSensitiveTypeText)
                    {
                        $ConfigObject.ConfigItem = "$PolicySensitiveTypeText"
                    
                    }
                    else
                    {
                        $ConfigObject.ConfigItem = "$PolicySensitiveTypeText<br><strong>Custom SIT</strong> : $CustomSensitiveTypeText"
                    }
                    $ConfigData = ""
                    $ConfigObjectResult = @{}
                    $ConfigObjectResult = Set-ExchangeNotAllLocationEnabledConfigObject -ConfigObjectResult $ConfigObjectResult -CompliancePolicy $CompliancePolicy
                    $ConfigObjectResult = Set-SharePointNotAllLocationEnabledConfigObject -ConfigObjectResult $ConfigObjectResult -CompliancePolicy $CompliancePolicy
                    $ConfigObjectResult = Set-OneDriveNotAllLocationEnabledConfigObject  -ConfigObjectResult $ConfigObjectResult -CompliancePolicy $CompliancePolicy
                    $ConfigObjectResult = Set-TeamsNotAllLocationEnabledConfigObject  -ConfigObjectResult $ConfigObjectResult -CompliancePolicy $CompliancePolicy
                    $ConfigObjectResult = Set-DevicesNotAllLocationEnabledConfigObject  -ConfigObjectResult $ConfigObjectResult -CompliancePolicy $CompliancePolicy
                    $ConfigData = "<strong>Enabled Workloads </strong>: $($EnabledWorkload)<BR/>"
                    foreach ($ConfigResult in $ConfigObjectResult.keys) {
                        $ConfigData += "<strong>$ConfigResult </strong>: $($ConfigObjectResult[$ConfigResult])<BR/>"
                            
                    }
                    $NotInOrganizationAccessScope = $Config["GetDlpComplianceRule"] | Where-Object {$_.AccessScope -eq "NotInOrganization" -and $_.ParentPolicyName -eq "$($CompliancePolicy.Name)"} 
                    if($null -ne $NotInOrganizationAccessScope)
                    {
                        $ConfigData += "<strong>Access Scope</strong>: For users outside organization<BR/>"
                       
                    }else{
                        $ConfigData += "<strong>Access Scope</strong>: For users inside organization<BR/>"
                    }
                    $ConfigObject.ConfigData = "$ConfigData"
                    $ConfigObject.SetResult([MCCAConfigLevel]::Informational, "Pass")   
                    $ConfigObjectList += $ConfigObject
    
                }
                
            }   
            else {
                If ($PolicySensitiveType.Count -ne 0 ) {   
                    $ConfigObject = [MCCACheckConfig]::new()
                    $Workload = $CompliancePolicy.Workload
                    $ConfigObject.Object = "$($CompliancePolicy.Name)"
                    $PolicySensitiveTypeText = $null
                    foreach ($SIT in $PolicySensitiveType) {
                        if ($null -ne $PolicySensitiveTypeText) {
                            $PolicySensitiveTypeText += ", $SIT"
                        }
                        else {
                            $PolicySensitiveTypeText += "$SIT"
                        }
                    }
                    if($null -eq $CustomSensitiveTypeText)
                    {
                        $ConfigObject.ConfigItem = "$PolicySensitiveTypeText"
                    
                    }
                    else
                    {
                        $ConfigObject.ConfigItem = "$PolicySensitiveTypeText<br><strong>Custom SIT</strong> : $CustomSensitiveTypeText"
                    }
                    $Mode = $($CompliancePolicy.Mode)
                    if ( $Mode -eq "TestWithoutNotifications") {
                        $Mode = "test without notifications"
                    }
                    elseif ($Mode -eq "Disable") {
                        $Mode = "disabled"
                    }
                    elseif ( $Mode -eq "TestWithNotifications") {
                        $Mode = "test with notifications"
                    }
                   
                    $ConfigObject.ConfigData = "<B>Policy is in $Mode state.<B>"
                    $ConfigObject.SetResult([MCCAConfigLevel]::Informational, "Pass")   
    
                    $ConfigObjectList += $ConfigObject
                }
            }
               
        }
        $ConfigObjectList = Get-SensitiveTypesNotEnabled -SensitiveTypesWorkloadMapping $SensitiveTypesWorkloadMapping -ConfigObjectList $ConfigObjectList -LogFile $LogFile
         
    }
    catch {
        Write-Host "Error:$(Get-Date) There was an issue while running MCCA. Please try running the tool again after some time." -ForegroundColor:Red
        $ErrorMessage = $_.ToString()
        $StackTraceInfo = $_.ScriptStackTrace
        Write-Log -IsError -ErrorMessage $ErrorMessage -StackTraceInfo $StackTraceInfo -LogFile $LogFile -ErrorAction:SilentlyContinue
        
    }
    Return $ConfigObjectList
}

Function Get-NoPolicyRemediationAction {
    [CmdletBinding()]
    Param
    (
        $Name,
        $PendingSensitiveTypes
      
    )
    $RemediationActionScript = ""

    $PendingSensitiveTypesList = $PendingSensitiveTypes.split(",") 
    $LowCountSenstiveinfodetails = ""
    $HighCountSenstiveinfodetails = ""

    foreach ($PendingSensitiveType in $PendingSensitiveTypesList) {
        $PendingSensitiveTypetrim = $PendingSensitiveType.trim() 
        if ( $LowCountSenstiveinfodetails -eq "") {
            $LowCountSenstiveinfodetails += "@{Name =" + [char]34
            $HighCountSenstiveinfodetails += "@{Name =" + [char]34

        }
        else {
            $LowCountSenstiveinfodetails += ",@{Name =" + [char]34
            $HighCountSenstiveinfodetails += ",@{Name =" + [char]34

        }
        $LowCountSenstiveinfodetails += $PendingSensitiveTypetrim + [char]34
        $LowCountSenstiveinfodetails += ";minCount = ""1"""
        $LowCountSenstiveinfodetails += ";maxCount = ""5""}"
        $HighCountSenstiveinfodetails += $PendingSensitiveTypetrim + [char]34
        $HighCountSenstiveinfodetails += ";minCount = ""6""}"
    }
                

    $NewPolicyTemplateData = Get-Content "$PSScriptRoot\..\Templates\NewDLPPolicyTemplate.txt"
    if ($null -eq $NewPolicyTemplateData -or $NewPolicyTemplateData -eq "") {
        Write-Host "$(Get-Date) Template file does not exist/is corrupt in $PSScriptRoot\..\Templates\NewDLPPolicyTemplate.txt. Remediation wont be generated" -ForegroundColor Orange           
    }
    else {
        $NewPolicyTemplateData = $NewPolicyTemplateData.Replace("<NewPolicyName>", "$Name")
        $NewPolicyTemplateData = $NewPolicyTemplateData.Replace("<HighSensitiveInfoDetails>", "$HighCountSenstiveinfodetails")
        $NewPolicyTemplateData = $NewPolicyTemplateData.Replace("<LowSensitiveInfoDetails>", "$LowCountSenstiveinfodetails")
        $LowRuleName = "Low Volume $Name"
        if ($LowRuleName.length -gt 60) { $LowRuleName = $LowRuleName.substring(0, 60) }
        $HighRuleName = "High Volume $Name"
        if ($HighRuleName.length -gt 60) { $HighRuleName = $HighRuleName.substring(0, 60) }
        $NewPolicyTemplateData = $NewPolicyTemplateData.Replace("<HighVolumeRuleName>", "$HighRuleName")
        $NewPolicyTemplateData = $NewPolicyTemplateData.Replace("<LowVolumeRuleName>", "$LowRuleName")
  
        $RemediationActionScript += $NewPolicyTemplateData
        Write-Host "$(Get-Date) Generating Remediation Action for $Name" -ForegroundColor Yellow 
    }
              
    Return $RemediationActionScript
}
Function Get-PolicySensitiveType {
    Param
    (
        $Config,
        $CompliancePolicy,
        $SensitiveTypes
    )
    $PolicySensitiveTypes = New-Object System.Collections.Generic.HashSet[String]          
    foreach ($ComplianceRule in $Config["GetDlpComplianceRule"]) {

        if ($ComplianceRule.Mode -ieq "enforce" -and $CompliancePolicy.name -eq $($ComplianceRule.ParentPolicyName) ) {
            $SensitiveInformationContent = $ComplianceRule.ContentContainsSensitiveInformation

            foreach ($SensitiveType in $($SensitiveTypes.keys)) {
                if ($SensitiveInformationContent.Values -contains $SensitiveType) {
                    if (!$PolicySensitiveTypes.Contains($SensitiveType)) {
                        $PolicySensitiveTypes.Add("$SensitiveType") |  Out-Null 

                    }

                }
                if ($($SensitiveInformationContent.keys) -contains "groups") {
                    foreach ($SensitiveInformationGroupList in $SensitiveInformationContent) {
                        $SensitiveInformationGroups = $SensitiveInformationGroupList["groups"]
                        foreach ($SensitiveInformationGroupDefined in $SensitiveInformationGroups) {
                            $SensitiveInformationGroupDefinedValues = $SensitiveInformationGroupDefined.Values 
                            foreach ($SensitiveInformationGroupValue in $SensitiveInformationGroupDefinedValues) {
                                foreach ($SensitiveInformationGroupVal in $SensitiveInformationGroupValue) {
                                    if ($SensitiveInformationGroupVal.Values -contains $SensitiveType ) {
                                        if (!$PolicySensitiveTypes.Contains($SensitiveType)) {
                                            $PolicySensitiveTypes.Add("$SensitiveType") |  Out-Null 

                                        }
                                    }
      
                                }
     
                            }
                        }
                    }
    
                }
            }
                            

                           
        }
    }

    Return $PolicySensitiveTypes
}

Function Get-SensitiveTypesNotEnabled {
    Param
    (
        $SensitiveTypesWorkloadMapping,
        $LogFile,
        $ConfigObjectList
    )   

     
    $PendingSensitiveType = $null
    $PartialCoveredSIT = $null
    $PartialCoveredWorkload = $null
    foreach ($SensitiveTypes in $SensitiveTypesWorkloadMapping) {
        if (($SensitiveTypes.$ExchangeString -eq $false ) -and ($SensitiveTypes.$SharePointString -eq $false ) -and 
            ($SensitiveTypes.$TeamsString -eq $false ) -and ($SensitiveTypes.$OneDriveString -eq $false ) -and ($SensitiveTypes.$DevicesString -eq $false ) ) {
            $PendingSensitiveType = Get-PartialSIT -PartialCoveredSIT $PendingSensitiveType -SensitiveTypesName $($SensitiveTypes.Name)

        }
        else {

            if ($SensitiveTypes.$ExchangeString -eq $false ) {
                $PartialCoveredSIT = Get-PartialSIT -PartialCoveredSIT $PartialCoveredSIT -SensitiveTypesName $($SensitiveTypes.Name)
                $PartialCoveredWorkload = Get-PartialSITWorkLoad -PartialCoveredWorkload $PartialCoveredWorkload -WorkloadName $ExchangeString
            }
    
            if ($SensitiveTypes.$SharePointString -eq $false ) {
                $PartialCoveredSIT = Get-PartialSIT -PartialCoveredSIT $PartialCoveredSIT -SensitiveTypesName $($SensitiveTypes.Name)
                $PartialCoveredWorkload = Get-PartialSITWorkLoad -PartialCoveredWorkload $PartialCoveredWorkload -WorkloadName $SharePointString
    
            } 
            if ($SensitiveTypes.$OneDriveString -eq $false ) {
                $PartialCoveredSIT = Get-PartialSIT -PartialCoveredSIT $PartialCoveredSIT -SensitiveTypesName $($SensitiveTypes.Name)
                $PartialCoveredWorkload = Get-PartialSITWorkLoad -PartialCoveredWorkload $PartialCoveredWorkload -WorkloadName $OneDriveString
            }
            if ($SensitiveTypes.$TeamsString -eq $false ) {
                $PartialCoveredSIT = Get-PartialSIT -PartialCoveredSIT $PartialCoveredSIT -SensitiveTypesName $($SensitiveTypes.Name)
                $PartialCoveredWorkload = Get-PartialSITWorkLoad -PartialCoveredWorkload $PartialCoveredWorkload -WorkloadName $TeamsString
            }
            if ($SensitiveTypes.$DevicesString -eq $false ) {
                $PartialCoveredSIT = Get-PartialSIT -PartialCoveredSIT $PartialCoveredSIT -SensitiveTypesName $($SensitiveTypes.Name)
                $PartialCoveredWorkload = Get-PartialSITWorkLoad -PartialCoveredWorkload $PartialCoveredWorkload -WorkloadName $DevicesString
            }
    
        }

        
     
        
    }
   

   
    if ($null -ne $PartialCoveredSIT) {
        $ConfigObject = [MCCACheckConfig]::new()
        $ConfigObject.Object = "<B>Policy defined but not protected on 1 or more workloads<B>"
        $ConfigObject.ConfigItem = "$PartialCoveredSIT"
        $ConfigObject.ConfigData = "<b>Affected Workloads</B> : $PartialCoveredWorkload"
        $ConfigObject.SetResult([MCCAConfigLevel]::Ok, "Fail")            
        $ConfigObjectList += $ConfigObject
    }
    if ($null -ne $PendingSensitiveType) { 
                   
        $ConfigObject = [MCCACheckConfig]::new()
        $ConfigObject.Object = "<B>No active policy defined<B>"
        $ConfigObject.ConfigItem = "$PendingSensitiveType"
        $ConfigObject.ConfigData = "<b>Affected Workloads</B> : $ExchangeString, $SharePointString, $TeamsString, $OneDriveString, $DevicesString"
        $ConfigObject.InfoText ="It is recommended that you set up DLP policies that block access for users external to your organization for all Sensitive Information Types on all workloads."
        try {
            $ConfigObject.RemediationAction = Get-NoPolicyRemediationAction -Name $Name -PendingSensitiveTypes $PendingSensitiveType -ErrorAction:SilentlyContinue        
        }
        catch {
            Write-Host "Warning:$(Get-Date) There was an issue in generating remediation script. Please review the script closely before running the same." -ForegroundColor:Yellow
            $ErrorMessage = $_.ToString()
            $StackTraceInfo = $_.ScriptStackTrace
            Write-Log -IsError -ErrorMessage $ErrorMessage -StackTraceInfo $StackTraceInfo -LogFile $LogFile -ErrorAction:SilentlyContinue
        }
        $ConfigObject.SetResult([MCCAConfigLevel]::Ok, "Fail")            
        $ConfigObjectList += $ConfigObject
    }
    
    Return $ConfigObjectList
}
function Get-PartialSIT {
    Param
    (
        $PartialCoveredSIT,
        $SensitiveTypesName

    )
    if ((@($PartialCoveredSIT) -like "*$SensitiveTypesName*").Count -le 0) { 
        if ($null -eq $PartialCoveredSIT) {
            $PartialCoveredSIT += "$SensitiveTypesName"
        
        }
        else {            
            $PartialCoveredSIT += ", $SensitiveTypesName" 
        } 
    }
    return $PartialCoveredSIT
}
function Get-PartialSITWorkLoad {
    Param
    (
        $PartialCoveredWorkload,
        $WorkloadName

    )
    if ((@($PartialCoveredWorkload) -like "*$WorkloadName*").Count -le 0) {
        if ($null -eq $PartialCoveredWorkload) {
            $PartialCoveredWorkload += $WorkloadName
            
        }
        else {            
            $PartialCoveredWorkload += ", $WorkloadName" 
        } 
    }
    return $PartialCoveredWorkload
}


Function Get-AllLocationenabled {
    Param
    (
        $CompliancePolicy
    )
    $ExchangeLocation = $CompliancePolicy.ExchangeLocation
    $SharePointLocation = $CompliancePolicy.SharePointLocation
    $OneDriveLocation = $CompliancePolicy.OneDriveLocation
    $TeamsLocation = $CompliancePolicy.TeamsLocation
    $EndpointDlpLocation = $CompliancePolicy.EndpointDlpLocation   
    $WorkloadsStatus = @{}
    $WorkloadsStatus[$ExchangeString] = $false
    $WorkloadsStatus[$SharePointString] = $false
    $WorkloadsStatus[$OneDriveString] = $false
    $WorkloadsStatus[$TeamsString] = $false
    $WorkloadsStatus[$DevicesString] = $false
    if ((@($ExchangeLocation) -like 'All').Count -gt 0) {
        $WorkloadsStatus[$ExchangeString] = $true
    }
    if ((@($SharePointLocation) -like 'All').Count -gt 0) {
        $WorkloadsStatus[$SharePointString] = $true
    }
    if ((@($OneDriveLocation) -like 'All').Count -gt 0) {
        $WorkloadsStatus[$OneDriveString] = $true
    }
    if ((@($TeamsLocation) -like 'All').Count -gt 0) {
        $WorkloadsStatus[$TeamsString] = $true
    }
    if ((@($EndpointDlpLocation) -like 'All').Count -gt 0) {
        $WorkloadsStatus[$DevicesString] = $true
    }

    Return $WorkloadsStatus

    
}


Function Set-ExchangeNotAllLocationEnabledConfigObject {
    Param
    (
        
        $ConfigObjectResult,
        $CompliancePolicy
    )

    $ExchangeLocation = $CompliancePolicy.ExchangeLocation
    $ExchangeSenderException = $CompliancePolicy.ExchangeSenderException
    $ExchangeSenderMemberOf = $CompliancePolicy.ExchangeSenderMemberOf
    $ExchangeSenderMemberOfException = $CompliancePolicy.ExchangeSenderMemberOfException

    if (((@($ExchangeLocation) -like 'All').Count -lt 1)) {          
        if (@($ExchangeLocation).count -ne 0) {
            
            $ConfigObjectResult["Included Exchange Groups"] += "$ExchangeLocation " 
                    
        }
    }

    if ($ExchangeSenderMemberOf.count -ne 0) {
    
        if ($ConfigObjectResult.contains("Included Exchange Groups")) {
            $ConfigObjectResult["Included Exchange Groups"] += ", $ExchangeSenderMemberOf " 
        }
        else {
            $ConfigObjectResult["Included Exchange Groups"] = "$ExchangeSenderMemberOf " 

        }

    }
    if (($ExchangeSenderMemberOfException.count -ne 0) -or ($ExchangeSenderException.count -ne 0) ) {
        
        $ConfigObjectResult["Excluded Exchange Groups"] += "$ExchangeSenderMemberOfException $ExchangeSenderException " 

    }
    Return $ConfigObjectResult
                               
}

function Set-SharePointNotAllLocationEnabledConfigObject {
    Param
    (
        $ConfigObjectResult,
        $CompliancePolicy
     
    )
    $SharePointLocation = $CompliancePolicy.SharePointLocation
    $SharePointLocationException = $CompliancePolicy.SharePointLocationException
    $SharePointOnPremisesLocationException = $CompliancePolicy.SharePointOnPremisesLocationException

    if (((@($SharePointLocation) -like 'All').Count -lt 1)) {  
        if (@($SharePointLocation).count -ne 0) {
            
            $ConfigObjectResult["Included SP Sites"] += "$SharePointLocation " 
        }
    }
    
    if (($SharePointLocationException.count -ne 0) -or ($SharePointOnPremisesLocationException.count -ne 0)) { 
        
        $ConfigObjectResult["Excluded SP Sites"] += "$SharePointLocationException $SharePointOnPremisesLocationException " 
    }
    
    Return $ConfigObjectResult
                               
}

function Set-TeamsNotAllLocationEnabledConfigObject { 
    Param
    (
        $ConfigObjectResult,
        $CompliancePolicy
    )

    $TeamsLocation = $CompliancePolicy.TeamsLocation
    $TeamsLocationException = $CompliancePolicy.TeamsLocationException
   
    if (((@($TeamsLocation) -like 'All').Count -lt 1)) {  
        if (@($TeamsLocation).count -ne 0) {
            
            $ConfigObjectResult["Included Teams Account"] += "$TeamsLocation" 
        }
    }
   
    if (($TeamsLocationException.count -ne 0)) {
        
        $ConfigObjectResult["Excluded Teams Account"] += "$TeamsLocationException" 
    }
    Return $ConfigObjectResult
                               
}
function Set-OneDriveNotAllLocationEnabledConfigObject {
    Param
    (
        $ConfigObject,
        $PolicySensitiveType,
        $CompliancePolicy
        
    )
    $OneDriveLocation = $CompliancePolicy.OneDriveLocation
    $OneDriveLocationException = $CompliancePolicy.OneDriveLocationException
    $ExceptIfOneDriveSharedByMemberOf = $CompliancePolicy.ExceptIfOneDriveSharedByMemberOf

    if (((@($OneDriveLocation) -like 'All').Count -lt 1)) {  
        if (@($OneDriveLocation).count -ne 0) {
            
            $ConfigObjectResult["Included OneDrive Account"] += "$OneDriveLocation" 
        }

    }
 
    if (($OneDriveLocationException.count -ne 0) -or ($ExceptIfOneDriveSharedByMemberOf.count -ne 0)) {
        
        $ConfigObjectResult["Excluded OneDrive Account"] += "$OneDriveLocationException $ExceptIfOneDriveSharedByMemberOf" 
        
    }
    Return $ConfigObjectResult
                               
}
function Set-DevicesNotAllLocationEnabledConfigObject {
    Param
    (
        $ConfigObject,
        $PolicySensitiveType,
        $CompliancePolicy
        
    )
    $EndpointDlpLocation = $CompliancePolicy.EndpointDlpLocation
    $EndpointDlpLocationException = $CompliancePolicy.EndpointDlpLocationException

    if (((@($EndpointDlpLocation) -like 'All').Count -lt 1)) {  
        if (@($EndpointDlpLocation).count -ne 0) {
            
            $ConfigObjectResult["Included Devices User/Groups"] += "$EndpointDlpLocation" 
        }

    }
 
    if (($EndpointDlpLocationException.count -ne 0)) {
        
        $ConfigObjectResult["Excluded Devices User/Groups"] += "$EndpointDlpLocationException" 
        
    }
    Return $ConfigObjectResult
                               
}