Forum Discussion
CSI90
Jul 03, 2023
Copper Contributor
Can I block upload of data based on DLP Policy and/or Sensitivity Label?
Hi everyone, Is there a way to block users from uploading files to the cloud that are identified as Sensitive Information Type/DLP or marked with a Sensitivity Label (SL) via OneDrive Sync and Te...
miller34mike
Microsoft
Jul 03, 2023
Hi CSI90,
Thank you for posting your question here. No need for third-party on this one! This is a common ask and you can solve this with Endpoint DLP by setting Teams and OneDrive as restricted apps under the Endpoint DLP Settings page in the Microsoft Purview admin center.
With Endpoint DLP settings you can set these as restricted apps as well as blocking the service domains for them to prevent the web uploads from managed devices. I like to use the Session Control policies in Microsoft Defender for Cloud Apps that you mentioned on the unmanaged devices usually, but you can use it for all devices for this scenario as well.
You can create restricted app groups and service domain groups in the Endpoint DLP settings page to give you the option to set different controls for grouped applications within your Endpoint DLP policy. For example, maybe you do want to block uploads to OneDrive and Teams but maybe you want to allow an override with a valid business reason, but Slack, GitHub, and Google Drive are blocked no matter what. However, because OneDrive and Teams are syncing the files, they will continue to try and upload any file even if it is initially blocked so you'll need to make sure you check enable and check the auto-quarantine box for the restricted apps.
Once you set your restricted apps and service domains, you'll just need to create an endpoint DLP policy (scoped to devices) that is looking for files containing the SITs and Sensitivity Labels you want to prevent from being uploaded and make sure you set the blocking actions for service domains and restricted apps.
I also like to add a fail-safe with Microsoft Defender for Cloud Apps by creating a File Policy that looks for any file stored in OneDrive or SharePoint (will also cover Teams files) containing the SITs and/or labels you don't want stored there. You can leave this as an alert-only policy or you can enforce governance actions like sending the file to an admin quarantine folder and storing a placeholder file in the original location.
I wrote a blog a little while ago that covers all of this in detail (as I said, it's a common ask from clients) and it should help you with configuring all of this exactly as you need.
MDCA & Endpoint DLP: Session Control in Harmony – Cloudy Security (cloudy-sec.com)
Here's some more that may help as well:
Microsoft Purview DLP – Part 2 – Endpoint DLP – Cloudy Security (cloudy-sec.com)
File Policies with MDCA – Cloudy Security (cloudy-sec.com)
Microsoft Purview Sensitivity Labels – Part 3 – Cloudy Security (cloudy-sec.com)
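Added example, not part of either post in this thread: the device-scoped endpoint DLP policy and rule from the answer above, expressed with Security & Compliance PowerShell (ExchangeOnlineManagement module). The policy name, SIT name and label name are constructed placeholders, the restricted app and service domain groups are assumed to already exist in the Purview Endpoint DLP settings page as the answer describes, and the mapping of the restriction value "Warn" to the admin center's "Block with override" is an assumption to verify against your tenant's cmdlet help.

```powershell
# Added example (not from the thread). Assumes ExchangeOnlineManagement is installed and
# that restricted apps / service domains were already set in the Purview Endpoint DLP settings.
Connect-IPPSSession

# Constructed names: replace with your own policy name, SIT and sensitivity label.
$policyName = 'Block-Sensitive-Cloud-Upload'
$sitName    = 'Credit Card Number'   # built-in SIT used as a sample condition
$labelName  = 'Confidential'         # assumed existing sensitivity label

# 1. Policy scoped to devices only (Endpoint DLP location, no Exchange/SharePoint scope).
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Endpoint DLP: stop labelled/SIT files leaving via OneDrive, Teams or web upload' `
    -EndpointDlpLocation 'All' `
    -Mode 'Enable'

# 2. Condition: file contains the SIT OR carries the label ("SITs and/or labels" in the answer).
$condition = @{
    operator = 'Or'
    groups   = @(
        @{ operator = 'Or'; name = 'SITs';   sensitivetypes = @(@{ name = $sitName; mincount = '1' }) },
        @{ operator = 'Or'; name = 'Labels'; labels         = @(@{ name = $labelName; type = 'Sensitivity' }) }
    )
}

# 3. Rule: restrict upload to service domains (CloudEgress) and to restricted apps (UnallowedApps).
#    Assumption: 'Warn' corresponds to "Block with override" in the admin center, so the user can
#    supply a business justification as the answer suggests for OneDrive/Teams; use 'Block' for a
#    hard block with no override.
New-DlpComplianceRule -Name "$policyName-Rule" -Policy $policyName `
    -ContentContainsSensitiveInformation $condition `
    -EndpointDlpRestrictions @(
        @{ Setting = 'CloudEgress';   Value = 'Warn' },
        @{ Setting = 'UnallowedApps'; Value = 'Warn' }
    ) `
    -NotifyUser 'Owner' `
    -NotifyAllowOverride 'WithJustification' `
    -ReportSeverityLevel 'High'

# 4. Verify the rule and its endpoint restrictions were stored as intended.
Get-DlpComplianceRule -Policy $policyName | Format-List Name, EndpointDlpRestrictions
```

Because OneDrive and Teams keep retrying synced files, the auto-quarantine option for the restricted apps still has to be enabled in the Endpoint DLP settings page; this script only creates the policy and rule that reference those settings.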
CSI90
Jul 03, 2023
Copper Contributor
Thanks for the quick and detailed reply, it will take me a moment to go through all this but it's very helpful!