Forum Discussion
FahadAhmed
Aug 22, 2023 - Brass Contributor
DLP policy to block access to external organization however allow access for some external domains
Hi, we have successfully setup a DLP policy to block sensitive information from going outside using "Block access to external organization", however we want to allow a few domains to receive those f...
- Aug 23, 2023
Hi, FahadAhmed,
Thank you for posting your question here.
With Exchange-based DLP policies, you can configure an exception for your trusted domains into the conditions of your policy.
In the below image, I set the conditions to be an example of how you can configure this. Please note, to get the "NOT" option, you need to select "Add group" in the conditions builder.
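The same policy can be built from Security & Compliance PowerShell instead of the conditions builder; this is an added example, not code from the thread or from Microsoft's documentation. It assumes the ExchangeOnlineManagement module is installed and that the policy name, the sensitive information type and the partner domains are placeholders you replace with your own.

```powershell
# Added example: Exchange DLP policy that blocks sensitive content going to
# external recipients, with trusted partner domains excepted from the rule.
# Assumes ExchangeOnlineManagement is installed; names and domains are placeholders.
Connect-IPPSSession

$policyName = "Block external sharing - partners excepted"

# Policy scoped to Exchange only; start in test mode and switch to
# -Mode Enable once the match results look right.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All `
    -Mode TestWithoutNotifications

# Condition: content contains the sensitive info type AND is shared
# with people outside the organization.
# Exception (the "NOT" group in the portal): recipient domain is a trusted partner.
New-DlpComplianceRule -Name "Block SSN to external, except partners" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" } `
    -AccessScope NotInOrganization `
    -ExceptIfRecipientDomainIs "partner1.example", "partner2.example" `
    -BlockAccess $true `
    -NotifyUser Owner `
    -GenerateIncidentReport SiteAdmin

# Verify the exception actually landed on the rule before enabling the policy.
Get-DlpComplianceRule -Identity "Block SSN to external, except partners" |
    Format-List Name, AccessScope, ExceptIfRecipientDomainIs, BlockAccess
```

Mail to the listed partner domains still goes through the other rules in the policy, so keep any audit-only rule separate if you want a record of those messages.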
PiaSegment
Sep 13, 2023 - Copper Contributor
And what if we need an exception for use in DLP for Teams chat, SharePoint and OneDrive blocking externals?
miller34mike
Microsoft
Sep 13, 2023
Hello! Great question.
Teams DLP, when selected by itself, DOES allow for building an exception based on the external recipient. However, for OneDrive and SharePoint, you do not get this option. For this, I recommend considering a B2B approach for your trusted, external partners. B2B will allow better granular controls on SharePoint for allowing access to your B2B-enabled partners.
Azure AD B2B collaboration overview - Microsoft Entra | Microsoft Learn
- Derek_Osborne - Sep 15, 2023 - Copper Contributor
miller34mike Hello Mike! How would you recommend blocking all other domains but our own, with the Endpoint selection enabled? Such as web app upload through Chrome or Firefox? I notice the recipient domain is also not available when Endpoint is enabled.
- Derek_Osborne - Sep 15, 2023 - Copper Contributor
When I say endpoint, I mean "devices".
- miller34mike - Sep 26, 2023 - Microsoft
Thank you for posting your question here!
To do this, you'll need to leverage the Endpoint DLP Settings page.
Once there, select the dropdown for "Browser and domain restrictions to sensitive data".
Under "Service domains", make sure the dropdown is set to "Allow".
You'll then need to add the specific domains you want to allow file uploads to, such as your company's SharePoint Online domain, which may look like "contoso.sharepoint.com", or your OneDrive sites like "contoso-my.sharepoint.com".
However, even though you CAN do this, I strongly encourage you to have the "Why?" conversation with your organization first. Include stakeholders around the company in this discussion so you can be sure that you understand your standard business practices first. While this can help reduce data exfiltration, you can also impede business with these controls.