Forum Discussion
Allow + Encrypt data for specific users accessing data using Third Party solution and block all
- Jul 15, 2023
Hi, FahadAhmed,
Thank you for posting your question here. Just to confirm I am understanding the need here, the scenario is:
- For most users, you need to block this third-party file sharing app from having sensitive data uploaded
- There is a select group of users that do need to be able to upload to this third-party app, but you want the data to be encrypted.
To achieve this, you will need to configure restricted service domains and restricted apps within the Endpoint DLP Settings page to set the file-sharing app as restricted. For example, if I wanted to block sensitive files from being uploaded to Google Drive, a common personal 3rd-party storage app, I would:
- Under browser and domain restrictions to sensitive data, under service domains, I need to add "drive.google.com" as a blocked domain.
- Make sure the toggle next to service domains is set to "Block"
- To add the desktop app as blocked as well, you'll need to drop-down the restricted app and app groups option and add the application as restricted app
- Please note, since Google Drive is a synchronization app, you'll want to enable the auto-quarantine feature as well to ensure your users do not receive continuous notifications
Now that you have set the Endpoint DLP Settings, you'll want to create the actual DLP policies. For this scenario, you will need two policies. The reason for needing two policies is that user/group inclusions or exclusions happen at the policy level for Endpoint DLP, and since you have a select group of users that need different actions for this file-sharing app, you'll need a separate policy for them from the rest of the organization.
- Policy 1:
  - Use a custom template
  - Turn off all locations except Devices
    - Even though this is targeted to devices, the policy is still identity-based
    - The locations page is where you will want to specifically EXCLUDE the group of users that CAN upload data to this sharing app
  - Create a custom rule
    - Specify your desired conditions, such as in the example below
      - This is where you specify what data cannot be uploaded to this app
    - For the actions, you'll need to set the "Audit or restrict activities on devices" option, then make sure you set the Service domain and browser activities and the restricted app activities options to both be blocked
    - Specify any of the additional options as desired
  - Save the policy
    - Recommend saving it in test mode first, without policy tips, and then monitoring your DLP alerts and Activity Explorer to watch for matches and ensure the policy is working as intended
- Policy 2:
  - Use a custom template
  - Turn off all locations except Devices
    - Specifically include the group that you excluded in policy 1
  - Create a custom rule
    - Specify your desired conditions; these should match policy 1
    - For the actions, you'll need to set the "Audit or restrict activities on devices" option, then make sure you set the Service domain and browser activities and the restricted app activities options to both be audit
    - Specify any of the additional options as desired
  - Save the policy
    - Recommend saving it in test mode first, without policy tips, and then monitoring your DLP alerts and Activity Explorer to watch for matches and ensure the policy is working as intended
Policy 2 is really only needed if you wish to at least know when the approved group uploads data to the application, which I recommend. To read more about Endpoint DLP, you can check out my blog here.
You can also leverage app discovery policies in MDCA to notify you if a daily amount of data is uploaded to the application by leveraging app tags and tagging the app if it is listed as a discovered SaaS app in MDCA. You'd then filter the app discovery policy to look for that app tag and set your threshold for daily uploads.
Also, is this third-party app one that you have paid for and can administratively manage? If so, there may be some additional options available to you that I can offer as well, through Microsoft Defender for Cloud Apps.
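The two-policy design described in the answer above, expressed with Security & Compliance PowerShell as an added example (this is not code from the forum post). The group name `ApprovedUploaders@contoso.com`, the sensitive info type `Credit Card Number`, the policy and rule names, and the sync client executable name are assumed placeholders; the service domain `drive.google.com` comes from the answer.

```powershell
# Added example, not from the original post. Requires the ExchangeOnlineManagement
# module and an account with Compliance admin rights. Assumed values are marked.
Connect-IPPSSession

# 1. Global Endpoint DLP settings: block drive.google.com as a service domain and
#    register the desktop sync client as a restricted app. The auto-quarantine
#    toggle for the sync app is set in the portal's restricted-app settings.
$unallowedApp = '{"Value":"Google Drive","Executable":"googledrivesync"}'  # executable name assumed
Set-PolicyConfig -EndpointDlpGlobalSettings @(
    @{ Setting = 'CloudAppMode';            Value = 'Block' },
    @{ Setting = 'CloudAppRestrictionList'; Value = 'drive.google.com' },
    @{ Setting = 'UnallowedApp';            Value = $unallowedApp }
)

# Shared rule conditions so both policies match exactly the same data (assumed SIT).
$conditions = @( @{ Name = 'Credit Card Number'; minCount = '1' } )
$approved   = 'ApprovedUploaders@contoso.com'   # assumed security/distribution group

# 2. Policy 1: Devices location only, EXCLUDING the approved group; block uploads.
#    Starts in test mode without policy tips, as the answer recommends.
New-DlpCompliancePolicy -Name 'Block uploads to Google Drive' `
    -EndpointDlpLocation 'All' -EndpointDlpLocationException $approved `
    -Mode TestWithoutNotifications
New-DlpComplianceRule -Name 'Block sensitive uploads' -Policy 'Block uploads to Google Drive' `
    -ContentContainsSensitiveInformation $conditions `
    -EndpointDlpRestrictions @(
        @{ Setting = 'CloudEgress';   Value = 'Block' },   # service domain and browser activities
        @{ Setting = 'UnallowedApps'; Value = 'Block' }    # restricted app activities
    )

# 3. Policy 2: Devices location only, INCLUDING only the approved group; audit uploads
#    so Activity Explorer still records what the approved group sends to the app.
New-DlpCompliancePolicy -Name 'Audit uploads to Google Drive' `
    -EndpointDlpLocation $approved -Mode TestWithoutNotifications
New-DlpComplianceRule -Name 'Audit approved uploads' -Policy 'Audit uploads to Google Drive' `
    -ContentContainsSensitiveInformation $conditions `
    -EndpointDlpRestrictions @(
        @{ Setting = 'CloudEgress';   Value = 'Audit' },
        @{ Setting = 'UnallowedApps'; Value = 'Audit' }
    )

# 4. After monitoring DLP alerts and Activity Explorer for expected matches, enforce.
Set-DlpCompliancePolicy -Identity 'Block uploads to Google Drive' -Mode Enable
Set-DlpCompliancePolicy -Identity 'Audit uploads to Google Drive' -Mode Enable
```

Verify the resulting rules with `Get-DlpComplianceRule | Select-Object Name, Policy, EndpointDlpRestrictions` before switching either policy out of test mode.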