Forum Discussion

Rk10's avatar
Rk10
Copper Contributor
Jun 16, 2026

Best approach for contractor block policy

Hello there I need some assistance with your best approach for vendor block policy. I am thinking to create one policy with three rules 

  • Block all vendors with the block AD group
  • Vendors to allow emails to approved domains only 
  • vendors to send email to external to organisation with ability to send to approve domains

 

Do you think this is a good approach by breaking down into three different rules ? Also I am bit confused with the conditions on the rule 2 and rule 3.

what would you your approach with complete breakdown ?

3 Replies

  • Rk10's avatar
    Rk10
    Copper Contributor

    cder​ thanks for your response I should be more specific in my original question 

    Business Requirement

    I want a contractor external sharing control policy in Purview with three sharing rules in policy or can be one rule 

    Contractor Type

    Behaviour

    ExternalOnly

    Can share externally to any domain

    WhitelistOnly

    Can share only to approved domains (e.g. gmail.com, yahoo.com)

    BlockAll

    Cannot share externally at all

     

    • BlockAll = Base AD group for all contractors by default
    • WhitelistOnly = Exception AD group 
    • ExternalOnly = Exception AD group

    So any contractor or vendor joins will be added to BlockAll group. And then if that vendor wants to send  to approved domains he will be added to whitelisted domains AD group and if the vendor wants to send outside that whitelisted domains he will be added to ExternalyOnly group. 

    please note we need to have that Block rule for all contractors. So I want able to remove block rule at all even they want to send to whitelisted domain they will end up with block default rule + whitelisted rule 

    similar if they want to send external, the AD still have Block rule + external only 

  • My understanding of your rules: 
    Rule 2 : allow vendors to receive emails from approved domain only.
    Rule 3 : allow vendors to send emails to approved domain only.

    If my understanding is correct, I don't think you can achieve R2 with DLP.
    I'd recommend using Exchange Mail Flow Rules (Transport Rules) to block both incoming and outgoing messages.
    If you do want to use Purview DLP, for R3 you can create a rule and set the conditions as below: 

    1. Click Add condition and select Content is shared from Microsoft 365 > choose with people outside my organization.
    2. Click Add group, then change the logic switch wrapper to NOT.
    3. Inside that NOT group, click Add condition and select Recipient domain is. Type in your approved domain names. 

    DLP give you the option to notify the vendors inside Outlook/OWA before they send an unapproved email using policy tips or send  notifications / alerts  when there's a policy violation.  

    • cder's avatar
      cder
      MCT

      This is how to configure both rules using Exchange Online Mail Flow Rules. 
      Log into the Exchange Admin Center and follow these configuration steps:
      Create the Mail Flow Rule: Navigate to Mail flow > Rules > Add a rule > Create a new rule

      Rule 2

      Rule 3