Forum Discussion
Best approach for contractor block policy
Hello there I need some assistance with your best approach for vendor block policy. I am thinking to create one policy with three rules
- Block all vendors with the block AD group
- Vendors to allow emails to approved domains only
- vendors to send email to external to organisation with ability to send to approve domains
Do you think this is a good approach by breaking down into three different rules ? Also I am bit confused with the conditions on the rule 2 and rule 3.
what would you your approach with complete breakdown ?
3 Replies
- Rk10Copper Contributor
cder thanks for your response I should be more specific in my original question
Business Requirement
I want a contractor external sharing control policy in Purview with three sharing rules in policy or can be one rule
Contractor Type
Behaviour
ExternalOnly
Can share externally to any domain
WhitelistOnly
Can share only to approved domains (e.g. gmail.com, yahoo.com)
BlockAll
Cannot share externally at all
- BlockAll = Base AD group for all contractors by default
- WhitelistOnly = Exception AD group
- ExternalOnly = Exception AD group
So any contractor or vendor joins will be added to BlockAll group. And then if that vendor wants to send to approved domains he will be added to whitelisted domains AD group and if the vendor wants to send outside that whitelisted domains he will be added to ExternalyOnly group.
please note we need to have that Block rule for all contractors. So I want able to remove block rule at all even they want to send to whitelisted domain they will end up with block default rule + whitelisted rule
similar if they want to send external, the AD still have Block rule + external only
My understanding of your rules:
Rule 2 : allow vendors to receive emails from approved domain only.
Rule 3 : allow vendors to send emails to approved domain only.
If my understanding is correct, I don't think you can achieve R2 with DLP.
I'd recommend using Exchange Mail Flow Rules (Transport Rules) to block both incoming and outgoing messages.
If you do want to use Purview DLP, for R3 you can create a rule and set the conditions as below:- Click Add condition and select Content is shared from Microsoft 365 > choose with people outside my organization.
- Click Add group, then change the logic switch wrapper to NOT.
- Inside that NOT group, click Add condition and select Recipient domain is. Type in your approved domain names.
DLP give you the option to notify the vendors inside Outlook/OWA before they send an unapproved email using policy tips or send notifications / alerts when there's a policy violation.
This is how to configure both rules using Exchange Online Mail Flow Rules.
Log into the Exchange Admin Center and follow these configuration steps:
Create the Mail Flow Rule: Navigate to Mail flow > Rules > Add a rule > Create a new rule
Rule 2Rule 3