Forum Discussion
DLP policy to block access to external organization however allow access for some external domains
- Aug 23, 2023
Hi, FahadAhmed,
Thank you for posting your question here.
With Exchange-based DLP policies, you can configure an exception for your trusted domains into the conditions of your policy.
In the below image, I set the conditions to be an example of how you can configure this. Please note, to get the "NOT" option, you need to select "Add group" in the conditions builder.
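The same "block external, except trusted domains" condition can be built with Security & Compliance PowerShell instead of the conditions builder. The following is an added example, not code from the reply above or from Microsoft's documentation: it assumes the ExchangeOnlineManagement module is installed, that the account has DLP admin rights, and that the policy name, the partner domains and the sensitive information type are placeholders to be replaced with your own.

```powershell
# Added example (not from the thread): an Exchange-based DLP policy that blocks
# sensitive content sent outside the organization, with an exception for
# trusted external domains. Assumes the ExchangeOnlineManagement module and
# Compliance admin permissions. Names and domains below are placeholders.

Connect-IPPSSession

$policyName     = "Block sensitive data to external recipients"
$trustedDomains = @("partner-a.example", "partner-b.example")   # placeholders

# Policy scoped to Exchange only. TestWithNotifications lets you confirm the
# exception matches before switching the mode to Enable (enforcement).
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Block external sharing of sensitive data except to trusted partners" `
    -ExchangeLocation All `
    -Mode TestWithNotifications

# Rule: a sensitive info type is present AND the recipient is outside the org,
# EXCEPT IF the recipient's domain is one of the trusted domains. This mirrors
# the "NOT recipient domain is ..." group from the conditions builder.
New-DlpComplianceRule -Name "Block unless trusted partner domain" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @(@{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" }) `
    -AccessScope NotInOrganization `
    -ExceptIfRecipientDomainIs $trustedDomains `
    -BlockAccess $true `
    -NotifyUser @("LastModifier") `
    -GenerateIncidentReport @("SiteAdmin")

# Verify the exception actually landed on the rule before enabling enforcement.
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, AccessScope, ExceptIfRecipientDomainIs, BlockAccess

# Once test mode shows the expected matches and exceptions, enforce:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Keeping the policy in test mode first matters here: an exception domain that is misspelled silently turns "trusted partner" mail into blocked mail, and the activity explorer entries from test mode are the cheapest way to catch that before users are affected.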
Thank you for posting your question here!
To do this, you'll need to leverage the Endpoint DLP Settings page.
Once there, select the dropdown for "Browser and Domain restrictions to sensitive data".
Under "Service domains", make sure the dropdown is set to "Allow".
You'll then need to add the specific domains you want to allow file uploads to, such as your company's SharePoint Online domain, which may look like "contoso.sharepoint.com", or your OneDrive sites like "contoso-my.sharepoint.com".
However, even though you CAN do this, I strongly encourage you to have the "Why?" conversation with your organization first. Include stakeholders around the company in this discussion so you can be sure that you understand your standard business practices first. While this can help reduce data exfiltration, you can also impede business with these controls.
Hello Mike!
Understood, thank you so much for the response. I thought that might be the place, but was not sure. This issue we are encountering is preventing us from moving forward with our migration to E5. We are experiencing some odd behavior in that Exchange email is working as intended and alerting us; however, the Devices portion under that same policy is only logging under activity explorer tagged as "audit" for the enforcement mode, using the same test PHI/PII documents. Both our Exchange email and Devices reside under the same policy, with the same users in scope for each.
We are currently testing Firefox with the Purview extension installed. The only way I am able to get browser-based DLP to trigger an alert, and not just audit under activity explorer, is by putting the domain we are testing as "blocked" under the Service domains section that you had provided guidance on.
This would lead me to believe it is a policy action issue, but I am unsure what we are missing, if anything. See our policy actions below:
- Derek_Osborne, Sep 27, 2023, Copper Contributor
miller34mike We may have found the issue: our last seen time is current, but the policy hasn't synced since 9/15. Have you seen this before? Please advise if possible.