Forum Discussion
Purview policy: allow a few internal users and a few external users only
I have a requirement to implement a policy in Microsoft Purview DLP.
Allow only a few internal users to send documents via email, Teams, SharePoint etc. based on a sensitive info type matching policy, and block all other internal users. Also I want to allow a few external users (who do not belong to the organization) to receive those documents.
How can I make that policy?
- miller34mike (Microsoft)
Thank you for posting your question here. I understand you're looking to leverage DLP to ensure most users cannot share files/emails containing certain sensitive data externally, and that you need to ensure a select group of users can share the sensitive files/emails with a select group of external users.
You can achieve this with Exchange (which will also cover any attachment) and Teams (chat and channel messages only) DLP policies, but you will need to consider other options when it comes to SharePoint and OneDrive files, which also applies to any files stored in Teams. I'll explain these options in more detail down below.
I'll try to explain in the best detail I can down below, but feel free to check out my blogs on labels and DLP for more details, if you'd like.
Blogs – Cloudy Security (cloudy-sec.com)
First, let's take a look at your DLP options. Before you create your first policy, it's worth noting that while you need to scope DLP to Exchange and Teams, I recommend doing a separate policy for each location. If you scope a DLP policy to multiple locations, you will only be given the conditions and actions that are available in every selected location, limiting your capabilities. You should also note that user and group inclusions/exclusions happen at the policy level for DLP. While you can create multiple rules in a policy, you cannot have one rule scoped to one group of users and another rule scoped to another group of users.
With that said, to achieve your goal, I recommend two policies per location. I'll give an example of the two policies down below, which you will create for each location.
Your first policy will be the general policy applied to most users that blocks external sharing, and it should exclude the group of users that does need permission to share externally with select users.
- Exchange Policy 1
  - Template or custom policy > Custom policy
  - Name > set as desired
  - Locations > Select Exchange only, set the exclusion to be the group of users that SHOULD be allowed to share externally
  - Configure a custom rule:
    - Conditions:
      - Content is shared from Microsoft 365 > with people outside my organization
      - AND
      - Content contains > Select sensitive info types as desired
    - Actions:
      - Restrict access or encrypt the content in Microsoft 365 locations > Block only people outside your organization
    - Set any other setting in the rule as desired, such as policy tips or override options
  - Enable the policy or set it to test mode
- Exchange Policy 2
  - Template or custom policy > Custom policy
  - Name > set as desired
  - Locations > Select Exchange only, set the INCLUSION to be the group of users that SHOULD be allowed to share externally
  - Configure a custom rule:
    - Conditions:
      - Content is shared from Microsoft 365 > with people outside my organization
      - AND
      - Content contains > Select sensitive info types as desired
      - Now select the "Add group" option and you will be able to build in a "NOT" statement to provide the exclusion for the specific recipients
        - Select the "recipient domain is" or the "recipient is" option
        - Use the domain if you have a specific company you need to exclude from the block, which will be less administrative overhead
    - Actions:
      - Restrict access or encrypt the content in Microsoft 365 locations > Block only people outside your organization
    - Set any other setting in the rule as desired, such as policy tips or override options
  - Enable the policy or set it to test mode
Now, regarding SharePoint and OneDrive. Neither of these has the option to specify specific domains/users as a condition, which means your specific scenario cannot be achieved by DLP alone when it comes to SharePoint and OneDrive, but you're not optionless either.
One option to consider, if the specific external users are part of a trusted company, is B2B configuration. This would allow you to configure access for the B2B users from the external company on an extranet site in SharePoint, which could be created specifically for the sensitive data that needs to be shared.
If B2B cannot be configured, you could also look at leveraging a sensitivity label that has been set to include specific email addresses or domains, as well as all users and groups in your organization. You can also give the "specific email addresses or domains" a lower level of access on the files than you do the "all users and groups in your organization".
If you create the label, you can then leverage it as a condition in a SharePoint and OneDrive DLP policy. In that scenario, you would configure the policies similar to the ones up above, except the "NOT" option in the second policy would be "Content contains > Sensitivity label > label you configured". Now, this policy wouldn't stop the users from sharing with someone other than your trusted list of external users, but the label on the file would prevent it from being opened by anyone that was not explicitly given access when you configured the encryption settings on the label.
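The two Exchange policies from the answer above, expressed in Security & Compliance PowerShell so they can be reviewed and version-controlled; this is an added example, not code from the original post. It assumes placeholder values (the sender group `dlp-external-senders@contoso.com`, the partner domain `partner.example`, the built-in "Credit Card Number" sensitive info type) and that `-BlockAccessScope PerUser` is the cmdlet equivalent of the portal's "Block only people outside your organization".

```powershell
# Added example (not from the original post). Placeholders: the sender group,
# partner domain and sensitive info type below are assumptions; replace them.
Connect-IPPSSession

$senders = "dlp-external-senders@contoso.com"   # group allowed to share externally
$partner = "partner.example"                    # trusted external recipient domain
$sit     = @{ Name = "Credit Card Number"; minCount = "1" }

# Policy 1: applies to everyone EXCEPT the allowed group (policy-level exclusion).
# The rule blocks any external recipient when the content matches the SIT.
New-DlpCompliancePolicy -Name "EXO-Block-External-Sensitive" `
    -ExchangeLocation All `
    -ExchangeSenderMemberOfException $senders `
    -Mode TestWithNotifications            # change to Enable after reviewing matches

New-DlpComplianceRule -Name "Block external recipients (general)" `
    -Policy "EXO-Block-External-Sensitive" `
    -AccessScope NotInOrganization `
    -ContentContainsSensitiveInformation $sit `
    -BlockAccess $true -BlockAccessScope PerUser `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This content cannot be sent outside the organization."

# Policy 2: applies ONLY to the allowed group (policy-level inclusion).
# Same block, but the trusted partner domain is carved out with an exception,
# which is what the "NOT" group in the portal rule builder produces.
New-DlpCompliancePolicy -Name "EXO-Allow-Partner-Sensitive" `
    -ExchangeLocation All `
    -ExchangeSenderMemberOf $senders `
    -Mode TestWithNotifications

New-DlpComplianceRule -Name "Block external recipients except partner" `
    -Policy "EXO-Allow-Partner-Sensitive" `
    -AccessScope NotInOrganization `
    -ContentContainsSensitiveInformation $sit `
    -ExceptIfRecipientDomainIs $partner `
    -BlockAccess $true -BlockAccessScope PerUser `
    -NotifyUser Owner

# Review the resulting rules before switching either policy to -Mode Enable.
Get-DlpComplianceRule -Policy "EXO-Allow-Partner-Sensitive" |
    Format-List Name, AccessScope, ExceptIfRecipientDomainIs, BlockAccess, BlockAccessScope
```

Leaving both policies in test mode first lets you confirm from the DLP activity reports that only members of the sender group reach the partner domain before the blocks take effect.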