Forum Discussion
Sensitivity label based DLP policy for Microsoft Teams
I want to create a DLP policy so that when a document has a sensitivity label, let's say "Restricted", it is blocked on Microsoft Teams, OneDrive and SharePoint.
When I created a policy in Microsoft Purview DLP and selected Teams for the policy scope, the Sensitivity label option does not appear in the conditions. It appears only as sensitive info types.
How can I create a policy for Microsoft Teams to block document sharing based on sensitivity labels?
- miller34mike (Microsoft)
Thank you for posting your question here.
Are you wanting to prevent the file labeled "Restricted" from being saved in these repositories completely, or from being shared from within them?
Either way, you cannot select labels for Teams DLP because Teams DLP applies to the content or sender/recipient of the message itself, not files. The reason for this is because on the back-end, files are not actually stored in Teams. Any file shared through a Teams individual or group chat is stored in a OneDrive folder for the user that shared the file. All Teams use SharePoint as the back-end file storage.
So, with that said, the way to achieve your goal is by creating a DLP policy for OneDrive and SharePoint, not Teams. This policy will then cover any files "within" Teams.
I think the below articles will really help you better understand each location for DLP, and if you're interested in stopping files from being stored in these locations altogether, the third link will walk you through this configuration!
Microsoft Purview DLP – Part 3 – Microsoft Teams – Cloudy Security (cloudy-sec.com)
Microsoft Purview Data Loss Prevention – Part 1 – Cloudy Security (cloudy-sec.com)
MDCA & Endpoint DLP: Session Control in Harmony – Cloudy Security (cloudy-sec.com)
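
The approach from the reply above (a label-based DLP policy scoped to SharePoint and OneDrive rather than Teams), sketched in Security & Compliance PowerShell as an added example that is not part of the original thread. The policy and rule names are placeholders, and the shape of the label condition hashtable is an assumption to check against the current `New-DlpComplianceRule` documentation for your tenant.

```powershell
# Added example, not from the thread. Names marked "(example)" are placeholders;
# "Restricted" is the label display name used in the question.
# Requires the ExchangeOnlineManagement module and a role that can manage DLP policies.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# Resolve the label's GUID from its display name and fail loudly on ambiguity.
$label = @(Get-Label | Where-Object { $_.DisplayName -eq 'Restricted' })
if ($label.Count -eq 0) { throw "Sensitivity label 'Restricted' not found." }
if ($label.Count -gt 1) { throw "More than one label is named 'Restricted'; select one by GUID." }

# Scope the policy to SharePoint and OneDrive only. Per the reply, files shared
# in Teams chats and channels are stored there, so no Teams location is needed.
# Start in test mode so matches can be reviewed before anything is blocked.
$policyName = 'Block Restricted label on SPO and ODB (example)'
New-DlpCompliancePolicy -Name $policyName `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithoutNotifications

# Condition: the file carries the sensitivity label.
# Assumption: labels are passed as a group inside ContentContainsSensitiveInformation.
$labelCondition = @{
    operator = 'And'
    groups   = @(
        @{
            operator = 'Or'
            name     = 'Default'
            labels   = @(
                @{ name = $label[0].Guid.ToString(); type = 'Sensitivity' }
            )
        }
    )
}

# Action: block access to matching files.
New-DlpComplianceRule -Name 'Block Restricted files (example)' `
    -Policy $policyName `
    -ContentContainsSensitiveInformation $labelCondition `
    -BlockAccess $true `
    -BlockAccessScope All

# Once the test-mode matches look right, switch the policy to enforcement:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```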