Forum Discussion

securityxpert1122's avatar
securityxpert1122
Copper Contributor
Sep 11, 2023

Sensitivity label based DLP policy for Microsoft Teams

I want to create DLP a policy  when a document is sensitivity labeled lets say "Restricted" it should be blocked on Microsoft Teams, Onedrive and Sharepoint.    When I created policy in Microsoft P...
microsoft purview
miller34mike's avatar
miller34mike
Iron Contributor
Sep 12, 2023

securityxpert1122 

 

Thank you for posting your question here.

 

Are you wanting to prevent the file labeled "Restricted" from being saved in these repositories completely, or from being shared from within them?

 

Either way, you cannot select labels for Teams DLP because Teams DLP applies to the content or sender/recipient of the message itself, not files. The reason for this is because on the back-end, files are not actually stored in Teams. Any file shared through a Teams individual or group chat is stored in a OneDrive folder for the user that shared the file. All Teams use SharePoint as the back-end file storage.

 

So, with that said, the way to achieve your goal is by creating a DLP for OneDrive and SharePoint, not Teams. This policy will then cover any files "within" Teams.

 

I think the below articles will really help better understand each location for DLP and if you're interested in stopping files from being stored in these locations altogether, the third link will walk you through this configuration!

 

Microsoft Purview DLP – Part 3 – Microsoft Teams – Cloudy Security (cloudy-sec.com)

 

Microsoft Purview Data Loss Prevention – Part 1 – Cloudy Security (cloudy-sec.com)

 

MDCA & Endpoint DLP: Session Control in Harmony – Cloudy Security (cloudy-sec.com)

Resources