Forum Discussion
Melvin_Maldonado03
Jan 12, 2026
Brass Contributor
Service Domain restrictions
I’m currently implementing an Endpoint DLP policy to enforce service domain restrictions. The goal is to prevent users from uploading documents to non-corporate domains and only allow uploads to a sp...
Ajeeth_Muthu
Jan 31, 2026
Brass Contributor
Hi Melvin,
What you’re seeing is mostly expected behavior with Endpoint DLP and service domain restrictions in Microsoft Edge.
- Yes, Microsoft 365 dynamic groups are supported for Endpoint DLP policy scoping. Keep in mind that membership evaluation is not real-time, so policy application can lag behind group changes.
  https://learn.microsoft.com/en-us/purview/endpoint-dlp-learn-about#policy-scope
- You cannot truly target all file types. Endpoint DLP only evaluates supported file types. Leaving the file type list empty does not mean “everything”; unsupported file formats are ignored by design. The recommended approach is to include all supported types relevant to your risk profile and accept that full coverage is not possible.
  https://learn.microsoft.com/en-us/purview/endpoint-dlp-learn-about#supported-file-types
- This behavior is expected. Endpoint DLP blocks file transfer operations (upload, drag-and-drop) because those are treated as file events. Clipboard paste into a web application is treated as user input, not a file transfer, so it is not blocked by service domain restrictions. Even in Edge, paste actions into SaaS apps are not equivalent to file uploads from a DLP enforcement perspective.
  https://learn.microsoft.com/en-us/purview/endpoint-dlp-learn-about#what-endpoint-dlp-can-and-cannot-do
- Yes, this is expected. Endpoint DLP evaluates files when they are created, saved, or modified. Files that already existed before the policy was applied may not be fully enforced until they are touched again.
  https://learn.microsoft.com/en-us/purview/endpoint-dlp-learn-about#how-endpoint-dlp-works
Hope this answers your questions! 🙂