Forum Discussion

Melvin_Maldonado03
Brass Contributor
Jan 12, 2026

Service Domain restrictions

I’m currently implementing an Endpoint DLP policy to enforce service domain restrictions. The goal is to prevent users from uploading documents to non-corporate domains and only allow uploads to a specific allow-list (authorized domains); we only use Microsoft Edge.

I have the basic configuration working, but I have a few questions about behaviors I’m seeing:

  1. Dynamic Groups: Is it supported to use Microsoft 365 Dynamic Groups for the policy scope/assignment?
  2. File Types: How can I make the policy target all file types? Currently, I'm managing this via a defined list of extensions, but I'd like to cover everything.
  3. Copy/Paste vs. Upload (The main issue): When I drag and drop or use the "Upload" button from File Explorer to a blocked domain, the action is blocked as expected. However, if I copy and paste the file (or content) directly into the website, it bypasses the block and uploads successfully. Why does this happen?
  4. Policy Activation: It seems documents only pick up the policy restrictions after they are modified. Is this the expected behavior?

Any recommendations or insights on what I might be missing would be appreciated. Thanks!

2 Replies

  • Ajeeth_Muthu
    Brass Contributor

    Hi Melvin,

    What you’re seeing is mostly expected behavior with Endpoint DLP and service domain restrictions in Microsoft Edge.

    1. Yes, Microsoft 365 dynamic groups are supported for Endpoint DLP policy scoping. Keep in mind that membership evaluation is not real-time, so policy application can lag behind group changes.
      https://learn.microsoft.com/en-us/purview/endpoint-dlp-learn-about#policy-scope
    2. You cannot truly target all file types. Endpoint DLP only evaluates supported file types. Leaving the file type list empty does not mean “everything”; unsupported file formats are ignored by design. The recommended approach is to include all supported types relevant to your risk profile and accept that full coverage is not possible.
      https://learn.microsoft.com/en-us/purview/endpoint-dlp-learn-about#supported-file-types
    3. This behavior is expected. Endpoint DLP blocks file transfer operations (upload, drag-and-drop) because those are treated as file events. Clipboard paste into a web application is treated as user input, not a file transfer, so it is not blocked by service domain restrictions. Even in Edge, paste actions into SaaS apps are not equivalent to file uploads from a DLP enforcement perspective.
      https://learn.microsoft.com/en-us/purview/endpoint-dlp-learn-about#what-endpoint-dlp-can-and-cannot-do
    4. Yes, this is expected. Endpoint DLP evaluates files when they are created, saved, or modified. Files that already existed before the policy was applied may not be fully enforced until they are touched again.
      https://learn.microsoft.com/en-us/purview/endpoint-dlp-learn-about#how-endpoint-dlp-works

    Hope this answers your questions! 🙂
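The following is an added example, not code from this thread or from Microsoft. It is a minimal test page you can host on a domain you control to see which browser channel a file actually reaches the web app through: the Upload button (`event.target.files`), drag-and-drop (`event.dataTransfer.files`), or a clipboard paste (`event.clipboardData.files` or `getData()`). Logging the channel alongside what Purview's Activity explorer records for the same action makes it easy to confirm which paths the service-domain block covers. The sample payloads in the comments and tests are constructed, and the `fileBacked` flag only encodes the distinction described in the reply above (picker/Explorer-originated vs. clipboard), not a guarantee about enforcement.

```javascript
// Added example for the copy/paste vs. upload question; not code from the
// thread or from Microsoft. Reports which browser channel delivered content:
//   "upload" -> <input type="file"> (the Upload button) : event.target.files
//   "drop"   -> drag-and-drop from Explorer            : event.dataTransfer.files
//   "paste"  -> Ctrl+V                                  : event.clipboardData.files / getData()
// Assumption: hosted on a test domain you control; sample inputs are constructed.

// Channels whose payload originates from a file picker or an Explorer drop.
const FILE_BACKED = new Set(['upload', 'drop']);

// `payload` mimics a DataTransfer (drop/paste) or the <input> element (change).
// Returns a plain record that can be logged or posted to a collector.
function describeTransfer(channel, payload) {
  const files = Array.from((payload && payload.files) || []).map(f => ({
    name: f.name,
    size: f.size,
    type: f.type || 'application/octet-stream',
  }));
  let text = null;
  if (channel === 'paste' && payload && typeof payload.getData === 'function') {
    // Pasted document content usually arrives as HTML and/or plain text,
    // often with no File object at all.
    text = payload.getData('text/html') || payload.getData('text/plain') || null;
  }
  return {
    channel,
    fileBacked: FILE_BACKED.has(channel),
    files,
    textLength: text ? text.length : 0,
  };
}

// Roll up a batch of records so a tester can see per channel how many events,
// File objects and pasted characters were delivered.
function summarize(records) {
  const out = {};
  for (const r of records) {
    if (!out[r.channel]) out[r.channel] = { events: 0, files: 0, textChars: 0 };
    const s = out[r.channel];
    s.events += 1;
    s.files += r.files.length;
    s.textChars += r.textLength;
  }
  return out;
}

// Browser wiring; skipped when the file is loaded under Node.
if (typeof document !== 'undefined') {
  const log = r => console.log(JSON.stringify(r));
  document.addEventListener('dragover', e => e.preventDefault());
  document.addEventListener('drop', e => {
    e.preventDefault();
    log(describeTransfer('drop', e.dataTransfer));
  });
  document.addEventListener('paste', e => log(describeTransfer('paste', e.clipboardData)));
  const input = document.querySelector('input[type=file]');
  if (input) input.addEventListener('change', e => log(describeTransfer('upload', e.target)));
}
```

Drop the script into a page that contains an `<input type="file">`, open the page from a test machine in scope of the policy, and try all three actions with the same document. A record whose `channel` is `paste` and whose `files` array is non-empty shows the browser handing the bytes over from the clipboard rather than through a file transfer event, which is the case the reply above says the service-domain restriction does not intercept.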


  • Ajeeth_Muthu
    Brass Contributor
    1. Yes, Microsoft 365 dynamic groups are supported for Endpoint DLP scoping. Just be aware that membership changes are not real-time, so policy application can lag.
    2. You can’t truly target “all file types.” Endpoint DLP works on supported file types only.
    3. This is expected behavior. Endpoint DLP blocks file transfer operations (upload, drag-and-drop) but does not block clipboard-based paste into web apps. Once content is pasted, it’s treated as user input, not a file transfer. This is a known limitation.
    4. Yes, expected. Endpoint DLP evaluates files when they are created, saved, or modified. Existing files may not be fully enforced until they are touched.
