Forum Discussion

JakeNy92
Copper Contributor
Oct 20, 2023

SP DLP Block only people outside your organization is blocking internal user access

Hi,

We recently implemented DLP policies to detect and block sensitive data types in SharePoint. The policies are accurately detecting the sensitive info types and alerting; however, they are then blocking access from our other internal users and restricting the OneNote to only the owner.

I have double checked the DLP policy and under Actions it is set to "Block only people outside your organization". But when sensitive info types are detected all internal users receive a notification "You no longer have permission to access this notebook. We'll sync again if permissions are restored."

Is there any reason the external only block would be applying to internal users as well?

 

Thanks so much!

  • LeonPavesic
    Silver Contributor

    Hi JakeNy92,

    There are some possible reasons why your DLP "Block only people outside your organization" policy is blocking internal user access:

    • The policy is misconfigured. Double-check the policy settings to make sure that the "Block only people outside your organization" action is selected.
    • The policy is applied to a location that is shared with external users. If the policy is applied to a SharePoint site or OneDrive folder that is shared with external users, then the block will apply to both internal and external users.
    • The policy is applied to a location that contains sensitive data that is also accessed by internal users. If the policy is applied to a location that contains sensitive data that is also accessed by internal users, then the block may apply to internal users if they do not have the appropriate permissions to access the data.


    You can try the following steps:

    • Verify that the policy is configured correctly.
    • Check to see if the policy is applied to any locations that are shared with external users. If so, you can either remove the policy from those locations or change the policy settings so that they do not apply to external users.
    • Check to see if the policy is applied to any locations that contain sensitive data that is also accessed by internal users. If so, you can either remove the policy from those locations or change the policy settings so that they do not apply to internal users with the appropriate permissions.
    • Make sure that the policy is applied to the correct locations. You can verify this by checking the policy settings.
    • Make sure that the policy is configured correctly. You can verify this by checking the policy settings and testing the policy with a sample set of data.
    • Make sure that the policy is not conflicting with other DLP policies. You can check for conflicts by reviewing the list of DLP policies that are applied to each location.
    • Make sure that the policy is not blocking access to data that is needed by internal users. You can verify this by checking the policy settings and testing the policy with a sample set of data.

    Data Loss Prevention policy reference: https://learn.microsoft.com/en-us/purview/dlp-policy-reference

    Troubleshoot SharePoint DLP policies: https://learn.microsoft.com/en-us/microsoft-365/troubleshoot/data-loss-prevention/data-loss-prevention-tips

    Please click Mark as Best Response & Like if my post helped you to solve your issue.
    This will help others to find the correct solution easily. It also closes the item.


    If the post was useful in other ways, please consider giving it Like.


    Kindest regards,


    Leon Pavesic
    (LinkedIn)

    • JakeNy92
      Copper Contributor

      LeonPavesic 

      Thank you so much for your response. You posted the below as possible reasons. This policy is indeed applied to a location that is shared with external users on a SharePoint site. Do you have a link to any documentation from Microsoft that talks about this specifically? I am unable to find anything that supports the statement that it will block both internal and external users. I'm sure you are correct because that is the behavior I am seeing - but wanted to know if MS has written anything about it. That would render the "block external only" option void in SP or OneDrive.

      • The policy is applied to a location that is shared with external users. If the policy is applied to a SharePoint site or OneDrive folder that is shared with external users, then the block will apply to both internal and external users.

      • LeonPavesic
        Silver Contributor

        Hi JakeNy92,

        According to the Microsoft documentation, "Block only people outside your organization" is a supported action for DLP policies in SharePoint and OneDrive.

        However, the documentation does not explicitly state (or even I can't find that) that the block will also apply to internal users if the policy is applied to a location that is shared with external users.

        I believe that this is because the DLP policy is applied to the site itself, regardless of who has access to the site. When a user tries to access a document that is blocked by the DLP policy, they will receive a message stating that they do not have permission to access the document.

        If you need to prevent internal users from being blocked by a DLP policy, you can either remove the policy from the shared location or change the policy settings so that they do not apply to internal users.



        Please click Mark as Best Response & Like if my post helped you to solve your issue.
        This will help others to find the correct solution easily. It also closes the item.


        If the post was useful in other ways, please consider giving it Like.


        Kindest regards,


        Leon Pavesic
        (LinkedIn)
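One way to carry out the "verify the policy is configured correctly" and "check for conflicting DLP policies" steps from the first reply, and the "change the policy settings" advice in the last one, from Security & Compliance PowerShell. This is an added example, not code from the thread or from Microsoft; the mapping of the portal labels to BlockAccessScope values is an assumption to confirm against the DLP policy reference linked above.

```powershell
# Added example, not code from the thread or from Microsoft.
# Lists every DLP rule that blocks access in SharePoint/OneDrive locations and
# reports how broad each block is, so a rule meant to block only external users,
# or a second rule on the same location, that is in fact blocking everyone
# stands out. Requires the ExchangeOnlineManagement module and Purview
# compliance permissions.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance PowerShell

# Assumption (confirm against the DLP policy reference linked in the thread):
# the portal option "Block only people outside your organization" corresponds
# to BlockAccessScope = PerUser, and "Block everyone" to All, which leaves only
# the owner and last modifier with access, the symptom described in the question.
$scopeLabels = @{
    'All'              = 'Block everyone (only owner and last modifier keep access)'
    'PerUser'          = 'Block only people outside your organization'
    'PerAnonymousUser' = 'Block only people given access through "Anyone with the link"'
}

$policies = Get-DlpCompliancePolicy |
    Where-Object { $_.SharePointLocation -or $_.OneDriveLocation }

$findings = foreach ($policy in $policies) {
    # Only rules with BlockAccess set can take access away from users.
    $rules = Get-DlpComplianceRule -Policy $policy.Name |
        Where-Object { $_.BlockAccess -eq $true }

    foreach ($rule in $rules) {
        $scope = [string]$rule.BlockAccessScope
        $meaning = if ($scopeLabels.ContainsKey($scope)) { $scopeLabels[$scope] }
                   else { "unrecognised scope '$scope'" }
        [pscustomobject]@{
            Policy              = $policy.Name
            PolicyMode          = $policy.Mode   # Enable vs. a test mode
            Rule                = $rule.Name
            BlockAccessScope    = $scope
            Meaning             = $meaning
            BlocksInternalUsers = ($scope -eq 'All')
            Locations           = (@($policy.SharePointLocation) + @($policy.OneDriveLocation)) -join ';'
        }
    }
}

# Two or more blocking rules covering the same site is the "conflicting
# policies" case from the thread; a user is affected by whichever rule blocks them.
$findings | Sort-Object Policy, Rule | Format-Table -AutoSize
```

A row with BlocksInternalUsers = True on a policy whose locations include the affected site is the first thing to look at; if every rule shows PerUser, compare the site's sharing settings with the "location shared with external users" point raised in the replies.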
