Forum Discussion
DanSec
Apr 05, 2023Copper Contributor
Blocking file uploads to all sites, unless safelisted
We're trying to verify if we can block file uploads through the browser to all sites, unless these sites are part of an approved list or the user has an exception. We currently have a similar solutio...
miller34mike
Microsoft
Jun 05, 2023Hi DanSec
Since you're wanting to set a "safe list" which will block uploads to anything not on this list, you'll likely want to leverage the service domains feature under Endpoint DLP settings in the Microsoft Purview portal.
You can set the service domains to be an "Allow" list to achieve this and will need an Endpoint DLP policy configure once you've set the list. The policy itself can have your specific user exclusions set (Endpoint DLP is still identity based).
While DLP is typically based on sensitive information, you can set the policy to block uploads based on file types and/or file extensions. As you mentioned, you can also scope it to block based on a specific sensitivity label applied to the file.
The737
Jun 06, 2023Brass Contributor
miller34mike, I tried creating a custom DLP policy under https://compliance.microsoft.com. Scoped it to devices and MCAS, yet I can't see any action that allows me to block the upload to the web page. What am I doing wrong?
- miller34mikeJun 06, 2023
Microsoft
Hi The737
This is due to selecting both Devices and MDCA. When you scope to multiple locations, you only get the options that are available in both locations.
To set and Endpoint policy to block service domain uploads you will need to set the policy to Devices only and then within the rule, you will see service domain uploads.
To see this option, select actions > Audit or restrict activities on devices and it will be the first checkbox that you can select.
MDCA from a DLP perspective would not help you in this scenario.
To set your allowed list of service domains, which means everything else gets blocked, go to compliance.microsoft.com > Data loss prevention > Endpoint DLP settings and find the drop-down for Browser and domain restrictions to sensitive data. Make sure the drop-down for block/allow is set to allow and then set your appropriate sites.
- parveensprefJan 18, 2024Copper ContributorI have create DLP policy with following condition but its seems not working with
- miller34mikeJan 18, 2024
Microsoft
sorry to hear you’re having issues with this DLP policy.
Have you completed the prerequisites for the device that you’re testing this policy with? There a few different onboarding steps that need to be completed. You can confirm these are done using the blog linked below.
If the prerequisites are met and you’re still having issues then we will do a couple of different tests to narrow down the issue.
https://cloudy-sec.com/2023/04/22/microsoft-purview-dlp-part-2-endpoint-dlp/
- The737Jun 06, 2023Brass ContributorThanks, that seems to have worked. Created the policy, giving it some time to see if it has the desired behaviour and I'll come back to update the thread.
- miller34mikeJun 07, 2023
Microsoft