Forum Discussion

Copper Contributor

Apr 05, 2023

Blocking file uploads to all sites, unless safelisted

We're trying to verify if we can block file uploads through the browser to all sites, unless these sites are part of an approved list or the user has an exception. We currently have a similar solutio...

miller34mike

Steel Contributor

Jun 06, 2023

Hi The737

This is due to selecting both Devices and MDCA. When you scope to multiple locations, you only get the options that are available in both locations.

To set and Endpoint policy to block service domain uploads you will need to set the policy to Devices only and then within the rule, you will see service domain uploads.

To see this option, select actions > Audit or restrict activities on devices and it will be the first checkbox that you can select.

MDCA from a DLP perspective would not help you in this scenario.

To set your allowed list of service domains, which means everything else gets blocked, go to compliance.microsoft.com > Data loss prevention > Endpoint DLP settings and find the drop-down for Browser and domain restrictions to sensitive data. Make sure the drop-down for block/allow is set to allow and then set your appropriate sites.

The737

Copper Contributor

Jun 06, 2023

Thanks, that seems to have worked. Created the policy, giving it some time to see if it has the desired behaviour and I'll come back to update the thread.

miller34mike
Steel Contributor
Jun 07, 2023
Hi The737

Great! I look forward to hearing the results of the policy testing!
- The737
  Copper Contributor
  Jun 07, 2023
  miller34mike, it's a no-go unfortunately.
  - miller34mike
    Steel Contributor
    Jun 07, 2023
    The737
    
    Just to confirm, are you performing your testing on a Microsoft Purview Onboarded device and using an Azure AD Identity with an E5 license to log in to the machine?