Forum Discussion
Blocking file uploads to all sites, unless safelisted
Hi DanSec
Since you're wanting to set a "safe list" which will block uploads to anything not on this list, you'll likely want to leverage the service domains feature under Endpoint DLP settings in the Microsoft Purview portal.
You can set the service domains to be an "Allow" list to achieve this, and you will need an Endpoint DLP policy configured once you've set the list. The policy itself can have your specific user exclusions set (Endpoint DLP is still identity-based).
While DLP is typically based on sensitive information, you can set the policy to block uploads based on file types and/or file extensions. As you mentioned, you can also scope it to block based on a specific sensitivity label applied to the file.
Unfortunately, although DLP blocks "uploads", I haven't been able to figure out a way to block pastes of attachments. So even though upload to Gmail is blocked, if a user opens an email and pastes in a secured file, it will still paste it (even though paste restrictions are also enabled).