Forum Discussion
Block upload of documents to other office 365 tenant
Do you mean sharing documents with other tenants? because upload means they already have access to those tenants as guests maybe and the other tenants should take the action from their sides not yours.
If you're talking about sharing files with another domains/tenant, as i know you can get prevent that using a File Policy in MCAS
Also you can use entire organization instead of Any Any from domain.
Cheers,
My feeling is, the easiest solution would in fact be to encrypt data and have less focus on where the data is going.
You could also use a simple conditional access policy to block auth from unmanaged devices or only allow with from trusted locations. This means even a user in the source tenant can’t take the data away from a managed device and access it - their auth would be blocked by the conditional access policy.
Ultimately, there are a number of ways of preventing data being accessed outside the source tenant. I don’t believe blocking upload to “any M365 tenant” is a realistic option.
Encryption covers many vectors. Upload to any M365 tenant doesn’t even cover all vectors and would be hard / impossible to manage.
- To be clear. You’d have to list every M365 registered domain in the file policy. That would be millions of domains. I don’t think the policy supports that many domains, and I don’t know how you could possibly ascertain a list of all domains that are M365 registered even if it does support that many domains.
for what a list of millions of domains needed to? Instead of contain we can use do not contain.
MZyarah I think we are both wrong. That file policy doesn't even apply to uploads, it's a sharing policy.
And I may be wrong, but I believe a collaborator is defined as a user that has been given explicit access to the data. If the user is not a collaborator, the filter would not apply.
For the policy to work, every file shared would have to be explicitly shared to specific users. If a file is shared without specifying the users it's intended to be shared with, the policy would not apply.
Crucially, that policy does not appear to have any baring on upload of data, because uploading a file is not defined as sharing a file. The file policy in question is specifically a sharing policy - that means it has to be shared - upload does not trigger a sharing policy.
