Charles1575
Copper Contributor
Sep 11, 2023
Solved

Files Policy - Filter if the file is shared to a user that is a member of a specific group?

I am trying to create a files policy and I want to filter on if the external user is part of an AAD group or not. Depending on if the user is a member or not, I would want to take action on the file.

I can't seem to do this... I can filter for if the file is shared to a specific group but not members of a group.

Am I missing something?

3 Replies

  • techtalk_nu
    Copper Contributor

    Hi Charles1575,

    I agree with Keith. But if you need to determine whether an external user is a "member of or not", consider the following approach:

     

    File Policy: Create a file policy. Within this policy, whitelist specific domains. Based on the domains and the applied sensitivity labels, you can then remove external users. This ensures that only users from trusted domains have access to files with specific sensitivity labels.

     

    Session Policy: Next, create a session policy using the type "Control file download (with inspection)". This policy allows you to set filters based on specific sensitivity labels. Under "Actions", you have the option to either "Block" or "Protect". If the goal is to prevent the download of sensitive files, opt for "Block".
    With these steps, you can ensure that your sensitive files are only accessible to specific users, and any unauthorized attempts to download these files are blocked.

     

    Mathias

  • Hi Charles1575, this currently isn't possible with MDA file policies today. If you are looking at a policy for a Microsoft application, please also check with Purview because you can specify members here.

    • Charles1575
      Copper Contributor
      My use case is that I want to remove external users from a shared file if:
      1) The file has specific sensitivity labels
      2) Is not a member of a specific group
      That would be for SharePoint Online or OneDrive files. Is it possible to do that in Purview?
