Forum Discussion
Yoav Crombie
Mar 11, 2020 | Iron Contributor
DLP inspection for content shared with external users in Teams
Is there a way to apply the MS DLP to inspect content shared with external users (not guest)? Inspecting content that is shared externally is a very common requirement when implementing DLP ...
- Mar 11, 2020
Hmmm, afaik it does: see here: https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-policies?view=o365-worldwide and the section "restrict access to content". AFAIK, the other user it has been shared with cannot access it.
In terms of downloading, well, you would probably look to use app protection policies using Intune in order to block downloads on non-managed devices:
https://docs.microsoft.com/en-gb/mem/intune/protect/data-leak-prevention
Or you could look to apply sensitivity labels, for example on Teams, to require the device to be managed:
https://microsoft365pro.co.uk/2019/12/10/teams-real-simple-with-pictures-using-sensitivity-labels-to-regulate-the-privacy-and-guest-access-of-a-team/
If you were taking a zero trust policy, no device accessing the corporate access or applications would be non-managed.
Best, Chris
Mitchell Bakker
Mar 11, 2020 | Steel Contributor
Nice post ChrisHoardMVP 👍🏼
Does this also work only on non-managed devices? This is to prevent any file downloading on non-managed devices. Tried to set it up, and disabling the "Files" section is working, but for files still in the chat it doesn't apply. You can still open/download these. Any idea?
- Reuvain | Jan 17, 2021 | Copper Contributor
ChrisHoardMVP thanks for your article.
Do you know if the MS DLP covers messages/files sent in a meeting that is hosted by the external?