Forum Discussion

WillNunez's avatar
WillNunez
Copper Contributor
Nov 05, 2022
Solved

Microsoft Teams tenant specific DLP

We are a defence company and have protective labels on our documents. We have endpoint DLP to ensure that protectively marked documents are not uploaded to services that they shouldnt be.   We are...
CASB
dlp
microsoft teams
VasilMichev's avatar
VasilMichev
MVP
Nov 05, 2022
Wouldn't protecting said documents via a sensitivity label/RMS encryption be a better solution? You can define domain-based protection if needed, and you can integrate it with the DLP controls too.
WillNunez's avatar
WillNunez
Copper Contributor
Nov 06, 2022
We use labels and resources is on the roadmap. However some labels have a classification which means they cannot be stored in cloud that hasn't been accredited

Endpoint dlp can prevent application and url level uploading. But with teams for example you can't differentiate between tenancies by url. I want to be able to block uploads of classified files at a tenancy level. I've been told casb by other vendors can do this. I'm trying to work out how it can be done with microsoft
  • ChristianJBergstrom's avatar
    ChristianJBergstrom
    MVP
    Nov 06, 2022
    You can use CA with a Conditional Access App Control session policy, connected to Microsoft Defender for Cloud Apps, with the session control type "Control file upload" and action "Block". There are many configuration options in there, such as scoping on sensitivity labels etc., and target "All company" for example.

    Not sure you've seen the new setting in Endpoint DLP for devices where you can select a block of upload if a document isn't already labeled. Meaning no file can be uploaded until it's been labeled. Something to consider as well.
    • WillNunez's avatar
      WillNunez
      Copper Contributor
      Nov 07, 2022
      Thanks for the replies Christian. But a key requirement is differentiating tenancies.

      Eg allow a file to be uploaded to Teams tenant for an organisation but blocked for all other tenants
      • ChristianJBergstrom's avatar
        ChristianJBergstrom
        MVP
        Nov 07, 2022

        Should be possible to scope that in a Defender for Cloud Apps session policy but can take a look at it later on.

         

        WillNunez So I've read the initial post again and understand the use case as you want to prevent uploading of files in third-party tenants. Can't say I have a good solution for this as those users already are members of that organization and adhere to their policies. I would probably use sensitivity labels as mentioned in the first reply or use tenant-restrictions, but for the latter you would break the collaboration and encryption part completely and the users will not be able to open the files. You certainly can prevent external sharing of files with DLP and use Defender for Cloud Apps with several settings controlling your own environment. But I just can't see what can be done here besides what has already been suggested.

         

        Try with the official support and let us know if they have a solution. Thanks.

Resources