Forum Discussion

Copper Contributor

Nov 05, 2022

Solved

Microsoft Teams tenant specific DLP

We are a defence company and have protective labels on our documents. We have endpoint DLP to ensure that protectively marked documents are not uploaded to services that they shouldnt be. We are...

CASB

dlp

microsoft teams

ChristianJBergstrom
Nov 11, 2022
Can’t see any way of preventing that ”gap” other than configuring permissions in the label/labels.

*edit WillNunez just realized this should be possible by instead using Endpoint DLP policy.

https://learn.microsoft.com/en-us/microsoft-365/compliance/endpoint-dlp-using?view=o365-worldwide#scenario-5-restrict-unintentional-sharing-to-unallowed-cloud-apps-and-services

WillNunez

Copper Contributor

Nov 11, 2022

ChristianJBergstrom

Lets think of a label "ForMyTenancyOnly"

Endpoint DLP can allow uploads to URLs with sharepoint.my-tenancy and my-sharepoint.my tenancy and block all others.

However how to a block/allow when using Teams (tenancy not in URL)? Or when using officeapps saving to Onedrive/sharepoint?

I was hoping CASB is the answer.

Office365 is API linked to Microsoft defender so I know i can write rules that would detect uploads to my tenancy.

The gap is how do i block that label from being uploaded to other domains/tenancy?

If I proxy all traffic through CASB (ie change proxy pacs so that all onedrive/sharepoint/teams) goes through CASB can defender policies differentiate between my domain/tenancy and any other

ChristianJBergstrom

MVP

Nov 11, 2022

Can’t see any way of preventing that ”gap” other than configuring permissions in the label/labels.

*edit WillNunez just realized this should be possible by instead using Endpoint DLP policy.

https://learn.microsoft.com/en-us/microsoft-365/compliance/endpoint-dlp-using?view=o365-worldwide#scenario-5-restrict-unintentional-sharing-to-unallowed-cloud-apps-and-services