Forum Discussion
Whitelisting domain in DLP policy
- Sep 21, 2018
The article shows you how to configure conditions/exceptions, it doesn't list them all...
VasilMichev I'm curious to see if anyone has answered this successfully yet. Currently, you can't add a domain exception ("recipient domain is...") for SharePoint or OneDrive. It only works for Exchange. We have a very similar business case where we need our parent company to be excluded from certain DLP policies that protect us from sharing "internal only" content with external users.
Adrienne Almeida, I am also interested if there is a solution/workaround for the domain exception across different products and not only Exchange.
- Adrienne Almeida, Jul 22, 2019, Copper Contributor
Expiscornovus We haven't found one yet, other than allowing users to override policies. I spoke with MS support, and this is by design.
Right now, we're planning to give users the option to override the policy to share with our parent company, and apply some custom auditing (through scripting) to make sure folks are following the rules.
- crichmond, Aug 01, 2019, Copper Contributor
We've found a lot of "by design" within O365 recently of how default settings are configured but there isn't a way to set your own defaults.
We're up against the same situation for DLP rules applied to SharePoint, Teams, and OneDrive. We have business partners who have contractual agreements, BAAs, NDAs, etc. and such that we have legitimate business justification for sharing potentially sensitive info. It would be nice to whitelist those domains once they are vetted as OK with all the proper documentation in place so our users don't have to provide a business justification on every share. Then we could block file shares for all non-approved recipients.
As we need to do now on allowing overrides, it requires so much more overhead to check all the logs/reports and read the justifications on recipients that really should be allowed.
- Adrienne Almeida, Aug 01, 2019, Copper Contributor
crichmond It's a business problem that I hope will be solved in coming updates. Lots of companies have either a parent/child relationship with another company, or a "trusted partner" relationship like you're describing.
We tested using the overrides, but weren't really happy with how that works either. It's not a great user experience. Hopefully they'll enable whitelisting!