Limiting the upload of classified files to sensitive SharePoint Online sites - MCAS file policy


I'm working with a client who has rolled out AIP labels and is looking to block where users can post these files internally. Example: if I have a "sensitive" file (based on its label), can I prevent it from being uploaded to a SharePoint site with a specific label? (using site classification labels or property bag values) https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/modern-experience-site-classificat...

 

I've been able to configure the MCAS file policy to find the sensitive files based on their label and prevent their upload, but this either becomes a blanket policy across ALL SharePoint / OneDrive sites, or only specific folders that I have to manually select. Is there a faster way to assign this to sites based on their classification? 

3 Replies
Hi John,
Currently MCAS doesn't support reading site-specific labels.
You need to configure the policy by selecting the sites according to your needs.

Regards,
Dima

@John Hodges I have the same requirement from a customer. I only managed to get this to work for browser-based access. All files with a specific label (Highly Confidential) can be blocked for up/download but only within a browser session because it is a session policy (enforced by conditional access). But it also notifies that this won't work for desktop apps:

[Image: clipboard_image_0.png]

But in "Access policies" I cannot filter based on file labels. Are there any plans to support this?


Same here - We are also looking into this use case. Any valuable input appreciated :)