Block upload of documents to other office 365 tenant

New Contributor

I wish to block upload of documents to Other Office 365 tenant on a managed device?


Can this be achieved using MCAS

15 Replies
Is it a specific M365 tenant you want to block uploads to, or any/all other tenants? And do you want to block uploads to other M365 tenants but allow uploads to other services, or block all uploads?

We want to block upload to all other office 365 instance apart from the one we own.

Hi @krishnasembee 


Do you mean sharing documents with other tenants? because upload means they already have access to those tenants as guests maybe and the other tenants should take the action from their sides not yours.


If you're talking about sharing files with another domains/tenant, as i know you can get prevent that using a File Policy in MCAS


Also you can use entire organization instead of Any Any from domain.



I think the issue with that file policy is that you have to specify the domain you’re wanting to block. That would not be possible if you’re wanting to block a domain that’s M365 registered.

My feeling is, the easiest solution would in fact be to encrypt data and have less focus on where the data is going.

You could also use a simple conditional access policy to block auth from unmanaged devices or only allow with from trusted locations. This means even a user in the source tenant can’t take the data away from a managed device and access it - their auth would be blocked by the conditional access policy.

Ultimately, there are a number of ways of preventing data being accessed outside the source tenant. I don’t believe blocking upload to “any M365 tenant” is a realistic option.

Encryption covers many vectors. Upload to any M365 tenant doesn’t even cover all vectors and would be hard / impossible to manage.
To be clear. You’d have to list every M365 registered domain in the file policy. That would be millions of domains. I don’t think the policy supports that many domains, and I don’t know how you could possibly ascertain a list of all domains that are M365 registered even if it does support that many domains.

for what a list of millions of domains needed to? Instead of contain we can use do not contain. 



@MZyarah I think we are both wrong.  That file policy doesn't even apply to uploads, it's a sharing policy. 

And I may be wrong, but I believe a collaborator is defined as a user that has been given explicit access to the data.  If the user is not a collaborator, the filter would not apply. 

For the policy to work, every file shared would have to be explicitly shared to specific users.  If a file is shared without specifying the users it's intended to be shared with, the policy would not apply.

Crucially, that policy does not appear to have any baring on upload of data, because uploading a file is not defined as sharing a file.   The file policy in question is specifically a sharing policy - that means it has to be shared - upload does not trigger a sharing policy. 

Which leads me back to encryption - if the data is encrypted, it doesn't matter who it's shared with. If you intend to share it with someone, you have to give them explicit access, which means they can then get an OTP or they're a guest/B2B/B2B user in your tenant.

I am not talking about sharing or collaborating here, I am talking about upload.

on my corporate device, i can log in to any office 365 tenant and upload documents of my tenant, i want to restrict to only single tenant
You're totally right, Because of that I mentioned Sharing is not the same as Uploading in my first comment to the user.


This is not even related to uploading or sharing files, if you don't want your corporate devices access to other tenants you need to use Azure AD tenant restrictions, take a look here.


I hope this will be helpful. 


What about non-cooperate devices?

What if all data is encrypted? What happens to sharing or uploading or any other means of exfiltration?

Sharing, uploading, it doesn't matter if the data is encrypted and only corporate devices can be used to authenticate so they can access the data.

As I know tenant restrictions not applied beyond corporate network perimeter or maybe it can be done with special criteria.

About the Encryption, for me I like to Encrypt the data everywhere however the main question was the MCAS is able to fix this issue!

In the question which not clear enough, I don't think the encryption will solve the requirements.

Let's consider this scenario, you have access for two tenants, one of them provided you with a managed device " mentioned in the main question also".

Now you have Managed Device and access to data in Tenant1 and Only access to data in tenant2 (you can consider the data is encrypted at rest and in transit if you like)

for example, what will prevent the user from opening a web session and browse to the tenant2 OneDrive and copy data from the local/tenant1 data to the second one?

If the encryption help, can you refer me to a doc/blog explaining same thing please.
In that scenario, you use a conditional access policy that states the device must be compliant to authenticate. The user would need a device for each tenant.

Again this now fixes this one very specific issue.

I think we need clearer definition of what the intended outcomes are. I agree, there are many scenarios, without knowing more, I don't believe we can provide an answer.