Limiting the upload of classified files to sensitive SharePoint Online sites - MCAS file policy


I'm working with a client who has rolled out AIP labels and is looking to block where users can post these files internally. Example: if I have a "sensitive" file (based on its label), can I prevent it from being uploaded to a SharePoint site with a specific label? (using site classification labels or property bag values)


I've been able to configure the MCAS file policy to find the sensitive files based on their label and prevent their upload, but this either becomes a blanket policy across ALL SharePoint / OneDrive sites, or only specific folders that I have to manually select. Is there a faster way to assign this to sites based on their classification? 

3 Replies
Hi John,
Currently MCAS doesn't support reading site-specific labels.
You need to configure the policy by selecting the sites according to your needs.


@John Hodges I have the same requirement from a customer. I only managed to get this to work for browser-based access. All files with a specific label (Highly Confidential) can be blocked for up/download, but only within a browser session because it is a session policy (enforced by conditional access). But it also notifies that this won't work for desktop apps:


But in "Access policies" I cannot filter based on file labels. Are there any plans to support this?

Same here - We are also looking into this use case. Any valuable input appreciated :)