Can I block upload of data based on DLP Policy and/or Sensitivity Label?

Copper Contributor

Hi everyone,


Is there a way to block users from uploading files to the cloud that are identified as Sensitive Information Type/DLP or marked with a Sensitivity Label (SL) via OneDrive Sync and Teams (Windows app)? I know you can block the web version of Teams through Defender for Cloud, but that is not enough.

This is because some customers don't want their data to be sent or stored in the cloud. This means that the data needs to be blocked before it reaches the cloud.

Users' devices are all managed by Intune and use M365 Apps for Enterprise. Only certain customer data must not be uploaded to the cloud, so we want to use SIT/DLP and SL to identify the data.

The solution can be a third party agent/app that needs to be installed on the device.


Thanks in advance.

3 Replies
best response confirmed by CSI90 (Copper Contributor)

Hi @CSI90,


Thank you for posting your question here. No need for third-party on this one! This is a common as and you can solve this with Endpoint DLP by setting teams and OneDrive as restricted apps under the Endpoint DLP Settings page in the Microsoft Purview admin center.


With Endpoint DLP settings you can set these as restricted apps as well as blocking the service domains for them to prevent the web uploads from managed devices. I like to use the Session Control policies in Microsoft Defender for Cloud Apps that you mentioned on the unmanaged devices usually, but you can use it for all devices for this scenario as well. 


You can create restricted app groups and service domain groups in the Endpoint DLP settings page to give you the option to set different controls for grouped applications within your Endpoint DLP policy. For example, maybe you do want to block uploads to OneDrive and Teams but maybe you want to allow an override with a valid business reason, but Slack, GitHub, and Google Drive are blocked no matter what. However, because OneDrive and Teams are syncing the files, they will continue to try and upload any file even if it is initially blocked so you'll need to make sure you check enable and check the auto-quarantine box for the restricted apps.


Once you set your restricted apps and service domains, you'll just need to create an endpoint DLP policy (scoped to devices) that is looking for files containing the SITs and Sensitivity Labels you want to prevent from being uploaded and make sure you set the blocking actions for service domains and restricted apps.


I also like to add a fail-safe with Microsoft Defender for Cloud Apps by creating a File Police that looks for any file stored in OneDrive or SharePoint (will also cover Teams files) containing the SITs and/or labels you don't want stored there. you can leave this as an alert only policy or you can enforce governance actions like sending the file to an admin quarantine folder and storing a placeholder file in the original location.


I wrote a blog a little while ago that covers all of this in detail, as I said it's a common ask for clients, that should help you with configuring all of this exactly as you need.


MDCA & Endpoint DLP: Session Control in Harmony – Cloudy Security (


Here's some more that may help as well:

Microsoft Purview DLP – Part 2 – Endpoint DLP – Cloudy Security (


File Policies with MDCA – Cloudy Security (


Microsoft Purview Sensitivity Labels – Part 3 – Cloudy Security (





Thanks for the quick and detailed reply, it will take me a moment to go through all this but its very helpful!

Hello @miller34mike, have you checked your solution with session and file policies after March 31st 2023?

I noted that this solution was working for all file typies with built in DLP inspection method until March 31st 2023. Now, data classification service should continue built in DLP inspection method.

However the new solution with DCS only works for office file types such as .docx, .xlsx etc. but not for .pdf files or .jpg files.

Do you know about a working solution with Purview / MCAS which will prevent documents with specific or missing sensivitiy labels from being uploaded via session policy for browsers and to remove and put to trash via MCAS file policies in case they've been uploaded via desktop app?

Seems DCS is not inspecting PDF files for the labels