Aug 22 2023 11:47 AM
Hi,
We have successfully set up a DLP policy to block sensitive information from going outside using "Block access to external organization"; however, we want to allow a few domains to receive those files.
How can we whitelist those external domains so they can receive the content?
Any thoughts?
Thanks
Fahad
Aug 23 2023 03:17 AM
Solution
Hi, @FahadAhmed,
Thank you for posting your question here.
With Exchange-based DLP policies, you can configure an exception for your trusted domains into the conditions of your policy.
In the below image, I set the conditions to be an example of how you can configure this. Please note, to get the "NOT" option, you need to select "Add group" in the conditions builder.
Aug 23 2023 07:47 AM - edited Aug 23 2023 07:49 AM
Thank you Mike, this was exactly what I was looking for, appreciate you always sharing screenshots as they provide better understanding.
A note for all: I selected Exchange, OneDrive, MS Teams and SharePoint sites in one policy, which was not showing the "NOT" and "Recipient Domain" options; once I selected only Exchange, I could see the Recipient Domain options.
Thank you Mike once again for the quick response and for providing this clarity.
Sep 13 2023 04:55 AM
Sep 13 2023 06:07 AM
Hello! Great question.
Teams DLP, when selected by itself, DOES allow for building an exception based on the external recipient. However, for OneDrive and SharePoint, you do not get this option. For this, I recommend considering a B2B approach for your trusted, external partners. B2B will allow better granular controls on SharePoint for allowing access to your B2B-enabled partners.
Azure AD B2B collaboration overview - Microsoft Entra | Microsoft Learn
Sep 15 2023 09:16 AM
@miller34mike Hello Mike! How would you recommend blocking all other domains but our own, with the Endpoint selection enabled? Such as web app upload through Chrome or Firefox? I notice the recipient domain is also not available when Endpoint is enabled.
Sep 15 2023 09:26 AM
Sep 26 2023 02:33 AM
Thank you for posting your question here!
To do this, you'll need to leverage the Endpoint DLP Settings page.
Once there, select the dropdown for "Browser and Domain restrictions to sensitive data".
Under "Service domains", make sure the dropdown is set to "Allow".
You'll then need to add the specific domains you want to allow file uploads to, such as your company's SharePoint Online domain, which may look like "contoso.sharepoint.com", or your OneDrive sites like "contoso-my.sharepoint.com".
However, even though you CAN do this, I strongly encourage you to have the "Why?" conversation with your organization first. Include stakeholders around the company in this discussion so you can be sure that you understand your standard business practices first. While this can help reduce data exfiltration, you can also impede business with these controls.
Sep 27 2023 06:26 AM
Hello Mike!
Understood, thank you so much for the response. I thought that might be the place, but was not sure. The issue we are encountering is preventing us from moving forward with our migration to E5. We are experiencing some odd behavior in that Exchange email is working as intended and alerting us; however, the Devices portion under that same policy is only logging under Activity explorer tagged as "audit" for the enforcement mode, using the same test PHI/PII documents. Both our Exchange email and Devices reside under the same policy, with the same users in scope for each.
We are currently testing Firefox with the Purview extension installed. The only way I am able to get browser-based DLP to trigger an alert, and not just audit under Activity explorer, is by putting the domain we are testing as "blocked" under the Service domains section that you had provided guidance on.
This would lead me to believe it is a policy action issue, but I am unsure what we are missing, if anything. See below our policy actions:
Sep 27 2023 01:08 PM
@miller34mike We may have found the issue: our last seen time is current, but the policy hasn't synced since 9/15. Have you seen this before? Please advise if possible.
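As an added example that is not part of this thread, the following Security & Compliance PowerShell script does the same thing Mike's screenshot shows for Exchange (block sensitive content going to external recipients, with trusted recipient domains excepted) and then checks the policy's distribution status, which is the first thing to look at when a policy appears not to have synced as in the last post. The policy name, the partner domains and the chosen sensitive information types are constructed placeholders; the cmdlets (`Connect-IPPSSession`, `New-DlpCompliancePolicy`, `New-DlpComplianceRule`, `Get-DlpCompliancePolicy`) and their parameters come from the ExchangeOnlineManagement module.

```powershell
# Added example, not the thread author's configuration.
# Assumes the ExchangeOnlineManagement module is installed and the account
# has the Compliance Administrator role.
Connect-IPPSSession

$policyName     = 'Block sensitive data to external recipients'   # constructed name
$trustedDomains = @('partner1.example', 'partner2.example')        # constructed placeholders

# 1. Exchange-only policy. As noted in the thread, the recipient-domain
#    condition/exception is only offered when Exchange is the sole location.
New-DlpCompliancePolicy -Name $policyName -ExchangeLocation All -Mode Enable

# 2. Rule: block mail that leaves the organization and contains the listed
#    sensitive information types, EXCEPT when the recipient domain is trusted.
#    -ExceptIfRecipientDomainIs is the PowerShell form of the "NOT ... Recipient
#    domain is" group built in the portal's conditions builder.
New-DlpComplianceRule -Name "$policyName - external block" -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'Credit Card Number'; minCount = '1' },
        @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' }
    ) `
    -AccessScope NotInOrganization `
    -ExceptIfRecipientDomainIs $trustedDomains `
    -BlockAccess $true `
    -NotifyUser 'LastModifier' `
    -GenerateIncidentReport 'SiteAdmin' `
    -ReportSeverityLevel 'High'

# 3. Verify the policy has actually been distributed to the workload. A stale
#    DistributionStatus (or an error in DistributionResults) explains a policy
#    that only audits instead of enforcing.
Get-DlpCompliancePolicy -Identity $policyName -DistributionDetail |
    Format-List Name, Mode, Enabled, DistributionStatus, DistributionResults
```

Roll this out with `-Mode TestWithNotifications` first and switch to `Enable` only after the incident reports confirm that the exception list matches the domains the business actually sends to; the distribution check in step 3 is worth repeating after every change, since a rule edit that never reaches the workload behaves exactly like the "audit only" symptom described above.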