DLP policy to block access to external organization however allow access for some external domains

Hi,

We have successfully set up a DLP policy to block sensitive information from going outside using "Block access to external organization"; however, we want to allow a few domains to receive those files.


How can we whitelist those external domains so they can receive the content?


Any thoughts?


Thanks

Fahad

9 Replies
best response confirmed by FahadAhmed (Brass Contributor)
Solution

Hi, @FahadAhmed,


Thank you for posting your question here.


With Exchange-based DLP policies, you can configure an exception for your trusted domains into the conditions of your policy.


In the below image, I set the conditions to be an example of how you can configure this. Please note, to get the "NOT" option, you need to select "Add group" in the conditions builder.


(Screenshots: DLP rule conditions builder showing a condition group with "NOT" and "Recipient domain is" set to the trusted domains.)
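The same Exchange-only policy and rule, built with Security & Compliance PowerShell instead of the conditions builder. This is an added example, not from the thread; it assumes the ExchangeOnlineManagement module is installed and Connect-IPPSSession has already been run, and the policy name, rule name and partner domains are constructed placeholders.

```powershell
# Added example (not from the thread). Assumes: Install-Module ExchangeOnlineManagement
# and Connect-IPPSSession already done. Domain names are constructed placeholders.
$trustedDomains = @("partner-one.example", "partner-two.example")
$policyName     = "Block PII to external (trusted exceptions)"
$ruleName       = "Block PII leaving org except trusted domains"

# Scope the policy to Exchange only. As noted later in the thread, the
# recipient-domain exception is only offered when Exchange is the sole location.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All `
    -Mode Enable

# Block external recipients when a sensitive info type matches, except for the
# trusted domains. Assumption: -BlockAccessScope PerUser corresponds to the
# portal's "Block only people outside your organization"; use All to block everyone.
New-DlpComplianceRule -Name $ruleName `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @{Name = "U.S. Social Security Number (SSN)"; minCount = "1"} `
    -BlockAccess $true `
    -BlockAccessScope PerUser `
    -ExceptIfRecipientDomainIs $trustedDomains `
    -NotifyUser @("LastModifier")

# Check that the exception actually landed on the rule before testing mail flow.
Get-DlpComplianceRule -Identity $ruleName |
    Select-Object Name, BlockAccess, BlockAccessScope, ExceptIfRecipientDomainIs
```

Test with the policy in TestWithNotifications mode first if you want to confirm the exception matches before enforcing blocks.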

Thank you Mike, this was exactly what I was looking for, appreciate you always sharing screenshots as they provide better understanding.


A note for all: I selected Exchange, OneDrive, MS Teams and SharePoint sites in one policy, which did not show the "NOT" and "Recipient Domain" options; once I selected only Exchange, I could see the Recipient Domain options.


Thank you Mike once again for the quick response and providing this clarity.

And what if we need an exception for use in DLP for Teams chat, SharePoint and OneDrive blocking externals?

@PiaSegment 


Hello! Great question.


Teams DLP, when selected by itself, DOES allow for building an exception based on the external recipient. However, for OneDrive and SharePoint, you do not get this option. For this, I recommend considering a B2B approach for your trusted, external partners. B2B will allow better granular controls on SharePoint for allowing access to your B2B-enabled partners.


Azure AD B2B collaboration overview - Microsoft Entra | Microsoft Learn

@miller34mike Hello Mike! How would you recommend blocking all other domains but our own, with the Endpoint selection enabled? Such as web app upload through Chrome or Firefox? I notice the recipient domain is also not available when Endpoint is enabled.

@Derek_Osborne 


Thank you for posting your question here!


To do this, you'll need to leverage the Endpoint DLP Settings page.


Once there, select the dropdown for "Browser and domain restrictions to sensitive data".

(Screenshot: Endpoint DLP settings, "Browser and domain restrictions to sensitive data" section.)

Under "Service domains", make sure the dropdown is set to "Allow".

(Screenshot: "Service domains" dropdown set to "Allow" with the allowed domain list.)

You'll then need to add the specific domains you want to allow file uploads to, such as your company's SharePoint Online domain, which may look like "contoso.sharepoint.com", or your OneDrive sites like "contoso-my.sharepoint.com".


However, even though you CAN do this, I strongly encourage you have the "Why?" conversation with your organization first. Include stakeholders around the company in this discussion so you can be sure that you understand your standard business practices first. While this can help reduce data exfiltration, you can also impede business with these controls.


@miller34mike 

Hello Mike!


Understood, thank you so much for the response. I thought that might be the place, but was not sure. The issue we are encountering is preventing us from moving forward with our migration to E5. We are experiencing some odd behavior in that Exchange email is working as intended and alerting us; however, the Devices portion under that same policy is only logging under Activity explorer tagged as "audit" for the enforcement mode, using the same test PHI/PII documents. Both our Exchange email and Devices reside under the same policy, with the same users in scope for each.


We are currently testing Firefox with the Purview extension installed. The only way I am able to get browser-based DLP to trigger an alert, and not just audit under Activity explorer, is by putting the domain we are testing as "blocked" under the Service domains section that you provided guidance on.


This would lead me to believe it is a policy action issue, but I am unsure what we are missing, if anything. See below our policy actions:

(Screenshots: the policy's configured actions for Exchange email and Devices.)

@miller34mike We may have found the issue: our last seen time is current, but the policy hasn't synced since 9/15. Have you seen this before? Please advise if possible.

(Screenshot: device status showing a current "last seen" time but a policy sync date of 9/15.)
