FahadAhmed
Brass Contributor
Aug 22, 2023

DLP policy to block access to external organization however allow access for some external domains

Hi,

We have successfully set up a DLP policy to block sensitive information from going outside using "Block access to external organization"; however, we want to allow a few domains to receive those files.

How can we whitelist those external domains so they can receive the content?

Any thoughts?

Thanks

Fahad

  • Hi, FahadAhmed,

    Thank you for posting your question here.

    With Exchange-based DLP policies, you can configure an exception for your trusted domains in the conditions of your policy.

    In the below image, I set the conditions to be an example of how you can configure this. Please note, to get the "NOT" option, you need to select "Add group" in the conditions builder.

    • FahadAhmed
      Brass Contributor

      Thank you Mike, this was exactly what I was looking for. I appreciate you always sharing screenshots, as they provide better understanding.

      A note for all: I selected Exchange, OneDrive, MS Teams and SharePoint sites in one policy, which was not showing the "NOT" and "Recipient Domain" options. Once I selected only Exchange, I could see the Recipient Domain options.

      Thank you Mike once again for the quick response and for providing this clarity.

    • PiaSegment
      Copper Contributor

      And what if we need an exception for use in DLP for Teams chat, SharePoint and OneDrive blocking externals?

      • miller34mike
        Microsoft

        PiaSegment

        Hello! Great question.

        Teams DLP, when selected by itself, DOES allow for building an exception based on the external recipient. However, for OneDrive and SharePoint, you do not get this option. For this, I recommend considering a B2B approach for your trusted, external partners. B2B will allow better granular controls on SharePoint for allowing access to your B2B-enabled partners.

        Azure AD B2B collaboration overview - Microsoft Entra | Microsoft Learn
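
The Exchange-only exception discussed in this thread, expressed in Security & Compliance PowerShell. This is an added example, not part of the original posts; the policy and rule names, the partner domains and the sensitive information type are placeholders, and it assumes the ExchangeOnlineManagement module and a role that can manage DLP policies.

```powershell
# Added example, not from the thread. Names, domains and the sensitive
# information type below are placeholders chosen for illustration.
Connect-IPPSSession

$policyName     = 'Block external sharing of sensitive data (Exchange)'  # hypothetical name
$ruleName       = 'Block external except trusted domains'                # hypothetical name
$trustedDomains = @('partner-a.example', 'partner-b.example')            # constructed domains

# Scope the policy to Exchange only. As noted in the thread, the recipient
# domain condition is not offered when OneDrive, SharePoint and Teams are
# selected in the same policy.
# Start in test mode so matches can be reviewed before anything is blocked.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All `
    -Mode TestWithoutNotifications

# Rule: sensitive content sent to people outside the organization is blocked,
# except when the recipient domain is one of the trusted domains.
# This mirrors the NOT group built in the conditions builder.
New-DlpComplianceRule -Name $ruleName `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -AccessScope NotInOrganization `
    -ExceptIfRecipientDomainIs $trustedDomains `
    -BlockAccess $true

# Confirm what was stored: the allow-list should contain only the domains
# that were reviewed and approved.
Get-DlpComplianceRule -Identity $ruleName |
    Format-List Name, AccessScope, BlockAccess, ExceptIfRecipientDomainIs

# After reviewing the test-mode matches, enforce the policy:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Keep the domain list short and review it periodically, since every entry is a path by which matched content can leave the organization.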
