SOLVED

Remove OneDrive/SharePoint save options in Office desktop apps

Copper Contributor

Hey,

 

I have a customer who is needing to prevent the upload/sharing of Highly Confidential labelled documents to any Microsoft cloud services. They have successfully set up Endpoint DLP and MCAS to do just this for desktop applications like Edge, Outlook, Teams, OneDrive client, but have not found a way to prevent files from being saved to OneDrive/SharePoint via the File menu in apps like Word or Excel.

 

Endpoint DLP has the option to block file upload to certain domains e.g. sharepoint.com, but this feature appears to only work in the browser and not within Office applications.

 

I am aware there is a GPO to block OneDrive/SharePoint as a location in Office apps, but this would then remove the functionality for all files, not just those labelled Highly Confidential.

 

Is there something else that I could configure that could prevent local files from being saved to OD/SP based on label applied? 

 

TIA,

Ethan

1 Reply
best response confirmed by ethanchalmers (Copper Contributor)
Solution

Hi @ethanchalmers,

 

I am not currently aware of an additional Purview tool to prevent the upload you're referencing, as you have taken the steps to implement Endpoint DLP and what sounds like Session Control policies in MDCA to prevent uploads through the browser, which are the blocking tools you can leverage, based on specific sensitivity.

 

However, you can also leverage File Policies within MDCA to scan SPO/OD4B for any file labeled as Highly Confidential and then leverage Governance Actions to Quarantine the file, which would remove the file and place a .TXT placeholder file in its spot, moving the original to a location that is defined within the File Policy. Here's an article on File Policies, if needed.

 

File Policies with MDCA – Cloudy Security (cloudy-sec.com)
