Microsoft Security Tech Accelerator
Dec 06 2023, 07:00 AM - 12:00 PM (PST)
Microsoft Tech Community

Remove OneDrive/SharePoint save options in Office desktop apps

Copper Contributor



I have a customer who is needing to prevent the upload/sharing of Highly Confidential labelled documents to any Microsoft cloud services. They have successfully set up Endpoint DLP and MCAS to do just this for desktop applications like Edge, Outlook, Teams, OneDrive client, but have not found a way to prevent files from being saved to OneDrive/SharePoint via the File menu in apps like Word or Excel.


Endpoint DLP has the option to block file upload to certain domains e.g., but this feature appears to only work in the browser and not within Office applications.


I am aware there is GPO to block OneDrive/SharePoint as a location in Office apps but this would then remove the functionality for all files, not just those labelled Highly Confidential.


Is there something else that I could configure that could prevent local files from being saved to OD/SP based on label applied? 




1 Reply

Hi @ethanchalmers,


I am not currently aware of an additional purview tool to prevent the upload you're referencing, as you have taken the steps to implement Endpoint DLP and what sounds like Session Control policies in MDCA to prevent uploads through the browser, which are the blocking tools you can leverage, based on specific sensitivity.


However, you can also leverage File Policies within MDCA to scan SPO/OD4B for any file labeled as Highly Confidential and then leverage Governance Actions to Quarantine the file, which would remove the file and place a .TXT placeholder file in it's spot, moving the original to a location that is defined within the File Policy. Here's an article on File Policies, if needed.


File Policies with MDCA – Cloudy Security (