%3CLINGO-SUB%20id%3D%22lingo-sub-1507434%22%20slang%3D%22en-US%22%3EAnnouncing%20GA%3A%20Mark%20new%20files%20as%20%22sensitive%20by%20default%22%20in%20OneDrive%20%26amp%3B%20SharePoint%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1507434%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSTRONG%3EWhat%20does%20this%20feature%20do%3F%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EWhen%20new%20files%20are%20added%20to%20SharePoint%20or%20OneDrive%20in%20Microsoft%20365%2C%20it%20takes%20a%20while%20for%20them%20to%20be%20crawled%20and%20indexed.%20It%20takes%20additional%20time%20for%20the%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20title%3D%22Original%20URL%3A%20https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fcompliance%2Fdata-loss-prevention-policies.%20Click%20or%20tap%20if%20you%20trust%20this%20link.%22%20href%3D%22https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdocs.microsoft.com%252Fen-us%252Fmicrosoft-365%252Fcompliance%252Fdata-loss-prevention-policies%26amp%3Bdata%3D04%257C01%257Csanjoyan.mustafi%2540microsoft.com%257C9672e292bff84b1bba8c08d822c64f6a%257C72f988bf86f141af91ab2d7cd011db47%257C0%257C0%257C637297582437069337%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C1000%26amp%3Bsdata%3Dd9vm3YAXuUz9I8Xnsb3c26NHXYf1tmP0PLJZMTr0cOI%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%20data-auth%3D%22Verified%22%3EOffice%20Data%20Loss%20Prevention%20(DLP)%20policy%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eto%20scan%20the%20content%20and%20apply%20rules%20to%20help%20protect%20sensitive%20content.%20If%20external%20sharing%20is%20turned%20on%2C%20sensitive%20content%20could%20be%20shared%20and%20accessed%20by%20guests%20before%20the%20Office%20DLP%20rule%20finishes%20processing.%3C%2FP%3E%0A%3CP%3EInstead%20of%20turning%20off%20external%20sharing%20entirely%2C%20you%20can%20address%20this%20issue%20by%20using%20a%20new%20PowerShell%20cmdlet.%20The%20cmdlet%20prevents%20guests%20from%20accessing%20newly%20added%20files%20until%20at%20least%20one%20Office%20DLP%20policy%20scans%20the%20content%20of%20the%20file.%20If%20the%20file%20has%20no%20sensitive%20content%20based%20on%20the%20DLP%20policy%2C%20then%20guests%20can%20access%20the%20file.%20If%20the%20policy%20identifies%20sensitive%20content%2C%20then%20guests%20will%20not%20be%20able%20to%20access%20the%20file.%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20title%3D%22Original%20URL%3A%20https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsharepoint%2Fsensitive-by-default.%20Click%20or%20tap%20if%20you%20trust%20this%20link.%22%20href%3D%22https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdocs.microsoft.com%252Fen-us%252Fsharepoint%252Fsensitive-by-default%26amp%3Bdata%3D04%257C01%257Csanjoyan.mustafi%2540microsoft.com%257C9672e292bff84b1bba8c08d822c64f6a%257C72f988bf86f141af91ab2d7cd011db47%257C0%257C0%257C637297582437079335%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C1000%26amp%3Bsdata%3D38PP6Oqn4nifpPfiXn8F%252Fm255%252B8IGj%252FNs9U%252BNXiWa9Q%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%20data-auth%3D%22Verified%22%3ERead%20here%20for%20more%20details%3C%2FA%3E.%20It%20is%20worth%20mentioning%20that%20we%20have%20the%20scan%20performance%20much%20better%20so%20that%20external%20users%20do%20have%20have%20to%20wait%20long%20before%20accessing%20a%20non-sensitive%20file.%20In%2095%25%20of%20the%20cases%20the%20entire%20process%20should%20be%20done%20in%20less%20than%205%20minutes%3CSPAN%3E.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20color%3D%22%23808080%22%3E%3CSTRONG%3EQuick%20reference%20to%20the%20PowerShell%20switch%3A%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20color%3D%22%23808080%22%3E%3CEM%3ESet-SPOTenant%E2%80%AF-MarkNewFilesSensitiveByDefault%20BlockExternalSharing%3C%2FEM%3E%3C%2FFONT%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1567466%22%20slang%3D%22en-US%22%3ERe%3A%20Announcing%20GA%3A%20Mark%20new%20files%20as%20%22sensitive%20by%20default%22%20in%20OneDrive%20%26amp%3B%20SharePoint%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1567466%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%20just%20a%20question%20for%20clarity.%20What%20is%20the%20user%20experience%20for%20this%3F%26nbsp%3B.%20If%20a%20user%20uploads%20a%20file%20and%20then%20immediately%20externally%20shares%20it%2C%20is%20it%20%3A-%3C%2FP%3E%3CP%3Eblocked%20and%20prevented%20from%20being%20shared%20until%20a%20DLP%20scans%20it%20or%3C%2FP%3E%3CP%3EThe%20external%20user%20is%20unable%20to%20access%20the%20file%20and%20must%20wait%20until%20the%20DLP%20scan%20has%20run.%20What%20error%20message%20does%20the%20external%20user%20get%20to%20say%20that%20the%20file%20cannot%20be%20accessed%20until%20it's%20been%20scanned%3F%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3CP%3ENigel%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1780617%22%20slang%3D%22en-US%22%3ERe%3A%20Announcing%20GA%3A%20Mark%20new%20files%20as%20%22sensitive%20by%20default%22%20in%20OneDrive%20%26amp%3B%20SharePoint%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1780617%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F548842%22%20target%3D%22_blank%22%3E%40NigelG%3C%2FA%3E%26nbsp%3B%20The%20file%20is%20blocked%20immediately%20till%20DLP%20scan%20is%20complete%3C%2FP%3E%3C%2FLINGO-BODY%3E

What does this feature do?

When new files are added to SharePoint or OneDrive in Microsoft 365, it takes a while for them to be crawled and indexed. It takes additional time for the Office Data Loss Prevention (DLP) policy to scan the content and apply rules to help protect sensitive content. If external sharing is turned on, sensitive content could be shared and accessed by guests before the Office DLP rule finishes processing.

Instead of turning off external sharing entirely, you can address this issue by using a new PowerShell cmdlet. The cmdlet prevents guests from accessing newly added files until at least one Office DLP policy scans the content of the file. If the file has no sensitive content based on the DLP policy, then guests can access the file. If the policy identifies sensitive content, then guests will not be able to access the file. Read here for more details. It is worth mentioning that we have the scan performance much better so that external users do have have to wait long before accessing a non-sensitive file. In 95% of the cases the entire process should be done in less than 5 minutes

 

Quick reference to the PowerShell switch:

Set-SPOTenant -MarkNewFilesSensitiveByDefault BlockExternalSharing

2 Comments
Occasional Visitor

Hi, just a question for clarity. What is the user experience for this? . If a user uploads a file and then immediately externally shares it, is it :-

blocked and prevented from being shared until a DLP scans it or

The external user is unable to access the file and must wait until the DLP scan has run. What error message does the external user get to say that the file cannot be accessed until it's been scanned?

Thanks

Nigel

@NigelG  The file is blocked immediately till DLP scan is complete