I am trying to implement Office 365 DLP policy to prevent external sharing of documents in SharePoint based on the AIP Classification. I can add a notification or block access for internally shared documents but the rule doesn't match when scope is set to NotInOrganisation.
I followed this article to promote the AIP classification to SharePoint:
http://www.eekels.net/promoting-azure-information-protection-labels-to-sharepoint-metadata-column/
I then followed this article to create a DLP policy through PowerShell that detect if the property was equal to "Secret" and scope is NotInOrganization. I then share the document in SharePoint but access is not blocked, if I change the scope to InOrganization it is detected and blocked:
https://support.office.com/en-us/article/Create-a-DLP-policy-to-protect-documents-with-FCI-or-other-...
Anyone know why this wouldn't work? Can someone else test it so I can validate it isn't just in my tenant.
