SOLVED

DLP inspection for content shared with external users in Teams

%3CLINGO-SUB%20id%3D%22lingo-sub-1222029%22%20slang%3D%22en-US%22%3EDLP%20inspection%20for%20content%20shared%20with%20external%20users%20in%20Teams%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1222029%22%20slang%3D%22en-US%22%3E%3CP%3EIs%20there%20a%20way%20to%20apply%20the%20MS%20DLP%20to%20inspect%20content%20shared%20with%20external%20users%20(not%20guest).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EInspecting%20content%20that%20is%20shared%20externally%20is%20a%20be%20a%20very%20common%20requirement%20when%20implementing%20DLP%20policies%20and%20it%20does%20not%20seem%20to%20work.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20have%20tried%20this%20for%20both%20a%20Teams%20external%20users%20as%20well%20as%20a%20Skype%20external%20users%20(though%20might%20be%20that%20the%20Teams%20users%20had%20also%20Skype)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1222029%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAdministrator%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EHow-to%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1222113%22%20slang%3D%22en-US%22%3ERe%3A%20DLP%20inspection%20for%20content%20shared%20with%20external%20users%20in%20Teams%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1222113%22%20slang%3D%22en-US%22%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F39236%22%20target%3D%22_blank%22%3E%40Yoav%20Crombie%3C%2FA%3E%2C%20%3CBR%20%2F%3E%3CBR%20%2F%3ESee%20here%20on%20my%20blog%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fmicrosoft365pro.co.uk%2F2019%2F09%2F16%2Fteams-real-simple-with-pictures-applying-data-loss-prevention-dlp-to-chat-channel-messages-and-files%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fmicrosoft365pro.co.uk%2F2019%2F09%2F16%2Fteams-real-simple-with-pictures-applying-data-loss-prevention-dlp-to-chat-channel-messages-and-files%2F%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3ENote%3A%20As%20outlined%20here%20on%20Petri%2C%20Teams%20communications%20are%20internal%20whilst%20DLP%20checking%20for%20other%20workloads%20focuses%20on%20outbound%20email%2Fdocument%20sharing.%20The%20DLP%20policy%20must%20therefore%20cover%20content%20shared%20%E2%80%9Conly%20with%20people%20in%20my%20organization%E2%80%9D%20(many%20existing%20policies%20are%20likely%20set%20to%20cover%20content%20shared%20%E2%80%9Cwith%20people%20outside%20my%20organization.%E2%80%9D%20In%20the%20context%20of%20Teams%2C%20this%20means%20teams%20with%20guest%20users).%20It%20is%20recommended%20%E2%80%93%20if%20external%20and%20guest%20access%20is%20on%20to%20set%20two%20DLP%20Policies%20%E2%80%93%20one%20internal%20and%20one%20external.%3CBR%20%2F%3E%3CBR%20%2F%3EHope%20that%20answers%20your%20question!%3CBR%20%2F%3E%3CBR%20%2F%3EBest%2C%20Chris%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1222190%22%20slang%3D%22en-US%22%3ERe%3A%20DLP%20inspection%20for%20content%20shared%20with%20external%20users%20in%20Teams%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1222190%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F169605%22%20target%3D%22_blank%22%3E%40Christopher%20Hoard%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20not%20sure%20i%20fully%20understood%20the%20setting%20we%20are%20required%20to%20do%2C%20but%20i%20could%20understand%20the%20bottom%20line%20that%20is%20written%20clearly%20in%20your%20great%20blog%20that%20%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%22%3CSPAN%3EDLP%20for%20external%20chat%20sessions%20will%20only%20work%20if%20both%20the%20sender%20and%20the%20receiver%20are%20in%20Teams%20Only%20mode%20and%20using%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fmicrosoftteams%2Fmanage-external-access%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EMicrosoft%20Teams%20native%20federation%3C%2FA%3E%3CSPAN%3E.%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EIn%20other%20words%2C%20if%20the%20other%20side%20is%20not%20Teams%20only%20or%20is%20Skype%26nbsp%3Bfor%20Business%20-%20content%20will%20not%20be%20inspected%20and%20sensitive%26nbsp%3Bdata%20can%26nbsp%3B%20be%20shared.%20Is%20this%20a%20correct%20understanding%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1222195%22%20slang%3D%22en-US%22%3ERe%3A%20DLP%20inspection%20for%20content%20shared%20with%20external%20users%20in%20Teams%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1222195%22%20slang%3D%22en-US%22%3ECorrect%20%3AD%3C%2Fimg%3E%3CBR%20%2F%3E%3CBR%20%2F%3EBest%2C%20Chris%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1222359%22%20slang%3D%22en-US%22%3ERe%3A%20DLP%20inspection%20for%20content%20shared%20with%20external%20users%20in%20Teams%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1222359%22%20slang%3D%22en-US%22%3E%3CP%3ENice%20post%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F169605%22%20target%3D%22_blank%22%3E%40Christopher%20Hoard%3C%2FA%3E%26nbsp%3B%20%3CIMG%20class%3D%22lia-deferred-image%20lia-image-emoji%22%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Fhtml%2Femoticons%2F1f44d_1f3fc.png%22%20alt%3D%22%3Athumbs_up%3A%22%20title%3D%22%3Athumbs_up%3A%22%20%2F%3E%3CBR%20%2F%3E%3CBR%20%2F%3EDoes%20this%20also%20work%20only%20on%20non-managed%20devices%3F%20This%20to%20prevent%20any%20file%20downloading%20on%20non-managed%20devices.%20Tried%20to%20set%20it%20up%2C%20and%20disabling%20the%20%22Files%22%20section%20is%20working%2C%20but%20for%20files%20still%20in%20the%20chat%20it%20doesn't%20apply.%20You%20can%20still%20open%2Fdownload%20these.%20Any%20idea%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1222413%22%20slang%3D%22en-US%22%3ERe%3A%20DLP%20inspection%20for%20content%20shared%20with%20external%20users%20in%20Teams%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1222413%22%20slang%3D%22en-US%22%3EHmmm%2C%20afaik%20it%20does%3A%20see%20here%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fcompliance%2Fdata-loss-prevention-policies%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fcompliance%2Fdata-loss-prevention-policies%3Fview%3Do365-worldwide%3C%2FA%3E%20and%20section%20restrict%20access%20to%20content.%20AFAIK%2C%20the%20other%20user%20it%20has%20been%20shared%20with%20cannot%20access%20it.%20%3CBR%20%2F%3E%3CBR%20%2F%3EIn%20terms%20of%20downloading%2C%20well%2C%20you%20would%20probably%20look%20to%20use%20app%20protection%20policies%20using%20Intune%20in%20order%20to%20block%20downloads%20on%20non%20managed%20devices%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-gb%2Fmem%2Fintune%2Fprotect%2Fdata-leak-prevention%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-gb%2Fmem%2Fintune%2Fprotect%2Fdata-leak-prevention%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EOr%20you%20could%20look%20to%20apply%20sensitivity%20labels%2C%20for%20example%20on%20Teams%20to%20require%20the%20device%20to%20be%20managed%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fmicrosoft365pro.co.uk%2F2019%2F12%2F10%2Fteams-real-simple-with-pictures-using-sensitivity-labels-to-regulate-the-privacy-and-guest-access-of-a-team%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fmicrosoft365pro.co.uk%2F2019%2F12%2F10%2Fteams-real-simple-with-pictures-using-sensitivity-labels-to-regulate-the-privacy-and-guest-access-of-a-team%2F%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EIf%20you%20were%20taking%20a%20zero%20trust%20policy%20no%20device%20accessing%20the%20corporate%20access%20or%20applications%20would%20be%20non-managed.%3CBR%20%2F%3E%3CBR%20%2F%3EBest%2C%20Chris%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2068945%22%20slang%3D%22en-US%22%3ERe%3A%20DLP%20inspection%20for%20content%20shared%20with%20external%20users%20in%20Teams%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2068945%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F169605%22%20target%3D%22_blank%22%3E%40Christopher%20Hoard%3C%2FA%3E%26nbsp%3Bthanks%20for%20your%20article.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDo%20you%20know%20if%20the%20MS%20DLP%20cover%20messages%2Ffiles%20sent%20in%20a%20meeting%20that%20is%20hosted%20by%20the%20external%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E
Contributor

Is there a way to apply the MS DLP to inspect content shared with external users (not guest).

 

Inspecting content that is shared externally is a be a very common requirement when implementing DLP policies and it does not seem to work.

 

We have tried this for both a Teams external users as well as a Skype external users (though might be that the Teams users had also Skype)

 

6 Replies
Hi @Yoav Crombie,

See here on my blog

https://microsoft365pro.co.uk/2019/09/16/teams-real-simple-with-pictures-applying-data-loss-preventi...

Note: As outlined here on Petri, Teams communications are internal whilst DLP checking for other workloads focuses on outbound email/document sharing. The DLP policy must therefore cover content shared “only with people in my organization” (many existing policies are likely set to cover content shared “with people outside my organization.” In the context of Teams, this means teams with guest users). It is recommended – if external and guest access is on to set two DLP Policies – one internal and one external.

Hope that answers your question!

Best, Chris

@Christopher Hoard 

 

I am not sure i fully understood the setting we are required to do, but i could understand the bottom line that is written clearly in your great blog that :

 

"DLP for external chat sessions will only work if both the sender and the receiver are in Teams Only mode and using Microsoft Teams native federation."

 

In other words, if the other side is not Teams only or is Skype for Business - content will not be inspected and sensitive data can  be shared. Is this a correct understanding?

Correct :D

Best, Chris

Nice post @Christopher Hoard  👍🏼

Does this also work only on non-managed devices? This to prevent any file downloading on non-managed devices. Tried to set it up, and disabling the "Files" section is working, but for files still in the chat it doesn't apply. You can still open/download these. Any idea?

Best Response confirmed by adam deltinger (MVP)
Solution
Hmmm, afaik it does: see here: https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-policies?view=o365-wo... and section restrict access to content. AFAIK, the other user it has been shared with cannot access it.

In terms of downloading, well, you would probably look to use app protection policies using Intune in order to block downloads on non managed devices

https://docs.microsoft.com/en-gb/mem/intune/protect/data-leak-prevention

Or you could look to apply sensitivity labels, for example on Teams to require the device to be managed

https://microsoft365pro.co.uk/2019/12/10/teams-real-simple-with-pictures-using-sensitivity-labels-to...

If you were taking a zero trust policy no device accessing the corporate access or applications would be non-managed.

Best, Chris

@Christopher Hoard thanks for your article. 

 

Do you know if the MS DLP cover messages/files sent in a meeting that is hosted by the external?