Nov 05 2022 09:42 AM
We are a defence company and have protective labels on our documents.
We have endpoint DLP to ensure that protectively marked documents are not uploaded to services that they shouldn't be.
We are now in a position where we can store these documents in our tenant but would like to block upload to 3rd party tenants.
URLs do not include the tenant name so we can't use URL filtering on our endpoint DLP or proxy.
I've been told it can be done using CASB. I've been looking at Microsoft Cloud Defender as a CASB but am struggling to find out how to do it.
So questions:
1) Tenancy-specific DLP. Is CASB the answer?
2) If it is, can Microsoft Cloud Defender be used? (Forcepoint claim their CASB can, yet Microsoft seems to score higher with Gartner.)
3) If the answer to 1 and 2 is yes... can anyone signpost me on how to do it?
Nov 05 2022 10:27 AM
Nov 06 2022 01:39 AM
Nov 06 2022 01:34 AM
Nov 07 2022 02:54 AM
Nov 07 2022 03:08 AM - edited Nov 07 2022 06:27 AM
Should be possible to scope that in a Defender for Cloud Apps session policy but can take a look at it later on.
@WillNunez So I've read the initial post again and understand the use case as you want to prevent uploading of files in third-party tenants. Can't say I have a good solution for this as those users already are members of that organization and adhere to their policies. I would probably use sensitivity labels as mentioned in the first reply or use tenant-restrictions, but for the latter you would break the collaboration and encryption part completely and the users will not be able to open the files. You certainly can prevent external sharing of files with DLP and use Defender for Cloud Apps with several settings controlling your own environment. But I just can't see what can be done here besides what has already been suggested.
Try with the official support and let us know if they have a solution. Thanks.
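The reply above mentions tenant restrictions as the blunt alternative to a label-based control. Tenant restrictions are enforced by an outbound proxy that inspects TLS to the Microsoft sign-in endpoints and injects two request headers naming the tenants users may authenticate to. The snippet below is an added example, not code from the thread or from Microsoft; it shows the header-injection decision a proxy rule has to make, using a constructed tenant ID and a placeholder domain. It assumes the proxy exposes request URL and headers to a rule and already performs TLS inspection on those hosts.

```python
# Added example: compute the tenant-restriction headers an explicit outbound proxy
# injects so that users on the managed network can only sign in to approved tenants.
# Assumes TLS inspection of the Microsoft sign-in endpoints; this is not a Defender
# for Cloud Apps API and the tenant values below are constructed placeholders.
from urllib.parse import urlsplit

# Sign-in endpoints where Azure AD honours the tenant-restriction headers.
LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}

# Placeholder values: replace with your own tenant ID and the domains/IDs you allow.
CONTEXT_TENANT_ID = "00000000-0000-0000-0000-000000000000"   # constructed placeholder
ALLOWED_TENANTS = ["my-tenancy.onmicrosoft.com", CONTEXT_TENANT_ID]


def tenant_restriction_headers(url: str, allowed_tenants: list[str], context_tenant_id: str) -> dict[str, str]:
    """Return the headers to inject for a request to `url`, or {} if the host is not a sign-in endpoint.

    Only the sign-in hosts get the headers; injecting them elsewhere does nothing useful
    and leaks the allow-list to every site the user visits.
    """
    host = (urlsplit(url).hostname or "").lower()
    if host not in LOGIN_HOSTS:
        return {}
    if not allowed_tenants or not context_tenant_id:
        # A rule with an empty allow-list would let sign-in to any tenant through; fail closed.
        raise ValueError("tenant allow-list and context tenant must both be configured")
    return {
        "Restrict-Access-To-Tenants": ",".join(allowed_tenants),
        "Restrict-Access-Context": context_tenant_id,
    }


def apply_to_request(request_headers: dict[str, str], url: str,
                     allowed_tenants: list[str], context_tenant_id: str) -> dict[str, str]:
    """Merge the injected headers into an outgoing request's header map.

    Any value the client supplied for these headers is overwritten, so a client cannot
    pick its own tenant list by sending the header itself.
    """
    merged = dict(request_headers)
    merged.update(tenant_restriction_headers(url, allowed_tenants, context_tenant_id))
    return merged


if __name__ == "__main__":
    # Sign-in request: headers are added.
    print(apply_to_request({"User-Agent": "demo"},
                           "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
                           ALLOWED_TENANTS, CONTEXT_TENANT_ID))
    # Ordinary SharePoint request: left untouched.
    print(apply_to_request({"User-Agent": "demo"},
                           "https://my-tenancy.sharepoint.com/sites/docs",
                           ALLOWED_TENANTS, CONTEXT_TENANT_ID))
```

Because the control sits at sign-in, it blocks authentication to any tenant not on the list from the managed network. That is exactly the trade-off the reply describes: it stops the upload path to a third-party tenant, but it also stops the user opening anything shared from that tenant, so it is a network-wide decision rather than a per-label one.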
Nov 11 2022 01:32 PM
Let's think of a label "ForMyTenancyOnly".
Endpoint DLP can allow uploads to URLs with sharepoint.my-tenancy and my-sharepoint.my-tenancy and block all others.
However, how do I block/allow when using Teams (tenancy not in URL)? Or when using Office apps saving to OneDrive/SharePoint?
I was hoping CASB is the answer.
Office 365 is API linked to Microsoft Defender so I know I can write rules that would detect uploads to my tenancy.
The gap is how do I block that label from being uploaded to other domains/tenancies?
If I proxy all traffic through CASB (i.e. change proxy PACs so that all OneDrive/SharePoint/Teams traffic goes through CASB), can Defender policies differentiate between my domain/tenancy and any other?
Nov 11 2022 01:41 PM - edited Nov 30 2022 03:27 PM
Solution
Can't see any way of preventing that "gap" other than configuring permissions in the label/labels.
*edit @WillNunez just realized this should be possible by instead using an Endpoint DLP policy.