cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcing GA: Mark new files as "sensitive by default" in OneDrive & SharePoint
By
Sanjoyan Mustafi
Published Jul 07 2020 05:05 PM 5,567 Views
Sanjoyan Mustafi
Microsoft
‎Jul 07 2020 05:05 PM

Announcing GA: Mark new files as "sensitive by default" in OneDrive & SharePoint

‎Jul 07 2020 05:05 PM

What does this feature do?

When new files are added to SharePoint or OneDrive in Microsoft 365, it takes a while for them to be crawled and indexed. It takes additional time for the Office Data Loss Prevention (DLP) policy to scan the content and apply rules to help protect sensitive content. If external sharing is turned on, sensitive content could be shared and accessed by guests before the Office DLP rule finishes processing.

Instead of turning off external sharing entirely, you can address this issue by using a new PowerShell cmdlet. The cmdlet prevents guests from accessing newly added files until at least one Office DLP policy scans the content of the file. If the file has no sensitive content based on the DLP policy, then guests can access the file. If the policy identifies sensitive content, then guests will not be able to access the file. Read here for more details. It is worth mentioning that we have the scan performance much better so that external users do have have to wait long before accessing a non-sensitive file. In 95% of the cases the entire process should be done in less than 5 minutes

 

Quick reference to the PowerShell switch:

Set-SPOTenant -MarkNewFilesSensitiveByDefault BlockExternalSharing

6 Comments
Nigel_Heath
Copper Contributor
‎Aug 05 2020 07:55 AM
‎Aug 05 2020 07:55 AM

Hi, just a question for clarity. What is the user experience for this? . If a user uploads a file and then immediately externally shares it, is it :-

blocked and prevented from being shared until a DLP scans it or

The external user is unable to access the file and must wait until the DLP scan has run. What error message does the external user get to say that the file cannot be accessed until it's been scanned?

Thanks

Nigel

Sanjoyan Mustafi
Microsoft
‎Oct 14 2020 10:27 AM
‎Oct 14 2020 10:27 AM

@NigelG  The file is blocked immediately till DLP scan is complete

px091
Iron Contributor
‎Mar 26 2021 11:33 AM
‎Mar 26 2021 11:33 AM

@Sanjoyan Mustafi 

 

I tried this new feature. I run the cmdlet in my tenant Set-SPOTenant -MarkNewFilesSensitiveByDefault BlockExternalSharing
But it does not work as expected. I still can share file with sensitive info to external users as soon as the file is uploaded to SharePoint. I also setup policy location as "include all SharePoint sites and OneDrive accounts and exclude none"

 

Any idea?

 

Thanks in advance

Sanjoyan Mustafi
Microsoft
‎May 12 2021 10:00 AM
‎May 12 2021 10:00 AM

@px091  Please open a  support ticket and share the details with me. I will help. 

luckych730
Copper Contributor
‎Aug 12 2021 07:26 PM
‎Aug 12 2021 07:26 PM
  1. Can the PS command be scoped to a group of test users?
  2. Also can this work with MCAS, if MCAS https://portal.cloudappsecurity.com/  is scanning those files instead of Microsoft Office DLP https://compliance.microsoft.com/datalossprevention
  3. If we have 3 policies 1 for PII, 1 for PHI, 1 for PCI if a file is scanned by either one that validates it as scanned and it removes the sensitivity? So if the policy precedence is for PCI then if there is PHI or PII content what happens?
  4. What are the license restrictions to use this with Microsoft office dlp? 
0 Likes
Like
GeorgeChiuHIG
Copper Contributor
‎Jul 31 2023 10:22 AM
‎Jul 31 2023 10:22 AM

This feature seems to cause document update and thus if document library alert is set, users will get doubt alerts

0 Likes
Like
Version history
Last update:
‎Jul 07 2020 05:05 PM
Updated by: