DLP identify internal SharePoint files with direct access and no sharing

Regular Contributor

I'm testing a DLP policy to detect when a file that has a specific Sensitivity Label is shared inside the organisation. The expectation is that if the user shares the file in SharePoint it will be blocked, the user can then remove the sharing links and it will unblock.

My testing shows that as soon as the Sensitivity label is applied an alert event is generated because users other than the site owner has direct access to the file inherited from the document library. The files is never shared using a sharing link.

Does "internal shared" detection include any access other than the person who added the file or the site owner and not related to sharing links?

4 Replies

Some additional screenshot from SharePoint indicated the file is not shared


Thank you for your post. I have a problem similar to yours.
I have been looking for days for a way to block file sharing to internal users who are not in the same private Teams group.

I have exactly the same DLP but I don't have this blocking.

For the proccess, I have created :

- An internal label
- A label policy
- A SharePoint DLP with the same conditions with the blocking action on "Everyone".

Have you done any other configuration ?

Thanks :)
That's exactly what I did but files are blocking everyone as soon as they are labelled without even sharing the file.
The only difference to your setup is the permissions in that document library are not inheriting from the site and the Member group has no access, just a specific SharePoint group with users.
I have a call with Microsoft open so will update this thread when I have an answer.
Thank you for your answer :)
I have indeed the same results as you indicated.
While waiting for Microsoft to come back, I'll do some more tests and come back to you if I find something.