DLP policy to prevent external sharing documents with properties


I am trying to implement an Office 365 DLP policy to prevent external sharing of documents in SharePoint based on the AIP Classification. I can add a notification or block access for internally shared documents but the rule doesn't match when scope is set to NotInOrganization.

I followed this article to promote the AIP classification to SharePoint:

http://www.eekels.net/promoting-azure-information-protection-labels-to-sharepoint-metadata-column/

I then followed this article to create a DLP policy through PowerShell that detects if the property was equal to "Secret" and scope is NotInOrganization. I then share the document in SharePoint but access is not blocked; if I change the scope to InOrganization it is detected and blocked:

https://support.office.com/en-us/article/Create-a-DLP-policy-to-protect-documents-with-FCI-or-other-...

 

Anyone know why this wouldn't work? Can someone else test it so I can validate it isn't just in my tenant?

3 Replies

Give it some time. Not only does SPO need to index the item, but additional delay is added due to the DLP policy deployment. The SLA is supposedly 1h, but in my experience that's nowhere close to the truth.

 

Other than that, you can also create a rule with different criteria in order to exclude issues with the property used.

I have seen that it can take hours before the rules are applied but in this case, I created the rule on Monday and it is now over 3 days and still not working.

Thus my suggestion to try with different criteria, just to make sure.
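
One way to run the test suggested in the replies, as an added example that is not part of the original thread: a property-based rule and a control rule with different criteria, both scoped to NotInOrganization, followed by a check of the policy's deployment status. It assumes an already-connected Security & Compliance PowerShell session; the policy and rule names are hypothetical and the managed property name is a placeholder, since the thread does not give it.

```powershell
# Added example, not from the thread. Run in a connected
# Security & Compliance PowerShell session.
$policyName   = 'Diag - external sharing'        # hypothetical name
$propertyName = 'MANAGED_PROPERTY_PLACEHOLDER'   # placeholder: the managed property that holds the AIP label
$propertyRule = "$policyName - property"         # hypothetical name
$controlRule  = "$policyName - control"          # hypothetical name

# One policy for all SharePoint sites, holding both rules.
New-DlpCompliancePolicy -Name $policyName -SharePointLocation All -Mode Enable

# Rule under test: property equals "Secret", content shared outside the organization.
New-DlpComplianceRule -Name $propertyRule -Policy $policyName `
    -AccessScope NotInOrganization `
    -ContentPropertyContainsWords "${propertyName}:Secret" `
    -BlockAccess $true

# Control rule: same scope, different criteria (a built-in sensitive information type).
New-DlpComplianceRule -Name $controlRule -Policy $policyName `
    -AccessScope NotInOrganization `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -BlockAccess $true

# Has the policy actually been deployed to SharePoint yet?
Get-DlpCompliancePolicy -Identity $policyName -DistributionDetail |
    Format-List Name, Mode, DistributionStatus, DistributionResults

# Confirm the scope and conditions stored on each rule.
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, AccessScope, ContentPropertyContainsWords, Disabled
```

If an externally shared test document that matches the control rule is blocked while the "Secret" document is not, the property condition is the part to investigate; if neither is blocked, look at the external scope or the policy deployment instead.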