Microsoft Tech Community

Guide: Building a Policy to restrict File sharing on a VPN connection using Purview DLP


Scenario: The organisation needs to block users from copying any files from their corporate device to a network share when they are connected from their home network via VPN.

Desired outcome: With this DLP policy in place, any attempt to copy a file of the selected file types (or file extensions) to the VPN network address (example: the 192.168.0.0/16 subnet) will be blocked.

There are 2 key steps needed to accomplish this.

Step 1: Creating the DLP policy and Configuring the VPN setting in the DLP Settings

To block file sharing to a specific network subnet (e.g. 192.168.0.0/16) using Microsoft Purview Data Loss Prevention (DLP), you can create a DLP policy with the following configuration:

  • Configure the DLP policy.
  • Define the sensitive information types or sensitivity labels you want to protect from being shared to the restricted subnet.
  • Under the policy's Locations, select Devices (Endpoints).


  • In the Conditions section, create a blanket detection that covers the most common file types by using the File type is condition. Note: you can cover further file types by adding them with the File extension is option.


  • In the Actions section, go to File activities for all apps (note that you can add exceptions if needed), select Copy to a network share, then edit the Network restriction: select VPN and choose Block.


This will block files from being copied to the network share that you define in Step 2:

Step 2: Updating the VPN settings in the DLP configuration

Add a VPN

  1. Open Microsoft Purview compliance portal > Data loss prevention > Overview > Data loss prevention settings > Endpoint settings > VPN settings.
  2. Select Add or edit VPN addresses.
  3. Provide either the Server address or the Network address (example: 192.168.0.0/16).
  4. To get an accurate reading of the VPN connection, run Get-VpnConnection in PowerShell on the target device to pull this information.
  5. Select Save.
  6. Close the item.

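Step 4 above asks for the server or network address as seen from the device. The following PowerShell is an added example, not part of the original guide or of Microsoft's documentation: it reads each VPN profile's server address (resolving it to IPv4 when it is a hostname) and the remote subnets routed over the tunnel, which are the two values the Add or edit VPN addresses dialog accepts. It assumes a Windows 10/11 client with built-in VPN profiles whose interface alias matches the connection name.

```powershell
# Added example, not from the original guide or Microsoft's docs.
# Gathers candidate values for the Purview DLP "Add or edit VPN addresses" dialog
# (Server address, Network address) from a Windows client that holds the VPN profile.
# Assumes Windows 10/11 with the VpnClient, DnsClient and NetTCPIP modules; run it
# on the target device, in the user's context for user-scoped VPN profiles.

function Get-DlpVpnAddressCandidates {
    [CmdletBinding()]
    param()

    foreach ($vpn in (Get-VpnConnection -ErrorAction SilentlyContinue)) {
        # Server address as stored in the profile, plus its IPv4 address(es) when it is a hostname.
        $serverIps = @()
        if ($vpn.ServerAddress -as [ipaddress]) {
            $serverIps = @($vpn.ServerAddress)
        } else {
            try {
                $serverIps = @(Resolve-DnsName -Name $vpn.ServerAddress -Type A -ErrorAction Stop |
                    Where-Object { $_.IPAddress } | ForEach-Object IPAddress)
            } catch { Write-Verbose "Could not resolve $($vpn.ServerAddress): $_" }
        }

        # Remote subnets defined in the profile (split-tunnel routes added with Add-VpnConnectionRoute).
        $networks = @($vpn.Routes | ForEach-Object { $_.DestinationPrefix })

        # If the tunnel is up, also read the live IPv4 routes bound to the VPN interface.
        # Assumption: the interface alias equals the connection name (true for built-in Windows VPN profiles).
        # The default route and host (/32) routes are not useful as a DLP network address, so drop them.
        if ($vpn.ConnectionStatus -eq 'Connected') {
            $networks += Get-NetRoute -InterfaceAlias $vpn.Name -AddressFamily IPv4 -ErrorAction SilentlyContinue |
                Where-Object { $_.DestinationPrefix -ne '0.0.0.0/0' -and $_.DestinationPrefix -notlike '*/32' } |
                ForEach-Object { $_.DestinationPrefix }
        }

        [pscustomobject]@{
            Name           = $vpn.Name
            Status         = $vpn.ConnectionStatus
            ServerAddress  = $vpn.ServerAddress
            ServerIPv4     = ($serverIps -join ', ')
            NetworkAddress = (($networks | Sort-Object -Unique) -join ', ')
        }
    }
}

# Connect the VPN first if you want the live routes; the profile values are returned either way.
Get-DlpVpnAddressCandidates -Verbose | Format-Table -AutoSize
```

Copy the ServerIPv4 value into the Server address field, or a NetworkAddress prefix such as 192.168.0.0/16 into the Network address field, then verify the policy by attempting a copy of a matching file type to the share while connected.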

Source: https://learn.microsoft.com/en-gb/purview/dlp-configure-endpoint-settings#vpn-settings
