Microsoft Tech Community
Policy Tips in SharePoint Online and OneDrive for Business – at Time of Sharing
Published Oct 12 2017 06:02 PM

We’re excited to announce that a new enhancement to the Office 365 Data Loss Prevention Block Access feature is now available. When your users share sensitive content in SharePoint Online and OneDrive for Business, they’ll be blocked and see a Policy Tip right within the Share dialog, in real time, as they share. You now also have the granularity to prevent users from sharing sensitive documents externally (with guests or external users), while continuing to allow internal users to collaborate and be productive.

 

The option is turned on by default when you create a new SharePoint and/or OneDrive for Business DLP policy and choose the option “Detect when this content is shared: with people outside my organization.” The behavior of your existing DLP policies won’t change, but you can opt in to the new behavior from the DLP management experience (the DLP area in the Office 365 Security and Compliance Center at https://protection.office.com).

 

[Screenshots: SCC DLP config 1 and 2]

 

 

Here’s an example of what your users will see with this new feature.  OneDrive and SharePoint will also block external users from accessing documents with sensitive content that matched your DLP policies and rules, even if that content was already shared. 


[Screenshots: Policy Tips in SPO 1, 2 and 3]

 

To make it easy to get going, here are instructions to switch over your existing DLP policies to this new functionality.  This only works if you already have block access rules in place:

 

1. Connect to Security and Compliance PowerShell: https://technet.microsoft.com/en-us/library/mt587092(v=exchg.160).aspx

2. Copy and paste the following into PowerShell and hit enter:

Get-DlpComplianceRule | Where-Object {$_.BlockAccess -eq 'true' -and $_.BlockAccessScope -ne 'PerUser' -and $_.AccessScope -eq 'NotInOrganization' -and $_.NotifyUser -ne ''} | Set-DLPComplianceRule -BlockAccessScope 'PerUser'

 

Running the above command will turn any of your DLP policy rules that previously blocked everyone (except last modifier, owner, and site admin) into rules that block access only for external users.
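Because the one-liner in step 2 changes every matching rule at once and relaxes blocking for internal users, it helps to preview and record the affected rules first. The following is an added example, not part of the original post: the helper names, the backup file path and the sample rules are assumptions constructed for illustration, and the live function assumes an already connected Security and Compliance PowerShell session.

```powershell
# Same predicate as the one-liner in step 2, wrapped as a reusable filter.
filter Select-BlockAccessCandidate {
    if ($_.BlockAccess -eq 'true' -and $_.BlockAccessScope -ne 'PerUser' -and
        $_.AccessScope -eq 'NotInOrganization' -and $_.NotifyUser -ne '') { $_ }
}

# Constructed sample rules (not tenant data) so the selection logic can be checked offline.
$sampleRules = @(
    [pscustomobject]@{ Name = 'Sample-A'; BlockAccess = $true;  BlockAccessScope = 'All'
                       AccessScope = 'NotInOrganization'; NotifyUser = @('SiteAdmin') }
    [pscustomobject]@{ Name = 'Sample-B'; BlockAccess = $true;  BlockAccessScope = 'PerUser'
                       AccessScope = 'NotInOrganization'; NotifyUser = @('Owner') }
    [pscustomobject]@{ Name = 'Sample-C'; BlockAccess = $false; BlockAccessScope = 'All'
                       AccessScope = 'NotInOrganization'; NotifyUser = @('Owner') }
    [pscustomobject]@{ Name = 'Sample-D'; BlockAccess = $true;  BlockAccessScope = 'All'
                       AccessScope = 'NotInOrganization'; NotifyUser = @() }
)

# Offline check: emits only the names of rules the one-liner would modify.
$sampleRules | Select-BlockAccessCandidate | Select-Object -ExpandProperty Name

# Hypothetical helper for a live session: preview by default, change only with -Apply.
function Convert-BlockAccessRuleScope {
    param(
        [string]$BackupPath = '.\dlp-block-access-rules-before.csv',  # assumed path
        [switch]$Apply
    )
    $candidates = @(Get-DlpComplianceRule | Select-BlockAccessCandidate)

    # Record the current scope of every rule that would be touched.
    $candidates | Select-Object Name, BlockAccess, BlockAccessScope, AccessScope |
        Export-Csv -Path $BackupPath -NoTypeInformation

    if (-not $Apply) { return $candidates }   # preview only, nothing is changed

    # Same change as the one-liner in step 2.
    $candidates | Set-DlpComplianceRule -BlockAccessScope 'PerUser'

    # Re-read the rules; anything still returned here was not converted.
    Get-DlpComplianceRule | Select-BlockAccessCandidate
}
```

Run `Convert-BlockAccessRuleScope` without `-Apply` first, review the returned rules and the CSV, then run it again with `-Apply`.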

 

We look forward to your feedback!  For more information on DLP policies you can go to http://aka.ms/dlp.


Office 365 Information Protection, SharePoint Online, and OneDrive for Business teams
