Forum Discussion

PenTestPatrick
Copper Contributor
Dec 15, 2023

Use Endpoint DLP to block uploads

Hello,


I am trying to block files from being uploaded to specific domains using Endpoint DLP. I have added several domains to the Service Domain section of DLP and set it to Block. I have also added a Service Domain Group with those same domains (not sure if this is required in this case). Then I have created a DLP policy scoped to Devices only. The rule conditions in the policy are set so that any file over 1 byte in size should be blocked from upload to those service domains. I have also added the Service Domain Groups to this policy and set it to block. I turn on the policy and it is applied to the appropriate endpoints, but when I test, the only files blocked from being uploaded to those domains are files tagged with a sensitivity label. Can this DLP policy apply to all files instead of just labelled ones? We just want to block upload to specific domains outright. Any help is appreciated!


16 Replies

  • Greetings to all,

    As of today, I’m wondering if anyone has managed to resolve the issue of uploading documents or files to unauthorized sites. From my experience, I created a policy to block unauthorized domains.

    While reviewing the behavior, I noticed that when a DLP (Data Loss Prevention) policy is created, it begins to protect documents that are generated from that point onward. However, documents that are already at rest are not scanned, so the policy ignores them until someone opens or modifies them. At that point, the policy starts to apply and the documents become protected.

    The conditions under which these behaviors were observed are as follows:

    • File types involved: .docx, .xlsx, .pdf, .txt, ...
    • Documents or attachments are password-protected
    • Documents are not labeled or classified with sensitivity labels

    Here are the observations I’ve made:

    • Uploading a recent document to a restricted domain: Blocked (expected behavior).
    • Uploading an old document to a restricted domain: Allowed (should be blocked).
    • Dragging a document from File Explorer: Blocked (expected behavior).
    • Copying a document from File Explorer to a restricted domain: Allowed (should be blocked).

    If anyone has any insights or has found a solution, it would be greatly appreciated.

    Best regards.

  • ViktorMalum
    Copper Contributor
    I would like to share my experience configuring and testing a DLP policy.
    From what I understand, you need to use the "Content is not labeled" condition inside the DLP policy, and you need to define the file extensions, which IMO is not that helpful because of the numerous file extensions available out there; it's impossible to manually define them one by one within the DLP policy.
    I've also experienced that copying and pasting pictures to a restricted domain, for example Gmail, is not blocked, but dragging and dropping and manually uploading from Gmail were blocked.
    • Nam_Hoang_Hai
      Copper Contributor
      Hi all,
      I also encountered the same problem when using DLP Endpoint to block file uploads: there is no way to completely prevent it. Even with domain and browser restrictions, DLP Endpoint cannot prevent copying and pasting files and sending them to websites such as Telegram, Discord, ...
  • ftrout
    Brass Contributor
    Has anyone gotten this to work as expected? Having the same issues.
    • AdrianFG
      Copper Contributor
      I'm waiting for news about this case. I want to implement this in my environment.
  • vicwingsing
    Iron Contributor

    PenTestPatrick 


    Purview Endpoint DLP can only block sensitive data (the ones with sensitivity labels).


    I'd use Defender for Cloud Apps instead and use the File Policy DLP config:


    The policy below shows [Any File] being [Sent to any external users] to any [X domain].


  • LeonPavesic
    Silver Contributor

    Hi PenTestPatrick,

    here are the steps to configure Endpoint DLP to block all file uploads to specific domains, not just those with a sensitivity label:

    1. Service Domains:
      Ensure you've added the domains to the Service Domain section and set them to Block. Adding them to a Service Domain Group is optional.

    2. DLP Policy:
      Create a DLP policy scoped to Devices. In the rule conditions, set it to block any file over 1 byte in size.

    3. File Types/Extensions:
      Although DLP typically focuses on sensitive information, you can set the policy to block uploads based on file types and/or extensions. This allows you to block all files, not just those with a sensitivity label.

    4. Apply Policy:
      Activate the policy and confirm it's applied to the relevant endpoints.

    If the policy isn't blocking all file uploads, check the specific applications or browsers used for upload.

    Endpoint DLP enables restrictions on user activities per application, including browser and domain restrictions.

    Configure endpoint DLP settings | Microsoft Learn
    Blocking file uploads to all sites, unless safelisted - Microsoft Community Hub
    Re: Can I block upload of data based on DLP Policy and/or Sensitivity Label? - Microsoft Community Hub


    Please click Mark as Best Response & Like if my post helped you to solve your issue.
    This will help others to find the correct solution easily. It also closes the item.


    If the post was useful in other ways, please consider giving it Like.


    Kindest regards,


    Leon Pavesic
    (LinkedIn)

    • PenTestPatrick
      Copper Contributor

      LeonPavesic 

      Hi Leon,


      I appreciate you taking the time to respond. I have followed those steps you have outlined and I am still able to upload files that are not labelled as sensitive. I've attached some screenshots of the policy.


      Rule configuration:

      Restricted actions:

      Service domains:

      We are using MS Edge to test, and labelled files are blocked from upload with the appropriate DLP message, but I can still attach files that are not labelled even if they are one of the extensions listed. Do you have any ideas on this?


      Thanks


      • LeonPavesic
        Silver Contributor

        Hi PenTestPatrick,

        thanks for your update.

        Here are some recommended steps to address potential issues:

        1. Confirm the Health of Your Endpoint DLP Setup:

        • For Windows devices, make sure you're using the correct Windows version, have Real-Time Protection (RTP) and Behavior Monitoring (BM) enabled, and are using the Microsoft Edge browser.

        2. Verify Policy Synchronization:

        • Check that the device's configuration status is "Updated" in the Device Onboarding page.
        • Utilize the MDE Client Analyzer tool on Windows machines for troubleshooting. Execute the command "MDEClientAnalyzer.cmd -t" in an elevated command line, reproduce the issue, stop trace collection, and share the generated ZIP file with the support team for further assistance.

        3. Confirm Policy Application to Files:

        • Download the MDE Client Analyzer tool.
        • Run the command "MDEClientAnalyzer.cmd -t" in an elevated command line, reproduce the issue, stop trace collection, and share the ZIP file with the support team for further analysis.

        4. Addressing Policy Discrepancies:

        • Validate the installed Office version for compliance.
        • Check if the file location may not be covered by Endpoint DLP, such as being on removable media or a network share.
        • Understand that policies follow the most restrictive enforcement; when a file matches multiple DLP policies, the most stringent rule takes precedence.

        Common questions on Microsoft Purview Data Loss Prevention for endpoints - Microsoft Community Hub

        Please click Mark as Best Response & Like if my post helped you to solve your issue.
        This will help others to find the correct solution easily. It also closes the item.


        If the post was useful in other ways, please consider giving it Like.


        Kindest regards,


        Leon Pavesic
        (LinkedIn)

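Added example (editor's addition, not code from any post in this thread): the configuration that ViktorMalum's reply describes (the "Content is not labeled" condition plus an explicit extension list) and that LeonPavesic's numbered steps walk through in the portal, expressed in Security & Compliance PowerShell so it can be reviewed and re-applied as text. Assumptions: the restricted service domains have already been added and set to Block under the Endpoint DLP settings, as the original poster did; the ExchangeOnlineManagement module is installed; the UPN, policy name, rule name and extension list are placeholders; and the parameter names are the ones documented for New-DlpCompliancePolicy and New-DlpComplianceRule, so check them with Get-Help in your own tenant before running this. The policy is created in test mode first so that matches on unlabeled files can be confirmed before enforcement is switched on.

```powershell
# Editor's added example; not from the thread. Requires:
#   Install-Module ExchangeOnlineManagement
# Service domains are assumed to be configured and set to Block already
# (Purview > Data loss prevention > Settings > Endpoint DLP settings).

Connect-IPPSSession -UserPrincipalName 'admin@contoso.onmicrosoft.com'   # placeholder UPN

$policyName = 'Block-Uploads-To-Restricted-Domains'   # hypothetical name
$ruleName   = "$policyName-Rule"                      # hypothetical name

# Extensions to cover. The thread's complaint is that this list has to be
# maintained by hand; extend it to whatever your tenant actually handles.
$extensions = @('docx', 'xlsx', 'pptx', 'pdf', 'txt', 'csv', 'zip')

# Step 1: policy scoped to Devices only, started in test mode with user
# notifications so the rule can be validated before it blocks anything.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Block unlabeled files from uploading to restricted service domains' `
    -EndpointDlpLocation 'All' `
    -Mode 'TestWithNotifications'

# Step 2: rule that matches UNLABELED files by extension (the condition
# Viktor's reply points to) and blocks the upload (cloud egress) activity.
# CopyPaste is included because several replies report clipboard-based
# uploads slipping through; it is the clipboard restriction Endpoint DLP
# exposes and must still be tested in the browser you use.
New-DlpComplianceRule -Name $ruleName -Policy $policyName `
    -ContentIsNotLabeled $true `
    -ContentExtensionMatchesWords $extensions `
    -EndpointDlpRestrictions @(
        @{ Setting = 'CloudEgress'; Value = 'Block' },
        @{ Setting = 'CopyPaste';   Value = 'Block' }
    ) `
    -NotifyUser 'Owner' `
    -NotifyPolicyTipCustomText 'Uploading files to this site is blocked by policy.'

# Step 3: read back what was actually created. If ContentIsNotLabeled is
# missing here, the portal will again only act on labelled files.
Get-DlpComplianceRule -Identity $ruleName |
    Format-List Name, Policy, ContentIsNotLabeled, ContentExtensionMatchesWords, EndpointDlpRestrictions

# Step 4: after the test run shows unlabeled-file matches on the onboarded
# devices, turn enforcement on.
Set-DlpCompliancePolicy -Identity $policyName -Mode 'Enable'
```

Leave the policy in test mode until an upload of an unlabeled file with one of the listed extensions produces a match on an onboarded device; the thread shows that a rule which only lists extensions without the not-labeled condition behaves exactly as the original poster saw, blocking labelled files and nothing else. Old files already at rest and clipboard pastes are the two paths the replies above found unreliable, so test those explicitly rather than only a fresh file through the browser's file picker.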