Sep 20 2018 - last edited on May 24 2021
Does anyone know if there is any way to whitelist a domain in a DLP policy?
The problem is that we are sharing documents from an SPO site to a trusted partner domain and don't want to get the DLP warning messages for this, but at the same time don't want to take the whole site out of DLP's reach.
Sep 20 2018 06:57 AM
Have you looked into exceptions for DLP rules, more specifically the "recipient domain is" exception? https://docs.microsoft.com/en-us/office365/securitycompliance/data-loss-prevention-policies#tuning-r...
Sep 21 2018 03:22 AM
I didn't find any mention of a recipient domain exception in the article. The only thing I could find about exceptions is Exchange Online transport rules, but my problem is with SharePoint content, so when sharing from SharePoint, is there a way to whitelist a domain that you share documents to from SharePoint?
Sep 21 2018 05:46 AM - Solution
The article shows you how to configure conditions/exceptions, it doesn't list them all...
Jul 18 2019 01:53 PM
@Vasil Michev I'm curious to see if anyone has answered this successfully yet. Currently, you can't add a domain exception ("recipient domain is...") for SharePoint or OneDrive. It only works for Exchange. We have a very similar business case where we need our parent company to be excluded from certain DLP policies that protect us from sharing "internal only" content with external users.
Jul 22 2019 08:12 AM
@Expiscornovus We haven't found one yet, other than allowing users to override policies. I spoke with MS support, and this is by design.
Right now, we're planning to give users the option to override the policy to share with our parent company, and apply some custom auditing (through scripting) to make sure folks are following the rules.
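The "custom auditing through scripting" mentioned above, as an added example that is not from the thread or from any of its posters: an Exchange Online PowerShell script that pulls SharePoint/OneDrive DLP override events from the unified audit log and flags any override whose justification does not name an approved partner domain. It assumes you are already connected with Connect-ExchangeOnline and hold audit-log search rights; the approved domain list is a placeholder, and the operation name DlpRuleUndo and the AuditData field paths (ExceptionInfo.Justification, SharePointMetaData.FilePathUrl) are assumptions about the event schema that you should check against a real event in your own tenant before relying on the report.

```powershell
# Added example: review DLP policy-tip overrides in SharePoint/OneDrive.
# Assumes: Connect-ExchangeOnline already run; audit log search permission granted.
# ASSUMPTIONS to verify in your tenant: the override operation is recorded as
# 'DlpRuleUndo', and AuditData carries ExceptionInfo.Justification and
# SharePointMetaData.FilePathUrl. Adjust the property paths if your events differ.

# Hypothetical list of vetted partner domains (placeholders).
$ApprovedDomains = @('parentcompany.example', 'trustedpartner.example')

$Start = (Get-Date).AddDays(-7)
$End   = Get-Date

# Pull SharePoint/OneDrive DLP events where a user overrode a policy tip.
$events = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
    -RecordType ComplianceDLPSharePoint -Operations DlpRuleUndo -ResultSize 5000

$report = foreach ($e in $events) {
    # AuditData is a JSON string; expand it to an object.
    $d = $e.AuditData | ConvertFrom-Json
    $justification = $d.ExceptionInfo.Justification

    # An override is "approved" only if the justification names a vetted domain.
    $approved = $false
    foreach ($dom in $ApprovedDomains) {
        if ($justification -and $justification -match [regex]::Escape($dom)) {
            $approved = $true
            break
        }
    }

    [pscustomobject]@{
        When          = $e.CreationDate
        User          = $e.UserIds
        File          = $d.SharePointMetaData.FilePathUrl
        Justification = $justification
        Approved      = $approved
    }
}

# Overrides that cite no approved domain are the ones that need a human look.
$needsReview = $report | Where-Object { -not $_.Approved }
$needsReview | Export-Csv -NoTypeInformation -Path .\dlp-override-review.csv
$needsReview | Format-Table -AutoSize
```

Matching the justification text against a domain list is deliberately crude: users type free text, so the script only sorts events into "cites a vetted partner" and "needs review" rather than deciding anything itself. If your events expose the actual recipient (for example through the sharing event that follows the override), join on that instead of the justification text.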
Aug 01 2019 11:06 AM
We've found a lot of "by design" within O365 recently in how default settings are configured, but there isn't a way to set your own defaults.
We're up against the same situation for DLP rules applied to SharePoint, Teams, and OneDrive. We have business partners with contractual agreements, BAAs, NDAs, etc., such that we have legitimate business justification for sharing potentially sensitive info. It would be nice to whitelist those domains once they are vetted as OK with all the proper documentation in place, so our users don't have to provide a business justification on every share. Then we could block file shares for all non-approved recipients.
As we need to do now with allowing overrides, it requires so much more overhead to check all the logs/reports and read the justifications on recipients that really should be allowed.
Aug 01 2019 11:10 AM - edited Aug 01 2019 11:11 AM
@crichmond It's a business problem that I hope will be solved in coming updates. Lots of companies have either a parent/child relationship with another company, or a "trusted partner" relationship like you're describing.
We tested using the overrides, but weren't really happy with how that works either. It's not a great user experience. Hopefully they'll enable whitelisting!
Oct 10 2019 11:21 AM
While there is no whitelist, there is a possible workaround, perhaps by design.
Office 365 DLP cannot read (or match) an AIP-encrypted file.
AIP can encrypt files automatically upon save if conditions are met.
If you configure AIP to auto-encrypt, DLP will not read the file, and the domains are essentially whitelisted.
Plus there is the bonus of assigning file-specific permissions if needed.
Requires a P2 license.
Please like if this works for you, or reply if it doesn't.
Dec 09 2021 09:02 AM
Please try creating a separate DLP policy just for Exchange Online, and then you can have all the different exclusions you will need.
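The split-policy approach suggested above, as an added example that is not from the thread or from any of its posters: a Security & Compliance PowerShell script that creates one Exchange-only policy carrying a recipient-domain exception and a separate SharePoint/OneDrive policy that, lacking such an exception, falls back to user override with a required justification. It assumes you are connected with Connect-IPPSSession and a recent ExchangeOnlineManagement module (the -AccessScope and -ExceptIfRecipientDomainIs parameters on New-DlpComplianceRule are assumed to be available in your tenant); policy names, rule names and the partner domains are placeholders.

```powershell
# Added example: two DLP policies so that the Exchange one can carry a
# recipient-domain exception while the SharePoint/OneDrive one relies on
# override-with-justification (no domain exception exists for those workloads).
# Assumes: Connect-IPPSSession already run; a recent ExchangeOnlineManagement module.
# ASSUMPTION: -AccessScope and -ExceptIfRecipientDomainIs are present on
# New-DlpComplianceRule in your tenant. Names and domains below are placeholders.

$PartnerDomains = @('parentcompany.example', 'trustedpartner.example')

# Sensitive information type that marks content as "internal only" for this example.
$Sit = @(@{ Name = 'Credit Card Number'; minCount = '1' })

# 1. Exchange-only policy: block mail to external recipients except vetted partners.
#    Start in test mode so policy tips appear but nothing is blocked yet.
New-DlpCompliancePolicy -Name 'Internal Only - Exchange' `
    -ExchangeLocation All -Mode TestWithNotifications

New-DlpComplianceRule -Name 'Block external mail except partners' `
    -Policy 'Internal Only - Exchange' `
    -ContentContainsSensitiveInformation $Sit `
    -AccessScope NotInOrganization `
    -ExceptIfRecipientDomainIs $PartnerDomains `
    -BlockAccess $true -NotifyUser Owner

# 2. SharePoint/OneDrive policy: the same content rule, but because there is no
#    recipient-domain exception here, allow the user to override with a justification
#    (the justification is what the audit review later reads).
New-DlpCompliancePolicy -Name 'Internal Only - SPO OneDrive' `
    -SharePointLocation All -OneDriveLocation All -Mode TestWithNotifications

New-DlpComplianceRule -Name 'Block external sharing unless justified' `
    -Policy 'Internal Only - SPO OneDrive' `
    -ContentContainsSensitiveInformation $Sit `
    -AccessScope NotInOrganization `
    -BlockAccess $true -NotifyUser Owner `
    -NotifyAllowOverride WithJustification `
    -NotifyPolicyTipCustomText 'External sharing of this content needs a business justification.'

# Once tips look right, switch both policies to enforcement:
# Set-DlpCompliancePolicy -Identity 'Internal Only - Exchange' -Mode Enable
# Set-DlpCompliancePolicy -Identity 'Internal Only - SPO OneDrive' -Mode Enable
```

Keeping the workloads in separate policies means the Exchange exception list can grow as partners are vetted without touching the SharePoint/OneDrive rule, and TestWithNotifications lets you confirm the exception actually suppresses the tip for partner mail before anything is blocked.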
Sep 01 2022 12:15 AM