Microsoft Tech Community
SOLVED

Whitelisting domain in DLP policy


Does anyone know if there is any way to whitelist a domain in a DLP policy?

The problem is that we are sharing documents from an SPO site to a trusted partner domain and don't want to get DLP warning messages for this, but at the same time don't want to take the whole site out of DLP's reach.

12 Replies

Have you looked into exceptions for DLP rules, more specifically the "recipient domain is" exception? https://docs.microsoft.com/en-us/office365/securitycompliance/data-loss-prevention-policies#tuning-r...

I didn't find any mention of a recipient domain exception in the article. The only thing I could find about exceptions is Exchange Online transport rules, but my problem is with SharePoint content, so when sharing from SharePoint, is there a way to whitelist a domain that you share documents to from SharePoint?

best response confirmed by Deleted
Solution

The article shows you how to configure conditions/exceptions, it doesn't list them all...

@Vasil Michev I'm curious to see if anyone has answered this successfully yet. Currently, you can't add a domain exception ("recipient domain is...") for SharePoint or OneDrive. It only works for Exchange. We have a very similar business case where we need our parent company to be excluded from certain DLP policies that protect us from sharing "internal only" content with external users.

@Adrienne Almeida, I am also interested in whether there is a solution/workaround for the domain exception across different products and not only Exchange.

@Expiscornovus We haven't found one yet, other than allowing users to override policies. I spoke with MS support, and this is by design.

Right now, we're planning to give users the option to override the policy to share with our parent company, and apply some custom auditing (through scripting) to make sure folks are following the rules.

We've found a lot of "by design" within O365 recently in how default settings are configured, but there isn't a way to set your own defaults.
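The "custom auditing through scripting" mentioned in the reply above, as an added example that is not code from the thread or from Microsoft: it pulls DLP override events from the unified audit log and lists who overrode which rule with what justification, flagging any Exchange recipients outside a vetted partner list. It assumes an Exchange Online PowerShell session with audit-search rights, that user overrides surface as Operation `DlpRuleUndo` with `ExceptionInfo.Reason` equal to `Override`, and the `AuditData` field names used in the comments; the partner domains are placeholders. Verify the field names against a real record in your tenant before relying on the report.

```powershell
# Added example (not from the thread). Reports DLP overrides from the unified audit log.
# Assumptions: Connect-ExchangeOnline session with audit-search rights; overrides appear as
# Operation "DlpRuleUndo" with ExceptionInfo.Reason "Override"; AuditData field names as used
# below (CreationTime, UserId, Workload, PolicyDetails, ExchangeMetaData, SharePointMetaData).
Connect-ExchangeOnline

# Hypothetical allow-list of vetted partner domains (lower-case)
$approvedDomains = @('parentcompany.example', 'partner.example')

# DlpRuleUndo is logged for both SharePoint/OneDrive and Exchange DLP; query each record type
$records = foreach ($rt in 'ComplianceDLPSharePoint', 'ComplianceDLPExchange') {
    Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
        -RecordType $rt -Operations 'DlpRuleUndo' -ResultSize 5000
}

$report = foreach ($rec in $records) {
    $d = $rec.AuditData | ConvertFrom-Json

    # DlpRuleUndo also covers false-positive reports and document edits; keep only user overrides
    if ($d.ExceptionInfo.Reason -ne 'Override') { continue }

    # Exchange records carry the recipients; SharePoint records carry the file path instead
    $recipients = @()
    $item = $null
    if ($d.ExchangeMetaData) {
        $recipients = @($d.ExchangeMetaData.To) + @($d.ExchangeMetaData.CC)
        $item = $d.ExchangeMetaData.Subject
    } elseif ($d.SharePointMetaData) {
        $item = $d.SharePointMetaData.FilePathUrl
    }

    # Any recipient whose domain is not on the allow-list needs a human look
    $unapproved = $recipients | Where-Object {
        $_ -and (($_ -split '@')[-1].ToLower() -notin $approvedDomains)
    }

    [pscustomobject]@{
        When          = $d.CreationTime
        User          = $d.UserId
        Workload      = $d.Workload
        Rule          = (@($d.PolicyDetails.Rules.RuleName) -join ';')
        Item          = $item
        Justification = $d.ExceptionInfo.Justification
        Unapproved    = (@($unapproved) -join ';')
    }
}

# Overrides to unapproved recipients, or with an empty justification, go to the review queue
$report | Where-Object { $_.Unapproved -or -not $_.Justification } |
    Export-Csv -Path .\dlp-overrides-to-review.csv -NoTypeInformation
$report | Format-Table -AutoSize
```

SharePoint DLP records do not tell you who the file was shared with, so for SPO/OneDrive the report can only surface the override and its justification; the sharing recipient has to be correlated separately from the `SharingSet`/`SharingInvitationCreated` audit events if you need it.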

 

We're up against the same situation for DLP rules applied to SharePoint, Teams, and OneDrive. We have business partners with contractual agreements, BAAs, NDAs, etc., so we have legitimate business justification for sharing potentially sensitive info. It would be nice to whitelist those domains once they are vetted as OK with all the proper documentation in place, so our users don't have to provide a business justification on every share. Then we could block file shares for all non-approved recipients.

As we need to do now, allowing overrides requires so much more overhead to check all the logs/reports and read the justifications on recipients that really should be allowed.

@crichmond It's a business problem that I hope will be solved in coming updates. Lots of companies have either a parent/child relationship with another company, or a "trusted partner" relationship like you're describing.

We tested using the overrides, but weren't really happy with how that works either. It's not a great user experience. Hopefully they'll enable whitelisting!

While there is no whitelist, there is a possible workaround, perhaps by design.

Office 365 DLP cannot read (or match on) an AIP-encrypted file.

AIP can encrypt files automatically upon save if conditions are met.

If you configure AIP to auto-encrypt, DLP will not read the file and the domains are essentially whitelisted.

Plus there is the bonus of assigning file-specific permissions if needed.

Requires a P2 license.

Please like if this works for you, or reply if it doesn't.

 

@Vasil Michev No, you are incorrect; there is no setting for this.

Please try creating a separate DLP policy just for Exchange Online, and then you can have all the different exclusions you will need.
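The split-policy approach suggested above, as an added example that is not code from the thread or from Microsoft: one policy scoped to Exchange Online carries the recipient-domain exception (the `ExceptIfRecipientDomainIs` condition exists only for Exchange), and a second policy scoped to SharePoint and OneDrive blocks external sharing of the same content but allows an override with justification, since no domain exception is available there. It assumes a Security & Compliance PowerShell session (`Connect-IPPSSession`); the policy and rule names, the partner domains, and the choice of the built-in SSN sensitive information type as the trigger are placeholders.

```powershell
# Added example (not from the thread). Two policies: Exchange with a partner-domain exception,
# SharePoint/OneDrive with justified overrides instead. Assumes Connect-IPPSSession;
# names, domains and the trigger type are placeholders.
Connect-IPPSSession

$partnerDomains = @('parentcompany.example', 'partner.example')   # hypothetical vetted partners

# Trigger condition: a built-in sensitive info type; replace with your own classifier
$sensitiveContent = @(@{ Name = 'U.S. Social Security Number (SSN)'; minCount = 1 })

# 1. Exchange-only policy. The domain exception is an Exchange-only condition, so it lives here.
New-DlpCompliancePolicy -Name 'Confidential - Exchange' -ExchangeLocation All -Mode Enable

New-DlpComplianceRule -Name 'Block external mail, allow partners' `
    -Policy 'Confidential - Exchange' `
    -ContentContainsSensitiveInformation $sensitiveContent `
    -AccessScope NotInOrganization `
    -ExceptIfRecipientDomainIs $partnerDomains `
    -BlockAccess $true `
    -NotifyUser LastModifier

# 2. SharePoint/OneDrive policy. No domain exception exists, so block external access and let
#    the user override with a justification; the override audit trail becomes the control.
New-DlpCompliancePolicy -Name 'Confidential - SPO and OneDrive' `
    -SharePointLocation All -OneDriveLocation All -Mode Enable

New-DlpComplianceRule -Name 'Block external sharing, justified override' `
    -Policy 'Confidential - SPO and OneDrive' `
    -ContentContainsSensitiveInformation $sensitiveContent `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -NotifyAllowOverride WithJustification

# Check that the exception actually landed on the Exchange rule
Get-DlpComplianceRule -Identity 'Block external mail, allow partners' |
    Select-Object Name, AccessScope, ExceptIfRecipientDomainIs, BlockAccess
```

Roll the SharePoint/OneDrive policy out in `TestWithNotifications` mode first: with `AccessScope NotInOrganization` the rule fires on any external share, and a noisy rule pushed straight to `Enable` trains users to click through the override dialog without reading it.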

Are there new updates on this topic? In large companies, the option to manage whitelists by exceptions can lead to management nightmares. Large companies work with hundreds or thousands of external partners. The ideal situation would be to be able to automate the feeding of whitelisted domains from an external consolidated list, and just have a role in the organization completing a mapping between some sensitive info type and the associated vendors. Managing such a thing in each rule/policy individually is not a sustainable model in large organisations.