Dec 15 2023 01:00 PM
Hello,
I am trying to block files from being uploaded to specific domains using Endpoint DLP. I have added several domains to the Service Domain section of DLP and set it to Block. I have also added a Service Domain Group with those same domains (not sure if this is required in this case). Then I have created a DLP policy scoped to Devices only. The rule conditions in the policy are set so that any file over 1 byte in size should be blocked from upload to those service domains. I have also added the Service Domain Groups to this policy and set it to Block. I turn on the policy and it is applied to the appropriate endpoints, but when I test, the only files blocked from being uploaded to those domains are files tagged with a sensitivity label. Can this DLP policy apply to all files instead of just labelled ones? We just want to block upload to specific domains outright. Any help is appreciated!
Dec 18 2023 06:40 AM
Hi @PenTestPatrick,
Here are the steps to configure Endpoint DLP to block all file uploads to specific domains, not just those with a sensitivity label:
Service Domains:
Ensure you've added the domains to the Service Domain section and set them to Block. Adding them to a Service Domain Group is optional.
DLP Policy:
Create a DLP policy scoped to Devices. In the rule conditions, set it to block any file over 1 byte in size.
File Types/Extensions:
Although DLP typically focuses on sensitive information, you can set the policy to block uploads based on file types and/or extensions. This allows you to block all files, not just those with a sensitivity label.
Apply Policy:
Activate the policy and confirm it's applied to the relevant endpoints.
If the policy isn't blocking all file uploads, check the specific applications or browsers used for upload.
Endpoint DLP enables restrictions on user activities per application, including browser and domain restrictions.
Configure endpoint DLP settings | Microsoft Learn
Blocking file uploads to all sites, unless safelisted - Microsoft Community Hub
Re: Can I block upload of data based on DLP Policy and/or Sensitivity Label? - Microsoft Community H...
Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.
If the post was useful in other ways, please consider giving it Like.
Kindest regards,
Leon Pavesic
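The same Devices-only policy and rule, built with Security & Compliance PowerShell instead of the portal, as an added example that is not part of the original thread. It assumes the ExchangeOnlineManagement module and a Compliance Administrator account; the policy name and the extension list are placeholders, and the service domain list itself stays configured in Endpoint DLP settings exactly as the steps above describe.

```powershell
# Added example, not the thread's own configuration.
# Assumes: ExchangeOnlineManagement module installed, Compliance Administrator rights.
# The "Restricted cloud service domains" list (set to Block) is still created in
# Purview > Settings > Endpoint DLP, as in the portal steps above.
Connect-IPPSSession

$policyName = "Block-Uploads-To-Restricted-Domains"   # placeholder name

# Policy scoped to Devices only. Start in test mode so Activity explorer shows
# which uploads would match before any user is blocked.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Block uploads of listed file types to restricted service domains" `
    -EndpointDlpLocation All `
    -Mode TestWithoutNotifications

# Rule: match on file extension rather than on a sensitive info type or label,
# so unlabelled files are in scope, and block the cloud-upload egress action.
# Extension list is a placeholder; adjust to the types you need to cover.
New-DlpComplianceRule -Name "$policyName-Rule" -Policy $policyName `
    -ContentExtensionMatchesWords "docx","xlsx","pdf","zip" `
    -EndpointDlpRestrictions @(@{"Setting"="CloudEgress"; "Value"="Block"})

# Check what was created, then switch to enforcement once test-mode matches
# in Activity explorer confirm the rule fires on unlabelled files.
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, ContentExtensionMatchesWords, EndpointDlpRestrictions
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Running in test mode first is the useful check here: if Activity explorer shows no matches for unlabelled files, the problem is in the rule conditions or the device's policy sync rather than in the domain list.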
Dec 18 2023 11:34 AM
Hi Leon,
I appreciate you taking the time to respond. I have followed those steps you have outlined and I am still able to upload files that are not labelled as sensitive. I've attached some screenshots of the policy.
Rule configuration:
Restricted actions:
Service domains:
We are using MS Edge to test and labelled files are blocked from upload with the appropriate DLP message but I can still attach files that are not labelled even if they are one of the extensions listed. Do you have any ideas on this?
Thanks
Dec 18 2023 10:57 PM
Hi @PenTestPatrick,
Thanks for your update.
Here are some recommended steps to address potential issues:
1. Confirm the Health of Your Endpoint DLP Setup:
2. Verify Policy Synchronization:
3. Confirm Policy Application to Files:
4. Addressing Policy Discrepancies:
Common questions on Microsoft Purview Data Loss Prevention for endpoints - Microsoft Community Hub
Kindest regards,
Leon Pavesic
Jan 17 2024 01:35 PM
Jan 24 2024 09:46 AM
@Luke_Michael_Fisher We have not yet resolved this issue. Going back and forth with MS support for several weeks now with different implementations of the DLP rule. Per Microsoft's recommendation, our current rules are as follows:
We are experiencing inconsistent DLP blocking when uploading to our specified domains. Sometimes it blocks upload, sometimes it allows it, even for the same file. We're hoping to get some clarification from MS on this. Are you having any success?
Jan 25 2024 11:24 AM
Feb 07 2024 10:38 AM
Mar 05 2024 06:21 AM
Purview Endpoint DLP can only block sensitive data (the ones with sensitivity labels).
I'd use Defender for Cloud Apps instead and use the File Policy DLP config:
The policy below shows [Any File] being [Sent to any external users] to any [X domain].
Apr 10 2024 10:05 PM
Apr 11 2024 07:36 AM