How to Use DLP Policies and Sensitivity Labels to Block External Access to Confidential Documents

Exploit Sensitivity Labels to Protect Confidential Material Stored in SharePoint Online

If you assign sensitivity labels to critical documents stored in SharePoint Online or OneDrive for Business, you probably don’t want users to share those documents with external parties. It’s possible to restrict sharing at the level of a SharePoint site or tenant to stop documents being shared externally, but that will stop all sharing. Being able to pinpoint and block specific documents is better, especially when someone has made a judgment that a document needs to be protected by a certain sensitivity label. Of course, if the sensitivity label invokes encryption, the recipient might not have the rights to access the content, but it’s better when the block is imposed by the service and the intended recipient doesn’t get a chance to inspect document metadata (title, etc.), which might reveal something of its content.

Last July, Microsoft introduced the initial support in DLP policies for sensitivity labels using checks against the managed property defined in the SharePoint Online schema used to hold the GUID of a sensitivity label. The property is called InformationProtectionLabelId and the check is performed against a document property in the form InformationProtectionLabelId:Guid. For example:

InformationProtectionLabelId:9ec4cb17-1374-4016-a356-25a7de5e411d

In an announcement posted on November 10, Microsoft confirmed full support for sensitivity labels in DLP policies. This means that instead of using a document property, you can specify that the content contains a sensitivity label in the same way as the policy can check for the presence of a sensitive data type (like a credit card number) or retention label.

Simple DLP Policy

A simple DLP policy illustrates the point. The policy needs one rule with two conditions and an action:

  • Condition 1: Content contains a retention label, sensitive data type, or sensitivity label. Select sensitivity label and then select the sensitivity label to check (Figure 1).
  • Condition 2: Content is shared with someone outside the organization.
  • Action: Block access to people outside the organization.
Figure 1: A simple Office 365 DLP policy to block access to sensitive documents

You can decide to apply the policy to selected sites or all sites in the tenant. I elected to use all sites because it means that documents marked as Ultra Confidential cannot be shared externally from any site, including new sites added after the policy becomes active.

The Block in Effect

After the DLP policy is published to SharePoint Online, any attempt to share a document with the Ultra Confidential label will proceed as follows:

  • User will be able to create and send a sharing link to an external recipient as normal.
  • DLP will detect that a link has been generated and block sharing (no further external sharing is possible). The sharer will receive notification that sharing is blocked (Figure 2). At this point, the sharer should probably tell the external person that the sharing link won’t work because…
  • If the external person tries to access the document, they’ll be informed that they can’t.
The sharer learns that sharing is blocked
Figure 2: The sharer learns that sharing is blocked

Using Auto-Label Policies To Find and Label Documents

Another way of approaching the problem is to use an auto-label policy to search for documents with a specific characteristic and apply a label to protect the document. This works well, providing that you’re willing to pay for Office 365 E5 licenses to use auto-labeling policies. The technique described above works with Office 365 E3.

Another point to remember is that the most important and critical information in a company often cannot be easily found by auto-labeling. Some human intervention is needed to decide just how confidential a document is and what the appropriate level of protection should be. And when someone applies a highly confidential label to a document, it’s nice that you can then stop external sharing with such a simple DLP policy.


DLP policies are covered in Chapter 22 of the Office 365 for IT Pros eBook. We cover sensitivity labels in Chapter 24. Lots of information to learn from!

3 Replies to “How to Use DLP Policies and Sensitivity Labels to Block External Access to Confidential Documents”

  1. Great post,
    I have followed your instructions and the rule is not working.
    When I try to send an attachment by email, it lets me send the message and does not block it.
    The document property in the rule is added like this: InformationProtectionLabelid: 96360738-ffe3-48c7-81d2-a39f005b8c0c

    What could be failing?
    Thank you.

    1. I really have no idea. It’s kind of hard to debug with just a few facts… You could ask Microsoft to help.

      BTW, Microsoft will soon make it much easier to check for sensitivity labels in DLP policies. You might want to wait until the fully baked code is available.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.