Use Office 365 DLP Policies to Block External Access to Sensitive Documents

Exploit Sensitivity Labels to Protect Confidential Material

Microsoft doesn’t currently support the detection of sensitive content by Data Loss Prevention (DLP) policies based on a label assigned to documents, but the advent of managed properties for sensitivity labels in the SharePoint Online schema makes some magic possible.

If you assign highly sensitive labels to critical documents, you probably don’t want users to share those documents with external parties. It’s possible to restrict sharing at the level of a SharePoint site or tenant to stop documents being shared externally, but that will stop all sharing. Being able to pinpoint and block specific documents is better, especially when someone has made a judgment that a document needs to be protected by a certain sensitivity label. Of course, if the sensitivity label invokes encryption, the recipient might not have the rights to access the content, but it’s better when the block is imposed by the service and the intended recipient doesn’t get a chance to inspect document metadata (title, etc.), which might reveal something of its content.

Simple DLP Policy

A simple DLP policy will do the trick. The policy needs one rule (Figure 1) with two conditions and an action:

  • Condition 1: Content is shared with someone outside the organization.
  • Condition 2: Document property is InformationProtectionLabelId:Guid, where Guid is the identifier of the label to block. In my case, I wanted to block external access to documents labeled with the Ultra Confidential label, whose GUID is 9ec4cb17-1374-4016-a356-25a7de5e411d. To find the GUID for a sensitivity label, use PowerShell to connect to the Security and Compliance endpoint and run the Get-Label cmdlet.
  • Action: Block access to people outside the organization.
Figure 1: A simple Office 365 DLP policy to block access to sensitive documents

You can decide to apply the policy to selected sites or all sites in the tenant. I elected to use all sites because it means that documents marked as Ultra Confidential cannot be shared externally from any site, including new sites added after the policy becomes active.
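
The same policy and rule can be created from PowerShell. The script below is an added example, not part of the original article: it resolves the label GUID by display name rather than relying on a hand-typed value, then creates the policy in test mode. The policy and rule names are hypothetical, and the use of -BlockAccessScope PerUser to represent the "block people outside the organization" action is an assumption to confirm against the rule created in Figure 1.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and a role that
# can manage DLP policies in the Security and Compliance endpoint.
$LabelName  = 'Ultra Confidential'                             # label used in the article
$PolicyName = 'Block External Access to Ultra Confidential'    # hypothetical name
$RuleName   = 'Block external sharing - Ultra Confidential'    # hypothetical name
$Mode       = 'TestWithNotifications'   # change to 'Enable' after validating the matches

Connect-IPPSSession

# Resolve the label by display name and insist on exactly one match, so that a
# typo or a duplicate name cannot silently produce a rule that never fires.
$Label = @(Get-Label | Where-Object { $_.DisplayName -eq $LabelName })
if ($Label.Count -ne 1) {
    throw "Expected exactly one label named '$LabelName' but found $($Label.Count)."
}
$LabelGuid = [guid]$Label[0].Guid       # the cast fails loudly if the value is malformed

# Condition 2 from the article: managed property name, a colon, then the label GUID.
$LabelCondition = "InformationProtectionLabelId:$LabelGuid"

# Apply to all SharePoint Online sites, including sites created later.
New-DlpCompliancePolicy -Name $PolicyName -SharePointLocation All -Mode $Mode |
    Out-Null

$RuleParams = @{
    Name                         = $RuleName
    Policy                       = $PolicyName
    AccessScope                  = 'NotInOrganization'   # Condition 1: shared externally
    ContentPropertyContainsWords = $LabelCondition       # Condition 2: label GUID
    BlockAccess                  = $true                 # Action: block access
    BlockAccessScope             = 'PerUser'             # assumption: external users only
}
New-DlpComplianceRule @RuleParams | Out-Null

# Read the rule back and check the stored condition against the resolved GUID.
Get-DlpComplianceRule -Identity $RuleName |
    Format-List Name, ParentPolicyName, AccessScope, ContentPropertyContainsWords, BlockAccess
```

Running in test mode first lets you review the matches the rule generates before any sharing link is actually blocked.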

The Block in Effect

After the DLP policy is published to SharePoint Online, any attempt to share a document with the Ultra Confidential label will proceed as follows:

  • The user will be able to create and send a sharing link to an external recipient as normal.
  • DLP will detect that a link has been generated and block sharing. The sharer will receive notification that sharing is blocked (Figure 2). At this point, the sharer should probably tell the external person that the sharing link won’t work because…
  • If the external person tries to access the document, they’ll be informed that they can’t.
Figure 2: The sharer learns that sharing is blocked

Using Auto-Label Policies To Find and Label Documents

Another way of approaching the problem is to use an auto-label policy to search for documents with a specific characteristic and apply a label to protect the document. This works well, providing that you’re willing to pay for Office 365 E5 licenses to use auto-labeling policies. The technique described above works with Office 365 E3.

Another point to remember is that the most important and critical information in a company often cannot be easily found by auto-labeling. Some human intervention is needed to decide just how confidential a document is and what the appropriate level of protection should be. And when someone applies a highly confidential label to a document, it’s nice that you can then stop external sharing with such a simple DLP policy.

More Comprehensive Support for Sensitivity Labels in DLP Policies

The functionality as described above works, but it’s not very user friendly to have to remember GUIDs (a process that’s also prone to error). Microsoft is working on the UI necessary to allow admins to select sensitivity labels by name rather than GUID when building rules for DLP policies. This functionality should appear later in 2020.


DLP policies are covered in Chapter 22 of the Office 365 for IT Pros eBook. We cover sensitivity labels in Chapter 24. Lots of information to learn from!
