How to Create a DLP Policy to Stop External Sharing of Teams Meeting Recordings

Joins the Controls for Teams Meeting Recordings

Now that Microsoft has created the transition of storage for Teams meeting recordings (TMRs) from Stream (classic) to OneDrive for Business and SharePoint Online (ODSP), attention is focused on how to manage these files. Microsoft plans to introduce an auto-expiration policy for TMRs in January 2022 to allow organizations dictate how long these files exist in ODSP. The auto-expiration policy will work for any Microsoft 365 tenant which has licenses for Teams.

If you have Office 365 E3, users can apply retention labels to TMRs to gain more control over their retention, and if you have Office 365 E5 or Microsoft 365 E5 licenses, you can deploy an auto-label retention policy to find and label TMRs (and track the success of the policy in finding and labeling TMRs). In short, over time, organizations are gaining ways to exert compliance control over TMRs.

Blocking Sharing with Data Loss Prevention

Data Loss Prevention (DLP) for SharePoint Online and OneDrive for Business is included in the Office 365 E3 SKU. The value of DLP is that you can use a policy to protect against inadvertent data leakage caused when someone shares a TMR outside the organization. Imagine what would happen if a competitor got hold of a recording of a discussion, complete with slides, about the development of a new product!

Using much the same approach as taken to identify TMRs for the auto-labeling retention policy, we can build a DLP policy for TMRs which looks for recording files and stamps them with metadata to stop sharing happening. The DLP policy to block external sharing for TMRs is very simple. It is a custom DLP policy (i.e., not created using a template) consisting of:

  • A name and description.
  • Target locations. For maximum coverage, choose all SharePoint Online sites and OneDrive for Business accounts. This will stop any sharing of TMRs created for personal meetings (OneDrive) and channel meetings (SharePoint).
  • A single rule. The rule looks for any file with the property value ProgId:Media.Meeting that is shared with someone outside the organization. The rule action blocks sharing with people outside the organization. Figure 1 shows what the rule conditions look like. Optionally, the rule can allow users to override the block by providing a justification to explain why they need to share a recording with an external person.

DLP rule to prevent external sharing of Teams meeting recordings
Figure 1: DLP rule to prevent external sharing of Teams meeting recordings

Other rule settings which you might consider include creating a custom policy tip to explain why users can’t share TMRs externally or generating an incident report to alert administrators or other people when a rule violation occurs.

The Effect of DLP

It can take up to an hour before a new DLP policy is effective. When the policy is active, the indexing process for new files detects that TMRs come within the scope of a policy and applies the policy settings to block external sharing. There might be a few minutes before the block is effective for a new file during which it’s possible to create and send a sharing link. However, once the block is in place, the sharing link is nullified.

The effect of the policy is obvious because any document which matches the policy conditions now has a small icon (circle with a line in the middle). In Figure 2, the icon is shown alongside all the TMRs in the Recordings folder. Other video files that don’t have the property set are not marked. Hovering over a TMR reveals information about the file, including a link to a DLP policy tip if set. In this case, the link reveals some custom text to explain that external sharing is not permitted for TMRs.

External sharing for Teams meeting recordings is blocked, or so the policy tip says
Figure 2: External sharing for Teams meeting recordings is blocked, or so the policy tip says

If the user ignores the warning and goes ahead to try and share the recording anyway, they won’t be able to do this because OneDrive for Business blocks the attempt to create and send a sharing link (Figure 3).

OneDrive for Business blocks a sharing link for a Teams meeting recording
Figure 3: OneDrive for Business blocks a sharing link for a Teams meeting recording

Easy Update

Even if internal users don’t often go back to relisten to what was discussed in a conference call, there’s no doubt that some external people might find that content interesting, perhaps even to the detriment of your company. The time required to create and deploy a DLP policy to block external sharing of TMRs is roughly ten minutes (including a pause to drink coffee). It’s a quick and easy update to make it easier to manage the security of information contained inside these files. This is a good example of the value of DLP.

Learn more about how Office 365 really works on an ongoing basis by subscribing to the Office 365 for IT Pros eBook. Our monthly updates keep subscribers informed about what’s important across the Office 365 ecosystem.

7 Replies to “How to Create a DLP Policy to Stop External Sharing of Teams Meeting Recordings”

  1. When I go to add the rule it states ‘Rules must contain at least one ‘Content contains’ condition.’

      1. Same problem here…

        “Content contains” problem even ProgId:Meeting.Media is inserted in “Document Property is”

      2. The previous respondent got it sorted by making sure that the Conditions are:

        Content is shared from Microsoft 365
        With people outside the organization
        Document property is:

        When I run Get-DlpComplianceRule -Policy “Prevent Sharing of Teams Meeting Recordings” | fl, to view the rule settings I see:

        AccessScope : NotInOrganization
        NonBifurcatingAccessScope :
        ExceptIfAccessScope :
        FromScope :
        ExceptIfFromScope :
        WithImportance :
        ExceptIfWithImportance :
        ExternalScenarioDependancies : {}
        ContentPropertyContainsWords : {ProgID:Media.Meeting}

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.