Using the SharePoint Online Sensitive by Default Control

Sensitive by Default Blocks External Access Pending DLP Scanning

The ability to mark documents as “sensitive by default” achieved general availability in July 2020. Despite covering the topic in the DLP chapter of the Office 365 for IT Pros eBook, I never paid the feature much attention because sensitivity labels are often a better way to protect confidential material.

Not every tenant deploys sensitivity labels. Sometimes this is because they want to avoid the complications that can come when dealing with encrypted information, such as how to move encrypted documents between tenants during a migration. And sometimes it’s because the work to prepare to deploy and manage sensitivity labels is incomplete and pending completion. These are the kind of circumstances when the sensitive by default control is useful for tenants that have the necessary Office 365 E3 (or above) licenses to use Data Loss Prevention (DLP) policies with SharePoint Online.

The idea is simple. SharePoint Online uses background processes to implement the instructions in DLP policies to detect sensitive information in documents and take whatever action the policy settings dictate, such as blocking sharing. Because DLP processing does not happen immediately for new files uploaded to SharePoint Online and OneDrive for Business libraries, a short period exists when it’s possible for users to share sensitive data outside the tenant and inadvertently leak data. The sensitive by default control stops this happening by forcing SharePoint Online to consider all files as sensitive until DLP processes their content.

In effect, this means that SharePoint Online blocks external access to documents until DLP scans the contents. If external users, including guest members of a team, attempt to access a document before DLP scans its content, they see a page telling them that scanning is in progress (Figure 1). After a few minutes, the scan should complete and access becomes possible.

Figure 1: Access denied while DLP scanning proceeds.

Implementing Sensitive by Default

To implement the Sensitive by default control, you:

  • Implement at least one DLP policy to scan the SharePoint Online sites that store information intended for external access.
  • Run the Set-SPOTenant cmdlet in the SharePoint Online PowerShell module to block access to new files. It can take up to 15 minutes before the change is effective. The block applies to all sites in the tenant and you can’t exclude sites from its effect.

Here’s the command to implement the sensitive by default control:

Set-SPOTenant -MarkNewFilesSensitiveByDefault BlockExternalSharing

With the block in place, users can still share documents externally (if not blocked by the tenant’s sharing settings). However, external people with a sharing link cannot access the content until the document is scanned by a DLP policy.

To revert the block, run Set-SPOTenant to allow sharing without waiting for DLP processing:

Set-SPOTenant -MarkNewFilesSensitiveByDefault AllowExternalSharing

DLP Processing for Sensitive by Default

Any DLP policy that has a “contents contains” condition to process information in SharePoint Online sites can perform the check and release the block. Normally, DLP scanning either passes the document for external access (because DLP doesn’t detect a policy violation) or blocks it (because DLP detects some content that violates the policy if shared externally).

The Microsoft documentation for the feature discusses creating a form of “catch-all” DLP policy to cover all SharePoint Online sites and OneDrive for Business accounts in a tenant. The policy contains a rule to check new content for some arbitrary value. As shown in Figure 2, I use a check for the blood test sensitive information type.

Figure 2: A simple DLP rule to check for a sensitive information type.

It doesn’t matter that DLP is unlikely to detect this data in my tenant. Apart from that, the DLP policy doesn’t perform any action or notify anyone if it matches content. The sole purpose of the policy is to make sure that DLP processes every file uploaded to SharePoint Online and OneDrive for Business. Other DLP policies handle any problems lurking in documents.
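The two steps described above (a catch-all DLP policy covering all SharePoint Online and OneDrive for Business locations, then the Set-SPOTenant block) as one added PowerShell script; this is example code, not from the original post. It assumes the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules are installed, and the tenant prefix, policy names and sensitive information type name are placeholders.

```powershell
# Added example: enable the sensitive by default control together with the
# catch-all DLP policy that releases the block once a file has been scanned.
$TenantName = "contoso"            # placeholder: your tenant prefix
$PolicyName = "Sensitive by default catch-all"
$SitName    = "Blood Test Terms"   # assumption: name of the sensitive information type to probe for

# 1. Security & Compliance PowerShell: create a policy that targets every
#    SharePoint Online site and OneDrive for Business account.
Connect-IPPSSession
New-DlpCompliancePolicy -Name $PolicyName `
    -Comment "Ensures DLP scans every new file; takes no action on matches" `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode Enable | Out-Null

# The rule only carries a "content contains" condition. It deliberately has no
# blocking action and no notification: its job is to make DLP process every
# upload, while other DLP policies deal with genuine violations.
New-DlpComplianceRule -Name "Scan new files" -Policy $PolicyName `
    -ContentContainsSensitiveInformation @{ Name = $SitName; minCount = "1" } | Out-Null

# 2. SharePoint Online: treat new files as sensitive until DLP has scanned them.
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"
Set-SPOTenant -MarkNewFilesSensitiveByDefault BlockExternalSharing

# 3. Confirm the tenant setting (it can take up to 15 minutes to become effective).
#    To revert, run the same cmdlet with AllowExternalSharing.
(Get-SPOTenant).MarkNewFilesSensitiveByDefault
```

Run the DLP part first: if the block is turned on before any policy with a SharePoint Online location exists, nothing scans the new files and external access to them stays blocked.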

Sensitive by Default and Sensitivity Labels

Applying the sensitive by default control is an effective way to stop external sharing from SharePoint Online and OneDrive for Business. However, it’s a broad-brush policy that covers the entire tenant. Using sensitivity labels to restrict access to documents containing important information might be a better approach, especially when auto-label policies are used to find and apply labels to documents at rest. The two approaches are not mutually exclusive and it’s a good idea to use sensitivity labels to control access to an organization’s most confidential information, including documents shared with external guests in Teams.

