The Solution - a quick peek
Using Information Protection and Data Loss Prevention together gives you two benefits:
- Sharing documents from OneDrive (OD), SharePoint Online (SPO) or Teams becomes more restrictive.
When a user tries to share a document carrying a specific sensitivity label with an external party, they cannot copy or send the link.
- Documents uploaded to a Team that has guests become invisible to those guests as soon as they carry such a label.
On the left you see the view of an internal member of the Team, on the right you see the same Team and channel as a guest. In my case all documents labeled Confidential or Highly Confidential are invisible to the guest.
What you need
You will need a mix of Information Protection and Data Loss Prevention. If you want to know more about these two tools you can find more information here:
Licensing
To make this work you need at least Microsoft 365 E3, A3 or Microsoft 365 Business Premium licenses. Alternatively, the features can be purchased as add-ons for lower-tier plans such as Frontline (F) licenses.
Information Protection - Sensitivity Labels
Microsoft Purview needs a way to identify the documents that should be protected, and it accepts several kinds of markers as DLP conditions. With E3 licensing you can use sensitivity labels and retention labels; the built-in sensitive information types (SITs) are available at that tier as well. E5 licensing adds trainable classifiers and the more advanced classification options.
To start you need at least one label, for example "Confidential" or something simpler such as "Do not share". You can also fold this into an existing classification concept in Purview. Once the labels exist and are published to users, the DLP policy is straightforward to add.
Data Loss Prevention - Policy
To get the behavior shown above you need a Data Loss Prevention (DLP) policy scoped to the SharePoint and OneDrive workloads (files in Teams channels live in SharePoint, so that scope covers them). Inside the policy, create one rule:
- Condition 1: content contains the sensitivity label that must NOT be shared with or visible to guests. With an E5 license you can use SITs or other markers here instead.
- Condition 2: content is shared with people outside your organization.
- Action: restrict access for external users (the "Block only people outside your organization" option).
- Configure user notifications and policy tips. The policy tip is what the user sees when the share is blocked, so pay close attention to its wording.
The order of the conditions affects the outcome, which is a bit unusual: the label check has to be the first condition, followed by the external-sharing condition.
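The procedure above as an added PowerShell example (not code from the original post or from Microsoft's documentation): it assumes the ExchangeOnlineManagement module, a Purview compliance admin, and placeholder names for the label, policy, rule and admin UPN, and uses only the Security & Compliance cmdlets Get-Label/New-Label, New-DlpCompliancePolicy, New-DlpComplianceRule and their Get-/Set- counterparts. The portal's condition-order quirk cannot be expressed here, because the label condition and the external-sharing condition are separate parameters that the rule simply ANDs.

```powershell
# Added example, not from the original post. Placeholder names throughout:
# the label "Confidential", the policy/rule names and the admin UPN are assumptions.
# Requires the ExchangeOnlineManagement module and a Purview compliance admin.

Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com   # placeholder UPN

$labelName  = "Confidential"                     # assumed label name
$policyName = "Hide labeled docs from guests"    # assumed policy name
$ruleName   = "$policyName - block external"

# 1. Make sure the sensitivity label exists (Purview Information Protection).
#    Creating it does not publish it; users still need a label policy (New-LabelPolicy).
$label = Get-Label -Identity $labelName -ErrorAction SilentlyContinue
if (-not $label) {
    $label = New-Label -Name $labelName -DisplayName $labelName `
        -Tooltip "Do not share outside the organization"
}
# The DLP label condition references the label by its GUID (ImmutableId), not by name.
$labelId = $label.ImmutableId

# 2. DLP policy scoped to SharePoint and OneDrive. Teams channel files are stored in
#    SharePoint, so this scope covers them. Start in test mode and switch -Mode to
#    Enable once the policy tips look right.
if (-not (Get-DlpCompliancePolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-DlpCompliancePolicy -Name $policyName `
        -Comment "Block external access to labeled documents" `
        -SharePointLocation All `
        -OneDriveLocation All `
        -Mode TestWithNotifications
}

# 3. Rule: (content carries the label) AND (shared with people outside the org)
#    -> block external users only, notify owner and last modifier, show a policy tip.
$labelCondition = @{
    operator = "And"
    groups   = @(
        @{
            operator = "Or"
            name     = "Default"
            labels   = @( @{ name = $labelId; type = "Sensitivity" } )
        }
    )
}

New-DlpComplianceRule -Name $ruleName -Policy $policyName `
    -ContentContainsSensitiveInformation $labelCondition `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -BlockAccessScope PerUser `
    -NotifyUser @("Owner", "LastModifier") `
    -NotifyPolicyTipCustomText "This document is labeled $labelName and cannot be shared with or seen by guests." `
    -ReportSeverityLevel High

# 4. Verify the rule before flipping the policy to Enable.
Get-DlpComplianceRule -Identity $ruleName |
    Format-List Name, Policy, AccessScope, BlockAccess, BlockAccessScope, NotifyUser

# When the test-mode tips look right:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

`-BlockAccessScope PerUser` is the PowerShell equivalent of the portal's "Block only people outside your organization" choice; `All` would also lock out internal users other than the owner and last modifier, which is not what this setup is after. Running the policy in `TestWithNotifications` first lets you confirm on a labeled test document that internal members keep access while a guest loses it, before any production share is blocked.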
Some things to think about
- Configuring this gives you a first barrier, not a complete control: it only acts on documents that actually carry the label, so users have to label their documents correctly. Combining it with auto-labeling greatly reduces that dependency on user discipline.
- Documents will become invisible to guest users almost instantly. In my test, it took 1-2 minutes for the document to disappear after a refresh.
- This also means that if a guest manages to apply a sensitivity label to a document manually (which is possible via the metadata pane), or auto-labeling is triggered, the document disappears from the guest's view within seconds and they cannot edit it any further. That is arguably the desired outcome.
- With this configuration you can only distinguish between guests and non-guests; there is no finer granularity. Either every guest sees the document or none of them does. This is where the other channel types (private and shared channels) come in.