Did you know: you can enable Data Loss Prevention (DLP) to automatically block external access to new files in SharePoint Online and OneDrive for Business until those files have been fully scanned for sensitive information.
When this will happen
- Microsoft will roll this out at the end of June, with an expected completion date of mid-July.
How this will affect your organization
This capability is available for all new files uploaded to both OneDrive and SharePoint.
When new files are added to SharePoint or OneDrive in Microsoft 365, it takes time for them to be crawled and indexed. It takes additional time for the DLP policy to scan the content and apply rules to protect sensitive content. Currently, if external sharing is turned on, sensitive content could be shared and accessed by guests before any Office DLP rule completes its processing.
By treating all new files as sensitive until they have been scanned, this feature gives a Global or SharePoint admin the ability to block guest accounts from accessing files until DLP completes its scan.
- If the file has no sensitive content based on the DLP policy, then guests can access the file.
- If the policy identifies a file with sensitive content, then guests continue to be prohibited from accessing the file.
What you need to do to prepare
To mark new files sensitive by default:
- You will need to change a tenant property using PowerShell and a cmdlet.
- You need to enable at least one DLP policy covering all SharePoint and OneDrive content.
There is no change to existing restrictions on guest user access to sensitive files.
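The two preparation steps above can be scripted as follows. This is an added example, not taken from the original post or from Microsoft's announcement. It assumes the SharePoint Online Management Shell and ExchangeOnlineManagement modules are installed, and `contoso` is a placeholder tenant name.

```powershell
# Added example. Assumptions: Microsoft.Online.SharePoint.PowerShell and
# ExchangeOnlineManagement modules are installed; 'contoso' is a placeholder.
$AdminUrl = 'https://contoso-admin.sharepoint.com'   # placeholder: your SharePoint admin URL

# 1. Prerequisite check: at least one enforced DLP policy with SharePoint and
#    OneDrive locations. Review the table to confirm the locations cover all content.
Connect-IPPSSession
$policies = Get-DlpCompliancePolicy |
    Where-Object { $_.Mode -eq 'Enable' -and $_.SharePointLocation -and $_.OneDriveLocation }
if (-not $policies) {
    throw 'No enforced DLP policy with SharePoint and OneDrive locations found; create one first.'
}
$policies | Format-Table Name, Mode, SharePointLocation, OneDriveLocation -AutoSize

# 2. Read the current tenant property so the change is auditable.
Connect-SPOService -Url $AdminUrl
$before = (Get-SPOTenant).MarkNewFilesSensitiveByDefault
Write-Host "Current MarkNewFilesSensitiveByDefault: $before"

# 3. Treat new files as sensitive (guests blocked) until DLP has scanned them.
if ($before -ne 'BlockExternalSharing') {
    Set-SPOTenant -MarkNewFilesSensitiveByDefault BlockExternalSharing
}

# 4. Verify the property was applied before relying on it.
$after = (Get-SPOTenant).MarkNewFilesSensitiveByDefault
if ($after -ne 'BlockExternalSharing') {
    throw "Setting was not applied (current value: $after)."
}
Write-Host 'New files are now blocked for guests until the DLP scan completes.'
```

To revert to the previous behavior, set the same property to `AllowExternalSharing`.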