Data Loss Prevention policies in Microsoft Purview are designed to detect and restrict sensitive information. But many administrators find that a DLP policy does not block external sharing in SharePoint or OneDrive. This happens because DLP policies for external sharing require specific configuration in the policy location and action settings. This article explains the technical reasons why DLP does not block external sharing by default and provides the exact steps to configure it correctly.
Key Takeaways: Configuring DLP to Block External Sharing
- DLP policy location set to SharePoint and OneDrive: DLP only evaluates external sharing when the policy is scoped to these workloads.
- Action set to block sharing: The policy must include the action “Restrict access or encrypt the content” with the block sharing option enabled.
- Policy mode set to Enforce: DLP must be in enforce mode, not test mode, to actively block sharing events.
Why DLP Policy Does Not Detect External Sharing by Default
A DLP policy in Microsoft Purview scans content for sensitive data types like credit card numbers or personally identifiable information. By default, a DLP policy is not configured to monitor or block external sharing. The policy must be explicitly scoped to the SharePoint and OneDrive workload, and the action to restrict sharing must be enabled. Without these two conditions, the policy will only generate alerts or notify users without preventing the sharing action. The root cause is that DLP policies have separate locations for Exchange, Teams, and SharePoint, and the default settings do not include restricting external access.
DLP Policy Location and Scope
The DLP policy can be applied to Exchange email, Teams chat and channel messages, and SharePoint sites or OneDrive accounts. For external sharing to be blocked, the policy must include the SharePoint and OneDrive location. If the policy is only applied to Exchange, it will not evaluate sharing events in SharePoint. Additionally, the policy must be scoped to specific sites or all sites. A policy scoped to a subset of sites may not cover the site where sharing occurs.
Action Configuration
Even with the correct location, the policy must have the action “Restrict access or encrypt the content” enabled. Within that action, there is a checkbox for “Block users from sharing the content.” If this checkbox is not selected, DLP will only notify the user or send an alert to the admin. It will not block the sharing attempt. Many administrators miss this checkbox, which is why sharing continues despite the policy being active.
Policy Mode
DLP policies can run in test mode with or without policy tips. In test mode, the policy logs violations but does not enforce any actions. To block external sharing, the policy must be set to enforce mode. If the policy is in test mode, users can share sensitive content without interruption. Checking the policy mode in the Microsoft Purview compliance portal is a quick way to confirm enforcement.
Steps to Configure DLP Policy to Block External Sharing
Follow these steps to create or modify a DLP policy that blocks external sharing of sensitive content in SharePoint and OneDrive.
- Sign in to the Microsoft Purview compliance portal: Go to https://compliance.microsoft.com and sign in with an account that has the Compliance Administrator or DLP Administrator role.
- Navigate to Data Loss Prevention policies: Select Data loss prevention from the left navigation, then choose Policies from the menu.
- Create a new policy or edit an existing one: Click Create policy to start a new policy. To edit an existing policy, click the policy name and select Edit.
- Choose the policy template or custom policy: Select a template that matches your sensitive data, such as U.S. Personally Identifiable Information (PII) Data. Alternatively, choose Custom to define your own rules.
- Name the policy and set the location: Give the policy a name like “Block External Sharing for PII.” On the Locations page, select SharePoint sites and OneDrive accounts. Do not select Exchange or Teams unless you also need email or chat protection.
- Define the policy scope for sites: Choose All sites to cover all SharePoint sites and OneDrive accounts. To limit scope, choose Choose sites and add specific site URLs.
- Create a rule with the block sharing action: On the Policy rules page, click Create rule. Set conditions to detect sensitive information types, such as Content contains sensitive info types, and select the types you want to block.
- Enable the action to restrict access: Under Actions, check Restrict access or encrypt the content. Then check Block users from receiving the content and Block users from sharing the content. Optionally, require users to justify sharing by checking Require a business justification.
- Set the policy mode to Enforce: On the Policy mode page, select Turn on the policy immediately to enforce it. If you want to test first, choose Test it out first, but remember that test mode does not block sharing.
- Review and submit: Review the policy settings and click Submit. The policy will apply within a few minutes. External sharing of content matching the sensitive info types will be blocked.
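The same configuration built through Security & Compliance PowerShell (the ExchangeOnlineManagement module), as an added example that is not part of the original article. The policy name, rule name, sensitive info type and policy tip text are placeholders; the three settings the article calls out (SharePoint/OneDrive location, block action, enforce mode) map to -SharePointLocation/-OneDriveLocation, -BlockAccess and -Mode.

```powershell
# Added example: create the "block external sharing" DLP policy from the steps above.
# Requires the ExchangeOnlineManagement module and a Compliance/DLP Administrator account.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive sign-in to Security & Compliance PowerShell

$policyName = 'Block External Sharing for PII'   # placeholder name

# Location: scope only to SharePoint sites and OneDrive accounts (all sites).
# Exchange and Teams are deliberately omitted, as the article recommends.
# The policy is created in test mode and switched to enforce below.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Blocks external sharing of content containing U.S. PII' `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# Action: detect the sensitive info type and restrict access.
# -BlockAccess $true corresponds to "Restrict access or encrypt the content";
# -BlockAccessScope PerUser limits the block to people outside the organization,
# which is the external-sharing case this article is about.
New-DlpComplianceRule -Name "$policyName - PII rule" -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' } `
    -BlockAccess $true `
    -BlockAccessScope PerUser `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText 'Sharing this file outside the organization is blocked by DLP policy.'

# Mode: switch to Enforce. In either test mode DLP logs matches but never blocks.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable

# Verify the three settings the article calls out.
Get-DlpCompliancePolicy -Identity $policyName |
    Select-Object Name, Mode, SharePointLocation, OneDriveLocation
Get-DlpComplianceRule -Policy $policyName |
    Select-Object Name, BlockAccess, BlockAccessScope, Disabled
```

Expect Mode to read Enable, both location properties to contain All, and BlockAccess to be True; anything else matches one of the failure cases discussed in the next section.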
If DLP Policy Still Does Not Block External Sharing
After configuring the policy correctly, sharing may still proceed. The following issues are common and have specific fixes.
DLP Policy Scope Does Not Cover the Site
If the policy is scoped to specific sites, verify that the site where sharing occurs is included. To check, go to the DLP policy, click Edit, and review the Locations page. Add the site URL if missing. For broad coverage, use All sites.
Sharing Link Type Bypasses DLP
DLP blocks sharing based on the content itself, not the sharing link type. However, if the sharing link is set to People with existing access or Specific people, DLP may not trigger because the content is not shared externally. DLP only triggers when the sharing link grants access to external users. Ensure the sharing link type is set to Anyone or New external users for DLP to evaluate the sharing event.
Policy Tips Not Appearing
Policy tips inform users that sharing is blocked. If policy tips do not appear, the DLP policy may be in test mode without policy tips. Go to the policy rule, select User notifications, and ensure Notify users with a policy tip is checked. Also confirm that the SharePoint site has the DLP policy tips feature enabled.
DLP Policy Is Overridden by Another Policy
Multiple DLP policies can apply to the same site. If one policy allows sharing and another blocks it, the more restrictive action may not apply. Review all DLP policies in the compliance portal. Remove or modify conflicting policies to ensure the block action is enforced.
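An added audit script, not from the original article, that walks every DLP policy in the tenant and flags the three misconfigurations above (location not covering SharePoint/OneDrive, no enabled rule with a block action, policy in test mode). It uses the Get-DlpCompliancePolicy and Get-DlpComplianceRule cmdlets from the ExchangeOnlineManagement module; the function name is a placeholder.

```powershell
# Added example: audit existing DLP policies for the reasons external sharing still succeeds.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive sign-in to Security & Compliance PowerShell

function Test-DlpBlocksExternalSharing {
    # Placeholder function name. Returns one object per policy with any findings.
    [CmdletBinding()]
    param([Parameter(Mandatory)] $Policy)

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Location: the policy must include SharePoint sites and/or OneDrive accounts.
    $coversSharePoint = @($Policy.SharePointLocation).Count -gt 0
    $coversOneDrive   = @($Policy.OneDriveLocation).Count -gt 0
    if (-not ($coversSharePoint -or $coversOneDrive)) {
        $findings.Add('Location: not scoped to SharePoint or OneDrive, sharing events are never evaluated')
    }

    # 2. Mode: only Enable blocks; TestWithNotifications / TestWithoutNotifications only log.
    if ($Policy.Mode -ne 'Enable') {
        $findings.Add("Mode: '$($Policy.Mode)' logs matches but does not block sharing")
    }

    # 3. Action: at least one enabled rule must restrict access (BlockAccess).
    $rules    = @(Get-DlpComplianceRule -Policy $Policy.Name)
    $blocking = @($rules | Where-Object { $_.BlockAccess -and -not $_.Disabled })
    if ($blocking.Count -eq 0) {
        $findings.Add('Action: no enabled rule has "Restrict access" (BlockAccess) set, policy alerts only')
    }

    [pscustomobject]@{
        Policy        = $Policy.Name
        BlocksSharing = ($findings.Count -eq 0)
        Findings      = ($findings -join '; ')
    }
}

# Run across all policies; rows with BlocksSharing = False list what to fix.
Get-DlpCompliancePolicy |
    ForEach-Object { Test-DlpBlocksExternalSharing -Policy $_ } |
    Sort-Object BlocksSharing |
    Format-Table -AutoSize -Wrap
```

A policy that passes all three checks can still fail to cover a specific site if it is scoped to a subset of sites, so compare the SharePointLocation values against the site URL where sharing occurred.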
DLP Policy Settings Comparison: Block vs. Alert Only
| Setting | Block Sharing | Alert Only |
|---|---|---|
| Action | Restrict access or encrypt the content with block sharing enabled | Send alert to admin |
| User experience | Sharing is prevented; policy tip shown | Sharing succeeds; policy tip may appear |
| Policy mode required | Enforce | Test or enforce |
| Location requirement | SharePoint and OneDrive | SharePoint and OneDrive (or Exchange) |
A DLP policy that blocks external sharing requires the action to restrict access and the policy mode to be set to enforce. An alert-only policy will notify the admin but will not stop the sharing event. Use the table to verify your policy configuration.
You can now configure a DLP policy to block external sharing of sensitive content in SharePoint and OneDrive. Start by reviewing your existing policies in the Microsoft Purview compliance portal. Ensure the policy includes the SharePoint and OneDrive location, the action to restrict access with block sharing checked, and the policy mode set to enforce. For advanced protection, combine DLP with sensitivity labels to encrypt content automatically before sharing.