DLP Policy Does Not Block External Sharing: Root Cause and Fix
🔍 WiseChecker


You configured a Data Loss Prevention (DLP) policy in Microsoft Purview to block external sharing in SharePoint, but external sharing still works. This happens because DLP evaluates the content of a file, not the act of sharing it. SharePoint DLP runs against crawled and indexed content, so a file is evaluated only after it has been uploaded or changed and picked up by the crawler; the Share dialog itself is not gated by the rule. The DLP action can restrict external access to a file only once the engine has found sensitive information in it. This article explains why the policy does not stop the initial share invitation and shows the configuration that actually enforces the block.

Key Takeaways: DLP Policy and External Sharing Block

  • DLP "restrict access" action: The rule fires when DLP finds a configured sensitive info type in a file's content and applies once the file has been evaluated. It is not a synchronous check on the Share dialog, so a share can go out before the block lands.
  • SharePoint sharing settings in the admin center: The organization-level and site-level sharing controls are the gate that decides whether an external recipient can be entered at all. Use them to prevent external sharing entirely.
  • Microsoft Purview compliance portal > Data loss prevention > Policies: Scope the policy to the SharePoint sites that hold the data (and to Exchange if you also want the email path covered), use the condition "Content contains sensitive info types", and choose the action "Restrict access or encrypt the content in Microsoft 365 locations" with "Block only people outside your organization".


Why the DLP Policy Does Not Block External Sharing Immediately

The root cause is a misunderstanding of when DLP evaluates content. A DLP rule that restricts access does not intercept the user's share invitation. SharePoint DLP works on the file's content, and a file is evaluated when it has been crawled after upload or change, not in the moment a user shares it. When the evaluation finds sensitive information, the rule removes access for external recipients, shows a policy tip and, if configured, sends notifications. Until that evaluation completes, the share link works, so a file uploaded and shared within the same few minutes can be exposed briefly. This design protects data that has already been shared, not the act of sharing. To stop external sharing at the site level, use the sharing settings in the SharePoint admin center (or the guest sharing settings in the Microsoft 365 admin center).

DLP Policy Action: Block External Sharing

The action this article calls "block external sharing" is the rule action "Restrict access or encrypt the content in Microsoft 365 locations" with the option "Block only people outside your organization". It works by detecting the configured sensitive info types in the content being shared. When a shared file contains, say, a credit card number or a U.S. Social Security Number, DLP applies a sharing restriction so that people outside the organization cannot open it, the file shows a policy tip in the document library and the Share dialog, and the sharer (and optionally the owner or site admin) receives an email notification. The share invitation, however, may already have gone out: the external user still has the message in their inbox, but the link no longer opens the file. This behavior is by design. The rule match is recorded in the audit log (operation DlpRuleMatch), but the rule does not block the share before the content has been evaluated.

SharePoint Sharing Settings as the Primary Gate

SharePoint has its own sharing controls that decide whether external users can be added to a site or receive a sharing link at all. They live in the SharePoint admin center under Policies > Sharing. The organization-level setting offers "Anyone," "New and existing guests," "Existing guests," or "Only people in your organization." Each site also has its own sharing setting, but a site can only be as permissive as the organization-level setting or more restrictive; it cannot open sharing that the tenant setting closes. If the effective setting for a site allows external sharing, a DLP policy cannot stop the share from being sent. DLP then only restricts access to content that contains sensitive data, once that content has been evaluated.

Steps to Configure DLP Policy to Block External Sharing Correctly

To make DLP restrict external access to sensitive content, scope the policy to the SharePoint sites that hold the data. Adding the Exchange location is optional for this scenario: it covers the parallel path of a user emailing the file or its contents as an attachment, but it does not inspect the SharePoint-generated sharing notification, which carries only a link. Follow these steps.

  1. Open the Microsoft Purview compliance portal
    Go to https://compliance.microsoft.com and sign in with an account that holds the DLP Compliance Management role (or a role group that contains it, such as Compliance Administrator). In the left navigation, select Data loss prevention > Policies.
  2. Create or edit a DLP policy
    Click Create policy to start a new policy, or select an existing policy and click Edit policy. Choose a template or select Custom policy to define your own rule.
  3. Add SharePoint sites (and optionally Exchange) as locations
    In the Locations step, turn on SharePoint sites and choose either all sites or specific site URLs. Turn on Exchange email as well if you want the same rule to cover files sent as attachments. The SharePoint location is what drives the sharing restriction.
  4. Define the rule with sensitive info types
    In the Policy rules step, click Create rule. Give the rule a name. Under Conditions, select Content contains sensitive info types and choose the types to match, such as Credit Card Number or U.S. Social Security Number (SSN). Add a second condition, Content is shared from Microsoft 365 > with people outside my organization, so the rule fires only on external shares.
  5. Add the action that restricts external access
    Under Actions, select Restrict access or encrypt the content in Microsoft 365 locations, then Block users from receiving email or accessing shared SharePoint, OneDrive, and Teams files, and pick Block only people outside your organization. Choosing Block everyone would also cut off internal users other than the owner, last modifier and site admin. Optionally enable user notifications with a policy tip and email.
  6. Run the rule in test mode first
    In the Policy mode step, select test mode (labelled Test it out first or Run the policy in test mode, depending on the portal version). Review the alerts it produces, then switch the policy to Turn it on immediately.
  7. Review and submit the policy
    Review the settings and click Submit. Allow time for the policy to sync and for existing files to be re-crawled; this can take up to 24 hours for all content.


If DLP Still Does Not Block External Sharing

Even after correct configuration, you might find that external sharing continues. The following issues are the most common causes.

SharePoint Allows External Sharing at the Site Level

If the effective sharing setting for the site is "Anyone" or another level that admits external recipients, any user can share files with external users, and the invitation is sent whether or not DLP later restricts access to sensitive files. To prevent external sharing entirely, set the site to "Only people in your organization" in the SharePoint admin center: go to Active sites, select the site, open Settings, and change the External sharing level. Remember that the organization-level setting under Policies > Sharing caps what any site can allow, so check both.
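A check of the sharing gate at both levels, as an added example that is not from the original article, using the SharePoint Online Management Shell. It covers the organization-level setting described under "SharePoint Sharing Settings as the Primary Gate" as well as the site-level fix above; the admin URL and site URL are placeholders.

```powershell
# Added example (not from the original article): inspect and tighten the
# sharing gate with the SharePoint Online Management Shell.
# Requires the Microsoft.Online.SharePoint.PowerShell module.
# The admin URL and site URL are placeholders.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url https://contoso-admin.sharepoint.com   # placeholder tenant

$siteUrl = "https://contoso.sharepoint.com/sites/Finance"        # placeholder site

# Organization-level gate. SharingCapability maps to the portal labels:
#   Disabled                        = Only people in your organization
#   ExistingExternalUserSharingOnly = Existing guests
#   ExternalUserSharingOnly         = New and existing guests
#   ExternalUserAndGuestSharing     = Anyone
Get-SPOTenant |
    Select-Object SharingCapability, DefaultSharingLinkType, RequireAcceptingAccountMatchInvitedAccount

# Site-level gate. A site can be more restrictive than the tenant setting,
# never more permissive, so this is the value that actually applies here.
Get-SPOSite -Identity $siteUrl |
    Select-Object Url, SharingCapability, DefaultSharingLinkType

# Close the gate for this site: the Share dialog itself then refuses external
# recipients, which is the behaviour the DLP rule alone cannot provide.
Set-SPOSite -Identity $siteUrl -SharingCapability Disabled

# Inventory: every site that still permits any form of external sharing.
# Review this list before relying on DLP as the safety net.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne "Disabled" } |
    Select-Object Url, SharingCapability |
    Sort-Object Url
```

Run the inventory query before and after the change: a site that still appears in it is a site where DLP is the only control standing between a sensitive file and an external recipient.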

DLP Policy Is in Test Mode

A policy in test mode (with or without notifications) records matches and raises alerts but does not apply the access restriction. Check the Status column in the Data loss prevention > Policies list. If it shows test mode, edit the policy and set it to enforce. Allow time, up to 24 hours as noted in the steps above, for the change to take effect.

The Sharer or the Site Is Outside the Policy Scope

DLP evaluates files by location and policy scope, not by the sharer's role: holding Global Administrator or the DLP Compliance Management role does not by itself exempt a user. What does exempt content is scope. If the site is not in the policy's SharePoint locations (or is listed as an exception), or, for the Exchange, OneDrive and Teams locations, the policy is scoped to users or groups that do not include your test account, the rule never evaluates that share. Check the Locations page of the policy and test with an ordinary account on a site that is in scope.

Sensitive Info Type Is Not Detected

The rule fires only when the shared file contains a configured sensitive info type at the required confidence level and instance count, and only once the file has been crawled and evaluated. If the document holds no matching pattern, or the match sits below the rule's threshold, nothing happens. Put a known-good test value in the document (the sensitive info type definition in Purview lists the pattern and any checksum it requires, for example Luhn validation for credit card numbers) and re-check after the crawl. Use the DLP Alerts page or Activity explorer to confirm whether the rule fired.
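Three PowerShell checks for a rule that does not fire, covering the test-mode and detection causes above. This is an added example, not from the original article, using the ExchangeOnlineManagement module; the policy name is a placeholder, the sample text is constructed, and the AuditData property names used in the last check follow the DLP audit record schema and are an assumption about the record shape.

```powershell
# Added example (not from the original article): diagnose a DLP rule that does
# not fire. Requires the ExchangeOnlineManagement module; the UPN and policy
# name are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com   # placeholder UPN

$policyName = "Block external sharing of sensitive info"   # placeholder

# Check 1: is the policy actually enforcing? Any Mode other than 'Enable'
# alerts but does not restrict access. DistributionStatus shows whether the
# policy has finished syncing to the workloads.
Get-DlpCompliancePolicy -Identity $policyName |
    Select-Object Name, Mode, Enabled, DistributionStatus, SharePointLocation, SharePointLocationException

# Check 2: does the sensitive info type match the text in your test document?
# The card number is a constructed Luhn-valid test value, not a real card.
$sample = "Customer card on file: 4111 1111 1111 1111, expires 09/27."
Test-DataClassification -TextToClassify $sample -ClassificationNames "Credit Card Number" |
    Format-List

# Check 3: did any DLP rule match on SharePoint content in the last 24 hours?
# If nothing comes back, the file has not been evaluated yet or the rule never
# matched; if a match is present but the share still works, go back to check 1.
$hits = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
    -RecordType ComplianceDLPSharePoint -Operations DlpRuleMatch -ResultSize 500
foreach ($h in $hits) {
    # AuditData is a JSON string; the property names below follow the DLP audit
    # schema (assumption about the record shape).
    $d = $h.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time   = $h.CreationDate
        Policy = ($d.PolicyDetails.PolicyName) -join ","
        Rule   = ($d.PolicyDetails.Rules.RuleName) -join ","
        File   = $d.SharePointMetaData.FilePathUrl
    }
}
```

Run check 2 against the exact text you placed in the test file: a number that fails the Luhn checksum, or a pattern with too few digits, returns no classification and explains a rule that never fires without any policy misconfiguration.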

DLP Block External Sharing vs SharePoint Sharing Settings

Item                       | DLP restrict-access action                                        | SharePoint sharing settings
---------------------------+-------------------------------------------------------------------+-----------------------------------------------------------------------------
Scope                      | Removes external access to a file that matches the rule           | Prevents external users from being added to a site or receiving a link
Trigger                    | Sensitive info type detected in the file content, after evaluation| The share action itself
User notification          | Policy tip in the library and Share dialog, optional email        | Error in the Share dialog when an external recipient is entered
Configuration location     | Purview compliance portal > Data loss prevention > Policies       | SharePoint admin center > Policies > Sharing; per site under Active sites
Effect on existing shares  | Restricts external access to the matched file; lifted if the      | Guests lose access while external sharing is off and regain it if it is
                           | sensitive content is removed and the file is re-evaluated         | re-enabled; their site permissions are not removed

The DLP policy is a secondary layer. It blocks access to sensitive files after they are shared externally. To stop external sharing from happening at all, configure SharePoint sharing settings to disallow external users. Use DLP as a safety net for content that accidentally gets shared with sensitive data.

After completing the configuration, test it by uploading a document that contains a matching sensitive info type to an in-scope site, waiting for it to be evaluated, and then sharing it with an external address from an ordinary, in-scope account. Verify that the external user cannot open the file and that the policy tip appears for the sharer. For full protection, combine the DLP policy with SharePoint sharing restrictions and train users on safe sharing practices.
