There is a scenario where your SharePoint files can still be shared with external users, even if you have DLP policies applied.
This scenario is applicable if your tenant is set up to allow external sharing. For example, your tenant might allow external sharing in a B2B setup, where one business collaborates with another. Or your organization might have regional divisions in different countries, each with its own tenant, requiring users to be added as guests for collaboration.
Let’s say your organization creates a large number of reports or other files at the end of the quarter and uploads them to SharePoint. These newly uploaded files are not immediately protected by DLP policies, because DLP needs time to scan new files.
During this delay, external users could still access these sensitive files before DLP scanning is complete.
You can easily fix this by using the following PowerShell command:
Set-SPOTenant -MarkNewFilesSensitiveByDefault BlockExternalSharing
This setting applies to all SharePoint sites within your tenant. Once enabled, all newly uploaded files are treated as sensitive by default until DLP scans them. Guests will not have access to these files during this time. Instead, they’ll see a page with a message that scanning is in progress.
This setting only affects external users - files can still be shared freely with internal users.
The full sequence, from installing the module to applying the setting, is:
# Install and load the SharePoint Online management module (one-time install)
Install-Module -Name Microsoft.Online.SharePoint.PowerShell -Force
Import-Module Microsoft.Online.SharePoint.PowerShell
# Prompt for the admin credentials used to connect
$creds = Get-Credential
# Connect to the tenant admin endpoint (replace [YOURTENANT] with your tenant name)
Connect-SPOService -Credential $creds -Url https://[YOURTENANT]-admin.sharepoint.com -ModernAuth $true -AuthenticationUrl https://login.microsoftonline.com/organizations
# Treat newly uploaded files as sensitive (blocked for external users) until DLP has scanned them
Set-SPOTenant -MarkNewFilesSensitiveByDefault BlockExternalSharing
You will need to wait about 15 minutes until the setting takes effect.
To reverse this setting, run the following command:
Set-SPOTenant -MarkNewFilesSensitiveByDefault AllowExternalSharing
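The following script is an added example and not part of the original post: it reads the current value of the setting through Get-SPOTenant, applies the desired value only when it differs, and re-reads it to confirm the tenant now reports that value. It assumes the Microsoft.Online.SharePoint.PowerShell module is installed, that [YOURTENANT] is replaced with your tenant name, and that the account used can run Set-SPOTenant; the function name Get-NewFileSensitivitySetting is this example's own. Passing -Desired AllowExternalSharing runs the same check in reverse.

```powershell
# Added example, not from the original post. Assumes the SharePoint Online
# management module is installed and [YOURTENANT] has been replaced.
param(
    [string]$AdminUrl = "https://[YOURTENANT]-admin.sharepoint.com",
    [ValidateSet("BlockExternalSharing", "AllowExternalSharing")]
    [string]$Desired = "BlockExternalSharing"
)

Import-Module Microsoft.Online.SharePoint.PowerShell

# Interactive modern authentication against the tenant admin endpoint
Connect-SPOService -Url $AdminUrl -ModernAuth $true -AuthenticationUrl https://login.microsoftonline.com/organizations

function Get-NewFileSensitivitySetting {
    # Get-SPOTenant exposes the setting as a property with the same name as the parameter
    return (Get-SPOTenant).MarkNewFilesSensitiveByDefault
}

$current = Get-NewFileSensitivitySetting
Write-Host "Current MarkNewFilesSensitiveByDefault: $current"

if ("$current" -eq $Desired) {
    Write-Host "Already set to $Desired; nothing to change."
    return
}

# Apply the requested value and read it back to confirm the tenant accepted it
Set-SPOTenant -MarkNewFilesSensitiveByDefault $Desired
$after = Get-NewFileSensitivitySetting

if ("$after" -eq $Desired) {
    Write-Host "Tenant now reports $Desired. Allow about 15 minutes for it to take effect on uploads."
} else {
    Write-Warning "Tenant still reports $after after Set-SPOTenant; check permissions and retry."
}
```

Run it once with the default to enforce the block, and again with -Desired AllowExternalSharing if you need to reverse it; either way the read-back tells you whether the change actually landed rather than assuming it did.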