How to set up DLP to block file uploads to sharing websites with Microsoft Purview
Data leakage via uploads to consumer and public file‑sharing sites remains one of the most common and risky ways sensitive information escapes an organisation. This post walks through a practical Microsoft Purview Data Loss Prevention (DLP) approach to detect and block those uploads at the endpoint and in cloud channels, with clear policy design, pilot testing steps, and enforcement options for real‑world environments.

In the following steps we show you how to set up DLP so that file uploads to sharing sites are blocked while users can still receive information.
License requirement
Microsoft Purview is provided as a set of tenant‑level compliance and data governance services that are available across Microsoft 365 and Office 365 plans; specific Purview capabilities vary by plan and by add‑ons. You can purchase Purview as a separate license, but it is also included in:
- Microsoft 365 E3 / Office 365 E3 — includes core Purview services (tenant‑level governance, basic compliance and labeling capabilities).
- Microsoft 365 E5 / Office 365 E5 (Compliance) — includes the full suite of advanced Purview capabilities (advanced data loss prevention, Insider Risk Management, advanced eDiscovery, and other premium compliance features).
Manual
If you don’t have a license yet, you can enable a trial at https://purview.microsoft.com

Activation may take 2 to 24 hours to complete, so be patient.

STEP 1: Before anything else, devices need to be onboarded. From the Purview portal go to device onboarding: https://purview.microsoft.com/settings/devices

Confirm device onboarding.

Good news: if you are already using Defender for Endpoint, devices are onboarded automatically.

If you’re not using Defender for Endpoint, download the onboarding package and deploy it via your preferred method.

Example of the deployment script:

STEP 2: Create a sensitive site group. This lets you control the websites on which you want to disable file uploads.
From the Settings menu in the top bar, go to Data Loss Prevention.

Search for Browser and domain restrictions to sensitive data.
Add unallowed browsers. By default only Edge is supported for file upload restrictions. (Chrome can be used when the Purview extension is installed: echcggldkblhodogklpincgchnpgcdco;https://clients2.google.com/service/update2/crx).
This will block file upload on all browsers.
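To cover Chrome, the Purview extension mentioned above has to be present on each device. The following is an added example (not from the original post) that force-installs it through Chrome’s ExtensionInstallForcelist machine policy; it assumes an elevated PowerShell session on an onboarded Windows device, and that Chrome reads its machine policies from HKLM\SOFTWARE\Policies\Google\Chrome.

```powershell
# Added example: force-install the Microsoft Purview extension in Google Chrome
# so Endpoint DLP can enforce the upload restriction in Chrome as well as Edge.
# Assumption: run elevated; Chrome reads machine policy from this registry path.
$ExtensionId = 'echcggldkblhodogklpincgchnpgcdco'
$UpdateUrl   = 'https://clients2.google.com/service/update2/crx'
$Entry       = "$ExtensionId;$UpdateUrl"     # forcelist format is "<id>;<update url>"
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'

if (-not (Test-Path $PolicyKey)) {
    New-Item -Path $PolicyKey -Force | Out-Null
}

# Forcelist entries are numbered string values ("1", "2", ...); add only if missing.
$props   = (Get-ItemProperty -Path $PolicyKey).PSObject.Properties |
           Where-Object { $_.Name -match '^\d+$' }
$already = $props | Where-Object { $_.Value -like "$ExtensionId;*" }

if ($already) {
    Write-Output "Purview extension already force-listed as value '$($already.Name)'."
} else {
    $next = 1
    if ($props) {
        $next = ([int[]]$props.Name | Measure-Object -Maximum).Maximum + 1
    }
    New-ItemProperty -Path $PolicyKey -Name $next -Value $Entry -PropertyType String | Out-Null
    Write-Output "Added Purview extension as ExtensionInstallForcelist value '$next'."
}

# Check: the numbered values below should contain the Purview entry.
Get-ItemProperty -Path $PolicyKey | Select-Object -Property * -ExcludeProperty PS*
```

After Chrome’s next policy refresh, chrome://policy on the device should list ExtensionInstallForcelist with the Purview entry and the extension should appear as installed by policy.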

Scroll down a bit further and change Service domains to Block.

A confirmation appears that sharing sensitive files is blocked for Edge and that other browsers are allowed by default.

Make sure to fill in the domain URLs that you want to block.

Now create a sensitive service domain group to add the domains to.

Give the group a name that reflects the file-sharing websites and add the domains again.

STEP 3: Create a policy and assign it to the users.
From the Solutions menu, go to Data Loss Prevention.

Now click Create policy.

Select the data type: Data stored in connected sources

On the next screen, continue with a Custom policy.

Give your policy a fancy name 😉

If you’re using administrative units you can limit the scope to a unit; otherwise just click Next.

Select only Devices and click the edit button to assign the policy to specific users, devices and/or groups.

On the next screen, click Next.

Click Create rule.

Now create the following rule. In step 6 below, select the group created above.
ATTENTION: Paste to supported browsers must also be set to Block, otherwise drag and drop still gets through.

Now make sure the status is set to Enabled and click Next.

Turn the policy on to enable it immediately. You can choose to run it in simulation mode first to test the effects.

Once the policy is created, allow a few hours before it is applied on the devices.

STEP 4: What does it look like for the end user?
The user gets a deny message stating that the upload is blocked by their organization.
