Automatically block guest access to new OneDrive and SharePoint files until scans are complete

You can enable Data Loss Prevention (DLP) to automatically block external access to new files in SharePoint Online and OneDrive for Business until those files have been fully scanned for sensitive information.

This message is associated with Microsoft 365 Roadmap 34247.

When this will happen

  • We will roll this out at the end of June; we expect the rollout to be complete by mid-July.

How this will affect your organization

This capability is available for all new files uploaded to both OneDrive and SharePoint.

When new files are added to SharePoint or OneDrive in Microsoft 365, it takes time for them to be crawled and indexed. It takes additional time for the DLP policy to scan the content and apply rules to protect sensitive content. Currently, if external sharing is turned on, sensitive content could be shared and accessed by guests before any Office DLP rule completes its processing.

By treating all new files as sensitive until they have been scanned, this feature gives a Global or SharePoint admin the ability to block guest accounts from accessing files until the DLP completes its scan.

  • If the file has no sensitive content based on the DLP policy, then guests can access the file.
  • If the policy identifies a file with sensitive content, then guests continue to be prohibited from accessing the file.

What you need to do to prepare

To mark new files sensitive by default:

  • You will need to change a tenant property using PowerShell and a cmdlet.
  • You need to enable at least one DLP policy covering all SharePoint and OneDrive content.
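The two preparation steps above, as an added PowerShell example that is not part of this Message Center post. It assumes the SharePoint Online Management Shell and the Exchange Online module (for the Security & Compliance cmdlets) are installed, that `contoso` is a placeholder tenant name, and that `Get-DlpCompliancePolicy` objects expose `Enabled`, `SharePointLocation` and `OneDriveLocation` properties with the value `All` when a policy covers every site; the tenant property used is `MarkNewFilesSensitiveByDefault` on `Set-SPOTenant`.

```powershell
# Added example (not from the Message Center post): prepare a tenant for
# "mark new files sensitive by default". contoso is a placeholder tenant name.

# 1. Connect to the SharePoint Online admin endpoint.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# 2. Record the current value so the change is auditable and reversible.
$before = (Get-SPOTenant).MarkNewFilesSensitiveByDefault
Write-Host "MarkNewFilesSensitiveByDefault before: $before"

# 3. Block guest access to new files until the DLP scan has completed.
Set-SPOTenant -MarkNewFilesSensitiveByDefault BlockExternalSharing

# 4. Verify that the tenant property actually changed.
$after = (Get-SPOTenant).MarkNewFilesSensitiveByDefault
if ($after -ne "BlockExternalSharing") {
    throw "Tenant property was not updated (current value: '$after')."
}
Write-Host "MarkNewFilesSensitiveByDefault after: $after"

# 5. Confirm that at least one enabled DLP policy covers all SharePoint and
#    OneDrive content, because the feature relies on a DLP scan to clear a
#    new file for guests. Property names below are assumed (see lead-in).
Connect-IPPSSession
$covering = Get-DlpCompliancePolicy | Where-Object {
    $_.Enabled -and
    ($_.SharePointLocation -contains "All") -and
    ($_.OneDriveLocation -contains "All")
}
if (-not $covering) {
    Write-Warning "No enabled DLP policy covers all SharePoint and OneDrive content; create or rescope one before relying on this setting."
} else {
    $covering | Select-Object Name, Enabled, SharePointLocation, OneDriveLocation
}
```

Run this from an account holding the SharePoint administrator role and a Security & Compliance role that can read DLP policies. To revert, set the property back with `Set-SPOTenant -MarkNewFilesSensitiveByDefault AllowExternalSharing`; the recorded `$before` value tells you which state to restore.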