MC1338823 Microsoft Purview | Data Loss Prevention – Block external domain or user access for SharePoint and OneDrive
Summary
Microsoft Purview DLP is adding the ability to block external access to SharePoint Online and OneDrive for Business files by domain or email address, giving admins tighter control over how sensitive data is shared outside the organization. Rolling out from late May to mid-July 2026, the feature lets admins configure block and allow lists in DLP policy rules so that unauthorized external users cannot open or download protected files.
More information
What and Why:
Microsoft Purview Data Loss Prevention (DLP) is adding the ability to block access to sensitive SharePoint Online and OneDrive for Business files based on an external user’s domain or specific email address (SMTP). This enhancement provides more granular, enterprise-ready control over external access and helps reduce the risk of unintended data exposure when collaborating outside your organization.
This message is associated with Microsoft 365 Roadmap ID 557191.
Rollout Schedule:
- Public Preview: We will begin rolling out in late May 2026 and expect to complete by early June 2026.
- General Availability (Worldwide): We will begin rolling out in early July 2026 and expect to complete by mid-July 2026.
Impact on Your Organization:
Who is affected: Microsoft 365 administrators who manage Microsoft Purview DLP policies and external users accessing SharePoint Online or OneDrive for Business content protected by DLP.
Platforms/Services:
- Microsoft Purview
- SharePoint Online
- OneDrive for Business
What will happen:
- Admins can configure DLP rules to block access for specific external domains or individual external email addresses.
- External users who are blocked will:
  - See an access denied message
  - Be unable to open or download the file
- Admins can optionally configure allow lists for trusted external domains or users.
- If a domain or user appears in both allow and block lists, block takes precedence.
- This capability is not enabled by default; it applies only when configured in a DLP policy.
Configuration steps:
- Go to the Microsoft Purview portal.
- Navigate to Data Loss Prevention → Policies.
- Create a new policy or edit an existing policy.
- Ensure the policy scope includes SharePoint Online, OneDrive for Business, or both.
- In the policy rule, after configuring conditions, go to the Actions section.
- Select Restrict access or encrypt content.
- Choose Block access to specific domains or users.
- Configure one or more of the following:
  - Domains to block (Is), for example partner.com
  - Specific external users (Is), for example [email protected]
  - Optionally configure allow lists using Is NOT for domains or users (access is then blocked for any external domain or user that is not on the list).
- Save the rule.
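The block and allow semantics described above (explicit block entries, optional "Is NOT" allow lists, and block taking precedence when an entry appears on both) are easy to get wrong when several lists are combined. The following is an added example, not Microsoft's code and not part of this announcement: a small model of the evaluation as described, so an admin can sanity-check intended lists against a handful of external addresses before saving the rule. It assumes, because the announcement does not say, that matching is case-insensitive, that a domain entry matches only that exact domain (a subdomain is treated as a different domain), and that when both "Is NOT" lists are configured a user is allowed if either list matches.

```python
"""
Added example, not Microsoft's code: a model of the announced DLP
"Block access to specific domains or users" action as the announcement
describes it. Assumptions not stated in the announcement: matching is
case-insensitive, a domain entry matches only that exact domain, and the
"Is NOT" allow lists are consulted only when at least one is non-empty.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class ExternalAccessRule:
    # "Domains to block (Is)" and "Specific external users (Is)"
    block_domains: set[str] = field(default_factory=set)
    block_users: set[str] = field(default_factory=set)
    # Optional allow lists configured with "Is NOT": if either is set,
    # anything not listed is blocked.
    allow_domains: set[str] = field(default_factory=set)
    allow_users: set[str] = field(default_factory=set)

    def __post_init__(self) -> None:
        # Normalise every entry once so comparisons are case-insensitive.
        self.block_domains = {d.strip().lower() for d in self.block_domains}
        self.block_users = {u.strip().lower() for u in self.block_users}
        self.allow_domains = {d.strip().lower() for d in self.allow_domains}
        self.allow_users = {u.strip().lower() for u in self.allow_users}


def domain_of(smtp: str) -> str:
    """Return the domain part of an SMTP address, or raise on malformed input."""
    local, sep, domain = smtp.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an SMTP address: {smtp!r}")
    return domain


def evaluate(rule: ExternalAccessRule, external_user: str) -> tuple[str, str]:
    """Decide ("block"|"allow", reason) for one external user's SMTP address."""
    user = external_user.strip().lower()
    domain = domain_of(user)

    # Explicit block entries are checked first: the announcement states that
    # block takes precedence when a domain or user is on both lists.
    if user in rule.block_users:
        return "block", f"user {user} is on the block list"
    if domain in rule.block_domains:
        return "block", f"domain {domain} is on the block list"

    # "Is NOT" allow lists (assumption: allowed if either list matches).
    if rule.allow_users or rule.allow_domains:
        if user in rule.allow_users:
            return "allow", f"user {user} is on the allow list"
        if domain in rule.allow_domains:
            return "allow", f"domain {domain} is on the allow list"
        return "block", f"{user} is not on any allow list"

    # No allow lists configured and no block entry matched: access is not
    # restricted by this rule action.
    return "allow", f"{user} matches no block entry"


def evaluate_many(rule: ExternalAccessRule, users: list[str]) -> dict[str, str]:
    """Map each address to its decision, handy for a pre-deployment review."""
    return {u: evaluate(rule, u)[0] for u in users}


if __name__ == "__main__":
    # Constructed sample rule: partner.com is on BOTH the allow and the block
    # list, which is exactly the precedence case the announcement calls out.
    rule = ExternalAccessRule(
        block_domains={"partner.com"},
        block_users={"eve@vendor.example"},
        allow_domains={"partner.com", "trusted.example"},
    )
    for addr in ["alice@partner.com", "bob@trusted.example",
                 "carol@other.example", "Eve@Vendor.Example",
                 "dave@sub.trusted.example"]:
        decision, reason = evaluate(rule, addr)
        print(f"{addr:28} -> {decision:5} ({reason})")
```

Run it with the intended block and allow entries substituted in; any address that comes back "block" for the reason "not on any allow list" is one the "Is NOT" configuration will cut off even though it was never explicitly blocked, which is the case most likely to surprise partners and helpdesk staff.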
Action Required / Recommendations:
- Review existing DLP policies to identify scenarios where external access requires more granular control.
- Identify sensitive or regulated data shared with external users that may need domain- or user-based restrictions.
- Plan communications for internal users, helpdesk staff, and external partners who may experience new access restrictions.
- Update internal documentation related to DLP and external sharing as appropriate.
Learn more: Data Loss Prevention policy reference | Microsoft Learn
Compliance considerations:
| Area | Explanation |
|---|---|
| Processing and access to existing customer data | DLP enforcement can block external users from opening or downloading existing SharePoint Online and OneDrive for Business files based on domain or email address. |
| Data Loss Prevention (DLP) policies or enforcement | This change introduces new rule actions and conditions within Microsoft Purview DLP for controlling external access. |
| Admin controls | The feature is fully controlled by admins through Microsoft Purview DLP policies. |