Purview DLP policy doesn't preventing download in SharePoint sites

Shao Liu 0

I create one Data loss policy to block downloading for everyone. I select 'Block Everyone' in the rule. I used the custom property for searching the documents. The simulation found the right docs in SharePoint, and I turned on the policy. But I can still download and share the document. I don't know what happened here. Thanks

Chandra Boorla 8,870 Reputation points Microsoft Vendor

2025-02-14T10:21:59.8666667+00:00

@Shao Liu

Just checking in to see if the below answer helped. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Emily Du-MSFT 50,411 Reputation points Microsoft Vendor

2025-02-21T09:49:03.2033333+00:00

I'm checking how the things are going on about this issue. Whether Chandra Boorla's answer helps you?

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

2 answers

Chandra Boorla 8,870 Reputation points Microsoft Vendor

2025-02-13T09:11:06.8033333+00:00
Hi @Shao Liu

Greetings & Welcome to Microsoft Q&A forum! Thanks for posting your query!

As I understand that you are attempting to create a Microsoft Purview Data Loss Prevention (DLP) policy to prevent downloads in SharePoint Online. However, despite the policy simulation correctly identifying the files, users are still able to download and share the documents.

Here are a few steps you can take to investigate and potentially resolve the issue:

Policy Configuration - Double-check that the DLP policy is correctly set up to block downloads for everyone. Ensure that the custom property you are using is accurately defined and applied to the documents you want to protect.

Policy Status - Make sure the policy is not in "Test" or "Simulation" mode, as these modes do not enforce restrictions. The policy should be set to "On" or "Enforce" mode for it to block actions.

Testing and Simulation: While the simulation may have identified the correct documents, it’s important to test the policy in a real-world scenario. Sometimes, simulations do not fully replicate the enforcement of the policy.

User Permissions - Verify that there are no exceptions in the policy that might allow certain users to bypass the download block. Also, review any conflicting permissions that might override the DLP policy.

Policy Activation - Ensure that the DLP policy is fully activated. Sometimes, there can be a delay in policy enforcement after activation. Check the policy status to confirm it is active.

Policy Scope - Verify that the policy is correctly scoped to the SharePoint sites you intend to protect. If the policy is not applied to the specific sites or libraries, it won't enforce the restrictions.

Policy Conditions - Review the conditions set in the DLP policy. Ensure that the custom property you are using for document identification is correctly configured and that the documents meet the criteria specified in the policy.

Policy Conflicts - If there are multiple DLP policies in place, they may conflict with each other. Ensure that there are no other policies that might allow downloads or sharing of documents.

Please refer to the below mentioned MS Q&A threads addressing similar issue, as they might offer some insights.

DLP actions for Sharepoint files

Purview unable to find certain SharePoint Online sites when querying to add them to a DLP policy scope

I hope this information helps. Please do let us know if you have any further queries.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Please sign in to rate this answer.

1 person found this answer helpful.
Chandra Boorla 8,870 Reputation points Microsoft Vendor

2025-02-17T01:40:09.5333333+00:00

@Shao Liu

Following up to see if the above suggestion was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Shao.Liu@cix.csi.cuny.edu 0 Reputation points

2025-02-17T19:37:20.4933333+00:00

Thank you for your reply. I checked the SharePoint permissions. It might be the "edit" permission level I gave to the users. My question is, if I want to block users from downloading some specific documents with DLP applied while maintaining the edit and download permission on other documents, is this possible? If it is, how to set the permissions and DLP?

Shao.Liu@cix.csi.cuny.edu 0 Reputation points

2025-02-17T19:44:16.2066667+00:00

Thank you! I have another question. If I want to block downloading for DLP-labeled files while maintaining edit and download permission for other files, how can I accomplish this? It seems to me if the users have edit permission on the SharePoint site, they can view and download the file no matter what kind of DLP is applied to that file.

Chandra Boorla 8,870 Reputation points Microsoft Vendor

2025-02-18T15:22:51.83+00:00

@Shao Liu

if I want to block users from downloading some specific documents with DLP applied while maintaining the edit and download permission on other documents, is this possible? If it is, how to set the permissions and DLP?

Yes, it is possible to block downloads for specific documents using DLP while still allowing users to edit and download other documents in SharePoint. You can achieve this by leveraging both DLP policies and SharePoint permissions in a way that allows the desired level of control over specific documents.

Use Sensitivity Labels + DLP Policies One of the most effective ways to enforce restrictions on certain documents is by combining sensitivity labels with your DLP policies. Sensitivity labels can be used to classify documents and apply encryption, which in turn can be used by DLP policies to trigger actions like blocking downloads.

Create Sensitivity Labels - In the Microsoft Purview Compliance Center, create sensitivity labels (e.g., "Restricted" or "Sensitive") that can enforce restrictions on document actions. Configure these labels to prevent downloads and sharing outside the organization.

Configure DLP Policies - Create a DLP policy that specifically targets documents with the "Restricted" sensitivity label. Set the action in the DLP policy to block downloads or sharing for these labeled documents.

Apply Sensitivity Labels - Manually apply the sensitivity label to the documents you want to restrict or set up automatic labeling based on content or metadata.

SharePoint Permissions Control - Use SharePoint Permission Levels: Instead of using the standard "edit" permission level, create custom permission levels that allow editing but restrict downloading or printing. For example, create a custom permission level called "Restricted Download" that removes the "Download" and "Print" permissions.

Apply Custom Permissions - For sensitive documents, break inheritance on permissions and assign the custom permission level to those specific documents.

Combining DLP and Permissions - With sensitivity labels and DLP policies in place, the documents labeled as "Restricted" will have their downloads blocked by the DLP policy. Documents without the restrictive label will remain accessible according to standard SharePoint permissions, allowing users to edit and download as needed.

If I want to block downloading for DLP-labeled files while maintaining edit and download permission for other files, how can I accomplish this?

You're correct in noting that DLP policies in Microsoft Purview primarily block actions like sharing or exfiltration of sensitive data, but they don't directly block users from downloading files if they already have the necessary permissions in SharePoint. So, if users have edit permissions, they can still view and download the file, regardless of the DLP restrictions applied.

However, you can manage this scenario using a combination of Sensitivity Labels, Conditional Access, and SharePoint Permissions. Here's a strategy to achieve your goal of blocking downloads for DLP-labeled files while maintaining edit and download access to other files.

Use Sensitivity Labels to Classify Files - Create Sensitivity Labels, In the Microsoft Purview Compliance Center, create sensitivity labels (e.g., "Sensitive") that include restrictions such as blocking downloads and sharing. Configure the label to enforce actions like encryption or restricting downloads when applied to documents.

Apply DLP Policies to Block Downloads for Labeled Files - Create DLP Policies, set up a DLP policy that targets files labeled with your sensitivity label (e.g., "Sensitive"). In the DLP policy, specify actions to block sharing and downloading for these labeled files. Note that while DLP can restrict sharing and some download actions, it may not prevent downloads directly in SharePoint if users have edit permissions.

Apply Conditional Access to Control Download Access - Implement Conditional Access Policies, use Conditional Access to enforce additional restrictions on accessing sensitive documents. For example: Require users to be on compliant devices to access sensitive documents. Block access from unmanaged devices, which can prevent downloads even for users with edit permissions. This adds a layer of security by ensuring that only devices that meet your organization’s compliance standards can access sensitive files.

Use SharePoint Permissions to Manage Edit Access -

Custom Permission Levels - Create custom permission levels in SharePoint that allow users to edit documents but prevent downloading. For example, you can create a permission level that includes "Edit" but excludes "Download" and "Print" permissions.

Break Permission Inheritance - For sensitive documents, break inheritance from the parent library or site and apply the custom permission level to restrict downloading while allowing editing.

Key Considerations

Understanding Limitations - While sensitivity labels and DLP policies help protect against unintended sharing and downloading, they do not directly block downloads for users who already have permissions. Therefore, combining these with Conditional Access and custom SharePoint permissions is crucial.

User Training - Educate users about the importance of sensitivity labels and the implications of applying them to documents to ensure compliance.

Monitoring and Reporting - Regularly review DLP policy reports and access logs to monitor compliance and effectiveness, making adjustments as necessary.

I hope this information helps.

Chandra Boorla 8,870 Reputation points Microsoft Vendor

2025-02-19T12:36:04.62+00:00

@Shao Liu

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Pauline Mbabu 595 Reputation points Microsoft Employee

2025-02-13T10:06:08.3633333+00:00

Hello @Shao Liu ,

If you were able to run the Policy in Simulation and turned the Policy on, then ensure that the Policy is not being blocked by other policies due to the priority ordering. Priority 0 is the highest Priority, and the rule will run first.

You can also check if the policy us running after some time since it might just be a
an issue with the rule taking some time to propagate.
I hope this helps to answer your question.

If you find the answer above helpful, please Accept the answer to help anyone in the community who might have a similar question to quickly find the solution.
If you have further questions, kindly leave a comment and I will get back to you.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Purview DLP policy doesn't preventing download in SharePoint sites

2 answers

Your answer