SharePoint Data Loss Prevention

Documents are the heart of any organization, large or small. The core expertise of a company lies in the documents it creates on a daily basis. As part of their digital transformation, many of our customers have adopted a SharePoint-based Document Management System.

One major concern of these customers is how to ensure that documents are not leaked (Data Loss Prevention, DLP). So let us examine some of the available methods here.

First, we shall examine the DLP capabilities that can be enabled using SharePoint Online as included in Microsoft 365.

  • Set up basic MFA

  • Restrict users from deleting files

  • Restrict users from uploading files

  • Restrict users from creating new files and folders

  • Restrict users from downloading files

  • Permissions can be assigned or restricted for users and groups to create, upload and delete files and folders in SharePoint. (If only Read permission is assigned to a user, editing and downloading are restricted.)

  • Share files internally or externally with specific permissions

  • Hide specific files and folders from a user

  • Audit logs

  • Declare Record (blocks editing and deletion)

  • Hide the Sync button so that document folders cannot be synced offline

  • Restrict external sharing

  • Allow or block sharing at the domain level

  • Restrict access from locations other than the office

  • Alert policies for modify, delete and download events. An email notification is sent whenever one of the specified alert policies is matched.

  • Assign different permissions (Read, Write or Full Control) to different users when sharing a file

DLP using SharePoint Plan 2:

  • Legal Hold. When a hold is placed on a SharePoint site, a preservation hold library is created, if one doesn’t already exist. The preservation hold library is only visible to site collection administrators so most users can’t view it.

  • eDiscovery

SharePoint DLP using Intune and Azure AD Premium:

Note that the features listed here require the services named above to be deployed.

  • Unmanaged devices. Restrict access from devices that are not compliant or not joined to a domain.

  • Idle session sign-out. Automatically sign out users from inactive browser sessions.

  • Network location. Allow access only from specific IP addresses.

  • Block access from Office 2010 and other apps that cannot enforce device-based restrictions.

  • Remote wipe. Wipe corporate data from a device if it is lost, leaving personal data intact.

  • Protect data by restricting copy/paste of corporate data to Office 365 apps only, on both mobile devices and PCs.

  • Restrict installation to approved corporate apps such as Outlook.

  • Block printing of organization data

  • Block screen capture

  • Conditional Access

  • Files downloaded from SharePoint or OneDrive are downloaded as corporate files.

  • Restrict copy/paste to managed apps only. Adding an app to the protected apps list makes it a managed app.

  • When a corporate file is copied to a USB drive it is copied as a work document and can be opened only by corporate users, so a lost USB drive does not expose the data.

  • And more.
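The external-sharing, domain-level sharing, unmanaged-device and idle-session controls from the two lists above are tenant-wide settings that can be applied with the SharePoint Online Management Shell. The script below is an added example, not code from the original article; the admin URL and partner domain are placeholders, and the unmanaged-device setting also assumes an Azure AD Conditional Access policy that identifies non-compliant devices, which is not shown.

```powershell
# Added example (not from the original article): harden tenant-wide
# SharePoint Online sharing and access settings, then verify them.
# The admin URL and partner domain below are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# 1. Record the current (often permissive) settings before changing anything.
$before = Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    DefaultLinkPermission, SharingDomainRestrictionMode, SharingAllowedDomainList,
    ConditionalAccessPolicy, LimitedAccessFileType
$before | Format-List

# 2. Restrict external sharing: no anonymous "Anyone" links; guests must sign in.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly

# 3. Domain-level sharing: allow sharing only with the listed partner domains.
Set-SPOTenant -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList "partner.example"

# 4. Safer defaults when a user creates a sharing link: internal, view-only.
Set-SPOTenant -DefaultSharingLinkType Internal -DefaultLinkPermission View

# 5. Unmanaged devices: browser-only, no-download access from devices that are
#    neither compliant nor hybrid Azure AD joined (needs the matching Azure AD
#    Conditional Access policy, assumed to exist).
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess `
              -LimitedAccessFileType WebPreviewableFiles

# 6. Idle session sign-out: warn at 55 minutes of inactivity, sign out at 60.
Set-SPOBrowserIdleSignOut -Enabled $true `
    -WarnAfter (New-TimeSpan -Minutes 55) `
    -SignOutAfter (New-TimeSpan -Minutes 60)

# 7. Verify: compare the tenant state against what this script intended.
$after  = Get-SPOTenant
$checks = @{
    SharingCapability            = 'ExternalUserSharingOnly'
    SharingDomainRestrictionMode = 'AllowList'
    DefaultSharingLinkType       = 'Internal'
    DefaultLinkPermission        = 'View'
    ConditionalAccessPolicy      = 'AllowLimitedAccess'
}
foreach ($name in $checks.Keys) {
    $status = if ("$($after.$name)" -eq $checks[$name]) { 'OK' } else { 'MISMATCH' }
    "{0,-30} {1,-25} {2}" -f $name, $after.$name, $status
}
```

Run the verification step periodically as well, since any tenant administrator can relax these settings in the admin center without it showing up in a document-level audit log.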

SharePoint DLP and Disaster Recovery

Backing up the Document Libraries to another cloud service creates a second copy and allows for quick recovery. This is useful in case of accidental or malicious deletion of documents.

Team document backup and disaster recovery to another cloud can be configured for pre-defined users.

So do reach out to us if you want to prevent data loss from Windows devices.
