SOLVED

DLP and Defender for Cloud Apps (MCAS) blocking the upload of sensitive data to personal Dropbox

%3CLINGO-SUB%20id%3D%22lingo-sub-2962676%22%20slang%3D%22en-US%22%3EDLP%20and%20Defender%20for%20Cloud%20Apps%20(MCAS)%20blocking%20the%20upload%20of%20sensitive%20data%20to%20personal%20Dropbox%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2962676%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20there%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3ETHE%20REQUIREMENT%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EBlock%20the%20upload%20of%20sensitive%20content%20(defined%20with%20Sensitive%20Information%20Types%20-%20not%20Labels)%20to%20personal%20cloud%20storage%20such%20as%20a%20personal%20Dropbox%20account.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3ETHE%20RESEARCH%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%3CEM%3EEndpoint%20DLP%3C%2FEM%3E%3C%2FP%3E%3CP%3EBased%20on%20this%20requirement%2C%20I%20have%20come%20to%20the%20conclusion%20that%20this%20can%20only%20be%20achieved%20through%20%3CA%20title%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fcompliance%2Fendpoint-dlp-learn-about%3Fview%3Do365-worldwide%22%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fcompliance%2Fendpoint-dlp-learn-about%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EEndpoint%20DLP%20(Upload%20to%20cloud%20service)%3C%2FA%3E%20using%20the%20%3CA%20title%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fcompliance%2Fdlp-chrome-get-started%3Fview%3Do365-worldwide%22%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fcompliance%2Fdlp-chrome-get-started%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EMicrosoft%20Compliance%20Extension%3C%2FA%3E%20and%20requiring%20an%20E5%20license%20for%20all%20users.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CEM%3EConditional%20Access%20and%20Defender%20for%20Cloud%20Apps%20-%20Session%20Policy%3C%2FEM%3E%3C%2FP%3E%3CP%3EI%20also%20considered%20using%20a%20%3CA%20title%3D%22https%3A%2F%2Fitsakerhetsguiden.se%2F2021%2F03%2F31%2Fmcas-session-control-for-sensitive-information%2F%22%20href%3D%22https%3A%2F%2Fitsakerhetsguiden.se%2F2021%2F03%2F31%2Fmcas-session-control-for-sensitive-information%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3ESession%20based%20policy%3C%2FA%3E%20in%20Defender%20for%20Cloud%20Apps%20(MCAS)%20to%20block%20the%20upload%20of%20such%20information%2C%20but%20the%20policy%20only%20relies%20on%20Sensitivity%20Labels%20(and%20not%20Sensitive%20Information%20Types%20which%20is%20the%20requirement)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CEM%3EM365%20Compliance%20Centre%20and%20Defender%20for%20Cloud%20Apps%20-%20DLP%20Policy%3C%2FEM%3E%3C%2FP%3E%3CP%3EI%20am%20also%20aware%20that%20one%20can%20add%20an%20App%20Connector%20for%20Dropbox%20as%20a%20Cloud%20App%2C%20then%20using%20this%20in%20M365%20Compliance%20Centre%20as%20a%20location%3A%3C%2FP%3E%3CDIV%20class%3D%22%22%3E%26nbsp%3B%3C%2FDIV%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22DirkPrinsloo_1-1636868121664.png%22%20style%3D%22width%3A%20716px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F326910i081EF04B3298C7F3%2Fimage-dimensions%2F716x58%3Fv%3Dv2%22%20width%3D%22716%22%20height%3D%2258%22%20role%3D%22button%22%20title%3D%22DirkPrinsloo_1-1636868121664.png%22%20alt%3D%22DirkPrinsloo_1-1636868121664.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBut%20this%20only%20works%20for%20corporate%20Dropbox%20accounts%20and%20not%20personal.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20sure%20I%20am%20missing%20something%20here%20in%20terms%20of%20the%20requirement%20and%20the%20capability%20that%20Microsoft%20provides%20throughout%20the%20DLP%20and%20MIP%20capabilities.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPlease%20help%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDirk%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2962676%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EDLP%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EDropbox%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMCAS%20Policy%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESensitive%20Information%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3015100%22%20slang%3D%22en-US%22%3ERe%3A%20DLP%20and%20Defender%20for%20Cloud%20Apps%20(MCAS)%20blocking%20the%20upload%20of%20sensitive%20data%20to%20personal%20Dropbox%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3015100%22%20slang%3D%22en-US%22%3EI%20have%20a%20similar%20request%20from%20a%20client%2C%20have%20you%20been%20able%20to%20identify%20an%20actual%20solution%20using%20other%20approaches%3F%3C%2FLINGO-BODY%3E
Senior Member

Hi there,

 

THE REQUIREMENT

Block the upload of sensitive content (defined with Sensitive Information Types - not Labels) to personal cloud storage such as a personal Dropbox account.

 

THE RESEARCH

Endpoint DLP

Based on this requirement, I have come to the conclusion that this can only be achieved through Endpoint DLP (Upload to cloud service) using the Microsoft Compliance Extension and requiring an E5 license for all users.

 

Conditional Access and Defender for Cloud Apps - Session Policy

I also considered using a Session based policy in Defender for Cloud Apps (MCAS) to block the upload of such information, but the policy only relies on Sensitivity Labels (and not Sensitive Information Types which is the requirement)

 

M365 Compliance Centre and Defender for Cloud Apps - DLP Policy

I am also aware that one can add an App Connector for Dropbox as a Cloud App, then using this in M365 Compliance Centre as a location:

 

DirkPrinsloo_1-1636868121664.png

 

But this only works for corporate Dropbox accounts and not personal.

 

I am sure I am missing something here in terms of the requirement and the capability that Microsoft provides throughout the DLP and MIP capabilities.

 

Please help?

 

Dirk

2 Replies
I have a similar request from a client, have you been able to identify an actual solution using other approaches?
best response confirmed by Trevor_Rusher (Community Manager)
Solution
Yes, endpoint DLP is the Microsoft solution for this requirement. MDCA does not have a forward proxy capability, so the best MDCA can do is integrate with a 3rd party secure web gateway like Zscaler, iBoss, Menlo Security, etc.

CAAC session policies are limited to SSO-enabled (sanctioned) apps and they also only support browser-based access, not client apps.

With MDE integration, MDCA can block access to the SaaS app entirely, which also includes blocking uploads, but is typically not what customers with this requirement are looking for.

Cu
We support Ukraine and condemn war. Push Russian government to act against war. Be brave, vocal and show your support to Ukraine. Follow the latest news HERE