Blocking external access by domain or user email for SharePoint and OneDrive files in Microsoft Purview

Microsoft Purview Data Loss Prevention (DLP) now supports blocking or allowing access to sensitive SharePoint and OneDrive for Business files based on an external user’s domain or specific email address. This feature has been in Public Preview since April and should be generally available in July 2026.

Timeline

General availability is scheduled for July 2026.

How does this affect your organization?

In a Microsoft Purview DLP policy for SharePoint, OneDrive for Business, or both, compliance administrators can configure the action “Block access for specific external domains and users“…

Configure the Action to block (or allow) access to/from external domains and users
Configure the Action to block (or allow) access to/from external domains and users

…to block OR allow access from specific external domains or individual external email addresses to SharePoint and/or OneDrive files.

  • The conditions Domain IS and User IS will block access.
Block OR allow access from specific external domains or individual external email addresses
Block OR allow access from specific external domains or individual external email addresses
  • The conditions Domain IS NOT and User IS NOT will allow access.
Different DLP conditions to block or allow access
Different DLP conditions to block or allow access

As Microsoft notes:

When you use Block access for specific external domains or users: if a user or domain appears in both allow and block lists, the block takes effect (most restrictive wins). If a file matches both an allow rule and a block rule, evaluation is per rule — allowed users and domains are permitted, blocked users and domains are denied, and users in neither list are blocked by default.

If the DLP policy is active and matches one of the rule conditions, blocked external users will see an access denied message and be unable to open or download the file. User notifications and user overrides are not available for this DLP action.
The message referencing “this site” can be misleading, since the block applies to the file, not the site. Purview DLP redirects the blocked user to a generic SharePoint site page.

DLP policy to block external access is active
DLP policy to block external access is active

In my case, the guest can still access the General folder and the contents (for example, the Teams Forms Excel file), but the DLP policy blocks access to the Area511 file due to my rule.

My DLP policy blocks access only to the red-marked file
My DLP policy blocks access only to the red-marked file

These activities are recorded in Purview Audit Logs / Sentinel.

Recorded in Purview Audit Logs / Sentinel
Recorded in Purview Audit Logs / Sentinel

Note:
The license requirements for this feature are not yet clearly documented. They may be the same as those for Data Loss Prevention (DLP) for Exchange Online, SharePoint Online, and OneDrive for Business.

  • Microsoft 365 E7/E5/A5/G5/E3/A3/G3, Microsoft 365 Business Premium, SharePoint Plan 2, OneDrive for Business (Plan 2), Exchange Online Plan 2
  • Office 365 E5/A5/G5/E3/A3/G3
  • Microsoft Purview Suite/EDU/GOV/FLW and Microsoft Defender + Purview Suite FLW
Avatar photo

Tobias Asböck

Tobias is a Senior System Engineer with more than 10 years of professional experience with Microsoft 365 products such as SharePoint Online, SharePoint Premium, OneDrive for Business, Teams Collaboration, Entra ID, Information Protection, Universal Print, and Microsoft 365 Licensing. He also has 15+ years of experience planning, administering, and operating SharePoint Server environments. Tobias is a PowerShell Scripter with certifications for Microsoft 365 products. In his spare time, Tobias is busy with updates in the Microsoft 365 world or on the road with his road bike and other sports activities. If you have additional questions, please contact me via LinkedIn or [email protected].

Leave a Comment