ASD's Blueprint for Secure Cloud

Data Loss Prevention: Block email of PROTECTED items

This section describes the configuration of Data Loss Prevention (DLP) policies within Microsoft Purview associated with systems built according to guidance in ASD's Blueprint for Secure Cloud.

Name

  Name: Block email of PROTECTED items
  Description: Blocks users from sending emails classified as PROTECTED to external recipients

Admin units

  Admin units: Full directory

Locations

  Exchange email: All groups
  SharePoint sites: (blank)
  OneDrive accounts: (blank)
  Teams chat and channel messages: (blank)
  Devices: (blank)
  On-premises repositories: (blank)
  Power BI workspaces: (blank)

Advanced DLP rules

Block PROTECTED email to non-approved organisations

  Name: Block PROTECTED email to non-approved organisations
  Description: (blank)

  Conditions
    Content is shared from Microsoft 365: with people outside my organization
    AND
    Content contains: Sensitivity labels
      Group name: Default
      Group operator: Any of these
      Sensitivity labels: All PROTECTED labels
    AND
    Condition Group: NOT
      Recipient domain is: List of approved domains
      OR
      Recipient is a member of: grp-PROTECTED-Guests

  Actions
    Restrict access or encrypt the content in Microsoft 365 locations: Block users from receiving email or accessing shared SharePoint, OneDrive, and Teams files
      - Block only people outside your organization

  User notifications
    Use notifications to inform your users and help educate them on the proper use of sensitive info: On
    Email notifications: Checked
      - Notify the user who sent, shared, or last modified the content
      - Attach matching email message to the notification
    Policy tips: Checked
    Customize the policy tip text: A recipient of this email is from an organisation which has not been configured as authorised for receipt of PROTECTED information. Transmission will be blocked to these addresses. If this is incorrect, please contact support to discuss your requirement.

  User overrides
    Allow overrides from M365 services: Not checked

  Incident reports
    Use this severity level in admin alerts and reports: Medium
    Send an alert to admins when a rule match occurs: On
    Use email incident reports to notify you when a policy match occurs: Off

  Additional options
    If there's a match for this rule, stop processing additional DLP policies and rules: Not checked
    Priority: 0

Block PROTECTED email to non-cleared internal users

  Name: Block PROTECTED email to non-cleared internal users
  Description: (blank)

  Conditions
    Content is shared from Microsoft 365: only with people inside my organization
    AND
    Content contains: Sensitivity labels
      Group name: Default
      Group operator: Any of these
      Sensitivity labels: All PROTECTED labels
    AND
    Condition Group: NOT
      Recipient is a member of: grp-PROTECTED-Users, grp-PROTECTED-Guests

  Actions
    Restrict access or encrypt the content in Microsoft 365 locations: Block users from receiving email or accessing shared SharePoint, OneDrive, and Teams files
      - Block everyone

  User notifications
    Use notifications to inform your users and help educate them on the proper use of sensitive info: On
    Email notifications: Checked
      - Notify the user who sent, shared, or last modified the content
      - Attach matching email message to the notification
    Policy tips: Checked
    Customize the policy tip text: A recipient of this email is not cleared for receipt of PROTECTED items. Transmission of the message will be blocked.

  User overrides
    Allow overrides from M365 services: Not checked

  Incident reports
    Use this severity level in admin alerts and reports: Low
    Send an alert to admins when a rule match occurs: On
    Use email incident reports to notify you when a policy match occurs: Off

  Additional options
    If there's a match for this rule, stop processing additional DLP policies and rules: Not checked
    Priority: 1

Limit sending of internal PROTECTED email

  Name: Limit sending of internal PROTECTED email
  Description: (blank)

  Conditions
    Content is shared from Microsoft 365: only with people inside my organization
    AND
    Content contains: Sensitivity labels
      Group name: Default
      Group operator: Any of these
      Sensitivity labels: All PROTECTED labels
    AND
    Condition Group: NOT
      Sender is a member of: grp-PROTECTED-Users

  Actions
    Restrict access or encrypt the content in Microsoft 365 locations: Block users from receiving email or accessing shared SharePoint, OneDrive, and Teams files
      - Block everyone

  User notifications
    Use notifications to inform your users and help educate them on the proper use of sensitive info: On
    Email notifications: Checked
      - Notify the user who sent, shared, or last modified the content
      - Attach matching email message to the notification
    Policy tips: Checked

  User overrides
    Allow overrides from M365 services: Not checked

  Incident reports
    Use this severity level in admin alerts and reports: Low
    Send an alert to admins when a rule match occurs: On
    Send an alert every time an activity matches the rule: Selected
    Use email incident reports to notify you when a policy match occurs: Off

  Additional options
    If there's a match for this rule, stop processing additional DLP policies and rules: Not checked
    Priority: 2

Limit sending of external PROTECTED email

  Name: Limit sending of external PROTECTED email
  Description: (blank)

  Conditions
    Content is shared from Microsoft 365: only with people outside of my organization
    AND
    Content contains: Sensitivity labels
      Group name: Default
      Group operator: Any of these
      Sensitivity labels: All PROTECTED labels
    AND
    Condition Group: NOT
      Sender is a member of: grp-PROTECTED-Users

  Actions
    Restrict access or encrypt the content in Microsoft 365 locations: Block users from receiving email or accessing shared SharePoint, OneDrive, and Teams files
      - Block everyone

  User notifications
    Use notifications to inform your users and help educate them on the proper use of sensitive info: On
    Email notifications: Checked
      - Notify the user who sent, shared, or last modified the content
      - Attach matching email message to the notification
    Policy tips: Checked

  User overrides
    Allow overrides from M365 services: Not checked

  Incident reports
    Use this severity level in admin alerts and reports: Low
    Send an alert to admins when a rule match occurs: On
    Send an alert every time an activity matches the rule: Selected
    Use email incident reports to notify you when a policy match occurs: Off

  Additional options
    If there's a match for this rule, stop processing additional DLP policies and rules: Not checked
    Priority: 3

Policy mode

  Policy mode: Turn the policy on immediately
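The policy and its four rules above, expressed in Security & Compliance PowerShell as an added example that is not part of the Blueprint page or its tooling. It assumes Connect-IPPSSession has already been run, that the PROTECTED labels can be found by display name, that the approved-domain list and group addresses shown are placeholders, and that the GenerateAlert and NotifyEmailExchangeIncludeAttachment parameters behave as described in the comments.

```powershell
# Added example (not the Blueprint's own code). Run after Connect-IPPSSession.
$policyName      = 'Block email of PROTECTED items'
$approvedDomains = @('approved-partner.example')            # placeholder for "List of approved domains"
$guests          = 'grp-PROTECTED-Guests@contoso.example'   # placeholder group addresses
$users           = 'grp-PROTECTED-Users@contoso.example'

# Policy: Exchange email, all groups; "Turn the policy on immediately" = -Mode Enable
New-DlpCompliancePolicy -Name $policyName -ExchangeLocation All -Mode Enable `
    -Comment 'Blocks users from sending emails classified as PROTECTED to external recipients'

# Condition "Content contains: Sensitivity labels / Group Default / Any of these / All PROTECTED labels"
# Assumption: every PROTECTED label's display name starts with "PROTECTED".
$labelIds  = (Get-Label | Where-Object { $_.DisplayName -like 'PROTECTED*' }).ImmutableId
$condition = @{ operator = 'And'; groups = @(@{ operator = 'Or'; name = 'Default';
    labels = @($labelIds | ForEach-Object { @{ name = $_; type = 'Sensitivity' } }) }) }

# Settings every rule on the page shares: block, notify the sender with the message attached,
# admin alert on, incident e-mail off (GenerateIncidentReport omitted), no overrides, keep processing.
$common = @{
    Policy = $policyName; ContentContainsSensitiveInformation = $condition
    BlockAccess = $true; NotifyUser = 'LastModifier'; NotifyEmailExchangeIncludeAttachment = $true
    GenerateAlert = 'SiteAdmin'; StopPolicyProcessing = $false
}

# Priority 0: external recipients, except approved domains or the guest group (exceptions are OR-ed)
New-DlpComplianceRule @common -Name 'Block PROTECTED email to non-approved organisations' -Priority 0 `
    -AccessScope NotInOrganization -BlockAccessScope PerUser -ReportSeverityLevel Medium `
    -ExceptIfRecipientDomainIs $approvedDomains -ExceptIfSentToMemberOf $guests `
    -NotifyPolicyTipCustomText 'A recipient of this email is from an organisation which has not been configured as authorised for receipt of PROTECTED information. Transmission will be blocked to these addresses. If this is incorrect, please contact support to discuss your requirement.'

# Priority 1: internal recipients who are not in either cleared group
New-DlpComplianceRule @common -Name 'Block PROTECTED email to non-cleared internal users' -Priority 1 `
    -AccessScope InOrganization -BlockAccessScope All -ReportSeverityLevel Low `
    -ExceptIfSentToMemberOf @($users, $guests) `
    -NotifyPolicyTipCustomText 'A recipient of this email is not cleared for receipt of PROTECTED items. Transmission of the message will be blocked.'

# Priorities 2 and 3: senders outside grp-PROTECTED-Users, internal then external recipients
New-DlpComplianceRule @common -Name 'Limit sending of internal PROTECTED email' -Priority 2 `
    -AccessScope InOrganization -BlockAccessScope All -ReportSeverityLevel Low -ExceptIfFromMemberOf $users
New-DlpComplianceRule @common -Name 'Limit sending of external PROTECTED email' -Priority 3 `
    -AccessScope NotInOrganization -BlockAccessScope All -ReportSeverityLevel Low -ExceptIfFromMemberOf $users

# Check: four rules attached to the policy, in priority order, with the expected scope and severity
Get-DlpComplianceRule -Policy $policyName | Sort-Object Priority |
    Format-Table Name, Priority, AccessScope, ReportSeverityLevel
```

Comparing the Format-Table output against the tables above is a quick way to confirm the rule ordering (0 to 3) survived creation, since priority decides which policy tip a user sees when more than one rule matches.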

Security & Governance

  • None identified

Design

  • None identified

Configuration

  • None identified

References

  • None identified

Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at blueprint@asd.gov.au

Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra