Security Cave Blog: Sensitive data under control

How unified labelling and endpoint DLP prevent cloud uploads


In brief

Purview combines sensitivity labels and endpoint DLP to reliably block cloud uploads of sensitive files.

  • Create a "NoCloud" label (for files) and publish it to target groups via label policy.
  • Endpoint DLP: Custom policy only for "devices", condition label=NoCloud, action block upload to cloud/browser.
  • Rollout: first monitoring/policy tips, then activate; validation via upload tests (browser/app/explorer).
  • Operation: Monitoring via Activity Explorer; onboarding clients + maintaining service domains/browsers (Chrome/Firefox extension).

Microsoft Purview – Sensitivity Labels and Endpoint DLP

Many companies have sensitive data that, for regulatory or business reasons, must not be transferred to the cloud – either intentionally or accidentally. Organisational guidelines cannot technically prevent this.

With Microsoft Purview, such requirements can now be implemented much more precisely – through the combination of sensitivity labels and endpoint DLP.

In this article, I will show you how to create a label such as "NoCloud" and link it to an endpoint DLP policy to effectively block the upload of confidential files to cloud services such as OneDrive, Dropbox or Google Drive.


Step 1: Create sensitivity label "NoCloud"

First, we create a new label that will later serve as the trigger for the DLP rule.

  1. Create a new label in the Microsoft Purview Compliance Portal under Information Protection > Sensitivity Labels.
  2. Label configuration:
    • Name: NoCloud
    • Display name: NoCloud
    • Description: "Prevents uploading to cloud services."
    • Target objects: files
    • Protection: Encryption Optional – the label is used purely for classification purposes.
  3. Release: Roll out the label to the relevant user groups via a label policy.


Step 2: Configure Endpoint DLP Policy

We now ensure that files labelled "NoCloud" can no longer be uploaded to cloud storage – regardless of whether the upload is done via the browser, an app or Explorer.

  1. Navigate to the Purview portal for Data Loss Prevention.
  2. Create new policy:
    • Type: Custom policy
    • Name: Block Cloud Upload for Label "NoCloud"
  3. Select sources:
    • Select only "Devices"
    • Target group: Users or groups to whom the rule should apply
  4. Add rule:
    • Condition: Content contains Sensitivity Labels "NoCloud".
    • Action:
      • Upload to blocked cloud services / Block browsers (e.g. OneDrive, Google Drive, Box, Dropbox, Firefox, Chrome)
    • Notification:
      • Optional: Display user warning
      • Optional: Send incident report to the security team
  5. Activate policy (recommended first in monitoring mode with policy tips) and deploy
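The same two steps can be scripted with Security & Compliance PowerShell. The block below is an added example and not part of the article: the group name, policy names and the security-team mailbox are constructed placeholders, and the `-EndpointDlpRestrictions` setting names (CloudEgress, UnallowedBrowser) are my reading of the cmdlet and should be confirmed against `Get-Help New-DlpComplianceRule -Full` in your tenant.

```powershell
# Added example (not from the article): PowerShell equivalent of Steps 1 and 2.
# Requires the ExchangeOnlineManagement module and a Compliance Administrator role.
# Placeholders: target group, security mailbox. Assumption: the EndpointDlpRestrictions
# setting names below match your tenant (check Get-Help New-DlpComplianceRule -Full).
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive sign-in to Security & Compliance PowerShell

$labelName   = 'NoCloud'
$targetGroup = 'nocloud-users@contoso.example'   # placeholder mail-enabled group
$policyName  = "Block Cloud Upload for Label $labelName"

# Step 1: classification-only label for files (no encryption configured)
New-Label -Name $labelName -DisplayName $labelName `
    -Tooltip 'Prevents uploading to cloud services.' `
    -ContentType File

# Step 1 (release): publish the label to the target group via a label policy
New-LabelPolicy -Name "$labelName-Publish" -Labels $labelName `
    -ExchangeLocation $targetGroup

# Step 2: endpoint-only DLP policy, started in monitoring mode with policy tips
New-DlpCompliancePolicy -Name $policyName `
    -EndpointDlpLocation All `
    -Mode TestWithNotifications

# Step 2 (rule): condition = sensitivity label NoCloud; action = block cloud
# egress and uploads via unallowed browsers; notify the owner, report to SecOps
New-DlpComplianceRule -Name "$labelName-BlockUpload" -Policy $policyName `
    -ContentContainsSensitiveInformation @{
        operator = 'And'
        groups   = @(@{ operator = 'Or'; name = 'Default'
                        labels = @(@{ name = $labelName; type = 'Sensitivity' }) })
    } `
    -EndpointDlpRestrictions @(
        @{ Setting = 'CloudEgress';      Value = 'Block' },
        @{ Setting = 'UnallowedBrowser'; Value = 'Block' }
    ) `
    -NotifyUser Owner `
    -GenerateIncidentReport 'secops@contoso.example'   # placeholder mailbox

# Step 2 (activate): once the monitoring phase shows no false positives, enforce
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable

# Check that the rule carries the label condition and the endpoint restrictions
Get-DlpComplianceRule -Identity "$labelName-BlockUpload" |
    Format-List Name, ContentContainsSensitiveInformation, EndpointDlpRestrictions
```

If the label is not matched by name, reference it by its GUID from `Get-Label -Identity NoCloud | Select-Object ImmutableId` in the `labels` entry.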


Alternatively, if you want DLP to prevent all files (regardless of classification) from being uploaded, use the condition "Document size is equal to or greater than" and set it to 1 byte; the rule then applies to every file.

However, you should find out in advance whether there are scenarios where, for example, partners require an external cloud storage solution or similar.

When it comes to service domains, note that they do not apply to "paste in" actions. This is a feature gap that will surely be closed in the future.


Step 3: Validation

After deployment, a targeted test is recommended:

  • Label a file with NoCloud
  • Attempt to upload via various methods (browser, app, Explorer) to a cloud service.
  • Expected behaviour: The upload is blocked, and a user notification may appear.


Monitoring & Reporting

Several tools are available for tracking and analysis:

  • Activity Explorer: Shows blocked actions in detail


Conclusion

The combination of unified labelling and endpoint DLP allows you to implement highly targeted protective measures without unnecessarily restricting user productivity. The NoCloud label is a simple but effective way to ensure that certain data does not leave the company via cloud services.


Side note:

Of course, the relevant clients must first be onboarded to Endpoint DLP (when using MDE, this is done with a single click: Purview Admin Centre > Settings > Device Onboarding > Devices > Turn On Windows Device Monitoring). The service domains and browsers must also be maintained in the Endpoint DLP settings.

In principle, Chrome and Firefox can be used in combination with Purview. The only thing to note is that the Purview extension must be distributed.


Further sources & information on this topic:

Configure settings to prevent data loss at the endpoint - Microsoft Purview | Microsoft Learn



Author: Marcus Henker

Marcus began working with Microsoft Office 365 in 2014. Since then, he has focused on various projects and supported customers from a wide range of industries. In recent years, Marcus has concentrated on Microsoft security issues.