Stop Users Sharing Teams Files Externally with Purview DLP (SharePoint + OneDrive)
How to Block External File Sharing in Microsoft Teams Using Microsoft Purview DLP
If you want to stop users from sharing internal documents with external users in Microsoft Teams, you need to configure it in the right place. A common mistake is assuming Teams stores files. It does not.
Teams is the front door. The files live in SharePoint and OneDrive. That detail matters because it determines which locations your Data Loss Prevention (DLP) policy must cover.
This guide walks you through the real configuration in Microsoft Purview so you can enforce the rule properly.
Why Teams File Sharing Is Different Than Teams Messages
Before you configure anything, lock this in:
- Teams channel files are stored in SharePoint (the team's connected SharePoint site)
- Teams chat files are stored in OneDrive (the sender's OneDrive)
- Teams chat and channel messages location covers message text only, not file storage
So if your goal is to block document sharing, your DLP policy must target the storage layer.
What You Need Before You Start
Required roles
You need permissions in Purview to create and manage DLP policies. Common roles include:
- DLP Compliance Management
- Compliance Administrator
- Global Administrator (works, but not ideal long term)
Licensing note
A Microsoft 365 E5 tenant includes the Purview capabilities typically used for advanced DLP scenarios.
Step-by-Step: Create the DLP Policy in Microsoft Purview
Step 1: Open Microsoft Purview
- Go to compliance.microsoft.com
- Sign in with your compliance role
Step 2: Start a New DLP Policy
- Go to Data loss prevention
- Select Policies
- Click Create policy
Step 3: Choose a Template or Custom Policy
Pick one:
- Template-based policy: Faster and great if you want to protect known data types (PII, financial, etc.)
- Custom policy: Best when you are building an "internal-only" control based on how your organization defines internal data
Click Next after selecting.
Step 4: Name the Policy
Use a name that clearly states the intent.
Example:
Block External Sharing of Internal Documents (Teams Files)
Add a short description so other admins know why it exists.
Step 5: Select the Correct Locations (This Is the Exam and Real-World Key)
Enable these locations:
- ✅ SharePoint sites
- ✅ OneDrive accounts
Leave this off unless you also want to control message text:
- ❌ Teams chat and channel messages
This is the core setup that blocks files shared from Teams, because Teams files are stored in SharePoint and OneDrive.
Step 6: Build the Rule That Defines "Internal Documents"
You have a few strong options. The best choice depends on how you label or classify your data.
Option A: Sensitivity Labels (Best Practice)
If your org uses sensitivity labels, this is the cleanest control.
Example condition:
- Content contains Sensitivity label = Internal
Option B: Sensitive Info Types
Use this when you want to block specific types of content.
Example conditions:
- Credit card numbers
- Government IDs
- Employee IDs
- Financial account info
Option C: External Sharing Trigger
If your goal is specifically "do not let internal files go outside the org," add a sharing condition aligned to external access.
Example condition:
- Content is shared with people outside your organization
In most real deployments, you combine A or B with C.
Step 7: Configure the Enforcement Action
Choose an action that matches your tolerance:
Recommended enforcement
- Block sharing with external users
- Allow sharing internally
If you want to reduce disruption early, start with a softer action:
- Allow but audit and alert, then enforce later
Step 8: Configure User Notifications and Policy Tips
This is how you prevent confusion and reduce tickets.
Enable:
- Policy tips to show a message when a user tries to share externally
Example message:
"This file is internal and cannot be shared with external users."
Step 9: Configure Alerts for Admin Visibility
Turn on alerts so security or compliance teams can track attempts.
Common configuration:
- Alert on every match, or after a low threshold (1-3 events)
- Send to a shared mailbox or security distro
Step 10: Test First, Then Turn It On
Recommended rollout path
- Set policy mode to Test with notifications
- Monitor results in Purview reporting
- Confirm there are no unexpected blocks
- Switch the policy to On
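For admins who prefer a repeatable, reviewable deployment, Steps 2 through 10 can also be scripted in Security & Compliance PowerShell. This is an added example, not part of the original guide; it combines Option B with Option C. Assumptions: the rule name and the alert mailbox `dlp-alerts@contoso.example` are placeholders, and "Credit Card Number" stands in for whatever defines internal content in your tenant.

```powershell
# Added example (not from the original guide): scripted version of Steps 2-10.
# Requires the ExchangeOnlineManagement module and a role that can manage DLP.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # connects to Security & Compliance PowerShell

$policyName = 'Block External Sharing of Internal Documents (Teams Files)'
$alertTo    = 'dlp-alerts@contoso.example'   # assumption: placeholder mailbox

# Steps 4, 5 and 10: name the policy, scope it to the storage layer only,
# and start in test mode. -TeamsLocation is deliberately omitted because
# that location covers message text, not the files users share.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Blocks external sharing of internal files surfaced through Teams.' `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# Steps 6-9: condition (Option B + Option C), block action, policy tip, alert.
$ruleParams = @{
    Name                      = 'Block external share of card data'   # hypothetical rule name
    Policy                    = $policyName
    # Option B: built-in sensitive info type, at least one instance.
    ContentContainsSensitiveInformation = @{ Name = 'Credit Card Number'; minCount = '1' }
    # Option C: only fire when content is shared outside the organization.
    AccessScope               = 'NotInOrganization'
    # Step 7: block external users; internal sharing keeps working.
    BlockAccess               = $true
    BlockAccessScope          = 'PerUser'
    # Step 8: policy tip shown to the person sharing the file.
    NotifyUser                = 'LastModifier'
    NotifyPolicyTipCustomText = 'This file is internal and cannot be shared with external users.'
    # Step 9: admin alert on match.
    GenerateAlert             = $alertTo
    ReportSeverityLevel       = 'High'
}
New-DlpComplianceRule @ruleParams

# Confirm mode and locations before moving on to validation.
Get-DlpCompliancePolicy -Identity $policyName | Format-List Name, Mode, *Location

# After the test period shows no unexpected blocks, enforce:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Keeping the enforcement line commented out means the script can be re-read or peer-reviewed without accidentally moving the policy out of test mode.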
How to Validate the Policy Works
Run these quick tests:
Test 1: Teams channel file to a guest user
Expected result:
- Blocked (SharePoint enforced)
Test 2: Teams chat file to an external user
Expected result:
- Blocked (OneDrive enforced)
Test 3: Internal sharing
Expected result:
- Allowed (unless your rules block it)
Common Mistakes to Avoid
- Applying DLP only to Teams chat and channel messages
- Forgetting OneDrive (chat file storage)
- Enforcing immediately without running audit mode
- Not using labels or data classification, which leads to noisy matches
Summary
To stop users from sharing documents with external users through Teams:
- Configure Microsoft Purview DLP
- Apply it to:
- SharePoint sites
- OneDrive accounts
- Build a rule that identifies internal content
- Block external sharing
- Start in audit mode, then enforce
Teams is the interface. SharePoint and OneDrive are where the control actually happens.
