"Whitelist" Work Outlook For The Web in Purview DLP policy

Magnus Trangard
2026-06-23T15:28:23.0466667+00:00

Hi,

We have a Purview endpoint DLP policy in place preventing users from uploading files containing keyword matches and/or sensitivity labels to cloud service domains ("Upload to a restricted cloud service domain or access from an unallowed browser").

What we are trying to achieve with the DLP policy is to prevent users from uploading sensitive information to unapproved cloud services (Google Drive etc.).

The current policy prevents users from uploading documents meeting the conditions to Work Outlook for the Web, which is an approved application.

Is there a way to whitelist the organisation's Work Outlook for the Web?

Thanks

Magnus

Microsoft Security | Microsoft Purview

2 answers

  1. Manoj Kumar Boyini (Microsoft External Staff, Moderator)
    2026-06-26T15:40:19.3333333+00:00

    Hey @Magnus Trangard ,

    You can’t whitelist Outlook on the Web by app name – Endpoint DLP controls uploads based on the target domain in the browser. To allow your users to keep sending mail via OWA while still blocking uploads to consumer clouds, update your Endpoint DLP settings like this:

    1. In the Microsoft Purview compliance portal go to Data Loss Prevention > Endpoint DLP Settings > Browser and domain restrictions to sensitive data.
    2. Under Service domains choose one of two approaches:
      • Block mode – list only the domains you want to block (e.g. google.com, dropbox.com). Any domain not on that list (including your OWA endpoint) is automatically allowed.
      • Allow mode – list only your approved domains (e.g. outlook.office.com or your tenant-specific OWA URL). All other cloud service domains will be blocked.
    3. Click Add cloud service domain, enter the FQDN for your org’s Outlook on the Web endpoint, and Save.
    4. Publish or republish your DLP policy.

    Within a few minutes endpoint agents (Edge for Business or Chrome/Firefox with the Purview extension) will pick up the change, and uploads to your OWA URL will no longer be blocked by the “Upload to a restricted cloud service domain” rule.

    References:
    https://learn.microsoft.com/purview/dlp-configure-endpoint-settings#browser-and-domain-restrictions-to-sensitive-data
    https://learn.microsoft.com/purview/endpoint-dlp-create-policy-unauthorized-cloud-apps-services

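Added example (not from this thread or from Microsoft): a small model of the two service-domain modes described in the answer above, used to sanity-check a domain list before the policy is republished. It assumes a listed domain also covers its subdomains and that host names compare case-insensitively; the tenant host name `owa.contoso.example` is a constructed placeholder.

```python
# Added example, not Microsoft's code. Models the Endpoint DLP "service
# domains" Block/Allow modes so a list can be checked before publishing.
# Assumption: a listed domain also covers its subdomains, so "google.com"
# covers "drive.google.com"; host names are compared case-insensitively.
from urllib.parse import urlsplit


def host_of(url_or_host: str) -> str:
    """Normalise a URL or bare host name to a lowercase host name."""
    s = url_or_host.strip().lower()
    if "://" in s:
        return urlsplit(s).hostname or ""
    return s.split("/")[0]


def domain_matches(host: str, listed: str) -> bool:
    """True when host equals the listed domain or is a subdomain of it."""
    host, listed = host_of(host), host_of(listed)
    return host == listed or host.endswith("." + listed)


def upload_allowed(target: str, mode: str, domains: list[str]) -> bool:
    """Block mode: listed domains are restricted, all others allowed.
    Allow mode: listed domains are allowed, all others restricted."""
    hit = any(domain_matches(target, d) for d in domains)
    if mode == "block":
        return not hit
    if mode == "allow":
        return hit
    raise ValueError(f"unknown mode: {mode!r}")


def check_owa(owa_host: str, mode: str, domains: list[str]) -> list[str]:
    """Return findings that would leave OWA blocked; empty list means OK."""
    if upload_allowed(owa_host, mode, domains):
        return []
    if mode == "allow":
        return [f"{owa_host} is not covered by the allow list"]
    shadow = [d for d in domains if domain_matches(owa_host, d)]
    return [f"{owa_host} is covered by block entries {shadow}"]


# Constructed sample lists; "owa.contoso.example" is a placeholder host.
BLOCK_LIST = ["google.com", "dropbox.com"]
ALLOW_LIST = ["outlook.office.com", "owa.contoso.example"]

if __name__ == "__main__":
    print(check_owa("outlook.office.com", "block", BLOCK_LIST))
    print(check_owa("outlook.office.com", "allow", ["owa.contoso.example"]))
    print(upload_allowed("https://drive.google.com/upload", "block", BLOCK_LIST))
```

The third case in the block shows why a broad block entry such as `office.com` would silently shadow the OWA endpoint, which is the kind of mistake the check is meant to catch.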

  2. AI answer

    2026-06-23T15:28:36.9033333+00:00

    Yes. Configure the Endpoint DLP policy so that only unapproved (restricted) cloud service domains are controlled, and leave Outlook on the web (your Exchange Online/OWA domain) out of those restricted domain definitions.

    In Endpoint DLP, control of uploads to cloud services is driven by Sensitive service domain groups and the Upload to a restricted cloud service domain or access from an unallowed browser action:

    1. In the Microsoft Purview portal, go to:
      • Data loss prevention > Settings (gear icon) > Data Loss Prevention > Endpoint DLP settings > Browser and domain restrictions to sensitive data > Sensitive service domain groups.
    2. In the Sensitive service domain group(s) used by the policy, make sure only unapproved services (for example, Google Drive, Dropbox, etc.) are listed as Sensitive service domains. Do not add the organization’s Outlook on the web/OWA domain here.
    3. Save the group.
    4. Under Data loss prevention > Policies, edit the Endpoint DLP policy that uses:
      • Devices as the location, and
      • An action of Audit or restrict activities on devices with Service domain and browser activities set to Upload to a restricted cloud service domain or access from an unallowed browser.
    5. Ensure the rule is configured to apply only to those restricted cloud service domains (the Sensitive service domain group created in step 2). Since Outlook on the web is not in that group, uploads to it will not be blocked by this rule.

    Effectively, “whitelisting” Outlook on the web means not classifying its domain as a restricted/sensitive service domain in Endpoint DLP. The policy will then continue to prevent uploads of sensitive data only to the explicitly listed unapproved cloud domains.

