HIPAA External Block — Single Policy

Block all external sharing of Protected Health Information (PHI) across Microsoft 365 workloads using one reliable Microsoft Purview DLP policy.

Tools Used

📌 Summary

This lab demonstrates a single-policy design that blocks any external sharing of PHI across Exchange, SharePoint, OneDrive and Teams.

βš™οΈ Approach

  1. Create one DLP policy named HIPAA External Block.
  2. Scope the policy explicitly to the four workloads (Exchange, SharePoint, OneDrive, Teams) using the location picker.
  3. Include all users and groups in scope (default), no exclusions required for this lab.
  4. Rule condition: content contains configured HIPAA sensitive info types or matching classifiers.
  5. Action: Block external sharing/delivery; show inline policy tip; send end‑user notification; create Purview incident and alert to admins.
  6. Validate externally-targeted sharing attempts from each workload are blocked and generate alerts.

Policy Configuration (high-level)

Name: HIPAA External Block — Global
Locations: Select specific locations → Exchange mailboxes; SharePoint sites; OneDrive accounts; Teams chat and channel messages
Users in scope: All users and groups (no exclusions in this lab)
Condition: Contains HIPAA sensitive info types / classifiers
Actions: Block external sharing/delivery; Show policy tip; Send user notification; Create incident/alert.

Steps Taken

  1. Create custom DLP policy using the Purview portal and name it per above.
  2. Choose specific locations and enable Exchange, SharePoint, OneDrive and Teams.
  3. Select sensitive info types and any trainable classifiers that represent PHI.
  4. Set action to block external sharing/delivery; configure policy tip and notify options.
  5. Publish policy and allow propagation (test after 30–60 minutes; final confirmation next day).
  6. Perform external sharing tests from each workload and capture results (blocked tip, NDR, Purview incident/alert).
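The Approach and Steps Taken lists above describe the policy as built in the Purview portal; the following is an added PowerShell equivalent (not part of the original lab) that creates the same single policy and its rule through Security & Compliance PowerShell. The specific sensitive info types chosen and the admin mailbox address are assumptions for this example, since the lab text does not name them.

```powershell
# Requires the ExchangeOnlineManagement module; signs in to Security & Compliance PowerShell.
Connect-IPPSSession

# Steps 1-2: one policy, scoped explicitly to the four workloads rather than "All locations".
New-DlpCompliancePolicy -Name "HIPAA External Block" `
    -Comment "Lab: block external sharing of PHI across Exchange, SharePoint, OneDrive and Teams" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode Enable   # use -Mode TestWithNotifications first if you want tips without blocking

# Step 3: sensitive info types standing in for "configured HIPAA SITs" (assumed choice for this example;
# the lab does not list which SITs or trainable classifiers were selected).
$phiTypes = @(
    @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
    @{ Name = "Drug Enforcement Agency (DEA) Number"; minCount = "1" },
    @{ Name = "International Classification of Diseases (ICD-10-CM)"; minCount = "1" }
)

# Step 4: block when matching content is shared with or sent to anyone outside the tenant,
# show a policy tip, notify the user, and raise an incident report plus an admin alert.
# dlp-admins@contoso.example is a placeholder mailbox, not a value from the lab.
New-DlpComplianceRule -Name "Block PHI to external recipients" -Policy "HIPAA External Block" `
    -ContentContainsSensitiveInformation $phiTypes `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser LastModifier, Owner `
    -NotifyPolicyTipCustomText "This item contains PHI and cannot be shared outside the organization." `
    -GenerateIncidentReport "dlp-admins@contoso.example" -IncidentReportContent All `
    -GenerateAlert "dlp-admins@contoso.example" `
    -ReportSeverityLevel High

# Steps 5-6: after propagation (30-60 minutes), confirm the policy is enabled and distributed
# before running the per-workload external sharing tests.
Get-DlpCompliancePolicy -Identity "HIPAA External Block" | Format-List Name, Mode, Workload, DistributionStatus
Get-DlpComplianceRule -Policy "HIPAA External Block" | Format-List Name, Disabled, AccessScope, BlockAccess
```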

Screenshot: Policy Overview

Policy overview configuration for HIPAA External Block Global
DLP policy overview showing name, location selections and actions

Screenshot: Locations Picker (selected workloads)

Locations picker showing Exchange, SharePoint, OneDrive, Teams selected
Locations panel with Exchange, SharePoint, OneDrive and Teams selected (avoid All locations)

Per-workload test placeholders & expected artifacts

SharePoint / OneDrive

Share dialog with DLP policy tip blocking external share
Policy tip in SharePoint/OneDrive when attempting to share a file externally

SharePoint / OneDrive

Notice of undeliverable mail because of a policy violation
Email notification: undeliverable

Teams

Teams composer showing policy tip when sending PHI to guest
Policy tip displayed in Teams when trying to send PHI to an external guest
Teams composer showing message blocked
Policy tip displayed in Teams when trying to send PHI to an external guest
Teams chat for receiving user
Receiving chat example

Exchange

Exchange NDR or policy tip when attempting to mail PHI externally
Outlook compose tip and/or NDR that indicates the external send was blocked

Screenshot: Admin side artifacts

Purview alert for blocked external PHI share
Purview alert view showing details of the policy match/block
Purview alert emailed to Admin showing HIPAA external block events
Alert email where admin receives notifications about blocked external sharing and policy match
Email notification to Admin showing policy match
Email notification to Admin showing policy match

Outcome

A single global external-block policy prevents PHI from leaving the tenant across all major M365 workloads. This simplified design reduces scoping complexity, and admins receive incidents and alerts for auditing and response.