-description: "Learn how to block external sharing of newly added SharePoint and OneDrive files while they are scanned for DLP rules."

-Instead of turning off external sharing entirely, you can mark the files in your organization as sensitive by default. This blocks guest access to new content until it has been scanned for sensitive content and DLP policies that include content-based conditions are applied. Guests are notified that the file is being scanned if they attempt to access it during this time.

-Once a file has been crawled and no content that would block sharing per DLP rules has been detected, guests can access the file. If the policy identifies sensitive content in the document that matches DLP rules, the normal behavior defined by those DLP rules will be applied.

-This feature doesn't block access to a file if the content has already been crawled and no sensitive content was found that matches the conditions in any DLP rules, or if the file has properties that match exemptions in DLP rules that allow it to be shared.

-When this feature is enabled, any content that isn't explicitly checked in a DLP policy will be blocked from being externally accessed. In other words, for content to be shareable externally, it must be in a location that's covered by a DLP policy and the policies for that location must determine, after content has been crawled and identified, that the file doesn't match any rules that would prevent it from being shared. This helps prevent users from leaking sensitive files by placing them in a location not covered by DLP policies.

-If you want to enable external sharing in locations not currently covered by DLP policies, you can create a DLP rule that includes all SharePoint and OneDrive locations, that contains at least one rule with the ΓÇ£content containsΓÇ¥ condition (for any content), and that doesn't perform any action (such as limiting or blocking the content), trigger any alerts, or generates any notifications or reports. This policy must be moved to the top of the list and not have the *stop processing more rules* option set, so it is only effective for content that doesn't match any other DLP rule. As a result of such a rule, any file in any location that doesnΓÇÖt match other DLP rules will be allowed for external sharing.