| Service | Microsoft Docs article | Related commit history on GitHub | Change details |
|---|---|---|---|
| SharePoint | Modern Root Site | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/modern-root-site.md | |
If you've [turned on audit log search](/office365/securitycompliance/turn-audit-

### Limitations

- The site you select as the new root site must be a communication site (SITEPAGEPUBLISHING#0) or a modern team site that isn't connected to a Microsoft 365 group (STS#3) and where **the publishing feature has never been activated.**
- The current root site can't be connected to a Microsoft 365 group.
- When you replace the root site, both the current site and the new site can't be hub sites or associated with a hub. If either site is a hub site, unregister it as a hub site, replace the root site, and then re-register the site as a hub site. If either site is associated with a hub, disassociate the site, replace the root site, and then reassociate the site. [Learn how to manage hubs in the new SharePoint admin center](manage-sites-in-new-admin-center.md#change-a-sites-hub-association)
- Replacing the root site with another site replaces the entire site collection with the new site collection. If your current root site has subsites, they'll be archived.
- The site you select as the new root site must be within the same domain as the current root site.
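The limitations above are the kind of thing an admin wants to verify before a root-site swap rather than discover mid-operation. The following pre-flight script is an added example, not part of the Microsoft Docs page or the SharePoint Online Management Shell itself. It assumes an existing `Connect-SPOService` session, that `Get-SPOSite` exposes the `Template`, `GroupId`, `IsHubSite` and `HubSiteId` properties, and that the two URLs passed in are placeholders for your tenant. The "publishing feature has never been activated" rule is not visible through `Get-SPOSite`, so the script reminds you to check it by hand.

```powershell
# Added example (not the docs page's own code): pre-flight checks against the
# "replace the root site" limitations. Assumes Connect-SPOService has been run
# and that Get-SPOSite returns Template, GroupId, IsHubSite and HubSiteId.
param(
    [Parameter(Mandatory)] [string] $CurrentRootUrl,  # placeholder, e.g. https://contoso.sharepoint.com
    [Parameter(Mandatory)] [string] $NewRootUrl       # placeholder, e.g. https://contoso.sharepoint.com/sites/newroot
)

$emptyGuid        = [guid]::Empty
$allowedTemplates = @('SITEPAGEPUBLISHING#0', 'STS#3')   # communication site, non-group team site
$problems         = New-Object System.Collections.Generic.List[string]

$current = Get-SPOSite -Identity $CurrentRootUrl
$new     = Get-SPOSite -Identity $NewRootUrl

# 1. The new root must use one of the two permitted templates.
if ($allowedTemplates -notcontains $new.Template) {
    $problems.Add("New site template is '$($new.Template)'; expected one of: $($allowedTemplates -join ', ')")
}

# 2. Neither site may be connected to a Microsoft 365 group (GroupId is the empty GUID when not connected).
foreach ($site in @($current, $new)) {
    if ($site.GroupId -ne $emptyGuid) {
        $problems.Add("$($site.Url) is connected to a Microsoft 365 group ($($site.GroupId))")
    }
}

# 3. Neither site may be a hub or be associated with a hub.
foreach ($site in @($current, $new)) {
    if ($site.IsHubSite) {
        $problems.Add("$($site.Url) is registered as a hub site; unregister it before replacing the root")
    } elseif ($site.HubSiteId -ne $emptyGuid) {
        $problems.Add("$($site.Url) is associated with hub $($site.HubSiteId); disassociate it before replacing the root")
    }
}

# 4. Both sites must be in the same domain; compare the host part of each URL.
$currentHost = ([uri]$CurrentRootUrl).Host
$newHost     = ([uri]$NewRootUrl).Host
if ($currentHost -ne $newHost) {
    $problems.Add("New root host '$newHost' differs from current root host '$currentHost'")
}

if ($problems.Count -eq 0) {
    Write-Output "Automated checks passed. Still confirm manually that the publishing feature was never activated on $NewRootUrl, and remember that subsites of $CurrentRootUrl will be archived."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Root site replacement prerequisites not met ($($problems.Count) issue(s) found)."
}
```

Run it as `.\Test-RootSiteSwap.ps1 -CurrentRootUrl <current> -NewRootUrl <candidate>`; a non-zero exit from the `throw` makes it safe to chain ahead of the actual replacement in a change script.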
| Service | Microsoft Docs article | Related commit history on GitHub | Change details |
|---|---|---|---|
| SharePoint | Sensitive By Default | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/sensitive-by-default.md | |

Title: "Mark new files as sensitive by default"
+ Title: "Prevent guest access to files while DLP rules are applied"
search.appverid:- BSA160 - GSP150 - MET150
-description: "Learn how to block external sharing of newly added files."
+description: "Learn how to block external sharing of newly added SharePoint and OneDrive files while they are scanned for DLP rules."
-# Mark new files as sensitive by default
+# Prevent guest access to files while DLP rules are applied
-When new files are added to SharePoint or OneDrive in Microsoft 365, it takes a while for them to be crawled and indexed. It takes time for the [Microsoft Purview Data Loss Prevention (DLP) policy](/microsoft-365/compliance/dlp-learn-about-dlp) to scan the content and apply rules to help protect sensitive content. If external sharing is turned on, sensitive content could be shared and accessed by guests before the Office DLP rule finishes processing.
+When new files are added to SharePoint or OneDrive in Microsoft 365, it takes a while for [Microsoft Purview Data Loss Prevention (DLP) policy](/microsoft-365/compliance/dlp-learn-about-dlp) to scan the content and apply rules to help protect sensitive content. If external sharing is turned on, sensitive content could be shared and accessed by guests before the DLP rule finishes processing.
-Instead of turning off external sharing entirely, you can address this issue by using a PowerShell cmdlet to block external access to new content. However, this doesn't work if external sharing is explicitly authorized in a DLP rule and the lack of sensitive content that goes against the policy rules has been verified. The setting enabled by this cmdlet prevents external users from accessing newly added files until at least one Office DLP policy scans the content and determines that the document doesn't contain any sensitive information that's against the rules defined in the policy. If the file has been indexed and scanned and it has no sensitive content that's against the rules in the DLP policy, then guests can access the file. If the policy identifies sensitive content in the document, or if there's no DLP rule explicitly authorizing access to the file, then guests won't be able to access the file, and they'll receive the following access denied error message: "This file is being scanned right now. Please try again in a few minutes. If you still don't have access, contact the file owner."
+Instead of turning off external sharing entirely, you can mark the files in your organization as sensitive by default. This blocks guest access to new content until it has been scanned for sensitive content and DLP policies that include content-based conditions are applied. Guests are notified that the file is being scanned if they attempt to access it during this time.
-> This cmdlet applies to newly added files in all SharePoint sites and OneDrive accounts where a DLP policy is in place. It doesn't block sharing if an existing file is changed.
+Once a file has been crawled and no content that would block sharing per DLP rules has been detected, guests can access the file. If the policy identifies sensitive content in the document that matches DLP rules, the normal behavior defined by those DLP rules will be applied.+
+This feature doesn't block access to a file if the content has already been crawled and no sensitive content was found that matches the conditions in any DLP rules, or if the file has properties that match exemptions in DLP rules that allow it to be shared.+
+This feature applies to newly added files in SharePoint and OneDrive. It doesn't block sharing if an existing file is changed.+
+## DLP rules are required for content to be shared with guests+
+When this feature is enabled, any content that isn't explicitly checked in a DLP policy will be blocked from being externally accessed. In other words, for content to be shareable externally, it must be in a location that's covered by a DLP policy and the policies for that location must determine, after content has been crawled and identified, that the file doesn't match any rules that would prevent it from being shared. This helps prevent users from leaking sensitive files by placing them in a location not covered by DLP policies.+
+If you want to operate under the principle that only locations explicitly checked by DLP can be shared externally, no further action is necessary.+
+If you want to enable external sharing in locations not currently covered by DLP policies, you can create a DLP rule that includes all SharePoint and OneDrive locations, that contains at least one rule with the ΓÇ£content containsΓÇ¥ condition (for any content), and that doesn't perform any action (such as limiting or blocking the content), trigger any alerts, or generates any notifications or reports. This policy must be moved to the top of the list and not have the *stop processing more rules* option set, so it is only effective for content that doesn't match any other DLP rule. As a result of such a rule, any file in any location that doesnΓÇÖt match other DLP rules will be allowed for external sharing.+
+For information about how to create a DLP rule, see [Learn how to create and turn on a DLP policy](/microsoft-365/compliance/create-test-tune-dlp-policy).
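Review bot: in the "DLP rules are required" section the instruction reads "create a DLP rule that includes all SharePoint and OneDrive locations, that contains at least one rule", which nests a rule inside a rule; the removed text had this right as "create a DLP policy that ... has any 'content contains' condition". Use "policy" for the container and "rule" for the condition, and fix the parallelism in "doesn't perform any action ..., trigger any alerts, or generates any notifications" (generate). The quotation marks around "content contains" and the apostrophe in "doesn't" also appear as mojibake in this hunk, so check the file is saved as UTF-8 and prefer straight quotes to match the rest of the page.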
-1. Since any content that isn't explicitly checked in a DLP policy will not be blocked from being externally accessed after this setting is enabled, you must ensure any content that needs to be shared externally is covered by at least one DLP policy. If you prefer to require explicit authorization in a DLP policy for a site to be shareable, no further action is needed after this setting is enabled. If not all locations with content that needs to be shared externally are already covered by an existing DLP policy, you must add them to at least one policy. The easiest way to do this is to create a DLP policy that includes all SharePoint or OneDrive locations, that has any "content contains" condition selected, and that specifies no actions, no alerts, no notifications and no reports. Also, make sure the rule doesn't use the option to stop processing more DLP rules. [Learn how to create and turn on a DLP policy](/microsoft-365/compliance/create-test-tune-dlp-policy)
+## Mark files as sensitive by default
- > [!IMPORTANT]
- > Any content not in the scope of DLP policies would not be blocked for external access.
+This feature is configured using PowerShell.
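Review bot: the removed step 1 and the removed [!IMPORTANT] callout both stated that content not in scope of a DLP policy "will not be blocked" for external access, while the added section says such content "will be blocked". This reverses the documented behaviour rather than rewording it, so state the correction explicitly in the commit or PR description so readers who followed the old guidance know it was wrong, and consider keeping an [!IMPORTANT] callout carrying the new statement, since it is the fact most likely to surprise an admin who enables the setting.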
-2. [Download the latest SharePoint Online Management Shell](https://go.microsoft.com/fwlink/p/?LinkId=255251).
+1. [Download the latest SharePoint Online Management Shell](https://go.microsoft.com/fwlink/p/?LinkId=255251).> [!NOTE] > If you installed a previous version of the SharePoint Online Management Shell, go to Add or remove programs and uninstall "SharePoint Online Management Shell."
-3. Connect to SharePoint as a [Global Administrator or SharePoint Administrator](./sharepoint-admin-role.md) in Microsoft 365. To learn how, see [Getting started with SharePoint Online Management Shell](/powershell/sharepoint/sharepoint-online/connect-sharepoint-online).
+1. Connect to SharePoint as a [Global Administrator or SharePoint Administrator](./sharepoint-admin-role.md) in Microsoft 365. To learn how, see [Getting started with SharePoint Online Management Shell](/powershell/sharepoint/sharepoint-online/connect-sharepoint-online).
-4. Run the following command:
+1. Run the following command:```PowerShell Set-SPOTenant -MarkNewFilesSensitiveByDefault BlockExternalSharing
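Review bot: in the last two steps the "> [!NOTE]" block is on the same line as list item 1 and the PowerShell fence opens on the same line as "Run the following command:" with no closing fence visible, so confirm the markdown renders with the note as its own blockquote and the fence on its own lines. The procedure also ends at Set-SPOTenant with no way to confirm the change or undo it; add a step that reads the tenant setting back with Get-SPOTenant and a sentence giving the value that restores the default, since an admin who enables this on a tenant without adequate DLP coverage will need to back it out quickly.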