Wednesday, February 13, 2019

How Microsoft completely failed to protect SharePoint Online files with Office 365 labels and DLP


Microsoft provides a feature that lets users apply Office 365 labels and data loss prevention (DLP) policies to SharePoint Online team sites with various levels of information protection. It looks exciting to design and deploy Office 365 labels and DLP policies for baseline, sensitive, and highly confidential SharePoint Online team sites, as highlighted in this Microsoft article.

One of the use cases is to use a SharePoint policy to label one document library as highly sensitive and not allow sharing with external users. External users are not allowed to request access. After you configure the policy, the documents in the library have a small icon to indicate the policy. See the screenshot. This looks good so far.

However, after a few days of configuration, debugging, and discussion with Microsoft, this DLP feature seems to be funny and stupid and will fail completely! Here are a few issues, and I'll provide real-life examples to explain the details.

The first issue is that after the label and policy are applied, it may take one day to apply to the SharePoint site and seven days to sync to the items. When you have a policy enabled on the document library, any document uploaded will NOT have the policy until the policy is applied, with up to a one-day delay. In the previous screenshot, you will see two documents that do not have the policy applied at that time!

This is like a law officer such as a policeman adding a "Stop" sign to the road. However, it will not take effect until a day later. Every new car arriving on this street will not see the sign until one day later. This applies to every new car!!!

The second issue is that a user can edit the document properties and remove the label. See the screenshot below.


This is like a law officer such as a policeman adding a "Stop" sign to the road. However, the driver can remove the stop sign! Every driver can remove the stop sign!!!


The third issue is that a user can edit the document properties and change the label to a different one, even if it is not assigned to this library. See the screenshot above; there are two labels.

This is like a law officer such as a policeman adding a "Stop" sign to the road. However, the driver can change it to a different sign like a "Slow" sign! Every driver can change the sign to ANY other sign available!!!
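A compensating check for all three issues, added here as an example and not part of the original post: a PnP PowerShell script that lists the documents in a library whose label is missing (not yet applied, or removed by a user) or different from the label configured on the library. It assumes the PnP.PowerShell module is installed, that `Get-PnPLabel` returns the library label with a `TagName` property, that items expose the applied label in the `_ComplianceTag` field, and uses a placeholder site URL.

```powershell
# Added example, not code from the original post.
# Audits one SharePoint Online library for documents whose retention label
# is missing, removed, or different from the library's configured label.
param(
    [Parameter(Mandatory)] [string] $SiteUrl,   # placeholder, e.g. https://contoso.sharepoint.com/sites/Finance
    [string] $LibraryName = "Documents"
)

Connect-PnPOnline -Url $SiteUrl -Interactive

# Label the library is supposed to stamp on every document (assumed: TagName property).
$expected = (Get-PnPLabel -List $LibraryName).TagName
if (-not $expected) { throw "No label is configured on library '$LibraryName'." }

$findings = @()
$fields = "FileLeafRef", "_ComplianceTag", "Modified", "Editor"
foreach ($item in Get-PnPListItem -List $LibraryName -PageSize 500 -Fields $fields) {
    if ($item.FileSystemObjectType -ne "File") { continue }   # skip folders

    # Assumed: the applied label is exposed on the item as _ComplianceTag.
    $actual = $item.FieldValues["_ComplianceTag"]
    $status = if (-not $actual) { "MISSING" }            # not yet synced (issue 1) or removed (issue 2)
              elseif ($actual -ne $expected) { "MISMATCH" }  # switched to another label (issue 3)
              else { $null }

    if ($status) {
        $findings += [pscustomobject]@{
            Status   = $status
            File     = $item.FieldValues["FileLeafRef"]
            Label    = $actual
            Expected = $expected
            Modified = $item.FieldValues["Modified"]
            Editor   = $item.FieldValues["Editor"].LookupValue
        }
    }
}

# MISSING rows that are older than the expected sync delay, and every MISMATCH row,
# are the documents the policy is not actually protecting.
$findings | Sort-Object Status, File | Format-Table -AutoSize
```

Run it on a schedule and alert on the MISMATCH rows and on MISSING rows whose Modified time is older than the documented sync delay, since those are the cases the library policy itself will not catch.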

Now you will understand why the SharePoint Online files with Office 365 labels and DLP protection feature is so funny and stupid! I've raised the issue on the Microsoft UserVoice site.
