
Microsoft Purview DLP Policy Error: "'DocumentCreatedByMemberOf' Parameter is supported only in None locations. Either remove the parameter or scope policy only to None."

Anonymous
2024-09-25T13:58:15+00:00

Hi everybody,

I am trying to set up the following DLP policy:

If a document on any SharePoint site is shared externally but has the information protection label "internal" applied to it AND it was created by a member of our global team (containing all internal users), block external access.
When I try to submit the policy, I get the error "'DocumentCreatedByMemberOf' Parameter is supported only in None locations. Either remove the parameter or scope policy only to None."
If I actually try scoping the policy to "none", it won't even let me pass step 4 of setting up the policy and obviously I want it to be "all" and not "none".

I would also appreciate other potential solutions to achieve this goal.

The policy originally was set to "If a document on any SharePoint site is shared externally but has the information protection label "internal" applied to it", block access to external users - this works, but has a side effect: if an external user submits a document and doesn't have a license to label it, it will automatically get labeled "internal" once the first internal user saves it, and the external user loses access to their own document.

We do have separate policies for setting "external" or "internal" labels for documents uploaded to internal/external teams, but since the policy is not actually applied to the location, but to the members of a group, and all internal users are in at least 1 internal team, every document they create anywhere will get labeled internal by default.

Best regards,

Robin


Locked question. This question was migrated from the Microsoft Support Community.


5 answers

  1. Anonymous
    2024-10-02T09:43:44+00:00

    Dear Ralph and for everybody else who might run into this issue:

    It is simply broken. Support wasn't able to do anything or provide any meaningful help. The first suggestion was scoping the policy to only selected sites, but this results in a different error. The second suggestion was something on the roadmap which might in future help solve this issue. I am seriously shocked by the lack of quality and by being told to add this as feedback. This should not have passed internal testing.

    1 person found this answer helpful.
  2. Anonymous
    2024-10-03T20:38:50+00:00

    Dear Robin,

    Good day! Hope you are doing well.

    I am really sorry about this, and I will also report the issue from my end. Once again, I apologize for the inconvenience this has caused. We appreciate your patience and understanding and thank you for your time and cooperation.

    Sincerely,

    Ralph Chawatama | Microsoft Community Moderator

  3. Anonymous
    2024-09-27T23:14:46+00:00

    Dear Robin,

    Good day! Hope you are doing well.

    After analyzing the results we obtained and conducting further investigations, we have concluded that this issue requires more resources and expertise than our forum team currently possesses. Therefore, I recommend that you create a support ticket with Microsoft Support directly by following the steps from this link: Get support - Microsoft 365 admin | Microsoft Learn

    If you are not an admin, you can contact your admin to contact Microsoft support. You can look for the way to find your admin through this link: How do I find my Microsoft 365 admin? - Microsoft Support

    Please accept my sincere apologies for not being able to resolve the problem and for redirecting you to the related development team. I regret any inconvenience this may cause. The fix to your concern can be identified through the background logs, and I suggest you raise a support ticket from the Office 365 admin center, where the related team will investigate the problem further by collecting the necessary background logs.

    Once again, I apologize for the inconvenience this has caused. We appreciate your patience and understanding and thank you for your time and cooperation.

    Sincerely,

    Ralph Chawatama | Microsoft Community Moderator

  4. Anonymous
    2024-09-27T08:59:51+00:00

    Hi Ralph,

    thank you very much for your swift reply.

    Here are the settings in detail:

    If I set notify user to disabled, I additionally get a different error:

    Missing parameter: 'NotifyUser'. Use of 'BlockAccessScope PerUser' requires -BlockAccess $true -AccessScope NotInOrganization -NotifyUser -NotifyAllowOverride parameters.

    Best regards,

    Robin

    On a side note: The UI for setting up advanced DLP rules seems incredibly broken in many aspects. Could you perhaps have this rechecked by quality management? There are multiple possibilities to set non-functional combinations of options, the documentation is poor, and rules are saved with empty content if you get an error while submitting.

  5. Anonymous
    2024-09-26T20:56:28+00:00

    Dear Robin_1985,

    Good day! Thank you for posting to Microsoft Community. We are happy to help you.

    We are sorry to hear that you’re having trouble with creating a Microsoft Purview DLP Policy. I deeply understand the inconvenience caused and apologize for it.

    We appreciate your understanding that sometimes the initial response may not resolve the problem immediately. However, we can work together to narrow down and resolve the situation. So, for further troubleshooting, could you please provide a screenshot of the Create rule section under Advanced DLP rules? You can upload the screenshot using this feature: 
    ![](https://learn-attachment.microsoft.com/api/attachments/835d07f6-443e-4f45-a903-5a171e51e9e3?platform=QnA)
