In Defender for Cloud Apps file policies, Access level is the filter used to detect how a file is exposed (e.g., Public on the internet, External, Internal, Private). Choosing Access level = External matches files that are shared with users outside your organization—exactly the “shared externally” condition.
Ref: Microsoft Defender for Cloud Apps – Create/Use file policies (File filters: Access level), Microsoft Learn.
See: Microsoft Defender for Cloud Apps > Policies > File policies documentation describing file filters including Access level and its values (Public, External, Internal, Private).
To target files that carry an MIP/AIP classification such as Internal Only, you use the Sensitivity label file filter. Defender for Cloud Apps ingests Microsoft Purview Information Protection labels and lets you build file policies that trigger when a specific label is applied.
Ref: Integrate Microsoft Information Protection with Microsoft Defender for Cloud Apps and File policies – Sensitivity label filter, Microsoft Learn.
These docs explain that MCAS can filter and govern files by Sensitivity label and apply governance based on labels such as Internal Only, Confidential, etc.
Why not the other options?
Collaborators filters by specific users/domains; it’s useful to find files shared with a particular external user but not for the generic “shared externally” condition.
Matched policy is for files already flagged by another policy/DLP engine and does not detect “Internal Only” labeling by itself.
Submit