Block guest access to newly added files in SharePoint Online - Sensitive by default

There are two ways to block guest access in SharePoint Online: a Data Loss Prevention (DLP) policy and restricting external sharing in the SharePoint Admin Center. When new files are added to SPO, it takes time to crawl and index them, and additional time for DLP processing. If external sharing is turned on, sensitive information could be shared before DLP processing completes.

To overcome this problem, Microsoft introduced a new feature, sensitive by default: new files are marked as sensitive until at least one Office DLP policy scans the content. If the file has no sensitive content based on the DLP policy, then guests can access the file. If the policy identifies sensitive content, then guests will not be able to access the file.

To turn on sensitive by default, we need the latest SPO module and the Set-SPOTenant cmdlet:

Set-SPOTenant -MarkNewFilesSensitiveByDefault BlockExternalSharing

To disable:

Set-SPOTenant -MarkNewFilesSensitiveByDefault AllowExternalSharing
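
The two commands above can be wrapped in an audit-then-enforce script. This is an added example, not part of the original post or Microsoft's documentation. It assumes the Microsoft.Online.SharePoint.PowerShell module, and the admin URL and the -Enforce switch are placeholders introduced here for illustration.

```powershell
# Added example: report the tenant's sharing posture and turn on
# "sensitive by default" only when asked to.
# $AdminUrl is a placeholder; -Enforce is a hypothetical switch of this script.
param(
    [string]$AdminUrl = 'https://contoso-admin.sharepoint.com',
    [switch]$Enforce
)

$moduleName = 'Microsoft.Online.SharePoint.PowerShell'
$installed = Get-Module -ListAvailable -Name $moduleName |
    Sort-Object Version -Descending | Select-Object -First 1
if (-not $installed) {
    throw "$moduleName is not installed. Run: Install-Module $moduleName"
}
Write-Host "Using $moduleName $($installed.Version)"

Import-Module $moduleName -DisableNameChecking
Connect-SPOService -Url $AdminUrl

$tenant = Get-SPOTenant
# An outdated module does not expose the property, so fail early and clearly.
if ($tenant.PSObject.Properties.Name -notcontains 'MarkNewFilesSensitiveByDefault') {
    throw 'MarkNewFilesSensitiveByDefault is not exposed by this module version; update the module.'
}

# Current posture: is external sharing on, and are new files held until scanned?
[pscustomobject]@{
    SharingCapability              = $tenant.SharingCapability
    MarkNewFilesSensitiveByDefault = $tenant.MarkNewFilesSensitiveByDefault
}

if ("$($tenant.MarkNewFilesSensitiveByDefault)" -eq 'BlockExternalSharing') {
    Write-Host 'Sensitive by default is already on.'
}
elseif ($Enforce) {
    Set-SPOTenant -MarkNewFilesSensitiveByDefault BlockExternalSharing
    # Read the value back rather than trusting that the call succeeded.
    $after = (Get-SPOTenant).MarkNewFilesSensitiveByDefault
    if ("$after" -ne 'BlockExternalSharing') {
        throw "Setting did not apply (current value: $after)."
    }
    Write-Host 'Sensitive by default turned on.'
}
elseif ("$($tenant.SharingCapability)" -ne 'Disabled') {
    Write-Warning 'External sharing is on and new files are not held until DLP scans them. Re-run with -Enforce.'
}
```

Running it without -Enforce only reports the current values, which makes it suitable for a scheduled configuration check.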

Once you turn on this feature and a new file is accessed by a guest, they will be shown the message below. Once the content is scanned and the DLP policy is applied, the corresponding controls are applied.

Reference: Mark new files as sensitive by default - SharePoint in Microsoft 365 - Microsoft Docs