Forum Discussion

ViktorMalum
Copper Contributor
Aug 19, 2025

Clarification on collection policies

I'm in the midst of trying the new collection policies feature in Purview and I stumbled upon something that I'm not really clear on.

An article from Microsoft says the following:

Collection policies and Endpoint Data Loss Prevention

When Always audit file activity for devices is enabled all activities for Office, PDF, and CSV files are collected by default. If you want to modify which activities are collected for devices in this case, you can do so by configuring a collection policy targeted to devices. If Always audit file activity for devices isn't enabled, activities aren't collected from devices, even if a collection policy is created scoped to devices.

Collection policies can't impact the behavior of DLP policies, only what is collected and recorded for audit file events on devices.

https://learn.microsoft.com/en-us/purview/collection-policies-solution-overview

Let's say I were to configure a collection policy and choose File uploaded to cloud as the activity to detect. Does this mean I won't be able to see other DLP activity logs in Activity explorer after I enable the collection policy?

1 Reply

  • Hello ViktorMalum,

    1. If Always audit file activity for devices is enabled, then by default, when devices are onboarded, activity for Office, PDF, and CSV files is automatically audited and available for review in activity explorer. 
    2. If you want to restrict this for certain file actions only, for example, 'File Created' and 'File Modified' activities only to be audited, the same can be achieved using collection policy. 
    3. If Always audit file activity for devices isn't enabled, no activity is collected for devices even when there is a collection policy. This universal setting should be enabled to audit any activity. 

    To your query, 

    Scenario 1:

    1. You have Always audit file activity for devices enabled.
    2. You have a collection policy for File uploaded to cloud activity, enabled and scoped to devices.

    Result: You should see this activity (Office, PDF, CSV) in activity explorer.

    Scenario 2: You have Always audit file activity for devices enabled. No collection policy configured.

    Result: You should see all activities (Office, PDF, CSV) in activity explorer.

    Scenario 3: You have Always audit file activity for devices not enabled.

    Result: You will not see any activity under activity explorer.

    Hope that clarifies. 

    References: https://learn.microsoft.com/en-us/purview/dlp-configure-endpoint-settings#always-audit-file-activity-for-devices 

    Collection policies policy reference | Microsoft Learn

    Regards,

    PI

    Please mark as solution, if you find the answer helpful. This will assist others in the community who encounter a similar issue, enabling them to quickly find the solution and benefit from the guidance provided.
