Forum Discussion
Clarification related to JIT for EDLP
Hey Mansha, Microsoft clearly states the below in its documentation:
"When JIT is enabled for devices all user activities are audited, even the activities of the users who aren't in the scope of the policy. Egress activities are audited and blocked for users who are in the policy scope."
So seeing activities from other users is totally normal. For the scoped user's issue, I can think of a few obvious but effective ways:
1. Check if the anti-malware Client version is 4.18.23080 or later.
2. Go to the Data Loss Prevention > Diagnostics page, and select the 'Endpoint DLP not working' card to check whether the scoped devices have met the JIT prerequisite or not.
3. It is possible that the file wasn't really stale. This can be a common scenario, especially for network share files. Please check if the file is really stale by checking the last label/classification timestamp. You can also try to use an intentionally unclassified file or force a stale classification scenario (rename or copy to an unclassified path) and re-test.
If any of the above helps in any way, please like and/or accept as an answer!
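A way to run the version check from step 1 across several scoped devices at once, as an added example that is not part of the reply above. It assumes PowerShell remoting is enabled on the devices; the device names are hypothetical placeholders.

```powershell
# Minimum antimalware client version quoted in step 1 of the reply.
$MinVersion = [version]'4.18.23080'

# Hypothetical device names; replace with the devices in the policy scope.
$Devices = @('DEVICE-01', 'DEVICE-02')

$results = foreach ($device in $Devices) {
    try {
        # Get-MpComputerStatus ships with the Defender module; AMProductVersion
        # is the antimalware client version, a four-part string.
        $status = Invoke-Command -ComputerName $device -ErrorAction Stop -ScriptBlock {
            Get-MpComputerStatus | Select-Object AMProductVersion
        }
        # Casting to [version] compares numerically, so 4.18.9999 does not
        # sort above 4.18.23080 the way a string comparison would.
        $found = [version]$status.AMProductVersion
        [pscustomobject]@{
            Device           = $device
            AMProductVersion = $found
            MeetsMinimum     = ($found -ge $MinVersion)
            Error            = $null
        }
    }
    catch {
        # Unreachable device or Defender cmdlets unavailable: report it
        # instead of assuming the prerequisite is met or missed.
        [pscustomobject]@{
            Device           = $device
            AMProductVersion = $null
            MeetsMinimum     = $null
            Error            = $_.Exception.Message
        }
    }
}

$results | Sort-Object Device | Format-Table -AutoSize
```

Devices with an empty MeetsMinimum could not be queried and need to be checked locally with `Get-MpComputerStatus`.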