Forum Discussion

shreyabhurkuse
Copper Contributor
May 30, 2025

Endpoint DLP Not Enforcing Real-Time Blocking

Hello Team,

I’m currently testing Microsoft Purview Endpoint DLP and have configured policies to block sensitive data activities (e.g., copying to personal Gmail, uploading to cloud apps, etc.). I’ve enabled enforcement mode and selected “Block” for all activities like copy to clipboard, file uploads, and print.

However, despite this configuration:

  • Activities are only being audited, not blocked in real time
  • In Activity Explorer, enforcement mode shows as “Audit”
  • Example: I copied sensitive content into Gmail (saved as draft), and it was not blocked

What I’ve already checked:

  • Enforcement mode is set to “Block”, not just “Audit”
  • Device is onboarded and showing healthy in Microsoft Defender for Endpoint
  • Logged in with a user in scope of the policy
  • Verified DLP policy is enabled and published
  • Confirmed content matches sensitive info type

My questions:

  • Why does the activity still show “Audit” even when set to block?
  • Are there any additional settings, delays, or known issues?
  • How can I force real-time enforcement?
  • Is there a way to validate/test if the policy is fully enforced?

Attaching screenshots of the DLP policy and Activity Explorer for a better understanding of the error. Looking forward to your suggestions.

3 Replies

  • In the Activity Explorer event, check the Policy and Rule name fields to see whether they match the policy you created.

    Also confirm whether the domain mail.google.com (or any other where you want the upload to be blocked) is added in Sensitive service domains block list in DLP settings.

    • shreyabhurkuse
      Copper Contributor

      Hello Saloni,

      In the Activity Explorer event, the Policy and Rule name fields are showing blank; screenshot attached for your reference. And the domain mail.google.com is also added in the Sensitive service domains block list in DLP settings.

      • saloni
        Microsoft

        This means the files are not getting classified and are just audited by default.

        1. Check whether the created policy is synced to the device (device onboarding page shows policy sync status).
        2. Try editing any of the files again or create a new file having sensitive data and upload it. DLP (without just-in-time protection enabled) doesn't work on cold files created before the machine was onboarded.
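As an added example (not part of this thread or Microsoft's own tooling), one way to check from the tenant side whether an Endpoint DLP policy is actually in enforcement mode and whether its rules are set to Block rather than Audit, using Security & Compliance PowerShell. It assumes an existing Connect-IPPSSession session and that the policy and rule objects expose the Mode, EndpointDlpLocation and EndpointDlpRestrictions properties as documented for the Get-DlpCompliancePolicy / Get-DlpComplianceRule cmdlets.

```powershell
# Added example: report the enforcement state of every Endpoint DLP policy and rule.
# Assumes Connect-IPPSSession has already been run (ExchangeOnlineManagement module).
# Policy Mode "Enable" = enforce; "TestWithNotifications" / "TestWithoutNotifications" = audit only.

$report = foreach ($policy in Get-DlpCompliancePolicy) {
    # Only policies that target endpoint devices matter for Endpoint DLP.
    if (-not $policy.EndpointDlpLocation) { continue }

    foreach ($rule in Get-DlpComplianceRule -Policy $policy.Name) {
        # Assumed shape: a list of Setting/Value pairs such as CopyPaste=Block, CloudEgress=Audit.
        $restrictions = @($rule.EndpointDlpRestrictions)
        $notBlocking  = @($restrictions | Where-Object { $_.Value -ne 'Block' })

        [pscustomobject]@{
            Policy       = $policy.Name
            PolicyMode   = $policy.Mode
            Rule         = $rule.Name
            RuleDisabled = $rule.Disabled
            Restrictions = ($restrictions | ForEach-Object { "$($_.Setting)=$($_.Value)" }) -join ', '
            # Enforced only if the policy is live, the rule is on, and every restriction is Block.
            Enforced     = ($policy.Mode -eq 'Enable' -and -not $rule.Disabled -and
                            $restrictions.Count -gt 0 -and $notBlocking.Count -eq 0)
        }
    }
}

$report | Format-Table -AutoSize

# Anything listed here is what Activity Explorer will keep reporting as "Audit".
$report | Where-Object { -not $_.Enforced } | ForEach-Object {
    Write-Warning "Not enforcing: policy '$($_.Policy)' (Mode=$($_.PolicyMode)), rule '$($_.Rule)': $($_.Restrictions)"
}

# The sensitive service domain configuration lives in the tenant-wide endpoint settings;
# review it manually for the domain you expect to be blocked (e.g. mail.google.com).
(Get-PolicyConfig).EndpointDlpGlobalSettings | Format-List
```

A rule that reports Enforced but still shows Audit on the device points at the client side (policy sync or cold files), as the reply above describes.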
