Forum Discussion
Migrating DLP Policies from one tenant to other
Has anyone successfully migrated DLP policies from a dev tenant (like contoso.onmicrosoft.com) to a production tenant (paid license with custom domain) in Microsoft Purview without third-party tools?
We're open to using PowerShell, Power Automate, or other Microsoft technologies—such as exporting policies via PowerShell cmdlets from the source tenant, then importing/recreating them in the target tenant using the Microsoft Purview compliance portal or Security & Compliance PowerShell module.
Details: The dev tenant has several active DLP policies across Exchange, Teams, and endpoints that we need to replicate exactly in prod, including sensitive info types, actions, and conditions. Is there a built-in export/import feature, a sample script, or Power Automate flow for cross-tenant migration? Any gotchas with licensing or tenant-specific configs?
There isn’t a built-in export/import mechanism for DLP policies across tenants.
DLP policies contain tenant-bound objects (sensitive info types, locations, conditions, etc.), so they must be recreated in the destination tenant.The most reliable approach is:
- Export the policy definitions using Security & Compliance PowerShell
Get-DlpCompliancePolicy and Get-DlpComplianceRule let you retrieve the configuration, match locations, and extract conditions. - Recreate them in the target tenant using the same cmdlets
(New-DlpCompliancePolicy, New-DlpComplianceRule).
You’ll need to adjust references to any tenant-specific info types or endpoints. - Validate sensitive info types
If you used custom SITs, they must be exported/imported separately or recreated manually before importing the DLP rules.
Today there is no cross-tenant migration API for DLP, and Microsoft Purview doesn't offer a native copy/clone feature.
PowerShell automation is the cleanest and most predictable path.- Export the policy definitions using Security & Compliance PowerShell
4 Replies
I must say, I never tried it before myselfe but it is on my list.
Thist would be the Microsoft way to do it professional and save:
Manage Microsoft 365 Tenant Configuration with Azure DevOps - Azure Architecture Center | Microsoft LearnThere isn’t a built-in export/import mechanism for DLP policies across tenants.
DLP policies contain tenant-bound objects (sensitive info types, locations, conditions, etc.), so they must be recreated in the destination tenant.The most reliable approach is:
- Export the policy definitions using Security & Compliance PowerShell
Get-DlpCompliancePolicy and Get-DlpComplianceRule let you retrieve the configuration, match locations, and extract conditions. - Recreate them in the target tenant using the same cmdlets
(New-DlpCompliancePolicy, New-DlpComplianceRule).
You’ll need to adjust references to any tenant-specific info types or endpoints. - Validate sensitive info types
If you used custom SITs, they must be exported/imported separately or recreated manually before importing the DLP rules.
Today there is no cross-tenant migration API for DLP, and Microsoft Purview doesn't offer a native copy/clone feature.
PowerShell automation is the cleanest and most predictable path.I was able to download the policies using these commands but haven't uploaded them to the new tenant as it is not yet created - it will created sometime next week. I will test out the import of the policies then, and if successful i will update here.
- Export the policy definitions using Security & Compliance PowerShell
Hello,
You can export DLP policies, rules and settings using PowerShell.
You can find the details in this techcommunity Microsoft employee Blog talking about this case.
Export DLP Policies, Rules and Settings using PowerShell | Microsoft Community Hub
Thanks,
Moetaz RABAI
