
FahadAhmed
Brass Contributor
Jan 03, 2024

OneDrive DLP false positive issue

Hi,

We are currently facing a very absurd issue. We have opened a support case with Microsoft, and it seems like they are unable to resolve the issue.

We have a DLP policy implemented where any file shared outside of the organization through OneDrive or SharePoint will trigger the policy. Currently there are thousands of alerts in Activity explorer for policy hits. However, investigation shows that it's just user files syncing to OneDrive, and the DLP policy is still being triggered.

Has anyone experienced the same issue?

  • vicwingsing
    Brass Contributor

    FahadAhmed

    What is in the activity explorer details? Does it only show syncing in the details?

    Also, if applying DLP to prevent users from sharing files using OneDrive or SharePoint is the objective, you can also try using Microsoft Defender for Cloud Apps (MDCA). You will need to create a file policy for this. I find this is better than using just Purview DLP.

    Here's an example of a file policy I created in my lab where I monitor all files WITHOUT a label from being shared in OneDrive and SharePoint.
