Forum Discussion

lannamal
Copper Contributor
Dec 11, 2025

Test DLP Policy: On-Prem

We have DLP policies based on SITs and they are working well for various locations such as SharePoint, Exchange and endpoint devices. But the DLP policy for on-prem NAS shares is not matching when used with the Microsoft Information Protection scanner.


DLP Rule:

Conditions

Content contains any of these sensitive info types:

Credit Card Number

U.S. Bank Account Number

U.S. Driver's License Number

U.S. Individual Taxpayer Identification Number (ITIN)

U.S. Social Security Number (SSN)


The policy is visible to the scanner and is logged as being executed:

MSIP.Lib    MSIP.Scanner (30548)    Executing policy: Data Discovery On-Prem, policyId: 85........................


and the MIP reports list files with these SITs.

The results:

    Information Type Name - Credit Card Number
                            U.S. Social Security Number (SSN)
                            U.S. Bank Account Number
    Action - Classified
    Dlp Mode -- Test
    Dlp Status -- Skipped
    Dlp Comment -- No match


There is no other information in the logs. Why is the DLP policy not matching, and how can I test the policy?

thanks
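As an added example (not part of the original post or either reply), the following Security & Compliance PowerShell script audits the things a practitioner would check first when a DLP policy reports "Test / Skipped" for scanner-classified files: the policy's mode, the locations it is scoped to (including the on-premises repositories location), and the SIT conditions of each rule, so they can be compared with what the scanner report classified. It assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds a compliance role that can read DLP policies, and that the policy name is the one from the scanner log line; the policy name is otherwise a placeholder, and the key names read from the rule condition object (name, mincount, confidencelevel) are an assumption about that object's shape.

```powershell
# Added example, not the original poster's or Microsoft's code.
# Audit a Purview DLP policy: mode, scoped locations, and per-rule SIT conditions.
# Assumes: ExchangeOnlineManagement module installed; account can read DLP policies.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive sign-in to Security & Compliance PowerShell

# Placeholder: the policy name taken from the scanner log ("Executing policy: ...").
$policyName = 'Data Discovery On-Prem'

$policy = Get-DlpCompliancePolicy -Identity $policyName

# Mode is the first check. TestWithoutNotifications / TestWithNotifications
# only evaluate and report; Enable is required for enforcement.
"Policy : {0}" -f $policy.Name
"GUID   : {0}" -f $policy.Guid        # compare with the policyId in the scanner log
"Mode   : {0}" -f $policy.Mode

# A policy only evaluates content in the locations it is scoped to. Files found by
# the scanner fall under the on-premises repositories location; if that value is
# empty, the scanner has no rule in this policy to evaluate for those files.
"On-prem scanner locations : {0}" -f (@($policy.OnPremisesScannerDlpLocation) -join ', ')
"SharePoint locations      : {0}" -f (@($policy.SharePointLocation) -join ', ')
"Exchange locations        : {0}" -f (@($policy.ExchangeLocation) -join ', ')

# List each rule's SIT conditions so they can be compared with the SITs the
# scanner report classified (Credit Card Number, U.S. SSN, ...).
# Assumption: each condition entry exposes name / mincount / confidencelevel keys.
Get-DlpComplianceRule -Policy $policyName | ForEach-Object {
    "Rule: $($_.Name)  (Disabled=$($_.Disabled))"
    foreach ($sit in @($_.ContentContainsSensitiveInformation)) {
        "  SIT: $($sit.name)  minCount=$($sit.mincount)  confidence=$($sit.confidencelevel)"
    }
}
```

If the mode prints as one of the test values, the rule can still report a match in the scanner output without enforcing; a "Skipped" status with an empty on-premises location list points at scoping rather than at the rule's conditions, which is the distinction the two replies above disagree on.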

2 Replies

  • Ajeeth_Muthu
    Brass Contributor

    This is expected behavior and not related to Test / Simulation mode.

    For on-prem NAS shares scanned by the MIP scanner, DLP rule evaluation is not supported. The scanner only performs SIT detection and classification/labeling. As a result, DLP rules are skipped by design, which is why reports show DLP Status = Skipped / No match, even though SITs are detected correctly.

    If the policy were evaluated in Test mode, you would still see a DLP match (without enforcement). The fact that it is marked as Skipped indicates the workload is not eligible for DLP evaluation.

    Enabling the policy (“Turn the policy on immediately”) will not change this behavior. The same policy will match as expected in supported workloads such as Exchange Online, SharePoint Online, OneDrive, or Endpoint DLP.

    For on-prem data, use the scanner for discovery and labeling, and apply enforcement via Endpoint DLP or after the data moves to a supported cloud workload.

  • Hello lannamal,

    Looking at the logs, it looks like the DLP policy is configured to run in simulation/test mode. That could be the reason why it is not enforced. Please confirm if "Turn the policy on immediately" is set and try again.

    Hope this helps!

    Please mark as solution if you find the answer helpful. This will assist others in the community who encounter a similar issue, enabling them to quickly find the solution and benefit from the guidance provided.