Forum Discussion

lannamal's avatar
lannamal
Copper Contributor
Dec 11, 2025

Test DLP Policy: On-Prem

We have DLP policies based on SIT and it is working well for various locations such as Sharepoint, Exchange and Endpoint devices. But the DLP policy for On-Prem Nas shares is not matching when used w...
data loss prevention
Information Protection
microsoft purview
Ajeeth_Muthu's avatar
Ajeeth_Muthu
Brass Contributor
Jan 31, 2026

This is expected behavior and not related to Test / Simulation mode.

For on-prem NAS shares scanned by the MIP scanner, DLP rule evaluation is not supported. The scanner only performs SIT detection and classification/labeling. As a result, DLP rules are skipped by design, which is why reports show DLP Status = Skipped / No match, even though SITs are detected correctly.

If the policy were evaluated in Test mode, you would still see a DLP match (without enforcement). The fact that it is marked as Skipped indicates the workload is not eligible for DLP evaluation.

Enabling the policy (“Turn the policy on immediately”) will not change this behavior. The same policy will match as expected in supported workloads such as Exchange Online, SharePoint Online, OneDrive, or Endpoint DLP.

For on-prem data, use the scanner for discovery and labeling, and apply enforcement via Endpoint DLP or after the data moves to a supported cloud workload.