Afsar_Shariff
Brass Contributor
Jul 07, 2025
Solved

What is Enforcement mode in Activity Explorer

Hello Everyone,

In the Microsoft Purview DLP policy Activity explorer, there is a field called "Enforcement mode". I see there are entries like Warn, WarnAndBypass and Audit, and some blanks.

I want to know whether WarnAndBypass gets triggered only for the Endpoint workload or whether it also shows when somebody tries to block with override from Exchange Online and SharePoint OneDrive. I have sent sensitive data to test using Exchange and overridden with justification, but I do not see any entry with WarnAndBypass.

Is there any detailed article on this from Microsoft? If there is, it will be really helpful. Thanks

  • Hello Afsar_Shariff,

    Enforcement mode is the action taken for the DLP condition, like audit, allow, block, block with override.

    The WarnAndBypass in Activity explorer means the "Block with Override" option in an endpoint DLP policy.

    This is not the same case for user overrides for other workload policies like Exchange, Teams, etc. You will still see the activity of override for these in Activity explorer as "DLP rule matched" or "DLP Rule undo" but not the enforcement mode.

    Hope that clarifies.

    Regards,

    PI

    Please mark as solution, if you find the answer helpful. This will assist others in the community who encounter a similar issue, enabling them to quickly find the solution and benefit from the guidance provided.

2 Replies

  • techtalk_nu
    Copper Contributor
    This exists because Endpoint DLP has specific enforcement actions at the device level, unlike cloud-based workloads.
    Example:
    • Copying a file with sensitive data to USB - WarnAndBypass (Endpoint DLP)
    • Sending sensitive data via Exchange with override -  DLP rule undo (Exchange DLP)
    Hope this clears it up!

     
