Forum Discussion
Afsar_Shariff
Jul 07, 2025 · Brass Contributor
What is Enforcement mode in Activity Explorer
Hello Everyone, In the Microsoft Purview DLP policy Activity Explorer, there is a field called "Enforcement mode". I see there are entries like Warn, WarnAndBypass and Audit and some blanks. I want to k...
- Jul 09, 2025
Hello Afsar_Shariff,
Enforcement mode is the action taken for the DLP condition, like audit, allow, block, block with override.
WarnAndBypass in Activity Explorer means the "Block with Override" option in an endpoint DLP policy.
This is not the case for user overrides in other workload policies like Exchange, Teams, etc. You will still see the override activity for these in Activity Explorer as "DLP rule matched" or "DLP Rule undo", but not the enforcement mode.
Hope that clarifies.
Regards,
PI
Please mark as solution, if you find the answer helpful. This will assist others in the community who encounter a similar issue, enabling them to quickly find the solution and benefit from the guidance provided.
techtalk_nu
Jul 09, 2025 · Copper Contributor
This exists because Endpoint DLP has specific enforcement actions at the device level, unlike cloud-based workloads.
Example:
- Copying a file with sensitive data to USB - WarnAndBypass (Endpoint DLP)
- Sending sensitive data via Exchange with override - DLP rule undo (Exchange DLP)
Hope this clears it up!