Forum Discussion

Sergio_Londono
Copper Contributor
Apr 13, 2026

Endpoint DLP Collection Evidence on Devices

Hello team, 

I am trying to set up the feature that collects evidence when an endpoint DLP rule matches.

Official feature documentation:

https://learn.microsoft.com/en-us/purview/dlp-copy-matched-items-learn

https://learn.microsoft.com/en-us/purview/dlp-copy-matched-items-get-started


Unfortunately, it is not working as described in the official documentation. I opened tickets with Microsoft support and Microsoft Services Hub; unfortunately, they don't know how to set it up, or they are unable to solve the issue.

Support ticket:
TrackingID#26040XXXXXXX9201

Service Hub ticket:
https://support.serviceshub.microsoft.com/supportforbusiness/onboarding?origin=/supportforbusiness/create
TrackingID#26040XXXXXXXX924


I followed the steps to configure it:

Based on the Microsoft documentation, I should be able to see the evidence in Activity explorer, the Purview DLP alert, or Defender alerts/incidents.



3 Replies

    • Sergio_Londono
      Copper Contributor

      Hello nikkichapple,
      The Azure blob storage applies when "store the evidence in my storage account" is chosen.
      To make this easier for Microsoft, I chose Microsoft storage. With this setting the evidence is stored in Microsoft storage.

      Unfortunately, both tickets were closed by Microsoft support; they report it is not in scope, but the reality is that they don't know how to configure it. I am trying to see if someone worldwide has enabled this feature.

      It is a good feature on paper, but it is not working and Microsoft didn't help.

      It is required to see the files that end users are moving out of the endpoint to unmanaged environments: USB, RDP, Gmail, Google Drive, generative websites.


      I will open another ticket to see if someone can help.


      If you make it work, please share the steps with me.


      • DerekMorgan2
        Brass Contributor

        Hi Sergio_Londono,

        Frustrating one. The feature is GA as of August 2025 (Roadmap 497838), so this is almost certainly config rather than service-side. Three things worth checking before I try to reproduce it in my lab:

        The per-rule checkbox. Tenant-level evidence collection is a prerequisite, but the actual capture is gated on each rule's action page: "Collect original file as evidence for all selected file activities on Endpoint." Quick confirm in Security & Compliance PowerShell:

        Get-DlpComplianceRule -Identity "rule name" | fl Name, NotifyAllowOverride, *Evidence*

        The viewer roles. In March 2025, Microsoft split out two roles: Data Classification Content Viewer (preview) and Data Classification Content Download (download). Both live in the Information Protection Investigators role group. Without both, the rule fires, the file is stored, and the row renders without an evidence link.

        The activity scope. Endpoint DLP only collects evidence for eight activities: USB, network share, Print, Bluetooth, RDP file copy, cloud upload via service domain groups or unallowed browser, paste-to-browser, and restricted apps. Gmail and Google Drive uploads only count when the browser is on your unallowed list or those domains are in a service domain group.

        If you want a clean split between "didn't collect" and "can't view," this advanced hunting query tells you which side the problem is on:

        CloudAppEvents
        | where ActionType == "DLPRuleMatch"
        | extend EvidenceUri = tostring(RawEventData.EvidenceFileURI)

        Blank URI is config side. Populated URI is viewing side.

        I'll set this up in my lab against a fresh policy with USB egress and Microsoft-managed storage, then report back.
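An offline version of the triage described in the reply above, added here as an example and not code from the thread or from Microsoft: it applies the blank-versus-populated evidence URI rule to rows exported from that advanced hunting query, in Python rather than KQL so it can be run against a saved export and summarised per rule. It assumes rows carry the query's columns (ActionType and a dynamic RawEventData holding EvidenceFileURI); the RuleName key inside RawEventData and all sample rows are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample rows shaped like an export of the thread's hunting query
# (not real tenant data). ActionType and RawEventData.EvidenceFileURI are the
# fields the query uses; RuleName inside RawEventData is an assumed field used
# only to group results per rule.
SAMPLE_ROWS = [
    {"ActionType": "DLPRuleMatch",
     "RawEventData": '{"RuleName": "Block USB egress", "EvidenceFileURI": ""}'},
    {"ActionType": "DLPRuleMatch",
     "RawEventData": '{"RuleName": "Block USB egress"}'},  # property absent entirely
    {"ActionType": "DLPRuleMatch",
     "RawEventData": {"RuleName": "Audit cloud upload",
                      "EvidenceFileURI": "https://example.invalid/evidence/1"}},
    {"ActionType": "DLPRuleMatch",
     "RawEventData": {"RuleName": "Audit cloud upload", "EvidenceFileURI": None}},
    {"ActionType": "FileUploaded",  # not a DLP rule match; filtered out
     "RawEventData": {"RuleName": "n/a", "EvidenceFileURI": "https://example.invalid/x"}},
]

CONFIG_SIDE = "config side"
VIEWING_SIDE = "viewing side"


def _raw(row):
    """RawEventData is a dynamic column; exports deliver it as a JSON string or a dict."""
    raw = row.get("RawEventData") or {}
    if isinstance(raw, str):
        raw = json.loads(raw)
    return raw


def evidence_uri(row):
    """Python equivalent of `extend EvidenceUri = tostring(RawEventData.EvidenceFileURI)`.
    A missing or null property becomes "" (what tostring() yields for null)."""
    value = _raw(row).get("EvidenceFileURI")
    return "" if value is None else str(value)


def classify_row(row):
    """The thread's rule: blank URI -> config side, populated URI -> viewing side.
    Rows that are not DLPRuleMatch events are ignored (None)."""
    if row.get("ActionType") != "DLPRuleMatch":
        return None
    return VIEWING_SIDE if evidence_uri(row).strip() else CONFIG_SIDE


def triage(rows):
    """Count blank vs populated evidence URIs per rule (RuleName is the assumed key)."""
    summary = defaultdict(lambda: {CONFIG_SIDE: 0, VIEWING_SIDE: 0})
    for row in rows:
        side = classify_row(row)
        if side is None:
            continue
        rule = _raw(row).get("RuleName", "<unknown rule>")
        summary[rule][side] += 1
    return dict(summary)


def diagnose(summary):
    """Turn the per-rule counts into the next thing to check, per the reply above."""
    verdicts = {}
    for rule, counts in summary.items():
        if counts[VIEWING_SIDE] > 0:
            # The service stored evidence for this rule at least once, so an empty
            # row in the portal points at the viewer/download roles, not the policy.
            verdicts[rule] = VIEWING_SIDE
        elif counts[CONFIG_SIDE] > 0:
            # Every match produced no evidence URI: check the per-rule checkbox and
            # whether the activity is one the endpoint actually collects for.
            verdicts[rule] = CONFIG_SIDE
    return verdicts


if __name__ == "__main__":
    counts = triage(SAMPLE_ROWS)
    for rule, verdict in diagnose(counts).items():
        print(f"{rule}: {verdict} ({counts[rule]})")
```

A rule with both blank and populated URIs is reported as viewing side, since at least one capture succeeded; the blank rows for that rule are then most likely activities outside the eight that collect evidence rather than a missing checkbox.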