Forum Discussion

GrahamP67
Copper Contributor
Sep 12, 2024

Purview DLP Policy Scope - Shared Mailbox

I have created a block policy in Purview DLP and scoped to a security group.

The policy triggers when a scoped user sends email that matches the policy criteria but doesn't detect when the user sends the same email from a shared mailbox.

Is that a feature of Purview DLP?

I had expected the policy to still trigger as email is sent by the scoped user 'on behalf of' the shared mailbox, and the outbound email appears in Exchange Admin as coming from the scoped user.

1 Reply

    Yes, this behavior is expected and is related to how Purview DLP evaluates Exchange locations.

    DLP policies in Exchange Online are evaluated against the mailbox that is sending the message — not necessarily the user who clicked “Send”.

    When you scope a DLP policy to a security group under Exchange locations, the scope applies to:

    • The mailbox object (user mailbox, shared mailbox, etc.)
    • Not the delegate or the “on behalf of” sender

    So when a scoped user sends mail from their own mailbox, DLP evaluates that mailbox and triggers correctly.

    However, when the same user sends from a shared mailbox:

    • The message is processed as originating from the shared mailbox
    • DLP evaluates the shared mailbox as the sending entity
    • If the shared mailbox is not in scope, the policy will not trigger

    Even though Exchange Admin Center may show the message as “sent by user on behalf of shared mailbox”, DLP does not evaluate delegate context in that way. It evaluates the mailbox location.

    In other words:

    DLP scope = mailbox location
    Not = interactive user identity

    This is consistent with how DLP policies are architected across Exchange workloads.

    If you want the policy to apply when users send from shared mailboxes, you have two options:

    Option 1 – Include shared mailboxes in scope
    You can:

    • Add shared mailboxes directly to the policy scope
    • Or scope “All mailboxes” and use exclusions if needed

    Option 2 – Use Adaptive Scope
    Create an adaptive scope that includes:

    • User mailboxes
    • Shared mailboxes

    Based on RecipientTypeDetails or other attributes.

    Important architectural note:

    DLP is designed to protect data in a location.
    It is not primarily designed to enforce behavior based on “who clicked send”.

    If your requirement is identity-based control regardless of mailbox used, you may need to combine:

    • DLP
    • Transport rules
    • Or Conditional Access / app enforcement

    Summary:

    Yes, this is expected behavior.
    DLP evaluates the mailbox location (shared mailbox in this case), not the delegate identity.
    To trigger the policy, the shared mailbox must also be in scope.
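The following script is an added example and is not part of the original thread or Microsoft's own tooling. It audits the situation the reply describes: it lists shared mailboxes that members of the scoped security group can send from and flags those the policy will not evaluate because the shared mailbox itself is outside the policy's sender scope. It assumes existing Connect-ExchangeOnline and Connect-IPPSSession sessions, and the policy and group names are placeholders.

```powershell
# Added example, not from the original thread. Reports shared mailboxes that members of the
# DLP-scoped security group can send from, and flags the ones the policy will not evaluate because
# the shared mailbox itself is outside the policy's sender scope.
# Assumes an existing Connect-ExchangeOnline and Connect-IPPSSession session; names are placeholders.
$policyName = 'Block-Sensitive-Outbound'   # placeholder: your DLP policy name
$groupName  = 'DLP-Scoped-Users'           # placeholder: mail-enabled security group used as the scope

# Resolve any recipient identity (UPN, display name, canonical name) to a lower-case primary SMTP address
function Resolve-Smtp([string]$identity) {
    $r = Get-Recipient -Identity $identity -ErrorAction SilentlyContinue
    if ($r) { $r.PrimarySmtpAddress.ToString().ToLower() }
}
function Get-GroupSmtpMembers([string]$group) {
    Get-DistributionGroupMember -Identity $group -ResultSize Unlimited |
        ForEach-Object { $_.PrimarySmtpAddress.ToString().ToLower() }
}

$scopedUsers = @(Get-GroupSmtpMembers $groupName)

# Sender scope of the policy: ExchangeSenderMemberOf lists the groups whose members the policy covers;
# an empty list means the policy applies to all senders (assumption: the Exchange location is enabled).
$policy          = Get-DlpCompliancePolicy -Identity $policyName
$senderGroups    = @($policy.ExchangeSenderMemberOf)
$scopedMailboxes = @($senderGroups | ForEach-Object { Get-GroupSmtpMembers $_ })

$report = foreach ($shared in Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited) {
    # Delegates who can send as, or on behalf of, this shared mailbox
    $sendAs = Get-RecipientPermission -Identity $shared.Identity -AccessRights SendAs |
        Where-Object { $_.Trustee -ne 'NT AUTHORITY\SELF' } | ForEach-Object { Resolve-Smtp $_.Trustee }
    $onBehalf  = @($shared.GrantSendOnBehalfTo) | ForEach-Object { Resolve-Smtp $_ }
    $delegates = @(@($sendAs) + @($onBehalf) | Where-Object { $_ } | Sort-Object -Unique)

    $scopedDelegates = @($delegates | Where-Object { $scopedUsers -contains $_ })
    if ($scopedDelegates.Count -eq 0) { continue }   # no scoped user can send from this mailbox

    $sharedSmtp = $shared.PrimarySmtpAddress.ToString().ToLower()
    [pscustomobject]@{
        SharedMailbox   = $sharedSmtp
        ScopedDelegates = $scopedDelegates -join ', '
        InPolicyScope   = ($senderGroups.Count -eq 0) -or ($scopedMailboxes -contains $sharedSmtp)
    }
}

# Shared mailboxes a scoped user can send from, but which DLP evaluates as out of scope
$report | Where-Object { -not $_.InPolicyScope } | Format-Table -AutoSize

# Remediation matching Option 1 in the reply: put the shared mailbox itself into the scoping group
# $report | Where-Object { -not $_.InPolicyScope } |
#     ForEach-Object { Add-DistributionGroupMember -Identity $groupName -Member $_.SharedMailbox }
```

Run it read-only first; the commented remediation only makes sense once you have confirmed that the listed shared mailboxes should be subject to the block policy.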
