Enabled DLP policies don't seem to be doing anything in OneDrive


I'm trying to get DLP to identify very obvious social security numbers, credit card numbers, routing numbers, and passport numbers.

I've enabled DLP in two tenants (one production, one test; they're not connected in any way) and scoped the applicability to certain OneDrive accounts. I'm using the default HIPAA, US PII, and US PCI templates, but making them so only one value will cue the policy to take effect (I'm not touching the matching % because based on their definitions, my test data [which is real information, just used for test purposes] are clearly within the matching bounds).

At first, I tried just a US PCI policy with all OneDrive accounts (not SPO, not Exchange) in the test tenant, and it did fine finding the file with the credit card number and routing number.

Then I tried to apply the rest of the policies only to my OneDrive account (which, oddly, you have to enter using the OneDrive's address; you can't search for a user). No luck.

In the production tenant, I've got scoped policies set up with the same test data. No luck.

I've tried switching between test mode and on mode (the former removes any sharing barriers and only shows the warning icons on files; the latter closes down sharing, as I had set it up). No luck.

Reindexing the OneDrive account doesn't work (nor should I have to do that for all of my accounts once it's enabled globally anyway).

It's not acknowledging anything at all. Any issues anyone is aware of with DLP and implementing it correctly? I'm at a loss and don't know who to reach out to at this point.

It should just work.

6 Replies

Give it some time. It usually takes a day or two in my experience, nowhere near the SLAs Microsoft has specified in the documentation. And changes to the policy will force a redeploy, so you have to wait again.

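Sorry, didn't indicate this was over the course of a couple days, so that should no longer be a concern. Thanks though!

Did you try tuning the rules for Instance count and Match accuracy?
https://support.office.com/en-us/article/overview-of-data-loss-prevention-policies-1966b2a7-d1e2-4d92-ab61-42efbb137f5e#tune
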
Yes, we went down to one instance and 10% match to a US social security number in a file. That should have made it so a birthday would have been flagged! D:

Smells like a support ticket to me :D

We have a similar issue here. Please let me know if you made any progress.
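
The replies above point at policy distribution delay, scoping by OneDrive address, test versus on mode, and instance count and match accuracy. The following read-only check gathers all four in one report; it is an added example, not part of the original thread. It assumes the ExchangeOnlineManagement module, an account allowed to read DLP policies, rules whose sensitive information types are listed flat (not in groups), and a constructed placeholder OneDrive URL.

```powershell
# Added example, read-only: nothing here modifies a policy or rule.
# Assumes the ExchangeOnlineManagement module and permission to read DLP policies.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# Constructed placeholder: the OneDrive site URL entered when scoping the policy.
$oneDriveUrl = 'https://contoso-my.sharepoint.com/personal/user_contoso_com'

$report = foreach ($policy in Get-DlpCompliancePolicy -DistributionDetail) {
    # Locations the policy covers; 'All' means every OneDrive account.
    $scope   = @($policy.OneDriveLocation | ForEach-Object { $_.Name })
    $inScope = ($scope -contains 'All') -or ($scope -contains $oneDriveUrl)

    foreach ($rule in Get-DlpComplianceRule -Policy $policy.Name) {
        # One entry per sensitive information type the rule looks for,
        # with the instance count and match accuracy thresholds set on it.
        $types = foreach ($sit in $rule.ContentContainsSensitiveInformation) {
            '{0} (min count {1}, min confidence {2})' -f `
                $sit.name, $sit.mincount, $sit.minconfidence
        }

        [pscustomobject]@{
            Policy         = $policy.Name
            Mode           = $policy.Mode                # test mode or enforced
            Distribution   = $policy.DistributionStatus  # has the policy deployed yet
            OneDriveScoped = $inScope
            OneDriveScope  = $scope -join ', '
            Rule           = $rule.Name
            RuleDisabled   = $rule.Disabled
            LooksFor       = $types -join '; '
        }
    }
}

# Full picture first, then only the rows that explain "nothing is happening":
# not yet distributed, test OneDrive not in scope, or rule switched off.
$report | Format-List
$report | Where-Object {
    $_.Distribution -ne 'Success' -or -not $_.OneDriveScoped -or $_.RuleDisabled
} | Format-Table Policy, Rule, Distribution, OneDriveScoped, RuleDisabled
```

An empty second table means every policy reports as distributed, covers the test OneDrive, and has its rules enabled, so the thresholds in `LooksFor` are the next thing to compare against the test file.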