Enabled DLP policies don't seem to be doing anything in OneDrive

%3CLINGO-SUB%20id%3D%22lingo-sub-154489%22%20slang%3D%22en-US%22%3EEnabled%20DLP%20policies%20don't%20seem%20to%20be%20doing%20anything%20in%20OneDrive%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-154489%22%20slang%3D%22en-US%22%3E%3CP%3EI'm%20trying%20to%20get%20DLP%20to%20identify%20very%20obvious%20social%20security%20numbers%2C%20credit%20card%20numbers%2C%20routing%20numbers%2C%20and%20passport%20numbers.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI've%20enabled%20DLP%20in%20two%20tenants%20(one%20production%2C%20one%20test%3B%20they're%20not%20connected%20in%20any%20way)%20and%20scoped%20the%20applicability%20to%20certain%20OneDrive%20accounts.%20I'm%20using%20the%20default%20HIPAA%2C%20US%20PII%2C%20and%20US%20PCI%20templates%2C%20but%20making%20them%20so%20only%20one%20value%20will%20cue%20the%20policy%20to%20take%20effect%20(I'm%20not%20touching%20the%20matching%20%25%20because%20based%20on%20their%20definitions%2C%20my%20test%20data%20%5Bwhich%20is%20real%20information%2C%20just%20used%20for%20test%20purposes%5D%20are%20clearly%20within%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.office.com%2Fen-us%2Farticle%2Fwhat-the-sensitive-information-types-look-for-fd505979-76be-4d9f-b459-abef3fc9e86b%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ethe%20matching%20bounds%3C%2FA%3E).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAt%20first%2C%20I%20tried%20just%20a%20US%20PCI%20policy%20with%20all%20OneDrive%20accounts%20(not%20SPO%2C%20not%20Exchange)%20in%20the%20test%20tenant%2C%20and%20it%20did%20fine%20finding%20the%20file%20with%20the%20credit%20card%20number%20and%20routing%20number.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThen%20I%20tried%20to%20apply%20the%20rest%20of%20the%20policies%20only%20to%20my%20OneDrive%20account%20(which%2C%20oddly%2C%20you%20have%20to%20enter%20using%20the%20OneDrive's%20address%3B%20you%20can't%20search%20for%20a%20user).%20No%20luck.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20the%20production%20tenant%2C%20I've%20got%20scoped%20policies%20set%20up%20with%20the%20same%20test%20data.%20No%20luck.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI've%20tried%20switching%20between%20test%20mode%20and%20on%20mode%20(the%20former%20removes%20any%20sharing%20barriers%20and%20only%20shows%20the%20warning%20icons%20on%20files%3B%20the%20latter%20closes%20down%20sharing%2C%20as%20I%20had%20set%20it%20up).%20No%20luck.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EReindexing%20the%20OneDrive%20account%20doesn't%20work%20(nor%20should%20I%20have%20to%20do%20that%20for%20all%20of%20my%20accounts%20once%20it's%20enabled%20globally%20anyway).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIt's%20not%20acknowledging%20anything%20at%20all.%20Any%20issues%26nbsp%3Banyone%20is%20aware%20of%20with%20DLP%20and%20implementing%20it%20correctly%3F%20I'm%20at%20a%20loss%20and%20don't%20know%20who%20to%20reach%20out%20to%20at%20this%20point.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIt%20should%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CEM%3Ejust%20work%3C%2FEM%3E.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-154489%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAdmin%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAdmin%20Center%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%20Administration%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-159143%22%20slang%3D%22en-US%22%3ERe%3A%20Enabled%20DLP%20policies%20don't%20seem%20to%20be%20doing%20anything%20in%20OneDrive%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-159143%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20have%20similar%20issue%20here.%20Please%20let%20me%20know%20if%20you%20got%20any%20progress.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-158320%22%20slang%3D%22en-US%22%3ERe%3A%20Enabled%20DLP%20policies%20don't%20seem%20to%20be%20doing%20anything%20in%20OneDrive%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-158320%22%20slang%3D%22en-US%22%3Esmells%20like%20support%20ticket%20to%20me%20%3AD%3C%2Fimg%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-158197%22%20slang%3D%22en-US%22%3ERe%3A%20Enabled%20DLP%20policies%20don't%20seem%20to%20be%20doing%20anything%20in%20OneDrive%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-158197%22%20slang%3D%22en-US%22%3E%3CP%3EYes%2C%20we%20went%20down%20to%20one%20instance%20and%2010%25%20match%20to%20a%20US%20social%20security%20number%20in%20a%20file.%20That%20should%20have%20made%20it%20so%20a%20birthday%20would%20have%20been%20flagged!%20D%3A%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-155108%22%20slang%3D%22en-US%22%3ERe%3A%20Enabled%20DLP%20policies%20don't%20seem%20to%20be%20doing%20anything%20in%20OneDrive%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-155108%22%20slang%3D%22en-US%22%3EDid%20you%20try%20tuning%20the%20rules%20for%20Instance%20count%20and%20Match%20accuracy%3F%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.office.com%2Fen-us%2Farticle%2Foverview-of-data-loss-prevention-policies-1966b2a7-d1e2-4d92-ab61-42efbb137f5e%23tune%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.office.com%2Fen-us%2Farticle%2Foverview-of-data-loss-prevention-policies-1966b2a7-d1e2-4d92-ab61-42efbb137f5e%23tune%3C%2FA%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-155099%22%20slang%3D%22en-US%22%3ERe%3A%20Enabled%20DLP%20policies%20don't%20seem%20to%20be%20doing%20anything%20in%20OneDrive%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-155099%22%20slang%3D%22en-US%22%3E%3CP%3ESorry%2C%20didn't%20indicate%20this%20was%20over%20the%20course%20of%20a%20couple%20days%2C%20so%20that%20should%20no%20longer%20be%20a%20concern.%20Thanks%20though!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-154680%22%20slang%3D%22en-US%22%3ERe%3A%20Enabled%20DLP%20policies%20don't%20seem%20to%20be%20doing%20anything%20in%20OneDrive%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-154680%22%20slang%3D%22en-US%22%3E%3CP%3EGive%20it%20some%20time.%20It%20usually%20takes%20a%20day%20or%20two%20in%20my%20experience%2C%20nowhere%20near%20the%20SLAs%20Microsoft%20has%20specified%20in%20the%20documentation.%20And%20changes%20to%20the%20policy%20will%20force%20a%20redeploy%2C%20so%20you%20have%20to%20wait%20again.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Deleted
Not applicable

I'm trying to get DLP to identify very obvious social security numbers, credit card numbers, routing numbers, and passport numbers.

 

I've enabled DLP in two tenants (one production, one test; they're not connected in any way) and scoped the applicability to certain OneDrive accounts. I'm using the default HIPAA, US PII, and US PCI templates, but making them so only one value will cue the policy to take effect (I'm not touching the matching % because based on their definitions, my test data [which is real information, just used for test purposes] are clearly within the matching bounds).

 

At first, I tried just a US PCI policy with all OneDrive accounts (not SPO, not Exchange) in the test tenant, and it did fine finding the file with the credit card number and routing number.

 

Then I tried to apply the rest of the policies only to my OneDrive account (which, oddly, you have to enter using the OneDrive's address; you can't search for a user). No luck.

 

In the production tenant, I've got scoped policies set up with the same test data. No luck.

 

I've tried switching between test mode and on mode (the former removes any sharing barriers and only shows the warning icons on files; the latter closes down sharing, as I had set it up). No luck.

 

Reindexing the OneDrive account doesn't work (nor should I have to do that for all of my accounts once it's enabled globally anyway).

 

It's not acknowledging anything at all. Any issues anyone is aware of with DLP and implementing it correctly? I'm at a loss and don't know who to reach out to at this point.

 

It should just work.

6 Replies
Highlighted

Give it some time. It usually takes a day or two in my experience, nowhere near the SLAs Microsoft has specified in the documentation. And changes to the policy will force a redeploy, so you have to wait again.

Highlighted

Sorry, didn't indicate this was over the course of a couple days, so that should no longer be a concern. Thanks though!

Highlighted
Highlighted

Yes, we went down to one instance and 10% match to a US social security number in a file. That should have made it so a birthday would have been flagged! D:

Highlighted
smells like support ticket to me :D
Highlighted

We have similar issue here. Please let me know if you got any progress.