Microsoft Tech Community

MDCA File Policy in Trash option

Hi Community, has anyone played around with the "in Trash" option in MDCA file policy (DLP)?

I created a detection policy for (a)

  • sensitivity label + ms info protection + equals + confi labelled files
  • App + equals + sharepoint online and onedrive

and (b)

  • sensitivity label + ms info protection + equals + confi labelled files
  • App + equals + sharepoint online and onedrive
  • in trash + is + false

Both detection policies resulted in the same policy match count.

I reviewed this kb - https://learn.microsoft.com/en-us/defender-cloud-apps/file-filters

In trash – Exclude/include files in the trash folder. These files may still be shared and pose a risk.

Would users' deleted files = files that have been moved to trash?

If my result shows that the value is similar, would a files retention hold policy applied to SPO and OneDrive impact the result, because the files aren't really 'deleted' into the trash?


Look forward to hearing anyone else with similar experiences and how they go about reducing the number of policy matches when files are already 'trashed'. :)

5 Replies

Hi @jokej_outlook,


If a file has been deleted and trashed my expectation is that it would fall out of file matches and be removed from the UI in Defender for Cloud Apps.

@Keith_Fleming have you had experience if there's a retention hold in place for files stored in OneDrive and SharePoint Online?

I am unsure if it's related, but it seems that file violations stayed in the detected list even after they've been deleted by users.

One work-around I had was to manually 'refresh' the files in MDCA, that seems to help, but I have 1.2mil violations and I can't 'refresh' all of them regularly from the console.

@jokej_outlook after the refresh, is the file being deleted from the UI?

If you create a new file policy I would expect files in scope to be rescanned automatically without needing to refresh.

That's right, because MDCA employs 2 separate scanning engines: one to process at near-real-time speed and another for files already present in the system. By creating a new policy, the whole list will be refreshed.
Unfortunately, I can't go that route because I have a downstream process which requires the same policy ID.

@jokej_outlook I would recommend opening up a case for this so it can be investigated. If the file is in the trash and it's deleted, I wouldn't expect to see it in the UI and matching a policy.