Microsoft Tech Community

DLP Triggered by a Policy I am No Longer In

Hi everyone,

We are testing out creating a DLP policy that involves blocking by file type when uploading to Dropbox. The first policy I created didn't really do what I expected it to, so I created a second policy that takes a different approach. I removed myself from the first policy and made the second policy top priority, yet I am still seeing the first policy being triggered during my tests. It's been a week, and my policy sync status is up to date.

Has anyone else experienced this?

4 Replies

Hi @Mabel_dlp_999, try to explicitly exclude your account in the first policy under "Locations" -- "Exclude users and groups" and include it in the second policy. Thanks

Thank you so much, great idea. I'll give it a try and confirm if this solution worked.

So after placing an explicit exclusion on myself for policy 1, I am seeing unexpected and inconsistent results.

So for clarity--
Policy 1 = Block all unlabeled document uploads to Dropbox with a file size greater than 1 byte
Policy 2 = Block all uploads to Dropbox if they are NOT word-processing / presentation file types

During testing if I try to upload a csv or xlsx, I may see three different results. One where policy 1 is triggered (even though I am excluded from that policy), one where policy 2 is triggered, and one where it uploads to Dropbox, even though policy 2 should have blocked it.

If you had any advice on this it would be appreciated, though I'd understand if not. Has your experience working with this product been smooth? My experience with Purview has been really terrible so far. I'm wondering if maybe this is a bad product.

Hi @Mabel_dlp_999 

That's strange. I would suggest raising a support case with Microsoft. They can assist and probably run an MDE analyzer to capture logs from your device to understand why the DLP sensor (SenseCA.exe) is not detecting the files with the correct policy match.
If required, I can share the steps to run the MDE analyzer for troubleshooting.
I've seen some inconsistent results in the past but was able to fix them all after making minor changes. Unfortunately, all the information classification/protection solutions today require tuning and training, specifically during initial deployment. :) Thanks