Exchange DLP detection is not working

I have a customer that has the "Microsoft 365 E5 Information Protection and Governance" add-on license; they also have the M365 E3 license.

We have set up DLP policies in Exchange to detect credit card numbers (the policy has no actions, no alerts or incidents). We just need to see the DLP matches, but nothing is showing in Activity explorer or in the DLP matches report after many tries.

Also, we have another policy to detect in Teams, but nothing is showing in Activity explorer either.

The same policy works fine in another tenant, and I could see the detections in Activity explorer, but that tenant has the full E5.

What might be the issue that DLP policies are not showing any activities or detections?

Note: the same policy is working for SharePoint DLP detections.

8 Replies

Hi @BaselFawal,

There could be several reasons for this. Be sure that DLP policies are correctly configured (number of instances) and enabled from the Compliance center only. In addition, confirm that the correct content sources are selected. If you are scanning SPO or OneDrive, this could take time after activating the policy. Finally, test whether the content is detectable directly from the SIT or classifier that you are using in your DLP rule.

Thanks!

Hi @IsmKay

Actually, we discovered that DLP is working for SharePoint. We have set up a DLP policy that has the three locations (Exchange, SharePoint and Teams); the DLP detections are working for SharePoint (documents uploaded, etc.), but not for Exchange emails.

There is no detection in Activity explorer for Exchange emails sent and received that contain the same sensitive info, as it is one policy.

So now Exchange DLP is not working; all mailboxes are migrated to Exchange Online.

Hi @BaselFawal

If you've created DLP policies in the Exchange admin center, those policies will continue to work side by side with any policies for email that you create in the Compliance portal. But note that rules created in the Exchange admin center take precedence. All Exchange mail flow rules are processed first, and then the DLP rules from the Compliance portal are processed.

It means:

  • Messages that are blocked by Exchange mail flow rules won't get scanned by DLP rules created in the Compliance portal.
  • Messages that are quarantined by Exchange mail flow rules or any other filters run before DLP won't be scanned by DLP.
  • If an Exchange mail flow rule modifies a message in a way that causes it to match a DLP policy in the Compliance portal, such as adding external users, then the DLP rules will detect it and enforce the policy as needed.

Also note that Exchange mail flow rules that use the "stop processing" action don't affect the processing of DLP rules in the Compliance portal - they'll still be processed.

https://learn.microsoft.com/en-us/microsoft-365/compliance/how-dlp-works-between-admin-centers?view=...

Thanks!
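
Added example, not part of the thread or of Microsoft's documentation: a PowerShell check for the conditions the two replies above describe (policy enabled and distributed to Exchange, mail flow rules that remove messages before DLP sees them, and whether the SIT matches the test text at all). It assumes the ExchangeOnlineManagement module and read access to DLP policies and mail flow rules; the policy name is a placeholder and the card number is a constructed test value.

```powershell
# Added diagnostic sketch (assumption: ExchangeOnlineManagement module is installed).
$PolicyName = '<your DLP policy name>'   # placeholder, not taken from the thread

Connect-IPPSSession       # Security & Compliance PowerShell: DLP policies and rules
Connect-ExchangeOnline    # Exchange Online PowerShell: mail flow (transport) rules

# 1. Is the policy enabled, scoped to Exchange, and distributed without errors?
$policy = Get-DlpCompliancePolicy -Identity $PolicyName -DistributionDetail
$policy | Format-List Name, Mode, Enabled, ExchangeLocation, DistributionStatus
if ($policy.DistributionStatus -ne 'Success') {
    Write-Warning "Distribution status is '$($policy.DistributionStatus)'"
    $policy.DistributionResults | Format-List   # per-workload error details
}
if (-not $policy.ExchangeLocation) {
    Write-Warning 'No Exchange location is selected on this policy.'
}

# 2. Are the rules inside the policy enabled?
Get-DlpComplianceRule -Policy $PolicyName | Format-Table Name, Disabled -AutoSize

# 3. Mail flow rules are processed before Compliance portal DLP rules.
#    List enabled rules that delete, quarantine or reject messages.
$blocking = Get-TransportRule | Where-Object {
    $_.State -eq 'Enabled' -and
    ($_.DeleteMessage -or $_.Quarantine -or $_.RejectMessageReasonText)
}
if ($blocking) {
    Write-Warning 'These mail flow rules can stop a message before DLP scans it:'
    $blocking | Format-Table Priority, Name, DeleteMessage, Quarantine -AutoSize
} else {
    'No enabled mail flow rule deletes, quarantines or rejects messages.'
}

# 4. Does the sensitive information type match the test content on its own?
#    Constructed sample text; 4111 1111 1111 1111 is a common test card number.
$sample = 'Visa credit card number 4111 1111 1111 1111, expiration date 12/2030'
$result = Test-DataClassification -TextToClassify $sample
if ($result.ClassificationResults) {
    $result.ClassificationResults | Format-Table -AutoSize
} else {
    Write-Warning 'No SIT matched the sample text; check the test content first.'
}
```

If every check passes and Activity explorer still shows no Exchange matches, the remaining cause is outside what a tenant admin can inspect from PowerShell.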

Hello, the issue has been resolved by opening a ticket with Microsoft to fix something in the backend. We also had to recreate the policies; after that we could see the DLP detections in Exchange and Teams.

@BaselFawal What was the fix in the backend? Our tenant isn't detecting SSNs in attachments to emails using notifications but can detect them in the body or subject. Not sure if this is related? Thx

Hi tshinkle1, it should detect in both the attachment and message body; you had better open a ticket with Microsoft.
Just wondering if you have tested the policy for other locations, like SharePoint. I mean uploading a document with an SSN to a SharePoint site; it should be visible in Activity explorer in the DLP.

@BaselFawal 
I tried creating an EP and an Exchange policy with the same SIT, but the Exchange one is not working whereas the EP one is detecting as expected.

Kindly suggest a workaround; I already have a case raised with MS but have yet to get a reply.

We are experiencing this same issue as well. Dropping the file in the SIT works; however, the entire email will not flag. @Avisheck