Microsoft Tech Community

What is the best method to migrate Exchange DLP rules to a Compliance DLP Policy?


We have historically used Exchange Mail flow rules to encrypt email for our clients. For example: 


- Apply this rule if: 

1) message is sent outside the organization AND

2) message contains sensitive information (ex: SSN, Credit Card Number, etc.) 

- Do the following:

Rights protect message with RMS template: Encrypt


Earlier this year, Microsoft disabled the ability to create/edit DLP policies/rules in Exchange Admin Center. In November, those rules completely stopped working (yes, they likely notified us a long time ago, and yes, we're way behind on this :( ).


The recommended action is to "migrate" them to Purview DLP in the compliance center. EDIT: found out the migration wizard is only supported for ETRs that are *linked* to DLP policies. Reference: comments section here. Our ETRs are not linked to policies. There is documentation (see here) stating that a migration wizard can be used to move the policies. In the tenant where I'm testing, I have the correct licensing (E3) as required in the documentation; I also have Office 365 DLP licenses. However, the migration wizard is not appearing in the Compliance Center > Data loss prevention > policies. I have beaten my head against the wall with Microsoft support and have gotten no answers.



1. Is there any other way to access the DLP migration wizard other than hoping the banner pops up? (See here under "Migration" #2) (answered above, not available if your ETRs are not linked to a DLP policy)

2. If not, is there any efficient way to move the specific rule mentioned above for several dozen tenants? Perhaps a PowerShell command to create this specific DLP rule that encrypts emails with sensitive content? 

3. If not, is there any documentation from Microsoft on how to configure an email encryption policy like this? If we have to manually create the policy (Purview Compliance > Data loss prevention > create policy), the closest action I see is "restrict access or encrypt the content in Microsoft 365 locations".


0 Replies
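
An added example, not part of the original post and not Microsoft's own script: one way to recreate the mail flow rule described above as a Purview DLP policy from Security & Compliance PowerShell, repeated per tenant. The policy and rule names and the admin accounts are hypothetical. It assumes the ExchangeOnlineManagement module, a DLP-capable compliance role in each tenant, and an RMS template named "Encrypt" as in the original rule.

```powershell
# Added example. Assumptions: ExchangeOnlineManagement is installed, the account holds
# a DLP-capable compliance role in every tenant, and an RMS template named "Encrypt"
# (the name used in the mail flow rule above) exists there.
Import-Module ExchangeOnlineManagement

# Hypothetical names and constructed sample admin accounts, one per tenant.
$PolicyName = 'Encrypt outbound sensitive mail'
$RuleName   = 'Encrypt external mail with SSN or card number'
$Admins     = @('admin@tenant-a.example', 'admin@tenant-b.example')

# Condition 2 of the old rule: match if any one of these sensitive info types is found.
$SensitiveInfo = @{
    operator = 'And'
    groups   = @(
        @{
            operator       = 'Or'
            name           = 'Default'
            sensitivetypes = @(
                @{ name = 'U.S. Social Security Number (SSN)'; mincount = 1 },
                @{ name = 'Credit Card Number'; mincount = 1 }
            )
        }
    )
}

foreach ($Admin in $Admins) {
    Connect-IPPSSession -UserPrincipalName $Admin
    try {
        # Skip tenants that already have the policy so the script can be re-run safely.
        if (-not (Get-DlpCompliancePolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
            # Start in test mode; switch -Mode to Enable after reviewing the matches.
            New-DlpCompliancePolicy -Name $PolicyName -ExchangeLocation All `
                -Mode TestWithoutNotifications | Out-Null
            # Condition 1 (sent outside the organization) plus the encrypt action.
            New-DlpComplianceRule -Name $RuleName -Policy $PolicyName `
                -AccessScope NotInOrganization `
                -ContentContainsSensitiveInformation $SensitiveInfo `
                -EncryptRMSTemplate 'Encrypt' | Out-Null
        }
        # Show what is now in place for this tenant.
        Get-DlpComplianceRule -Policy $PolicyName |
            Select-Object Name, Policy, Disabled, AccessScope, EncryptRMSTemplate
    }
    finally {
        Disconnect-ExchangeOnline -Confirm:$false
    }
}
```

The policy is created in `TestWithoutNotifications` mode so matches can be reviewed before any mail is actually encrypted.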