DLP alerts and protection for existing documents in SharePoint and OneDrive


Microsoft documentation states DLP does not send email alerts for existing content and that they are only generated for new content.

Does anyone know the criteria used to determine what's existing content and what's new? Is it something similar to all documents last modified prior to DLP policy going live are existing? E.g., if a document XYZ.docx was modified at 10/05/2021 11am and DLP policy was published at 10/05/2021 11:30am then would an email alert be generated for this document?

We are planning on implementing a DLP policy to BLOCK external sharing of all documents labelled as 'Top Secret'. We don't want the DLP policy to bombard our users with email notifications for existing confidential data stored in SharePoint and OneDrive.

1 Reply
I believe the statement about existing only refers to emails. For example, if you create a DLP Policy at 11am then it will only start generating email alerts for emails sent after 11:30am. It will not generate emails for all prior emails sent.
However, DLP evaluates any content that can be indexed in SharePoint and OneDrive, so in those cases, I would expect an alert to be generated on anything it discovers as sensitive in SharePoint and OneDrive.
"DLP policies apply to all documents that match the policy, whether those documents are new or existing. However, an email notification is only generated when new content matches an existing DLP policy. Existing content is protected, but will not generate a user notification via email."
https://docs.microsoft.com/en-us/microsoft-365/compliance/use-notifications-and-policy-tips?view=o36...
The best way to determine what this is going to find is to browse to Content Explorer. It will show you the matches before the rule fires.