DLP Exceptions issues




We are trying to setup a DLP Policy that does the following:

- If an email contains more than 10 credit card numbers and is being sent to an external email address, notify the DLPAdmin user, except if the source of the email is "customerservice@ourcompany.com".

@ourcompany.com is our Azure Tenant (in this example).


So, we have created a new DLP Policy, as follows:

  • choose locations to apply the policy: Exchange email (all included, none excluded). No other Location is selected

Customized DLP Rule:

  • Sensitive info type: Credit Card Number (High Confidence 10 to Any) AND
  • Content is shared from M365 "with people outside my organization"
  • Except if sender is: "customerservice@ourcompany.com"
  • User notification on: notify these people / send the email to these additional people: DLPAdmin@ourcompany.com

Turn the Policy on right away.



IMHO the above should work...however, DLPAdmin@ourcompany.com always gets notified when the customerservice@ourcompany.com account send an email externally (and contains 10 or more credit cards). I thought the idea of the 'exceptions' was for the DLP rule to work, except when the exclusion = true.


What are we doing wrong?


Thank you,



2 Replies
it doesn't sound like you are doing anything wrong. can you upload a screen shot to confirm?

Hi @Joe Stocker,


Thank you for taking the time to respond.

I have attached the DLP Policy screenshots.


Not sure if its useful, but I am using Outlook Web Access, and not the Outlook client for this setup and testing.


Thank you,