data loss prevention

13 Topics

DLP USB Block
Currently we have DLP policies setup to block the use of USB devices and copying data to it. When checking the activity explorer I am still seeing user's able to copy data to USB devices and for the action item it says "Audit" when in the DLP policies we explicitly set it to block. Has anyone run into this issue or seen similar behavior?
BIH89
Dec 25, 2025 Place Microsoft Purview
57Views
0likes
2Comments
DLP Policy not Working with OCR
Hello Community, i activated the OCR in Microsoft Purview, and scan works fine infact Purview find image that contains sensible data. I have created DLP Policy that not permit print and move to rdp file that containts "Italy Confidential Data" like "Passport Number, Drivers License ecc..." this policy works for xlsx or word that contains data, but if file word contains image with this data not apply the DLP Rule infact i'm able to print or move into rdp this file also only the jpeg file. Policy match correctly i see it into "Activity Explorer" Is this behavior correct? Regards, Guido
Solved
GuidoImpe
Dec 22, 2025 Place Microsoft Purview
29Views
0likes
1Comment
Clarification related to JIT for EDLP
Can someone help clarify how JIT actually works and in which scenario we should enable JIT. The Microsoft documentation is very differently from what I’m observing during hands-on testing. I enabled JIT for a specific user (only 1 user). For that user, no JIT toast notifications appear for stale files when performing EDLP activities such as copying to a network share, etc. However, for all other users even though JIT is not enabled for them their events are still being captured in Activity Explorer. See SS below.
Solved
Mansha
Dec 15, 2025 Place Microsoft Purview
66Views
0likes
1Comment
Test DLP Policy: On-Prem
We have DLP policies based on SIT and it is working well for various locations such as Sharepoint, Exchange and Endpoint devices. But the DLP policy for On-Prem Nas shares is not matching when used with Microsoft Information Protection Scanner. DLP Rule: Conditions Content contains any of these sensitive info types: Credit Card Number U.S. Bank Account Number U.S. Driver's License Number U.S. Individual Taxpayer Identification Number (ITIN) U.S. Social Security Number (SSN) The policy is visible to the Scanner and it is being logged as being executed MSIP.Lib MSIP.Scanner (30548) Executing policy: Data Discovery On-Prem, policyId: 85........................ and the MIP reports are listing files with these SITs The results Information Type Name - Credit Card Number U.S. Social Security Number (SSN) U.S. Bank Account Number Action - Classified Dlp Mode -- Test Dlp Status -- Skipped Dlp Comment -- No match There is no other information in logs. Why is the DLP policy not matching and how can I test the policy ? thanks
lannamal
Dec 11, 2025 Place Microsoft Purview
38Views
0likes
0Comments
Migrating DLP Policies from one tenant to other
Has anyone successfully migrated DLP policies from a dev tenant (like contoso.onmicrosoft.com) to a production tenant (paid license with custom domain) in Microsoft Purview without third-party tools? We're open to using PowerShell, Power Automate, or other Microsoft technologies—such as exporting policies via PowerShell cmdlets from the source tenant, then importing/recreating them in the target tenant using the Microsoft Purview compliance portal or Security & Compliance PowerShell module. Details: The dev tenant has several active DLP policies across Exchange, Teams, and endpoints that we need to replicate exactly in prod, including sensitive info types, actions, and conditions. Is there a built-in export/import feature, a sample script, or Power Automate flow for cross-tenant migration? Any gotchas with licensing or tenant-specific configs?
Solved
AtharvaTheMaverics
Dec 05, 2025 Place Microsoft Purview
137Views
0likes
4Comments
Customized Oversharing Dialog not working for Exchange DLP
Hi Team, When I'm enabling policy tip as a dialog for custom content. This is not working. I'm testing this option on new outlook. and this is my JSON file { "LocalizationData": [ { "Language": "en-us", "Title": "Add a title", "Body": "Add the body", "Options": [ "I have a business justification", "This message doesn't contain sensitive information", "Business justification" ] } ], "HasFreeTextOption": "true", "DefaultLanguage": "en-us" } For old outlook it's not working there too. No policy tips, no override option My old outlook version
Solved
Mansha
Dec 05, 2025 Place Microsoft Purview
61Views
0likes
1Comment
Copilot DLP Policy Licensing
Hi everyone We are currently preparing our tenant for a broader Microsoft 365 Copilot rollout and in preparation to that we were in the progress of hardening our SharePoint files to ensure that sensitive information stays protected. Our original idea was to launch sensitivity labels together with a Purview data loss prevention policy that excludes Copilot from accessing and using files that have confidential sensitivity labels. Some weeks ago when I did an initial setup, everything worked just fine and I was able to create the before mentioned custom DLP policy. However, when I checked the previously created DLP policy a few days back, the action to block Copilot was gone and the button to add a new action in the custom policy is greyed out. I assume that in between the initial setup and me checking the policy, Microsoft must have moved the feature out of our licensing plan (Microsoft 365 E3 & Copilot). Now my question is what the best licensing options would be on top of our existing E3 licences. For cost reasons, a switch to Microsoft 365 E5 is not an option as we have the E3 licences through benefits. Thanks!
Solved
Stefan19x9a
Sep 10, 2025 Place Microsoft Purview
438Views
0likes
2Comments
Teams Private Channels Reengineered: Compliance & Data Security Actions Needed by Sept 20, 2025
You may have missed this critical update, as it was published only on the Microsoft Teams blog and flagged as a Teams change in the Message Center under MC1134737. However, it represents a complete reengineering of how private channel data is stored and managed, with direct implications for Microsoft Purview compliance policies, including eDiscovery, Legal Hold, Data Loss Prevention (DLP), and Retention. 🔗 Read the official blog post here New enhancements in Private Channels in Microsoft Teams unlock their full potential | Microsoft Community Hub What’s Changing? A Shift from User to Group Mailboxes Historically, private channel data was stored in individual user mailboxes, requiring compliance and security policies to be scoped at the user level. Starting September 20, 2025, Microsoft is reengineering this model: Private channels will now use dedicated group mailboxes tied to the team’s Microsoft 365 group. Compliance and security policies must be applied to the team’s Microsoft 365 group, not just individual users. Existing user-level policies will not govern new private channel data post-migration. This change aligns private channels with how shared channels are managed, streamlining policy enforcement but requiring manual updates to ensure coverage. Why This Matters for Data Security and Compliance Admins If your organization uses Microsoft Purview for: eDiscovery Legal Hold Data Loss Prevention (DLP) Retention Policies You must review and update your Purview eDiscovery and legal holds, DLP, and retention policies. Without action, new private channel data may fall outside existing policy coverage, especially if your current policies are not already scoped to the team’s group. This could lead to significant data security, governance and legal risks. Action Required by September 20, 2025 Before migration begins: Review all Purview policies related to private channels. Apply policies to the team’s Microsoft 365 group to ensure continuity. Update eDiscovery searches to include both user and group mailboxes. Modify DLP scopes to include the team’s group. Align retention policies with the team’s group settings. Migration will begin in late September and continue through December 2025. A PowerShell command will be released to help track migration progress per tenant. Migration Timeline Migration begins September 20, 2025, and continues through December 2025. Migration timing may vary by tenant. A PowerShell command will be released to help track migration status. I recommend keeping track of any additional announcements in the message center.
nikkichapple
Aug 29, 2025 Place Microsoft Purview
478Views
1like
0Comments
Inbound Sensitive Information
Hello All, We currently have some DLP policies to restrict Financial Data, HIPPA, and PII data from leaving our org. However, is there a way to restrict this type of sensitive data from being sent into the org? For example, an external address sends some sensitive data to a specific mailbox. Can a DLP policy be created to block that data from reaching a specific mailbox and reply back the email was blocked due to the content? Thanks for any info!
Solved
IanG562
Jul 05, 2025 Place Microsoft Purview
722Views
0likes
5Comments
Configuring Purview policy to email user's Leader for approval, using external HR Database
Hello, Wondering if anybody could confirm within Microsoft Purview if it is possible to: Have a DLP Policy configured with a Policy Tip Override and have it configured so if the email for example is blocked it sends a Notification to the users 'Leader' to either Accept or Deny it. If Accepted by the user's Leader, the content is released. In the same configuration have Purview user a Data Connector to say a SAP database that the HR Department uses or any type of external database to automatically determine the users leader??? If so, any Microsoft articles and or videos???? Also want this compatibility to also be used for any type of Policy for say a SIT, Sensitivity Label, Trainable Classifier etc. etc. Thank you kindly, J
JTechGuy
Apr 23, 2025 Place Microsoft Purview
139Views
1like
1Comment