IT Hub

Troubleshooting Common DLP Issues in Microsoft 365

Reco Security Experts
May 28, 2024
May 28, 2024

DLP policies are tools within Office 365 that help organizations protect sensitive information from being shared or leaked outside the organization. These policies can be configured to detect and prevent the unauthorized sharing of sensitive data such as credit card numbers, social security numbers, or confidential information.

By defining rules and conditions, administrators can specify what types of sensitive information should be taken care of, how to handle when issues are found(such as blocking access or sending alerts), and who has access to sensitive data within the organization.

DLP policies can be applied across various Office 365 services such as Exchange Online, SharePoint Online, and OneDrive for Business, helping to protect data wherever it's stored or shared within Office 365.

Policy Creation and Deployment

  • Intent Scenarios: Consider scenarios like preventing the accidental sharing of confidential data or sensitive information from leaking out of your organization.
  • Configuration Options: Customize your DLP policy by mapping intent scenarios to specific configuration options.
  • Deployment: Choose wisely to achieve your intent without disrupting business operations.
  • Administrative Units: Understanding the basics of Microsoft Purview Data Loss Prevention.


  • Microsoft Office 365 Business Standard and Business Premium: To use DLP, you need to purchase the Office 365 data loss prevention add-on (which is added to Exchange Online Plan 1). This applies to both Business Standard and Business Premium subscriptions. DLP features are not included by default in these plans; the add-on is necessary to enable them.
  • Enterprise Licenses: If you have an enterprise-level subscription, such as Microsoft 365 E3 or Microsoft 365 E5, you’ll have access to comprehensive DLP capabilities. These licenses include advanced security and compliance features, making them suitable for organizations with more complex requirements.

Troubleshooting Common DLP Issues in Microsoft 365

Troubleshooting common DLP (Data Loss Prevention) issues in Office 365 involves checking policy configurations, ensuring proper permissions, and examining logs in case there are any lapses. Here are some steps you can take:

Review DLP Policies: Check your DLP policies to ensure they are correctly configured to match your organization's requirements.

Steps to set up and review the DLP Policy:

  • Navigate to Compliance.microsoft.com
  • Click on DLP Policy on the left-hand side

1. Permissions: Make sure users have the necessary permissions to access and use DLP features. The account used for policy creation and deployment must be a part of specific role groups:

  • Compliance Administrator
  • Compliance Data Administrator
  • Information Protection Admin
  • Security Administrator

Steps to Assign the Role:

  • Sign in to the Microsoft Purview compliance portal as a global admin from compliance.microsoft.com
  • Navigate to the Permissions section.
  • If you need to set up the policy, assign the Compliance Administrator role to the relevant user account.

2. Policy Testing: Test your DLP policies to ensure they are working as expected. This process involves extensive testing of the policy by reviewing it.

This implies that when Canada's financial data is shared across Office 365, it should be blocked.

Ensure an extensive review of the protection actions below to make sure the policy works perfectly.

This page shows where you can run the policy in simulation mode before it is enabled. Once the policy is enabled, it takes 24 hours to take effect.

3. Log Analysis: Analyze DLP logs to identify any patterns or anomalies that may indicate issues with policy enforcement.

Common Issues

DLP Policy Not Blocking Sensitive Information

  • Users can send emails or documents containing sensitive information (such as credit card numbers or Social Security Numbers), and the DLP policy does not block them.
  • Possible Causes:
    • Content of the email message.
    • Configuration issues with the DLP policy.
  • Possible Solution:
    • Check if the message’s content matches the format, pattern, and keywords specified in your sensitive information type entity definitions.

DLP Policy Tips Not Working in Outlook and OWA Clients

  • DLP policy tips (which guide users when they’re about to send sensitive information) are not functioning as expected.
  • Possible Causes:
    • Policy configuration errors.
    • Unsupported policy configurations (client-only).
    • Not all policy conditions are met.
    • MailTips aren’t enabled (client-only).
  • Resolution:
    • Review your policy configurations and ensure they are correctly set up.

Conclusion: Addressing DLP Policy Challenges in Microsoft 365

Data Loss Prevention (DLP) policies play a crucial role in protecting sensitive information within organizations. However, several challenges can affect their effectiveness. These are:

  1. Policy Configuration Errors:
  • Misconfigurations can lead to unexpected issues. For instance, having multiple rules detecting the same sensitive data types with identical instance counts and confidence levels is unnecessary and problematic.
  • The resolution lies in creating a single rule based on the same sensitive data types.
  1. Outlook Compatibility:
    • Outlook 2013 and later versions support policy tips for specific conditions and exceptions. Not all policy configurations are compatible with these versions.
    • Organizations should be aware of these limitations when designing DLP policies.
  2. Policy Conditions and External Sharing:
    • In SharePoint Online and OneDrive for Business, external sharing conditions can impact policy tips. Content is indexed as shared externally only after an external party accesses it.
    • Organizations should consider this when crafting DLP policies.
  3. MailTips and Client Support:
    • For Outlook 2013 and later clients, ensure that both MailTips and policy tips are enabled. MailTips provides essential context to users.
    • Mac clients have specific limitations related to MailTips. To enable MailTips, kindly follow the steps below:

Outlook Configuration:

  • Open Outlook.
  • Go to File > Options > Mail.
  • Scroll down to the MailTips section.
  • In the Select MailTips to be displayed dialog box, ensure that the Policy tip notification option is selected

Custom MailTips for Recipients in Exchange Online:

  • If you want to create custom MailTips for recipients in Exchange Online, follow these steps:some text
    • Open the Exchange Admin Centre.
    • Navigate to Recipients > Mailboxes.
    • Select the recipient you want to modify and click Edit.
    • In the recipient properties page,click on others and click MailTips.
    • Enter the text for the MailTip and click Save

5. Legacy Policies and Migration:

  • Legacy Exchange Online DLP policies should be migrated to the Microsoft Purview compliance portal. Failure to do so may result in unexpected outcomes, such as missing policy tips.
Explore More
See more articles from our Hub