How to Find Sensitive Files Stored in OneDrive

Business users often store confidential documents in OneDrive without realizing the security risks. Files containing personally identifiable information, financial data, or trade secrets can be exposed if sharing settings are too permissive. Microsoft 365 provides built-in tools to scan OneDrive for sensitive content and flag files that need tighter access controls. This article explains how to use Microsoft Purview Data Loss Prevention policies and Microsoft 365 compliance center features to locate sensitive files in your OneDrive for Business environment.

Key Takeaways: Locating Sensitive Files in OneDrive for Business

  • Microsoft Purview compliance portal > Data classification > Sensitive info types: Predefined templates and custom patterns to detect credit card numbers, passport IDs, and other regulated data in OneDrive.
  • Microsoft Purview > Data Loss Prevention > Policies: Rules that automatically scan OneDrive files for sensitive content and send alerts or block sharing.
  • Content Search in Microsoft Purview: A manual query tool that locates files containing specific keywords or sensitive data patterns across all OneDrive accounts.


What Counts as Sensitive Content in OneDrive

Sensitive files contain data that could cause financial or reputational harm if leaked. Microsoft 365 classifies sensitive information using predefined sensitive info types. These include credit card numbers, bank account numbers, passport IDs, driver’s license numbers, social security numbers, and health records. The compliance center also supports custom sensitive info types for company-specific data such as employee IDs or internal project codes.

The scanning process works at the file content level, not just file names or metadata. When a file is stored in OneDrive, Microsoft 365 can inspect its contents — including text in Office documents, PDFs, and images with embedded text — and match it against defined sensitive info types. The detection engine supports over 100 built-in sensitive info types and allows administrators to create custom patterns using regular expressions.

Prerequisites for Scanning OneDrive Files

To find sensitive files in OneDrive, you need the following:

  • A Microsoft 365 subscription that includes Microsoft Purview — typically E5 or A5 plans, or add-on licenses for Data Loss Prevention.
  • Global Administrator or Compliance Administrator role in the Microsoft 365 admin center.
  • OneDrive for Business accounts must be licensed and active for all users you want to scan.

Method 1: Use Data Loss Prevention Policies to Automatically Detect Sensitive Files

Data Loss Prevention policies in Microsoft Purview can automatically scan OneDrive files for sensitive content. When a match is found, you can configure the policy to send an email alert, block sharing, or apply a sensitivity label. This method works continuously — new files uploaded to OneDrive are scanned within minutes of being created or modified.

Steps to Create a DLP Policy for OneDrive

  1. Open the Microsoft Purview compliance portal
    Sign in to compliance.microsoft.com with your Global Administrator or Compliance Administrator account.
  2. Navigate to Data Loss Prevention
    In the left navigation menu, select Data Loss Prevention and then click Policies.
  3. Create a new policy
    Click Create policy. On the “Start with a template or create a custom policy” page, select Custom and then click Next.
  4. Name the policy
    Enter a name such as “OneDrive Sensitive Content Scan” and a description. Click Next.
  5. Choose the locations to scan
    On the “Choose locations to apply the policy” page, toggle OneDrive accounts to the On position. You can also include Exchange email, SharePoint sites, and Teams chat messages if needed. Click Next.
  6. Define the sensitive info types to detect
    On the “Define policy settings” page, click Create or customize advanced DLP rules. Click Create rule. Under Conditions, select Content contains. Choose Sensitive info types and then click Add. Select the types you want to detect — for example, U.S. Social Security Number, Credit Card Number, or Passport Number. Click Add and then Save.
  7. Set the action for matched files
    Under Actions, select Restrict access or encrypt the content. Choose Block everyone to prevent external sharing of sensitive files. Optionally, check Notify users with email and policy tips to alert the file owner. Click Save.
  8. Test the policy before turning it on
    On the “Policy mode” page, select Test it out first. This lets you review alerts without blocking files. Click Next and then Submit.

After the policy is created, Microsoft 365 will scan all existing and new files in OneDrive accounts. You can view alerts and matched files in the Purview compliance portal under Data Loss Prevention > Alerts or Activity explorer.
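The same policy can be created without the portal, in Security & Compliance PowerShell. This is an added example, not part of the article; it assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds the Compliance Administrator role, and that the policy and rule names are placeholders you will replace.

```powershell
# Added example (not from the article): builds the DLP policy from the steps above
# with Security & Compliance PowerShell. Assumes the ExchangeOnlineManagement module
# is installed and the account holds the Compliance Administrator role.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive sign-in to Security & Compliance PowerShell

$policyName = 'OneDrive Sensitive Content Scan'   # placeholder name

# Steps 4, 5 and 8: name the policy, scope it to every OneDrive account and start in
# test mode so matches raise alerts but nothing is blocked yet.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Flags regulated data stored in OneDrive for Business' `
    -OneDriveLocation All `
    -Mode TestWithoutNotifications

# Steps 6 and 7: one rule for the sensitive info types named in the article.
# Names must match the output of Get-DlpSensitiveInformationType exactly.
$sensitiveTypes = @(
    @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' },
    @{ Name = 'Credit Card Number';                minCount = '1' }
)
New-DlpComplianceRule -Name "$policyName - block sharing" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation $sensitiveTypes `
    -BlockAccess $true `
    -BlockAccessScope All `
    -NotifyUser Owner `
    -GenerateAlert SiteAdmin

# Confirm the rule attached to the policy before leaving test mode.
Get-DlpComplianceRule -Policy $policyName | Select-Object Name, Mode, BlockAccess

# After reviewing alerts in Activity explorer, switch the policy to enforcement:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Listing the available type names first with `Get-DlpSensitiveInformationType | Select-Object Name` avoids a rule that silently matches nothing because of a misspelled type.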


Method 2: Use Content Search to Manually Find Sensitive Files

If you need a one-time scan or want to search for specific keywords or data patterns, use the Content Search feature in Microsoft Purview. This method does not apply automatic restrictions — it only returns a list of files that match your query.

Steps to Run a Content Search for Sensitive Data in OneDrive

  1. Open the Microsoft Purview compliance portal
    Go to compliance.microsoft.com and sign in as a Compliance Administrator.
  2. Navigate to Content Search
    In the left menu, expand Data classification and select Content search.
  3. Create a new search
    Click New search. Enter a name such as “OneDrive Sensitive Files Scan”.
  4. Configure the search query
    On the “Locations” page, toggle All OneDrive accounts to the On position. On the “Define your search conditions” page, you can use the keyword query language to search for specific terms. For example, to find files containing the word “confidential”, enter confidential in the keyword box. To search for sensitive info types, click Add condition, select Type, and then choose All sensitive info types. Click Search.
  5. Review the search results
    After the search completes, click the search name to view the results. The results page shows the number of matching items and a preview of the file metadata. You can export the results to a CSV file by clicking Export results.

Content Search is useful for compliance audits or when you need to identify files that contain a specific pattern, such as “ProjectX” or “NDA”. The search covers all OneDrive accounts in your tenant, but you can narrow it to specific users by selecting “Choose OneDrive accounts” instead of “All OneDrive accounts”.
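The Content Search above, run from PowerShell with the query refinements described later under "Content Search returns too many irrelevant files". This is an added example, not part of the article; it assumes an existing Connect-IPPSSession session, the Compliance Administrator role, and a placeholder search name.

```powershell
# Added example (not from the article): runs the Content Search from the steps above
# through Security & Compliance PowerShell. Assumes Connect-IPPSSession has already
# been run as a Compliance Administrator.
$searchName = 'OneDrive Sensitive Files Scan'   # placeholder name

# -SharePointLocation All covers every SharePoint site and OneDrive account in the
# tenant. To scan specific users instead, pass their OneDrive URLs, for example
# 'https://<tenant>-my.sharepoint.com/personal/<user>_<domain>' (placeholder).
# The KQL query combines a keyword, the proximity operator and a sensitive info type
# filter, then narrows the result to PDF files only.
$query = '(confidential OR (SSN NEAR employee) OR SensitiveType:"Credit Card Number") AND filetype:pdf'

New-ComplianceSearch -Name $searchName `
    -SharePointLocation All `
    -ContentMatchQuery $query `
    -Description 'Ad-hoc audit of OneDrive for regulated data'

Start-ComplianceSearch -Identity $searchName

# Poll until the search finishes; large tenants can take several minutes.
do {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -ne 'Completed')

'{0} items ({1:N0} bytes) matched the query' -f $search.Items, $search.Size

# Produce a report-only export (metadata, no file contents) for the CSV review step.
New-ComplianceSearchAction -SearchName $searchName -Report
```

The report action creates the same kind of export the portal's Export results button does; download it from the Export tab of the search, or with Get-ComplianceSearchAction to check its status.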

Common Issues When Searching for Sensitive Files in OneDrive

No results returned even though files contain sensitive data

The scanning engine requires files to be in a supported format. Office documents, PDFs, and text files are scanned. Image-only PDFs or scanned images without embedded text are not scanned unless you enable OCR in Microsoft Purview. Go to Data classification > OCR configuration and toggle Enable OCR to On. Also, files must be stored in OneDrive for at least 15 minutes before scanning begins.

DLP policy does not detect sensitive content in shared files

DLP policies scan all files in OneDrive regardless of sharing status. If a file is shared externally and contains sensitive data, the policy should trigger an alert. However, the policy only scans files that match the sensitive info types you selected. Verify that the sensitive info type is correctly configured. For example, U.S. Social Security Number detection requires a nine-digit number in the format XXX-XX-XXXX. If the file uses a different format, the scan will not match it.

Content Search returns too many irrelevant files

Use the keyword query language to refine your search. Combine keywords with proximity operators. For example, to find files that contain “SSN” near “employee”, use SSN NEAR employee. You can also filter by file type: filetype:pdf AND confidential. For sensitive info types, use the condition builder to select specific types instead of the generic “All sensitive info types”.

DLP Policy Scanning vs Content Search: Key Differences

| Item | DLP Policy Scanning | Content Search |
| --- | --- | --- |
| Purpose | Automatic detection and remediation of sensitive content | Manual one-time search for compliance or audits |
| Automation | Runs continuously on file creation and modification | Requires manual launch each time |
| Actions | Can block sharing, encrypt files, send alerts | Only returns search results |
| Supported locations | OneDrive, SharePoint, Exchange, Teams | OneDrive, SharePoint, Exchange, Teams |
| Detection method | Sensitive info types and custom patterns | Keywords, sensitive info types, file properties |

DLP policies are the best choice for ongoing protection. Content Search is better for ad-hoc investigations or when you need to verify that a specific file is no longer shared.

You now have two reliable methods to find sensitive files in OneDrive for Business. Start by creating a DLP policy in test mode to see what files are detected in your environment. After reviewing the alerts, adjust the sensitive info types and actions before switching the policy to enforcement mode. For a deeper audit, run a Content Search with custom keywords to locate files that may not match standard sensitive info types. Enable OCR in Microsoft Purview to scan text embedded in images within PDF files.
