OneDrive for Business DLP Alerts Troubleshooting for Legal Discovery: Alerts Miss OneDrive Files

When your organization runs Data Loss Prevention scans for legal discovery, DLP alerts may miss files stored in OneDrive for Business. This problem often occurs because the DLP policy scope does not include OneDrive locations or because the files are in a state that the scanner cannot access. This article explains why DLP alerts miss OneDrive files and provides step-by-step fixes to ensure complete coverage for legal discovery.

Understanding the root cause helps you adjust DLP policies and OneDrive settings so that no file escapes detection. You will learn how to verify policy scope, enable advanced scanning features, and check file availability states. The goal is to make your DLP alerts capture every relevant document during legal hold or eDiscovery processes.

Key Takeaways: Fixing DLP Alerts That Miss OneDrive Files for Legal Discovery

  • Microsoft Purview compliance portal > Data Loss Prevention > Policies > Edit policy > Locations: Ensures OneDrive accounts are included in the DLP policy scope
  • OneDrive Files On-Demand status check: Files marked as online-only may not be scanned; set files to locally available before running DLP scans
  • DLP policy rule > Advanced DLP rules > Content contains > Sensitivity labels: Applies DLP scanning to files labeled for legal hold or confidential data


Why DLP Alerts Miss OneDrive Files During Legal Discovery

Microsoft 365 DLP policies scan content at rest and in transit, but they depend on the file being indexed and accessible. When a OneDrive file is stored only in the cloud and not synced to a local device, the DLP scanner may skip it if the policy is not configured to scan cloud attachments or if the file lacks a sensitivity label. Legal discovery requires that all files in a custodian’s OneDrive be scanned, including those that are shared externally or stored in subfolders. The most common technical cause is a DLP policy that is scoped only to Exchange or SharePoint and not to OneDrive accounts. Another cause is the file being in a state that the scanner ignores, such as a file that has never been opened or one that is in a folder with inheritance disabled.

Policy Scope Limitations

DLP policies in Microsoft Purview can target specific workloads: Exchange, SharePoint, OneDrive, Teams, and devices. If your policy was created for email or SharePoint alone, OneDrive files are not evaluated. Even when OneDrive is selected, the policy may exclude certain sites or users if you applied a scope filter incorrectly.

File Availability and Indexing Gaps

OneDrive uses Files On-Demand to keep files online-only until they are opened. Files that remain online-only may not be fully indexed by the search service that DLP relies on. If the file has never been accessed or synced, DLP might not detect it. Additionally, files with custom permissions or those stored in a folder that inherits no label can be invisible to DLP rules that check for sensitivity labels.
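The paragraph above describes the Files On-Demand gap but gives no way to measure it before a scan. The script below is an added example (not from the article, and not a Microsoft-provided tool) that inventories a custodian's synced OneDrive for Business folder on a Windows device and reports how many files are still online-only placeholders, optionally pinning them so the sync client downloads the content. It assumes the OneDrive sync client has set the `OneDriveCommercial` environment variable for the work account, uses the documented Windows cloud-file attribute bits (`FILE_ATTRIBUTE_PINNED` 0x80000, `FILE_ATTRIBUTE_UNPINNED` 0x100000, `FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS` 0x400000), and relies on `attrib.exe` supporting the `+P`/`-U` pinning switches (Windows 10 1709 and later).

```powershell
# Added example (not from the article): report OneDrive for Business files that are
# still online-only placeholders on this device, and optionally pin them.
# Attribute values are the documented Windows cloud-file attribute flags.
$FILE_ATTRIBUTE_PINNED                = 0x00080000   # "Always keep on this device"
$FILE_ATTRIBUTE_UNPINNED              = 0x00100000   # "Free up space"
$FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS = 0x00400000   # online-only placeholder, no local content

function Get-OneDrivePlaceholderReport {
    param(
        # The sync client sets OneDriveCommercial for work/school accounts (assumed present).
        [string]$Root = $env:OneDriveCommercial,
        # Pin every file so the content is downloaded and becomes indexable.
        [switch]$Pin
    )
    if (-not $Root -or -not (Test-Path -LiteralPath $Root)) {
        throw "OneDrive for Business root not found; pass -Root explicitly."
    }

    $files = @(Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue)

    $onlineOnly = @()
    $pinned     = 0
    foreach ($f in $files) {
        # Cast to int keeps the raw attribute bits, including cloud-file flags that
        # the System.IO.FileAttributes enum does not name.
        $attr = [int]$f.Attributes
        if (($attr -band $FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS) -ne 0) { $onlineOnly += $f.FullName }
        if (($attr -band $FILE_ATTRIBUTE_PINNED) -ne 0)                { $pinned++ }
    }

    if ($Pin -and $onlineOnly.Count -gt 0) {
        # Clear "free up space" and set "always keep on this device" for the whole tree;
        # the sync client then downloads the content in the background.
        & attrib.exe -U +P "$Root\*" /S /D
    }

    [pscustomobject]@{
        Root          = $Root
        TotalFiles    = $files.Count
        OnlineOnly    = $onlineOnly.Count
        AlreadyPinned = $pinned
        PinRequested  = [bool]$Pin
        Sample        = $onlineOnly | Select-Object -First 10   # first few paths for the report
    }
}

# Usage: inventory first, then pin and re-check once the sync icon shows "Up to date".
Get-OneDrivePlaceholderReport | Format-List
# Get-OneDrivePlaceholderReport -Pin | Format-List
```

Run the inventory before and after step 5 of the procedure: the second run should show `OnlineOnly` at zero once the sync client has finished downloading, which is the state in which the DLP indexer can read every file.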

Steps to Ensure DLP Alerts Capture All OneDrive Files

Follow these steps in order to fix missing DLP alerts for OneDrive files. You need global admin or DLP compliance admin permissions.

  1. Verify DLP policy scope includes OneDrive
    Go to the Microsoft Purview compliance portal. Select Data Loss Prevention then Policies. Open the policy used for legal discovery. Under Locations, confirm that OneDrive accounts is checked. If it is not, check it and save the policy. This change applies to all new and existing files.
  2. Check that the policy scans all OneDrive sites
    While editing the policy, select Choose locations under OneDrive accounts. Make sure All users and groups or the specific legal hold group is selected. If you used a distribution group, verify the group membership is current. Save the policy after updating.
  3. Add a rule that scans files by sensitivity label
    In the same policy, select Policy settings then Edit rules. Under Conditions, choose Content contains then Sensitivity labels. Select the labels used for legal hold or confidential data. This ensures that even if the file is online-only, DLP scans its metadata and label.
  4. Enable advanced DLP rules for cloud attachments
    In the policy rule, under Advanced DLP rules, toggle on Scan content in cloud attachments. This forces DLP to inspect files shared via OneDrive links. Without this, external shares might be missed.
  5. Force files to sync before a discovery scan
    On the custodian’s device, open OneDrive settings. Go to Sync and backup then Manage backup. Ensure all folders under This PC are backed up. Then right-click the OneDrive folder in File Explorer and select Always keep on this device. This downloads all files, making them indexable. Wait for the sync to complete.
  6. Run a DLP test scan to confirm detection
    In the Microsoft Purview compliance portal, go to Data Loss Prevention then Policies. Select your policy and choose Test policy. Upload a test file with the sensitivity label to the custodian’s OneDrive. Verify that an alert appears in the Alerts tab. If no alert appears, review the policy conditions again.
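Steps 1 through 4 can be verified from Security & Compliance PowerShell instead of by clicking through the portal, which is useful when you need to audit many policies or record evidence of the check. The following is an added example (not from the article, and not Microsoft's own script) using the ExchangeOnlineManagement module. The admin account and policy name are placeholders; cmdlet, parameter and property names follow the documented Get-DlpCompliancePolicy, Set-DlpCompliancePolicy and Get-DlpComplianceRule cmdlets, but confirm them against your installed module version.

```powershell
# Added example (not from the article): verify and repair the location scope and rule
# conditions of a legal-discovery DLP policy from Security & Compliance PowerShell.
Connect-IPPSSession -UserPrincipalName admin@contoso.example   # assumed admin account

$policyName = "Legal Discovery DLP"   # assumed policy name; replace with yours

# -DistributionDetail adds DistributionStatus so you can see whether the last
# edit has actually been pushed to the workloads.
$policy = Get-DlpCompliancePolicy -Identity $policyName -DistributionDetail

# Step 1: OneDrive must be a location ("All" or explicit account/site URLs).
$oneDrive = @($policy.OneDriveLocation)
if ($oneDrive.Count -eq 0) {
    Write-Warning "Policy '$policyName' has no OneDrive location; adding all accounts."
    Set-DlpCompliancePolicy -Identity $policyName -AddOneDriveLocation "All"
} else {
    Write-Host "OneDrive scope: $($oneDrive -join ', ')"
}

# Step 2: exclusions silently remove custodians from scope; surface them for review.
if (@($policy.OneDriveLocationException).Count -gt 0) {
    Write-Warning "OneDrive exclusions present: $($policy.OneDriveLocationException -join ', ')"
}

# A disabled policy produces nothing; test mode reports matches but enforces no actions.
if ($policy.Mode -ne "Enable") {
    Write-Warning "Policy mode is '$($policy.Mode)'; set -Mode Enable for production alerts."
}
Write-Host "Distribution status: $($policy.DistributionStatus)"

# Steps 3 and 4: every rule needs a content condition; show what each rule matches on
# and whether it alerts, so a rule that can never fire stands out.
Get-DlpComplianceRule -Policy $policyName | ForEach-Object {
    [pscustomobject]@{
        Rule             = $_.Name
        Disabled         = $_.Disabled
        HasContentCond   = [bool]$_.ContentContainsSensitiveInformation
        AccessScope      = $_.AccessScope
        BlockAccess      = $_.BlockAccess
        BlockAccessScope = $_.BlockAccessScope
        GenerateAlert    = (@($_.GenerateAlert) -join ', ')
    }
} | Format-Table -AutoSize
```

A policy whose `DistributionStatus` is still `Pending` after an edit has not reached OneDrive yet, so a test file uploaded in step 6 will not raise an alert until distribution completes; re-run the check rather than editing the policy again.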


If DLP Still Misses OneDrive Files After the Main Fix

OneDrive files with no sensitivity label are not scanned

If your DLP rule relies solely on sensitivity labels, files without a label are ignored. To fix this, add a condition that scans files based on content inspection. In the policy rule, under Conditions, select Content contains then choose Custom word list or Regular expression. Enter keywords relevant to legal discovery, such as “privileged” or “attorney-client”. This catches unlabeled files that contain sensitive terms.

DLP alerts do not appear for files shared externally

When a user shares a OneDrive file with an external recipient, DLP may not generate an alert if the policy does not monitor external sharing. Edit the policy rule and under Actions, select Block external sharing and notify users. Also enable the option Notify admins when a DLP rule matches on shared content. This ensures external shares trigger alerts.
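The two fixes above (content inspection for unlabeled files, and blocking plus alerting on external sharing) map to two DLP rules. Below is an added example (not from the article, not Microsoft's code) that creates both with New-DlpComplianceRule. The policy and rule names and the alert mailbox are placeholders; `Legal Discovery Terms` assumes a custom sensitive information type you have already built from the keyword list or regular expression, while `U.S. Social Security Number (SSN)` is a built-in type. Parameter values follow the documented New-DlpComplianceRule cmdlet.

```powershell
# Added example (not from the article): add a content-inspection rule and an
# external-sharing rule to a legal-discovery DLP policy.
Connect-IPPSSession -UserPrincipalName admin@contoso.example   # assumed admin account

$policyName = "Legal Discovery DLP"                 # assumed policy name
$alertMailbox = "dlp-alerts@contoso.example"        # assumed incident-report recipient

# Rule 1: inspect the content itself, so files without a sensitivity label still match.
# minCount = 1 fires on a single hit; raise it if the keyword list is noisy.
$conditions = @(
    @{ Name = "Legal Discovery Terms"; minCount = "1" }              # assumed custom SIT
    @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" }  # built-in SIT
)
New-DlpComplianceRule -Name "LD - Unlabeled content inspection" -Policy $policyName `
    -ContentContainsSensitiveInformation $conditions `
    -GenerateIncidentReport $alertMailbox `
    -IncidentReportContent Title, Detections, DocumentAuthor, DocumentLastModifier, Service `
    -ReportSeverityLevel Medium

# Rule 2: when matching content is shared with people outside the tenant, block the
# external access, notify the file owner, and raise an alert for the site admin.
New-DlpComplianceRule -Name "LD - Block external sharing" -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = "Legal Discovery Terms"; minCount = "1" } `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope NotInOrganization `
    -NotifyUser LastModifier, Owner `
    -GenerateAlert SiteAdmin `
    -ReportSeverityLevel High

# Confirm both rules exist and are enabled.
Get-DlpComplianceRule -Policy $policyName |
    Select-Object Name, Disabled, AccessScope, BlockAccess, BlockAccessScope, ReportSeverityLevel
```

Keeping the two rules separate lets the external-sharing rule carry a higher severity and a blocking action while the inspection rule stays report-only, which avoids blocking internal collaboration on every keyword hit.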

Files in subfolders are missed

DLP policies scan all subfolders within OneDrive by default, but if a folder has custom permissions that break inheritance, the scanner might skip it. To verify, go to the OneDrive folder in a browser, select the folder, then Manage access. Ensure inheritance is enabled. If inheritance is broken, reset it by selecting Inherit permissions from parent. Then run a new DLP scan.

DLP Policy Scope Options: OneDrive vs SharePoint vs Exchange

  OneDrive Accounts
    Description: Scans files stored in user OneDrive libraries
    Best for legal discovery: Yes, includes all custodian personal files
    Files On-Demand limitation: Online-only files may be skipped without sync
    External sharing detection: Supported when cloud attachment scanning is enabled

  SharePoint Sites
    Description: Scans files in SharePoint team and communication sites
    Best for legal discovery: Yes, includes team documents and shared libraries
    Files On-Demand limitation: No limitation; files are always server-side
    External sharing detection: Supported by default for site sharing

  Exchange Mailboxes
    Description: Scans email messages and attachments in Exchange Online
    Best for legal discovery: Yes, includes email correspondence
    Files On-Demand limitation: Not applicable
    External sharing detection: Supported for email attachments

When configuring DLP for legal discovery, you must include all three locations to ensure complete coverage. OneDrive alone captures personal files, but SharePoint captures collaborative documents, and Exchange captures email evidence.

Now you can verify that your DLP policy includes OneDrive accounts and uses sensitivity labels or content inspection to catch all files. Next, run a test scan with a sample file to confirm alerts appear. An advanced tip is to use the Microsoft 365 audit log to search for DLP rule matches by policy ID, which helps you confirm which files triggered alerts during a specific time window.
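The audit-log tip above is the most reliable way to prove which OneDrive files actually triggered a policy during a time window. The function below is an added example (not from the article, not Microsoft's code) that pages through DlpRuleMatch events with Search-UnifiedAuditLog and keeps only matches for one policy ID. It assumes the `PolicyId` inside each record's AuditData equals the `Guid` property returned by Get-DlpCompliancePolicy, uses the field names of the Office 365 Management Activity API DLP schema (`PolicyDetails`, `Rules`, `SharePointMetaData.FilePathUrl`), and treats the `-my.sharepoint.com` hostname as the marker for OneDrive personal sites; the admin account, policy name and date range are placeholders.

```powershell
# Added example (not from the article): list DLP rule matches for one policy ID from
# the unified audit log, showing which OneDrive files triggered them.
Connect-IPPSSession -UserPrincipalName admin@contoso.example   # assumed admin account

function Get-DlpMatchesForPolicy {
    param(
        [Parameter(Mandatory)] [string]$PolicyId,    # policy GUID (assumed = Get-DlpCompliancePolicy .Guid)
        [Parameter(Mandatory)] [datetime]$Start,
        [Parameter(Mandatory)] [datetime]$End,
        [switch]$OneDriveOnly                        # keep only personal-site (-my.sharepoint.com) paths
    )

    # ReturnLargeSet pages through results; repeat with the same SessionId until empty.
    $sessionId = [guid]::NewGuid().ToString()
    $records = @()
    do {
        $page = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
            -Operations DlpRuleMatch -ResultSize 5000 `
            -SessionId $sessionId -SessionCommand ReturnLargeSet
        if ($page) { $records += $page }
    } while ($page)

    foreach ($rec in $records) {
        $d = $rec.AuditData | ConvertFrom-Json
        # Only SharePoint/OneDrive events carry SharePointMetaData; mail events carry ExchangeMetaData.
        if (-not $d.SharePointMetaData) { continue }
        $path = $d.SharePointMetaData.FilePathUrl
        if ($OneDriveOnly -and $path -notmatch '-my\.sharepoint\.com/') { continue }

        # A single event can match several policies; keep only the one requested.
        $hit = @($d.PolicyDetails | Where-Object { $_.PolicyId -eq $PolicyId })
        if ($hit.Count -eq 0) { continue }

        [pscustomobject]@{
            Time    = $rec.CreationDate
            User    = $rec.UserIds
            File    = $path
            Policy  = $hit[0].PolicyName
            Rules   = (@($hit[0].Rules | ForEach-Object { $_.RuleName }) -join ', ')
            Actions = (@($hit[0].Rules | ForEach-Object { $_.Actions }) -join ', ')
        }
    }
}

# Usage: last 7 days of OneDrive matches for the legal-discovery policy.
$policy = Get-DlpCompliancePolicy -Identity "Legal Discovery DLP"   # assumed policy name
Get-DlpMatchesForPolicy -PolicyId $policy.Guid -Start (Get-Date).AddDays(-7) -End (Get-Date) -OneDriveOnly |
    Sort-Object Time | Format-Table -AutoSize
```

Compare the `File` column against the custodian's file inventory: any file you expected to match but that never appears in this output was either out of scope, still online-only at scan time, or did not satisfy a rule condition, which points you back to the relevant section above.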
