Finance reviewers often rely on Data Loss Prevention alerts to detect sensitive files stored in OneDrive for Business. When these alerts miss files that should have been flagged, the review process becomes unreliable and compliance risks increase. This problem typically occurs because DLP policies are not correctly scoped to include all OneDrive locations, or because file metadata does not match the policy conditions. This article explains why DLP alerts miss OneDrive files during finance reviews and walks through step-by-step troubleshooting to resolve the issue.
Key Takeaways: Troubleshooting DLP Alerts Missing OneDrive Files
- Microsoft Purview compliance portal > Data Loss Prevention > Policies: Verify that the policy scope includes all OneDrive accounts and that the policy is in test mode or enabled.
- Policy conditions and sensitive info types: Ensure the policy uses the correct sensitive information types for finance data, such as credit card numbers or bank account numbers.
- OneDrive file index status: Check that files are indexed and searchable in Microsoft Purview; unindexed files are not scanned by DLP.
Why DLP Alerts Miss OneDrive Files in Finance Reviews
Data Loss Prevention policies in Microsoft 365 scan files stored in OneDrive for Business based on conditions defined in the policy. When a finance reviewer expects an alert for a file containing sensitive financial data but no alert is generated, the root cause is usually a mismatch between the policy configuration and the file’s actual metadata or location.
The most common technical reasons include:
Policy Scope Does Not Include All OneDrive Locations
A DLP policy can be scoped to specific users, groups, or locations. If the policy is scoped to only a subset of users, files stored in OneDrive accounts of excluded users will not be scanned. Finance reviewers must confirm that the policy scope includes all relevant OneDrive accounts.
Incorrect or Missing Sensitive Information Types
DLP policies match files against predefined sensitive information types, such as credit card numbers, SWIFT codes, or tax identification numbers. If the policy uses a type that does not match the actual data in the file, no alert is generated. For example, a file containing a bank account number formatted differently than the expected pattern will be missed.
File Not Indexed or Not Yet Scanned
OneDrive files must be indexed by Microsoft Purview before DLP can scan them. Files that are newly uploaded, encrypted, or stored in a format that cannot be indexed will not trigger alerts. Additionally, DLP scanning has a latency of up to 24 hours for newly added files.
Policy in Test Mode Without Notifications
A DLP policy in test mode may generate alerts but not send notifications to reviewers. If the policy is set to test mode without sending alerts, finance reviewers will not see any DLP alerts even though the policy is technically working.
Steps to Troubleshoot and Fix Missing DLP Alerts for OneDrive Files
Follow these steps in order to identify and resolve missing DLP alerts for OneDrive files during finance reviews.
- Verify DLP Policy Scope
Sign in to the Microsoft Purview compliance portal at https://compliance.microsoft.com. Go to Data Loss Prevention > Policies. Select the finance-related DLP policy. Under Locations, confirm that OneDrive accounts is selected. If the policy is scoped to specific users, ensure that all finance team members and relevant users are included. Add missing users or groups as needed.
- Check Sensitive Information Types
In the same policy, go to Conditions. Review the list of sensitive information types. Common types for finance reviews include Credit Card Number, U.S. Bank Account Number, SWIFT Code, and International Banking Account Number (IBAN). If the expected type is missing, add it. Also verify that the confidence level and proximity settings are not too restrictive. For example, set confidence level to 75 or lower for broader matching.
- Confirm Policy Mode and Alert Settings
Under Policy settings, check the Mode. If the policy is in Test mode, ensure that Send alerts to admins is enabled. For production use, set the mode to Turn on the policy after testing. Under Actions, verify that Notify users with a policy tip and email is enabled if you want end-user notifications.
- Verify File Indexing Status
In the Microsoft Purview compliance portal, go to Data classification > Overview. Search for the specific file name or path. If the file is not listed, it has not been indexed. To force indexing, open the file in OneDrive and save it again. Wait up to 24 hours for the index to update. For encrypted files, decrypt them first and re-upload.
- Test with a Known Sensitive File
Create a test file containing real sensitive data, such as a credit card number in the format 4111-1111-1111-1111. Save it to a OneDrive account that is in scope. Wait 30 minutes, then check the Alerts page in the Microsoft Purview compliance portal under Data Loss Prevention > Alerts. If no alert appears, repeat steps 1 through 4.
- Review DLP Alert History
In the Microsoft Purview compliance portal, go to Data Loss Prevention > Alerts. Filter by policy name and date range. Look for any alerts that were generated but not sent to the finance reviewer. If alerts exist but were not delivered, check the email notification settings in the policy and confirm that the reviewer’s email address is correct.
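An added example (not part of the original article or of Microsoft's tooling): a pre-flight check for the test file described in the steps above, since built-in types such as Credit Card Number validate a Luhn checksum and gain confidence from supporting keywords near the match. The keyword list, the 300-character window and the function names are assumptions for illustration, and the sample file contents are constructed.

```python
import re

# Assumed, shortened keyword list; Purview's built-in lists are far longer.
KEYWORDS = ("visa", "mastercard", "credit card", "cvv", "expiry")
PROXIMITY = 300  # assumed window (characters) searched around each match
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")  # 16 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def preflight(text: str) -> list:
    """List each 16-digit candidate with the evidence a detector would need."""
    findings = []
    lowered = text.lower()
    for m in CARD_RE.finditer(text):
        window = lowered[max(0, m.start() - PROXIMITY): m.end() + PROXIMITY]
        findings.append({
            "value": m.group(),
            "checksum": luhn_ok(re.sub(r"\D", "", m.group())),
            "keyword_nearby": any(k in window for k in KEYWORDS),
        })
    return findings


# Constructed test-file contents (not real card data).
SAMPLES = {
    "good.txt": "Paid by Visa credit card 4111-1111-1111-1111, expiry 12/30",
    "bare.txt": "4111-1111-1111-1111",
    "typo.txt": "Paid by Visa credit card 4111-1111-1111-1112",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        for finding in preflight(body):
            print(name, finding)
```

A candidate that fails the checksum is not treated as a card number at all, and one that passes with no supporting keyword nearby may only match at a lower confidence level than the policy requires.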
If DLP Alerts Still Miss OneDrive Files After Troubleshooting
DLP Alert Appears in the Portal but Not in the Reviewer’s Inbox
This occurs when the policy is configured to send alerts to admins but the reviewer is not listed as an admin. To fix this, add the reviewer as a recipient in the policy’s alert notification settings. Go to Data Loss Prevention > Policies, select the policy, and under Actions, choose Send alert to admins. Add the reviewer’s email address. Also check that the reviewer’s mailbox is not blocking emails from Microsoft Purview.
DLP Policy Does Not Scan Files in Shared OneDrive Folders
DLP policies scan files based on the file owner’s OneDrive account. If a file is stored in a shared folder owned by a user outside the policy scope, the file is not scanned. To ensure scanning, include all OneDrive accounts that own shared folders containing finance data. Alternatively, use a DLP policy that scans all OneDrive accounts by selecting All users in the location scope.
DLP Policy Misses Files with Custom Sensitive Data Patterns
Finance data sometimes uses internal formats that do not match predefined sensitive information types. For example, an internal account number format like ACCT-12345-6789 is not recognized. Create a custom sensitive information type in Microsoft Purview. Go to Data classification > Sensitive info types > Create. Define a pattern using regular expressions or keyword lists. Apply the custom type to the DLP policy.
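An added example (not from the original article): a small regression harness for a candidate custom-type regular expression, showing how a pattern written only for `ACCT-12345-6789` misses reformatted copies of the same identifier. Python's `re` stands in for the regex engine Purview uses, and the variant formats, negative cases and names below are constructed assumptions.

```python
import re

# Pattern written only for the single format quoted in the article.
STRICT = re.compile(r"\bACCT-\d{5}-\d{4}\b")
# Tolerant variant: optional dash or space separators, any letter case.
TOLERANT = re.compile(r"\bACCT[- ]?\d{5}[- ]?\d{4}\b", re.IGNORECASE)

# Constructed corpus: (text, should the custom type match?)
CASES = [
    ("Transfer from ACCT-12345-6789 approved", True),
    ("transfer from acct-12345-6789 approved", True),
    ("Ledger ref ACCT 12345 6789", True),
    ("Export column: ACCT123456789", True),
    ("Ticket ACCT-12345-67890 closed", False),  # one digit too many
    ("Vendor code XACCT-12345-6789", False),    # part of a longer token
    ("Call ext. 12345-6789 for help", False),   # no ACCT prefix
]


def evaluate(pattern):
    """Return (missed, false_hits) for a candidate pattern over CASES."""
    missed, false_hits = [], []
    for text, expected in CASES:
        hit = pattern.search(text) is not None
        if expected and not hit:
            missed.append(text)
        elif hit and not expected:
            false_hits.append(text)
    return missed, false_hits


if __name__ == "__main__":
    for name, pattern in (("strict", STRICT), ("tolerant", TOLERANT)):
        missed, false_hits = evaluate(pattern)
        print(f"{name}: {len(missed)} missed, {len(false_hits)} false hits")
        for text in missed:
            print("  missed:", text)
```

Extend `CASES` with the formats that actually appear in finance exports before applying the custom type to the policy.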
DLP Policy Scope vs File Indexing: Key Differences for Finance Reviews
| Item | DLP Policy Scope | File Indexing Status |
|---|---|---|
| Description | Determines which OneDrive accounts are scanned | Determines whether a specific file is searchable and scannable by DLP |
| Impact on alerts | Files outside scope are never scanned | Unindexed files are skipped entirely |
| Configuration location | Microsoft Purview > DLP > Policies > Locations | Automatic; no direct user setting |
| Typical fix | Add missing users or select All users | Re-save file or decrypt and re-upload |
| Latency | Changes take effect within 1 hour | Indexing can take up to 24 hours |
Finance reviewers should check both scope and indexing when alerts are missing. A file can be in scope but unindexed, or indexed but out of scope. Only when both conditions are met will a DLP alert be generated.
You can now systematically diagnose missing DLP alerts for OneDrive files by verifying policy scope, sensitive information types, and file indexing status. Next, test the policy with a known sensitive file to confirm the fix works. For ongoing monitoring, enable DLP alert reporting in Microsoft Purview and set up weekly reviews of alert history.