OneDrive for Business DLP alerts miss OneDrive files for external sharing audits: Fix Guide

Your organization uses Microsoft 365 Data Loss Prevention policies to audit external sharing of OneDrive files. But DLP alerts are not triggering for files shared externally from OneDrive for Business. This leaves your compliance team blind to sensitive data leaving your tenant.

The root cause is usually a misconfigured DLP rule scope or an incomplete audit log setup. DLP policies must target the correct workload and locations, and the audit log must be enabled for OneDrive sharing events. Without these settings, DLP cannot detect external sharing activities.

This article explains why DLP alerts miss OneDrive external sharing events and provides step-by-step fixes to configure DLP policies, enable audit logging, and verify that alerts fire correctly.

Key Takeaways: Fixing DLP Alerts for OneDrive External Sharing

  • Microsoft 365 Defender > DLP policies > Policy scope > Locations: Must include OneDrive sites and select all users or specific groups to monitor external sharing.
  • Microsoft 365 Defender > Audit log > Audit (Premium): Must be enabled for OneDrive sharing events like SharingAdded and SharingRevoked.
  • DLP rule > Conditions > Content is shared with: Set to “People outside my organization” to trigger alerts on external sharing specifically.


Why DLP Alerts Miss OneDrive External Sharing Events

Data Loss Prevention policies in Microsoft 365 scan content based on the locations and conditions you define. When a DLP policy does not include OneDrive sites as a location, or when the condition for external sharing is not set, the policy ignores all OneDrive sharing activities. Another common cause is that the Microsoft 365 audit log is not enabled for OneDrive events. DLP relies on the audit log to detect sharing actions such as adding an external user or sharing a link. If audit logging is turned off or set to a lower tier that does not capture sharing events, DLP alerts will not fire.

Additionally, DLP policies can be scoped to specific users or groups. If the user who shared the file is not covered by the policy, the alert is not generated. Finally, the DLP rule must include the condition “Content is shared with” and set it to “People outside my organization” to specifically target external sharing. Without this condition, the rule might only scan file content without regard to sharing permissions.

Steps to Configure DLP Policies for OneDrive External Sharing Audits

Method 1: Create or Edit a DLP Policy for OneDrive

  1. Open the Microsoft 365 Defender portal
    Go to https://security.microsoft.com and sign in with an account that has the Compliance Administrator or Security Administrator role.
  2. Navigate to DLP policies
    Select Data Loss Prevention from the left navigation, then choose Policies.
  3. Create a new policy or edit an existing one
    Click + Create policy to start a new policy, or click an existing policy name to edit it.
  4. Select the policy template or custom option
    Choose Custom if you want full control, or select a template like Financial data or Personal data and then click Next.
  5. Name the policy and set the scope
    Enter a name such as “OneDrive External Sharing Audit” and a description. Under Choose where to apply this policy, ensure OneDrive sites is selected. Also select Users and Groups if you want to cover all users or specific groups. Click Next.
  6. Define the policy rule
    Under Rules, click + Create rule. Give the rule a name like “External Sharing Alert.”
  7. Set conditions for external sharing
    In the Conditions section, click + Add condition and select Content is shared with. Then choose People outside my organization from the dropdown. You can also add other conditions like Content contains sensitive info types.
  8. Configure the action and alert
    Under Actions, select Restrict access or encrypt the content if you want to block sharing. Under User notifications, enable email notifications to the user. Under Incident reports, check Send an alert to the admin and enter the admin email. Set the alert severity to High or Medium.
  9. Review and finish
    Click Next through the remaining pages, review the settings, and click Submit.

Method 2: Enable Audit Logging for OneDrive Sharing Events

  1. Open the Microsoft 365 Purview compliance portal
    Go to https://compliance.microsoft.com and sign in with a Compliance Administrator role.
  2. Check audit log status
    In the left navigation, select Audit. If the audit log is not enabled, you will see a banner saying “Start recording user and admin activity.” Click Start recording. This enables audit logging for all Microsoft 365 services including OneDrive.
  3. Verify OneDrive sharing events are being captured
    In the Audit page, click Search. Set the Activities filter to Sharing and access requests and select SharingAdded, SharingRevoked, and Anonymous link created. Set a date range and click Search. If results appear, audit logging is working for OneDrive sharing.
  4. Enable Audit (Premium) for advanced events
    If you need detailed events like link-level sharing, go to Audit > Audit (Premium) and enable it. This provides richer data for DLP alerts.

Method 3: Verify DLP Policy Scope Covers All Users

  1. Open the DLP policy you created or edited
    Go to Data Loss Prevention > Policies and click the policy name.
  2. Check the locations tab
    Click Edit next to Locations. Ensure OneDrive sites is toggled to On. Under Choose distribution groups, select All users or specific groups that include the users who share files externally.
  3. Save the changes
    Click Save and then Close.
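The checks in Method 1 and Method 3 can also be run from Security & Compliance PowerShell instead of the portal. The script below is an added example, not part of this article; it assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds the Compliance Administrator role, and that the policy is named “OneDrive External Sharing Audit” as in Method 1. Property names follow the New-DlpComplianceRule parameters, where AccessScope NotInOrganization is the PowerShell form of “Content is shared with People outside my organization”.

```powershell
# Added example: verify a DLP policy's OneDrive scope, mode and external-sharing rule.
# Assumes ExchangeOnlineManagement is installed and Connect-IPPSSession prompts interactively.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$policyName = "OneDrive External Sharing Audit"   # name used in Method 1, step 5
$policy = Get-DlpCompliancePolicy -Identity $policyName

# Location check (Method 3, step 2): OneDriveLocation must be "All" or a list of accounts.
if (-not $policy.OneDriveLocation) {
    Write-Warning "Policy '$policyName' does not include OneDrive sites; alerts will not fire."
} else {
    Write-Host "OneDrive scope: $($policy.OneDriveLocation -join ', ')"
}

# Mode check: anything other than Enable is test mode or disabled, so no alerts are sent.
if ($policy.Mode -ne "Enable") {
    Write-Warning "Policy mode is '$($policy.Mode)'; set it to 'Turn on the policy immediately'."
}

# Rule check (Method 1, steps 7-8): external-sharing condition and admin incident report.
$rules = Get-DlpComplianceRule -Policy $policyName
foreach ($rule in $rules) {
    [pscustomobject]@{
        Rule              = $rule.Name
        AccessScope       = $rule.AccessScope                       # expect NotInOrganization
        ExternalSharingOk = ($rule.AccessScope -eq "NotInOrganization")
        IncidentReportTo  = ($rule.GenerateIncidentReport -join ', ')  # "Send an alert to the admin"
        AdminAlertOk      = [bool]$rule.GenerateIncidentReport
        Severity          = $rule.ReportSeverityLevel
    }
}
```

A rule that shows ExternalSharingOk or AdminAlertOk as False is the usual reason the portal shows audit events but no DLP alert.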


If DLP Alerts Still Do Not Fire for OneDrive External Sharing

OneDrive sharing events are not appearing in the audit log

If audit log search returns no OneDrive sharing events, the audit log may be disabled or the user performing the sharing may not be licensed. Verify that the user has an appropriate Microsoft 365 license that includes audit logging. Also confirm that the audit log is enabled at the tenant level. If you recently enabled it, wait up to 24 hours for events to appear.

DLP policy shows no alerts even though audit events exist

The DLP rule might not have the correct condition for external sharing. Open the rule and verify that Content is shared with is set to People outside my organization. Also check that the policy is not in test mode. Go to the policy settings and ensure the mode is set to Turn on the policy immediately.

External sharing alerts are generated but not sent to the admin

Check the incident report settings in the DLP rule. Under Send an alert to the admin, confirm that the correct email address is entered. Also verify that the alert severity is set to a level that triggers notifications. If the admin mailbox has a spam filter, check the junk folder.

DLP Policy Settings vs Audit Log Settings for OneDrive External Sharing

| Item | DLP Policy Settings | Audit Log Settings |
|---|---|---|
| Purpose | Detect and act on sensitive data shared externally | Record all sharing events for compliance review |
| Required configuration | Policy must include OneDrive sites and set the condition “Content is shared with People outside my organization” | Audit log must be enabled, plus Audit (Premium) for advanced events |
| Alert delivery | Sends email to admin and generates an incident in Microsoft 365 Defender | Events appear in audit log search; no automatic alert |
| Coverage | Applies to users and groups defined in policy scope | Applies to all licensed users in the tenant |
| Time to effect | Changes apply within minutes after saving | Events appear within 30 minutes to 24 hours |

DLP policies and audit logs work together. DLP uses audit events to trigger alerts. If audit logging is not capturing sharing events, DLP cannot detect them. Ensure both are configured correctly.

After applying the fixes above, test by sharing a file from OneDrive to an external email address. Within minutes, a DLP alert should appear in the Microsoft 365 Defender portal under Incidents. You can also run an audit log search for the sharing event to confirm it was recorded.
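The audit log search from Method 2, step 3 and the confirmation step just described can be scripted from Exchange Online PowerShell. This is an added example, not part of the original article; it assumes the ExchangeOnlineManagement module is installed and uses the operation names as the unified audit log records them (SharingSet, SharingInvitationCreated, AnonymousLinkCreated and so on), which differ from the friendly names shown in the portal's Activities filter.

```powershell
# Added example: list OneDrive sharing events from the last 7 days whose recipient is
# outside the tenant (a guest user or an anonymous link). Assumes Connect-ExchangeOnline
# prompts interactively; Search-UnifiedAuditLog runs in the Exchange Online session.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Tenant-level switch that the "Start recording user and admin activity" banner turns on.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log ingestion is disabled; sharing events are not being recorded."
}

$ops = @("SharingSet", "SharingInvitationCreated", "AnonymousLinkCreated",
         "SecureLinkCreated", "AddedToSecureLink", "SharingRevoked")
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -RecordType SharePointSharingOperation -Operations $ops -ResultSize 5000

$external = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json          # per-event details are a JSON string
    if ($d.Workload -ne "OneDrive") { continue }  # skip SharePoint site events
    # TargetUserOrGroupType is "Guest" for external recipients; anonymous links have no target.
    $isExternal = ($d.TargetUserOrGroupType -eq "Guest") -or ($d.Operation -like "Anonymous*")
    if (-not $isExternal) { continue }
    [pscustomobject]@{
        Time      = $d.CreationTime
        Operation = $d.Operation
        SharedBy  = $d.UserId
        SharedTo  = $d.TargetUserOrGroupName
        File      = $d.ObjectId
    }
}

if (-not $external) {
    Write-Host "No external OneDrive sharing events found; allow up to 24 hours after enabling auditing."
} else {
    $external | Sort-Object Time | Format-Table -AutoSize
}
```

If the test share you performed appears here but no incident is listed in Microsoft 365 Defender, the gap is on the DLP policy side (scope, mode or the shared-with condition), not in audit logging.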

For ongoing monitoring, create a DLP alert policy in Microsoft 365 Defender that triggers an automated investigation. This reduces manual checks and helps your security team respond faster to external sharing of sensitive data.
