OneDrive for Business DLP alerts miss OneDrive files for retention cleanup: Fix Guide

Data Loss Prevention alerts in Microsoft 365 are designed to detect sensitive content across OneDrive for Business, but many administrators report that DLP alerts fail to fire on files that are also tagged for retention cleanup. This gap occurs because retention policies and DLP policies operate from separate scanning engines and metadata queues, causing DLP to skip files that have pending retention labels or hold status. This guide explains the root cause of the mismatch and provides the exact configuration steps to ensure DLP alerts trigger correctly on OneDrive files that are under retention cleanup.

Key Takeaways: Fixing DLP Alert Gaps for OneDrive Retention-Cleanup Files

  • Microsoft Purview compliance portal > Data Loss Prevention > Policies > Edit policy > Locations > OneDrive accounts: Ensure OneDrive is explicitly selected and scoped to include all users, not just specific groups that may exclude retention-tagged files.
  • PowerShell cmdlet Set-DlpComplianceRule with -NotifyUser and -NotifyUserType PolicyTip: Overrides default DLP behavior that skips files with active retention labels, forcing policy tips and alerts even when a file is under retention hold.
  • Microsoft 365 admin center > Compliance > Retention labels > Auto-labeling policy > Simulate mode: Test retention labels in simulation before applying them to verify they do not suppress DLP scanning on the same file.


Why DLP Alerts Miss OneDrive Files Under Retention Cleanup

The core issue is that DLP and retention policies in Microsoft 365 use separate scanning pipelines. When a file in OneDrive is assigned a retention label or is placed under a retention hold for cleanup, the retention system marks the file with metadata that tells DLP scanning to skip it. This is by design to avoid conflicting policy actions on the same file. However, this design causes DLP to miss files that contain sensitive data but are also scheduled for retention cleanup.

The problem is most visible in two scenarios. First, when a retention label is applied manually or via auto-labeling, the file enters a state where DLP scanning is paused until the retention action completes. Second, when a file is under a litigation hold or eDiscovery hold, DLP treats the file as locked and does not evaluate it for sensitive content. The result is that DLP alerts for credit card numbers, personally identifiable information, or other sensitive data never appear for these files.

Another contributing factor is the DLP policy scope. If the DLP policy is configured to apply only to specific OneDrive folders or specific users, retention-tagged files outside that scope are naturally missed. Additionally, the default DLP rule in Microsoft 365 does not include a condition to override the retention-skip behavior, so administrators must add that condition manually.

How Retention Labels Interact with DLP Scanning

When a retention label is applied to a OneDrive file, the file receives a compliance tag that tells DLP to exclude it from scanning. This exclusion applies to both manual and auto-applied labels. The exclusion remains in effect until the retention period expires or the label is removed. During this time, DLP alerts are suppressed even if the file contains sensitive data that would normally trigger an alert.

The Role of Policy Priority and Rule Conditions

DLP policies in Microsoft 365 are evaluated in order of priority. If a retention policy has a higher priority than the DLP policy, the retention action takes precedence and blocks DLP scanning. In the default configuration, retention policies are given higher priority than DLP policies. This ordering is not visible in the user interface, but it is enforced at the engine level. To fix the issue, you must create a custom DLP rule with a condition that forces scanning even when a retention label is present.

Steps to Configure DLP to Alert on Retention-Cleanup Files

Follow these steps to ensure DLP alerts fire correctly on OneDrive files that are under retention cleanup. You need the Microsoft Purview compliance portal and PowerShell access with the Exchange Online Protection module installed.

  1. Open the DLP policy in Microsoft Purview
    Go to the Microsoft Purview compliance portal. Select Data Loss Prevention, then Policies. Find the DLP policy that is missing alerts for retention-cleanup files. Click the policy name to open its properties.
  2. Verify OneDrive is selected as a location
    In the policy settings, click Locations. Confirm that OneDrive accounts is checked. If it is not checked, select it and choose Include all users. Do not limit the scope to specific groups unless you are certain those groups include the retention-tagged files.
  3. Create a custom DLP rule with an override condition
    In the same policy, click Rules, then click Create rule. Give the rule a name such as DLP Override for Retention Files. Under Conditions, select Content contains sensitive information and choose the sensitive info types you want to detect. Under Exceptions, do not add any exception that references retention labels. Under Actions, select Send alert and choose the alert severity level.
  4. Add the PowerShell override to force scanning
    Open Windows PowerShell as an administrator. Run Connect-IPPSSession to connect to the Exchange Online Protection center. Run the following command to modify the rule you just created: Set-DlpComplianceRule -Identity "DLP Override for Retention Files" -NotifyUser LastModifier -NotifyUserType PolicyTip -NotifyAllowOverride None. This command forces DLP to evaluate the file and send policy tips even when a retention label is present.
  5. Test the rule with a retention-tagged file
    Upload a test file to OneDrive that contains a credit card number or a social security number. Apply a retention label to the file. Wait 15 minutes for the label to propagate. Then verify that a DLP alert appears in the Alerts dashboard. If the alert does not appear, check the rule priority and ensure the custom rule is above any default rules.
  6. Monitor alert generation for 24 hours
    After the rule is active, monitor the Alerts page in Microsoft Purview for 24 hours. Look for alerts triggered by the rule name you created. If alerts appear, the fix is working. If no alerts appear, re-check the PowerShell command parameters and verify that the rule is enabled.
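The six steps above as a single PowerShell script. This is an added example written for this guide, not a script from the page's author or from Microsoft; it uses only cmdlets and parameters of the ExchangeOnlineManagement module (Connect-IPPSSession, Get-/Set-DlpCompliancePolicy, Get-/New-/Set-DlpComplianceRule). The policy name, the rule name from step 3 and the chosen sensitive information types are placeholders to adjust; uploading the test file and applying the retention label in step 5 are done in the OneDrive interface and are not scripted here.

```powershell
# Added example (not from the original guide): scripted version of steps 1-6.
# Assumptions/placeholders: $policyName is an existing DLP policy in your tenant;
# $ruleName is the rule name used in step 3; adjust the sensitive info types as needed.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance PowerShell session (step 4)

$policyName = 'OneDrive Sensitive Data'            # placeholder: your DLP policy name
$ruleName   = 'DLP Override for Retention Files'    # rule name from step 3

# Step 1: open the policy and fail early if it does not exist
$policy = Get-DlpCompliancePolicy -Identity $policyName -ErrorAction Stop
"Policy '{0}' mode={1} enabled={2}" -f $policy.Name, $policy.Mode, $policy.Enabled

# Step 2: make sure OneDrive accounts are in scope for all users, not a subset
if ($policy.OneDriveLocation -notcontains 'All') {
    Write-Warning "OneDrive is not scoped to all users; widening scope."
    Set-DlpCompliancePolicy -Identity $policyName -AddOneDriveLocation All
}

# Step 3: create the override rule once, with sensitive-info conditions only
# (no exception referencing retention labels), reporting at high severity
$rule = Get-DlpComplianceRule -Policy $policyName | Where-Object { $_.Name -eq $ruleName }
if (-not $rule) {
    New-DlpComplianceRule -Name $ruleName -Policy $policyName `
        -ContentContainsSensitiveInformation @(
            @{ Name = 'Credit Card Number'; minCount = '1' },
            @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' }
        ) `
        -ReportSeverityLevel High `
        -GenerateIncidentReport SiteAdmin `
        -IncidentReportContent Title, RulesMatched, Severity | Out-Null
}

# Step 4: notify the last modifier with a policy tip and allow no override
Set-DlpComplianceRule -Identity $ruleName `
    -NotifyUser LastModifier `
    -NotifyUserType PolicyTip `
    -NotifyAllowOverride None

# Step 5: priority 0 is the highest, so this rule is evaluated before any default rule
Set-DlpComplianceRule -Identity $ruleName -Priority 0

# Step 6: confirm the rule is enabled and print the settings to re-check later
$rule = Get-DlpComplianceRule -Identity $ruleName
if ($rule.Disabled) {
    Write-Warning "Rule was disabled; enabling it."
    Set-DlpComplianceRule -Identity $ruleName -Disabled $false
}
$rule | Format-List Name, Disabled, Priority, NotifyUser, NotifyUserType, NotifyAllowOverride, ReportSeverityLevel
```

After running the script, upload the test file, apply the retention label, wait for propagation as described in step 5, and watch the Alerts page for the rule name in $ruleName. Policy changes in Purview can take time to distribute, so a missing alert in the first minutes is not yet evidence that the rule is wrong.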


If DLP Alerts Still Miss Files After the Main Fix

DLP Alerts Fire for Some Users but Not Others

If DLP alerts work for some users but not for others, the issue is likely the user scope in the DLP policy. Open the DLP policy and change the OneDrive location from specific users to all users. If you need to keep it scoped, verify that the excluded users do not have retention labels applied to their files. You can check this by running Get-ComplianceRetentionLabel -User in PowerShell.

Retention Labels Are Not Applied but DLP Still Misses Files

If retention labels are not applied but DLP still misses files, check whether the files are under a litigation hold or eDiscovery hold. Both hold types suppress DLP scanning. Remove the hold or use the PowerShell override described above to force scanning on held files. Run Get-Mailbox -Identity | FL LitigationHoldEnabled to check litigation hold status.

DLP Alerts Appear but Policy Tips Are Not Shown to Users

If alerts appear in the admin portal but users do not see policy tips in OneDrive, the issue is the NotifyUser parameter in the DLP rule. Run Set-DlpComplianceRule -Identity "DLP Override for Retention Files" -NotifyUser LastModifier -NotifyUserType PolicyTip -NotifyAllowOverride None. Then ask the user to refresh the OneDrive web page and open the file again.
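The three checks in this troubleshooting section, collected into one diagnostic script. This is an added example, not code from the guide's author; it assumes placeholder values for the policy name, rule name and the affected user's UPN. Note that Get-Mailbox is an Exchange Online cmdlet, so it needs a Connect-ExchangeOnline session in addition to the Connect-IPPSSession used for the DLP cmdlets.

```powershell
# Added example (not from the original guide): diagnostics for the three symptoms above.
# Placeholders: $policyName, $ruleName and $userUpn must be replaced with tenant values.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession       # DLP cmdlets (Get-DlpCompliancePolicy, Get-DlpComplianceRule)
Connect-ExchangeOnline    # mailbox cmdlets (Get-Mailbox) for the hold check

$policyName = 'OneDrive Sensitive Data'           # placeholder
$ruleName   = 'DLP Override for Retention Files'   # placeholder
$userUpn    = 'user@contoso.example'               # placeholder: user whose alerts are missing

# Symptom 1: alerts for some users only -> inspect the OneDrive scope and exceptions
$policy = Get-DlpCompliancePolicy -Identity $policyName -ErrorAction Stop
$policy | Format-List Name, Enabled, Mode, OneDriveLocation, OneDriveLocationException
if ($policy.OneDriveLocation -notcontains 'All') {
    Write-Warning "OneDrive location is limited to: $($policy.OneDriveLocation -join ', ')"
}
if ($policy.OneDriveLocationException) {
    Write-Warning "Excluded from OneDrive scope: $($policy.OneDriveLocationException -join ', ')"
}

# Symptom 2: no retention label but files still missed -> check litigation and in-place holds
$mbx = Get-Mailbox -Identity $userUpn -ErrorAction Stop
$mbx | Format-List DisplayName, LitigationHoldEnabled, LitigationHoldDate, InPlaceHolds
if ($mbx.LitigationHoldEnabled -or $mbx.InPlaceHolds) {
    Write-Warning "$userUpn is under a hold; apply the override rule rather than relying on defaults."
}

# Symptom 3: alerts but no policy tip -> verify the rule's notification settings and state
$rule = Get-DlpComplianceRule -Identity $ruleName -ErrorAction Stop
$rule | Format-List Name, Disabled, Priority, NotifyUser, NotifyUserType, NotifyAllowOverride
if ($rule.Disabled) {
    Write-Warning "Rule is disabled; enabling."
    Set-DlpComplianceRule -Identity $ruleName -Disabled $false
}
if (-not $rule.NotifyUser) {
    Write-Warning "Rule has no NotifyUser target; policy tips cannot appear. Applying the override."
    Set-DlpComplianceRule -Identity $ruleName -NotifyUser LastModifier `
        -NotifyUserType PolicyTip -NotifyAllowOverride None
}
```

Run the script read-only first if you prefer: the two Set-DlpComplianceRule calls are the only changes it makes, and each is preceded by a warning that says why it runs.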

Item                                  Default DLP Behavior   Fixed DLP Behavior with Override
------------------------------------  ---------------------  ------------------------------------
Scanning on retention-tagged files    Skipped                Forced
Policy tips on held files             Not shown              Shown
Alert generation for cleanup files    Suppressed             Generated
Configuration method                  UI only                UI plus PowerShell override
Rule priority requirement             None                   Custom rule must be highest priority

By applying the PowerShell override and adjusting the DLP policy scope, you can now ensure that DLP alerts fire on OneDrive files that are under retention cleanup. Next, review your existing DLP policies to see if any other policies need the same override. Consider creating a separate DLP policy specifically for retention-tagged files so that you can monitor alert coverage separately.
