OneDrive for Business DLP alerts block legitimate uploads for legal discovery: Fix Guide

When your organization uses Data Loss Prevention policies in Microsoft 365, OneDrive for Business may block file uploads that are required for legal discovery. This happens when DLP rules misidentify privileged legal documents as sensitive or restricted content. The blockage can stop attorneys, paralegals, and compliance officers from uploading discovery materials to shared OneDrive folders. This guide explains why DLP policies interfere with legal uploads and provides the steps to resolve false positive blocks without weakening security.

Key Takeaways: Fix DLP Blocks on Legal Discovery Uploads

  • Microsoft Purview compliance portal > Data Loss Prevention > Policies: Locate the specific DLP policy causing the block and review its rules and conditions.
  • Policy rule > Conditions > Content contains: Adjust sensitive info types or add exceptions for legal discovery document patterns.
  • Policy rule > Actions > Block access: Change the action to audit-only or add a user override option for legal hold scenarios.


Why DLP Policies Block OneDrive Uploads for Legal Discovery

Data Loss Prevention policies scan files in OneDrive for Business for sensitive information such as credit card numbers, passport IDs, or confidential legal terms. When a DLP policy matches a pattern it considers restricted, it can block the upload, send an alert, or restrict sharing. Legal discovery documents often contain personally identifiable information, medical records, or financial data that trigger these policies. Microsoft 365 treats these matches as violations unless the policy includes specific exceptions for legal hold or discovery workflows. The result is a false positive that prevents authorized users from uploading legitimate files.

How DLP Scanning Works in OneDrive

DLP policies apply to files stored in OneDrive, SharePoint, and Teams. Each policy defines conditions based on sensitive info types, document fingerprints, or custom keywords. When a user uploads a file, the policy runs a content scan. If the file matches a condition, the policy applies the action defined — block, notify, or audit. For legal discovery, the default sensitive info types for U.S. Social Security numbers, bank account numbers, and medical records are common triggers. Policies set to block will prevent the upload entirely, and the user sees an error message or a notification that the file cannot be saved.

Why Legal Discovery Files Are Misidentified

Legal discovery materials often contain personal data from clients, witnesses, or employees. A deposition transcript may include Social Security numbers. A medical record release form includes health information. A financial disclosure document includes bank account numbers. DLP policies cannot distinguish between a malicious data exfiltration attempt and a legitimate legal upload. Without an exception rule, the policy treats both the same way.

Steps to Fix DLP False Positives for Legal Discovery Uploads

You must have the Information Protection Administrator role or the Compliance Administrator role in Microsoft 365 to modify DLP policies. Follow these steps to identify the policy causing the block and create an exception for legal discovery.

  1. Identify the DLP policy that triggered the alert
    Open the Microsoft Purview compliance portal at compliance.microsoft.com. Go to Data Loss Prevention > Alerts. Find the alert that matches the blocked upload time and user. Click the alert to view the policy name and rule details. Write down the policy name.
  2. Review the policy rules and conditions
    In the left navigation, go to Policies. Select the policy from step 1. On the policy details page, click Edit policy. Review each rule under Rules. Look for the condition Content contains sensitive info types. This is the most common condition that triggers a false positive.
  3. Add an exception for legal discovery documents
    In the policy editor, select the rule that caused the block. Under Conditions, click Add condition. Choose Except when content contains any of these sensitive info types. Add a custom sensitive info type for legal discovery documents if one exists, or add a condition that excludes files with specific keywords like “Privileged and Confidential” or “Discovery Production.” Click Save.
  4. Change the action from block to audit or allow override
    If you cannot add an exception, change the action for the rule. Under Actions, select Restrict access or encrypt the content. Change the setting from Block access to Notify users with guidance and allow them to override. This lets users upload the file and provide a business justification. Click Save.
  5. Test the policy change with a sample legal document
    Ask the affected user to upload the same file again. Monitor the DLP Alerts page for new alerts. The file should upload without a block. If an alert appears, review the rule and exception logic again.

Create a Custom Sensitive Info Type for Legal Documents

If your organization handles legal discovery regularly, create a custom sensitive info type that identifies privileged legal content. This reduces false positives without changing the main DLP policy.

  1. Go to Data Loss Prevention > Sensitive info types
    In the Microsoft Purview compliance portal, expand Classification and select Sensitive info types. Click Create sensitive info type.
  2. Define the pattern for legal discovery documents
    Give the type a name like “Legal Discovery Document.” Add a primary element: a regular expression for keywords such as “Privileged and Confidential,” “Attorney Work Product,” “Discovery Response,” or “Legal Hold.” Set the confidence level to High.
  3. Add supporting elements to reduce false matches
    Add a supporting element that checks for a date pattern or a case number format. This ensures the type only matches documents with legal metadata.
  4. Publish the sensitive info type
    Click Create. After the type is published, return to your DLP policy and add an exception that excludes files matching this custom type.
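
An added example, not from the original guide or from Microsoft: Python that applies the primary keyword regex from step 2 and requires a supporting element from step 3 within a character window, so sample documents can be checked locally before the type is published. The case-number and date formats, the 300-character window, and the sample texts are assumptions constructed for illustration.

```python
import re

# Primary element (step 2): the privilege/discovery keywords named in the guide.
PRIMARY = re.compile(
    r"\b(Privileged\s+and\s+Confidential|Attorney\s+Work\s+Product|"
    r"Discovery\s+Response|Legal\s+Hold)\b",
    re.IGNORECASE,
)

# Supporting elements (step 3). Both formats are assumptions for this example:
# a US federal-style docket number (1:23-cv-04567) and an ISO or US-style date.
SUPPORTING = {
    "case_number": re.compile(r"\b\d{1,2}:\d{2}-(?:cv|cr|mc)-\d{3,6}\b", re.I),
    "date": re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{4})\b"),
}

PROXIMITY = 300  # assumed window: characters either side of the primary match


def classify(text, proximity=PROXIMITY):
    """Return primary keyword hits that have supporting evidence nearby.

    A keyword with no supporting element inside the window is dropped, so the
    phrase alone is not enough to classify a file as discovery material.
    """
    hits = []
    for m in PRIMARY.finditer(text):
        lo = max(0, m.start() - proximity)
        window = text[lo:m.end() + proximity]
        evidence = sorted(k for k, rx in SUPPORTING.items() if rx.search(window))
        if evidence:
            hits.append({"keyword": m.group(1), "offset": m.start(),
                         "evidence": evidence})
    return hits


# Constructed sample texts (not real data).
DEPOSITION = (
    "PRIVILEGED AND CONFIDENTIAL\n"
    "Case No. 1:23-cv-04567, deposition taken 2024-03-18.\n"
    "Witness stated her SSN ends in 6789.\n"
)
HR_MEMO = "Treat payroll exports as privileged and confidential. SSN list attached."
FAR_AWAY = "Legal Hold notice. " + "x" * 400 + " Filed 2024-03-18."

if __name__ == "__main__":
    for name, doc in [("deposition", DEPOSITION), ("hr_memo", HR_MEMO),
                      ("far_away", FAR_AWAY)]:
        print(name, classify(doc))
```

The HR memo case shows why the supporting element matters: an exception keyed on the phrase alone would exempt any file that contains it. Purview's regex engine is not Python's `re`, so re-validate the final patterns in Purview before relying on them.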


If DLP Alerts Still Block Legal Uploads After Policy Changes

OneDrive Reports “This file can’t be uploaded due to your organization’s policies”

This error appears when the DLP policy is set to block and no exception applies. Verify that the policy change saved correctly. Go to the policy and click Test or simulate if available. Use the simulation to confirm the file would pass. If the simulation shows a block, recheck the exception condition. Ensure the custom sensitive info type is published and selected in the exception.

DLP Policy Applies to Multiple Sites and Libraries

If your DLP policy covers all OneDrive accounts, you cannot easily exclude a single user. Instead, create a second DLP policy with a lower priority that applies only to users in the legal department. Set this policy to audit-only. Place it below the main policy in the priority order. Microsoft 365 evaluates policies from highest priority to lowest. The audit-only policy will not block uploads for legal users.

Users Cannot Override the Block Even with Justification

If you changed the action to notify with override, but the user still cannot upload, check the policy rule for additional conditions. Some policies include a condition for file size or file type. Legal discovery files may be large PDFs or TIFF images. If the policy blocks files over 10 MB, increase the limit or remove the condition. Also verify that the user has the correct license. DLP overrides require an E5 or Compliance add-on license.

Block Action vs Override vs Audit: DLP Policy Options for Legal Discovery

| Item | Block Access | Notify with Override | Audit Only |
| --- | --- | --- | --- |
| Description | Prevents upload or sharing of the file entirely | Shows a warning and allows the user to override with a business reason | Logs the match but does not block the upload |
| Best for legal discovery | Not recommended — stops all legitimate uploads | Good — gives users a way to proceed with justification | Best — no disruption but requires monitoring of alerts |
| User experience | Error message; file is not saved | Policy tip appears; user clicks override and types a reason | No visible change; file uploads normally |
| Compliance risk | Low — no data leaves the tenant | Medium — user can bypass the policy | Medium — data leaves but is logged |

For legal discovery, the audit-only option provides the least friction while still recording matches for review. Use notify with override if your compliance team requires a documented justification for each upload. Avoid the block action for any policy that applies to legal users.

You can now identify which DLP policy is blocking legal discovery uploads and apply an exception or change the action to allow the upload. Next, test the policy change with a sample document from the legal team. For ongoing management, create a dedicated DLP policy for legal users with audit-only enforcement. This keeps your security posture intact while allowing authorized legal workflows to proceed without interruption.
