OneDrive for Business DLP alerts block legitimate uploads for HR investigations: Fix Guide

When HR teams upload sensitive investigation documents to OneDrive, Microsoft Purview Data Loss Prevention policies may block the upload or generate false positive alerts. This happens because DLP rules scan file content for patterns like Social Security numbers, bank account numbers, or confidential keywords — patterns that are common in HR case files. The result is a blocked upload, a policy tip notification, or an alert sent to the compliance team, even though the upload is fully authorized.

This article explains why DLP blocks legitimate HR uploads and provides three methods to fix the problem: creating a DLP policy override for the HR site, using a priority action to exempt specific users, and configuring a file-level exception with sensitive info type exclusions.

Key Takeaways: Fixing False Positive DLP Alerts for HR Uploads

  • Microsoft Purview compliance portal > Data Loss Prevention > Policies: Create a policy override for the HR site’s SharePoint document library to exclude it from scanning.
  • Exchange admin center > Mail flow > Rules: Add a priority action to exempt HR investigation team members from DLP policy enforcement during uploads.
  • DLP policy > Advanced DLP rules > Conditions > Content contains: Add a file-level exception by excluding specific sensitive info types that trigger false alerts.


Why DLP Blocks Legitimate HR Investigation Uploads

Microsoft Purview DLP policies inspect file content in OneDrive, SharePoint, and Exchange. When a file contains data that matches a built-in or custom sensitive info type, the policy can block the upload, send a policy tip, or generate an alert. HR investigation documents often include employee identifiers, salary figures, medical information, and disciplinary notes — all of which match multiple sensitive info types by default.

The root cause is that DLP policies are scoped broadly — they apply to all sites or all users in a tenant. Without site-level or user-level exclusions, every upload that contains a Social Security number, driver’s license number, or credit card number triggers a DLP action. HR teams performing authorized investigations have a legitimate business need to upload these documents, yet the policy treats them as policy violations.

A second contributing factor is the use of the default DLP policy template named U.S. Personally Identifiable Information (PII) Data. This template includes 14 sensitive info types, many of which overlap with HR document content. When the policy is set to block access or encrypt content, legitimate uploads fail with a policy tip that says “This file is blocked by your organization’s security policy.”

Three Methods to Fix DLP False Positives for HR Uploads

Choose the method that matches your administrative permissions and the scope of the problem. Method 1 requires SharePoint admin or global admin rights. Method 2 requires Exchange admin or compliance admin rights. Method 3 requires DLP policy editor rights in the Microsoft Purview compliance portal.

Method 1: Create a DLP Policy Override for the HR Site

This method excludes the entire HR document library from DLP scanning. Use this when the HR site is a dedicated SharePoint site for investigation files only.

  1. Open the Microsoft Purview compliance portal
    Go to https://compliance.microsoft.com and sign in with a global admin or compliance admin account.
  2. Navigate to Data Loss Prevention
    Select Data Loss Prevention from the left navigation, then choose Policies.
  3. Select the active DLP policy
    Click the policy name that is blocking the HR uploads. If you have multiple policies, identify the one with the highest priority that applies to SharePoint sites or OneDrive accounts.
  4. Edit the locations scope
    In the policy editor, go to Locations and click Edit. Under Choose locations, select SharePoint sites or OneDrive accounts. Click Choose sites or Choose accounts.
  5. Add the HR site as an exclusion
    Select Exclude specific sites and then click Add site. Enter the URL of the HR SharePoint site (for example, https://yourtenant.sharepoint.com/sites/HRInvestigations). Click Add.
  6. Save and apply the policy
    Click Next through the remaining pages, then click Submit. Wait 15 to 30 minutes for the change to propagate.
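The same site exclusion can be applied from Security & Compliance PowerShell, which is useful when several sites must be excluded or when you want a record of the change. This is an added example, not code from the article; it assumes the ExchangeOnlineManagement module is installed, the signed-in account holds the compliance admin rights named above, and the policy name, site URL and OneDrive URL are placeholders you replace with your own. Step 4 offers either SharePoint sites or OneDrive accounts, so both forms of exclusion are shown.

```powershell
# Added example (not from the original article): Method 1 done with the
# Set-DlpCompliancePolicy cmdlet. All names and URLs below are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName "compliance.admin@yourtenant.onmicrosoft.com"  # placeholder account

$PolicyName = "U.S. Personally Identifiable Information (PII) Data"      # placeholder: the blocking policy from step 3
$HrSiteUrl  = "https://yourtenant.sharepoint.com/sites/HRInvestigations"  # placeholder site URL from step 5

# Look at the policy before touching it: which locations it covers and what is already excluded.
Get-DlpCompliancePolicy -Identity $PolicyName |
    Format-List Name, Mode, Priority, SharePointLocation, SharePointLocationException,
                OneDriveLocation, OneDriveLocationException

# Step 5: add the dedicated HR site to the policy's SharePoint exclusion list.
# Everything else the policy covers keeps being scanned.
Set-DlpCompliancePolicy -Identity $PolicyName -AddSharePointLocationException $HrSiteUrl

# Variant for the "OneDrive accounts" choice in step 4: exclude one investigator's
# OneDrive instead of, or in addition to, the site. The personal-site URL is a placeholder.
$HrOneDriveUrl = "https://yourtenant-my.sharepoint.com/personal/hr_investigator_yourcompany_com"
Set-DlpCompliancePolicy -Identity $PolicyName -AddOneDriveLocationException $HrOneDriveUrl

# Step 6 equivalent: confirm the exclusions were recorded. SharePoint and OneDrive
# pick the change up after the 15 to 30 minute propagation window.
Get-DlpCompliancePolicy -Identity $PolicyName |
    Select-Object Name, SharePointLocationException, OneDriveLocationException
```

Excluding a site removes DLP scanning from it entirely, so this only fits a site that holds nothing but the investigation files; if other teams also store data there, prefer Method 2 or Method 3.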

Method 2: Use a Priority Action to Exempt Specific Users

This method keeps DLP scanning active for all users but allows specific HR team members to upload files without triggering alerts. Use this when you want to maintain DLP protection for other users.

  1. Open the Microsoft Purview compliance portal
    Go to https://compliance.microsoft.com and sign in with a compliance admin account.
  2. Navigate to Data Loss Prevention
    Select Data Loss Prevention from the left navigation, then choose Policies.
  3. Select the active DLP policy
    Click the policy name that is blocking the HR uploads.
  4. Edit the policy rules
    Under Policy settings, click Edit next to Rules. Find the rule that triggers the block (for example, “Block access to sensitive content”). Click the rule name to open it.
  5. Add a user exclusion condition
    In the rule editor, scroll to Conditions. Click Add condition and select Except if. Choose Sender is from the list. Enter the email addresses of the HR investigation team members (for example, hr.investigator@yourcompany.com).
  6. Set the action to allow
    Under Actions, change the action from Block to Allow or Notify only. This ensures that even if the file matches a sensitive info type, the upload proceeds and only a policy tip is shown.
  7. Save the rule and the policy
    Click Save to close the rule editor, then click Next through the remaining pages and click Submit.
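Steps 5 and 6 map onto two parameters of Set-DlpComplianceRule: a sender exception and the block/notify action. The block below is an added example, not the article's own code; it assumes an existing Connect-IPPSSession, and the rule name and the investigator addresses are placeholders.

```powershell
# Added example (not from the original article): Method 2 via Set-DlpComplianceRule.
# $RuleName and the addresses are placeholders; replace them with your own values.
$RuleName        = "Block access to sensitive content"   # placeholder: the rule found in step 4
$HrInvestigators = @("hr.investigator@yourcompany.com",  # placeholders for step 5
                     "hr.lead@yourcompany.com")

# Record the rule's current state so the change can be reviewed or reverted.
Get-DlpComplianceRule -Identity $RuleName |
    Format-List Name, Priority, BlockAccess, BlockAccessScope, NotifyUser,
                ExceptIfFrom, ContentContainsSensitiveInformation

# Step 5: "Except if sender is" becomes -ExceptIfFrom.
# Step 6: BlockAccess $false with NotifyUser set is the "Notify only" action: a matching
# upload still completes, the last modifier sees a policy tip, and a DLP event is still logged.
Set-DlpComplianceRule -Identity $RuleName `
    -ExceptIfFrom $HrInvestigators `
    -BlockAccess $false `
    -NotifyUser "LastModifier"

# Confirm the exception and the action after the change.
Get-DlpComplianceRule -Identity $RuleName |
    Select-Object Name, Priority, BlockAccess, NotifyUser, ExceptIfFrom
```

An "Except if" condition suppresses the whole rule when it matches, so the listed addresses bypass every sensitive info type that rule checks, not only the HR-related ones; keep the list short and tied to the investigation team. Sender conditions are evaluated against the person who sent or modified the content; if the rule editor for a policy scoped only to SharePoint and OneDrive does not offer a sender exception, fall back to the site or account exclusion in Method 1.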

Method 3: Configure a File-Level Exception with Sensitive Info Type Exclusions

This method keeps full DLP enforcement but excludes specific sensitive info types that are causing false positives. Use this when you know which data types (for example, Social Security numbers) are the cause of the block.

  1. Open the Microsoft Purview compliance portal
    Go to https://compliance.microsoft.com and sign in with a compliance admin account.
  2. Navigate to Data Loss Prevention
    Select Data Loss Prevention from the left navigation, then choose Policies.
  3. Select the active DLP policy
    Click the policy name that is blocking the HR uploads.
  4. Edit the rule that triggers the block
    Under Policy settings, click Edit next to Rules. Click the rule name that contains the block action.
  5. Add a content contains exception
    In the rule editor, scroll to Conditions. Click Add condition and select Except if. Choose Content contains sensitive info type. Click Add and select the sensitive info types that are causing false positives (for example, U.S. Social Security Number (SSN)). Click Add to confirm.
  6. Save the rule and the policy
    Click Save to close the rule editor, then click Next through the remaining pages and click Submit.
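The "Content contains sensitive info type" exception of step 5 takes the same hashtable shape as the rule's own condition. The block below is an added example, not code from the article; it assumes an existing Connect-IPPSSession and uses a placeholder rule name, with the U.S. SSN info type the article gives as its example.

```powershell
# Added example (not from the original article): Method 3 via Set-DlpComplianceRule.
# $RuleName is a placeholder; the info type name is the one the article cites.
$RuleName = "Block access to sensitive content"   # placeholder: the rule from step 4

# See which sensitive info types the rule currently matches on (name, minCount, maxCount ...).
(Get-DlpComplianceRule -Identity $RuleName).ContentContainsSensitiveInformation

# Info type names must match the catalog exactly; look them up rather than typing from memory.
Get-DlpSensitiveInformationType |
    Where-Object { $_.Name -like "*Social Security*" } |
    Select-Object Name, Id

# Step 5: the exception list. minCount is the optional instance threshold; "1" means a
# single SSN in the file is enough for the exception to apply.
$ExcludedInfoTypes = @(
    @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" }
)
Set-DlpComplianceRule -Identity $RuleName `
    -ExceptIfContentContainsSensitiveInformation $ExcludedInfoTypes

# Step 6 equivalent: verify the condition and the exception side by side.
Get-DlpComplianceRule -Identity $RuleName |
    Select-Object Name, ContentContainsSensitiveInformation, ExceptIfContentContainsSensitiveInformation
```

Because an exception suppresses the whole rule when it matches, a file that contains an SSN together with, say, a credit card number also passes, and it does so in every location the policy covers, not only the HR site. If that is wider than you want, remove the SSN entry from the rule's condition instead of adding it as an exception: the rule then ignores SSNs but still fires on the other info types in the same file.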


If DLP Alerts Still Block HR Uploads After the Fix

DLP Policy Tips Still Appear for Excluded Users

If you used Method 2 but policy tips still appear, check the rule priority. DLP policies process rules in order from highest priority (lowest number) to lowest priority (highest number). If a higher-priority rule does not have the user exclusion, it will still block the upload. Move the rule with the exclusion to a higher priority by editing the policy and dragging the rule to the top of the list.

Uploads Are Blocked on OneDrive Personal Accounts

Method 1 excludes only SharePoint sites, not OneDrive personal sites. If HR team members upload investigation files to their personal OneDrive, the DLP policy still applies. Use Method 2 to exempt the user accounts, or configure the DLP policy to exclude specific OneDrive accounts by following the same exclusion steps in Method 1 but selecting OneDrive accounts instead of SharePoint sites.

Third-Party DLP Solutions Also Block Uploads

If your organization uses a third-party DLP solution alongside Microsoft Purview, the third-party policy may be the cause. Check the third-party DLP console for policies that apply to SharePoint or OneDrive. Configure an exclusion for the HR site or user in that console separately.

Policy Override vs User Exemption vs Sensitive Info Type Exclusion: Key Differences

Item                      | Policy Override (Method 1)                                      | User Exemption (Method 2)                              | Info Type Exclusion (Method 3)
Scope                     | Entire SharePoint site or OneDrive account                      | Specific users or email addresses                      | Specific sensitive info types across all locations
Effect on DLP protection  | No DLP scanning on excluded site or account                     | DLP scanning remains active for non-exempt users       | DLP scanning remains active but skips excluded info types
Best for                  | Dedicated HR investigation site with no other sensitive data    | HR team members who need to upload to multiple sites   | When only one or two info types cause false positives
Propagation time          | 15 to 30 minutes                                                | 15 to 30 minutes                                       | 15 to 30 minutes
Admin permission required | Global admin or SharePoint admin                                | Compliance admin or global admin                       | Compliance admin or global admin

You can now configure a DLP policy override, user exemption, or sensitive info type exclusion to stop false positive alerts for HR investigation uploads. Test the fix by having an HR team member upload a sample file that previously triggered the block. For ongoing management, review DLP alert reports weekly in the Microsoft Purview compliance portal under Data Loss Prevention > Alerts. A final tip: use the Test mode in the DLP policy editor before switching to Enforce to confirm that exclusions work as expected.
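The checks this closing paragraph and the "DLP Policy Tips Still Appear for Excluded Users" section describe can be scripted so they run the same way every week: list the rules in priority order, put the policy in test mode before enforcing, and pull the recent detections. This is an added example, not the article's own code; it assumes an existing Connect-IPPSSession, placeholder policy and rule names, and that the Get-DlpDetailReport cmdlet is available in your tenant.

```powershell
# Added example (not from the original article): verifying the fix before enforcing it.
# $PolicyName and $ExceptionRule are placeholders for your own policy and rule.
$PolicyName    = "U.S. Personally Identifiable Information (PII) Data"   # placeholder
$ExceptionRule = "Block access to sensitive content"                     # placeholder: the rule carrying the exclusion

# 1. Rule order. Rules are evaluated from priority 0 upward, so any rule that sits above
#    the one with the exclusion and still blocks will fire first. List them and look.
Get-DlpComplianceRule -Policy $PolicyName |
    Sort-Object Priority |
    Format-Table Priority, Name, BlockAccess, NotifyUser -AutoSize

# Move the exclusion rule to the top of the list if it is not already there
# (the same thing as dragging it to the top in the policy editor).
Set-DlpComplianceRule -Identity $ExceptionRule -Priority 0

# 2. Test mode with policy tips: users see the tip, nothing is blocked, and matches are
#    still logged. Now have an HR team member re-upload the file that used to be blocked.
Set-DlpCompliancePolicy -Identity $PolicyName -Mode TestWithNotifications

# 3. Weekly review: detections for this policy over the last seven days. Rows that still
#    name the excluded site, account or info type show where the exclusion is not taking effect.
$Since = (Get-Date).AddDays(-7)
Get-DlpDetailReport -StartDate $Since -EndDate (Get-Date) -DlpCompliancePolicy $PolicyName |
    Select-Object Date, Source, Title, DlpComplianceRule, SensitiveInformationType, Actions |
    Sort-Object Date -Descending |
    Format-Table -AutoSize

# 4. Once the test run is clean, return the policy to enforcement.
Set-DlpCompliancePolicy -Identity $PolicyName -Mode Enable
```

Keep the policy in test mode only as long as the verification takes: while it is there, the block action is suspended for every user the policy covers, not just the HR team.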
