OneDrive for Business DLP alerts troubleshooting for HR investigations: block legitimate uploads

When an HR investigator uploads a sensitive employee file to OneDrive for Business, a Data Loss Prevention policy may match the file and, depending on the rule's configured action, restrict access to it, show a policy tip and raise a DLP alert that is a false positive. To the investigator this looks like a blocked upload. It happens because the rule matches sensitive information types such as Social Security numbers or bank account numbers that legitimately appear in HR documents. This article explains why DLP fires on legitimate HR uploads, how to trace the alert to the policy and rule that produced it, how to scope an exception for the investigators narrowly enough that coverage for everyone else is unchanged, and how to keep the remaining alerts useful.

Key Takeaways: Fix DLP False Positives for HR Uploads

  • Microsoft Purview portal > Data loss prevention > Alerts, then Policies: identify the policy and the rule within it that produced the alert, and review that rule's conditions (sensitive info types, confidence, instance count) and actions.
  • Activity explorer > filter by User and File path: confirm the exact file, user and matched sensitive info types before you change anything.
  • Policy Locations page > OneDrive accounts > Excluded users and groups, or, narrower, a rule exception (Document created by member of): exempt a dedicated HR investigators security group rather than individual accounts. Prefer the rule-level exception, because the policy's other rules then still apply to those users.


Why DLP Blocks Legitimate HR Uploads in OneDrive for Business

Data Loss Prevention policies in Microsoft 365 use content analysis to detect sensitive information types such as credit card numbers, Social Security numbers and passport numbers. When an HR investigator uploads a performance review, termination letter or benefits form, that file often contains one or more of these types. The DLP engine evaluates content and context conditions only; it has no notion of why a file was uploaded, so it cannot distinguish a data exfiltration attempt from a legitimate HR operation unless you configure an explicit exception.

DLP for OneDrive does not stop the upload itself. The file lands in the investigator's OneDrive, is evaluated asynchronously once it has been indexed, and the matching rule's configured action is then applied. For OneDrive that action is usually Restrict access (block everyone, or block only people outside the organization), often combined with a policy tip and an admin alert; the file owner, the last modifier and site administrators normally keep access. Whether a rule restricts access at all is a configuration choice, not a default. From the investigator's side the effect is the same: the file cannot be shared with or opened by the people who need it, and an alert lands with the compliance team. The root cause is not a bug but a missing exception for a trusted role: Microsoft 365 cannot infer an HR investigator's job role from account attributes alone.

Additionally, template policies such as U.S. Personally Identifiable Information (PII) Data ship with separate Low volume and High volume rules. The high volume rule matches when the instance count of a sensitive info type within a single item reaches its threshold (10 or more instances in the shipped templates), and it is typically the high volume rule that restricts access. A single spreadsheet with 100 employee Social Security numbers trips that threshold on its own, and HR investigators commonly upload exactly that kind of file.

Steps to Troubleshoot and Resolve DLP False Positives for HR Uploads

Follow these steps in order. You need the Compliance Administrator role (Compliance Data Administrator also suffices for policy edits); Global Administrator works too but is broader than the task needs.

  1. Identify the DLP policy and rule that triggered the alert
    Open the Microsoft Purview portal at https://compliance.microsoft.com (it now redirects to https://purview.microsoft.com). Go to Data loss prevention > Alerts. Find the alert for the restricted HR file and select it to open its details. Note both the policy name and the rule name; a policy usually contains several rules and only one of them produced this alert.
  2. Review the matched sensitive information types
    In the same alert details pane, scroll to the matched items. Expand the file entry to see which sensitive information types were detected, with their confidence level and instance count. Common matches for HR files include U.S. Social Security Number (SSN), ABA Routing Number and U.S. Bank Account Number. Note the exact sensitive info type and the count, because the count tells you whether a high volume rule is the one firing.
  3. Confirm the file is legitimate HR content
    Open Activity explorer in the portal. Filter by User and enter the HR investigator's account. Filter by File path and paste the full OneDrive path from the alert. Verify that the file name, location and matched types fit the expected HR investigation workflow. If the file is HR-related, proceed to create an exception. If it is not, treat the alert as a genuine detection and do not exempt anyone.
  4. Create a DLP exception for HR investigators
    Put all HR investigators in a dedicated security group (mail-enabled, so DLP can reference it) and exempt the group, not individual accounts. Then, in the portal, go to Data loss prevention > Policies, select the policy from step 1 and choose Edit policy. Two scopes are available. Rule level (preferred): on the rules page, edit the rule from step 1, open its Exceptions, add the exception Document created by member of and select the HR group; only this rule stops matching their files, and the policy's other rules still evaluate them. Policy level (broader): on the Locations page, next to OneDrive accounts, use Excluded users and groups to add the HR group; the entire policy then ignores those OneDrive accounts. Save the rule and the policy.
  5. Test the exception
    Ask the HR investigator to upload a copy of the same file to the same OneDrive folder (DLP re-evaluates on upload or edit). Policy changes can take up to an hour to propagate, and OneDrive evaluation is asynchronous, so allow time before concluding that it still fires. If the file is still restricted, verify that the user is a member of the group, that the exception was saved on the rule that actually restricts access, and that no other DLP policy matches the file.
  6. Reduce alert noise with the rule's incident report settings
    Severity is set per rule under Incident reports (Use this severity level in admin alerts and reports: Low, Medium or High). Lowering it changes how the alert is ranked in the alerts dashboard; it does not change the rule's action, so a rule that restricts access keeps doing so. Use it for notify-only rules that you want to keep scanning HR content for audit purposes without surfacing every match as a high-priority alert, and leave the exception in step 4 as the fix for the access restriction itself.


If DLP Alerts Still Appear After the Main Fix

Multiple DLP policies match the same upload

Your tenant may have more than one DLP policy that includes OneDrive accounts. An exception added to one policy's rule does not affect other policies. Use Activity explorer (filter on the file path and read the Policy and Rule columns) or the alert details to identify every policy that matched the file. From Security & Compliance PowerShell (Connect-IPPSSession, Compliance Administrator role) list the policies that actually target OneDrive; an empty OneDriveLocation means the policy does not apply there, and ExchangeLocation is irrelevant to this check:

Connect-IPPSSession
Get-DlpCompliancePolicy |
    Where-Object { $_.OneDriveLocation.Count -gt 0 } |
    Select-Object Name, Mode, OneDriveLocation, OneDriveLocationException

Add the HR investigator exclusion to each matching policy using the same steps described above.

DLP policy uses a custom sensitive info type that is too broad

If your organization created a custom sensitive information type for employee ID numbers or payroll codes, it may match on legitimate HR files, and often on much else. Open the custom type under Data classification > Classifiers > Sensitive info types and review its patterns and their confidence levels. Then, in the DLP rule condition that references it, raise the required confidence from Medium (75) to High (85) so that only matches with supporting evidence (keywords or checksum) count. Alternatively, add a rule exception for documents that carry an HR sensitivity label (Content contains sensitivity label) or whose name contains words such as "HR Investigation" (Document name contains words or phrases); of the two, the label is harder to forge than a file name.

The HR investigator is using a shared device or unmanaged computer

If the upload itself fails, so the file never appears in OneDrive at all, DLP is probably not the cause. DLP evaluates files after they land. A true upload block for a user on a personal or non-compliant device comes from Conditional Access (app enforced restrictions with the SharePoint "limited, web-only access" setting for unmanaged devices) or from a device compliance requirement, and those controls apply regardless of any DLP exception. Check the Conditional Access sign-in logs for the investigator's account and the SharePoint admin center's Access control > Unmanaged devices setting. The fix is to have the investigator work from a managed, compliant device; loosening the device policy for the whole tenant to unblock one HR case is the wrong trade.

DLP Policy Exclusion vs DLP Policy Override: Key Differences

Description
  Exclusion: the policy (or a single rule in it) does not evaluate content from the excluded users or groups at all; configured once by an admin.
  Override: the rule still matches and restricts access, but the user can lift the restriction on that item, with a business justification if the rule requires one.
Configuration location
  Exclusion: policy Locations page > OneDrive accounts > Excluded users and groups (whole policy), or rule > Exceptions > Document created by member of (one rule).
  Override: rule > User overrides > Allow overrides from M365 services, optionally with Require a business justification to override.
User interaction required
  Exclusion: none after configuration.
  Override: the user must open the policy tip on the item and choose to override, entering a justification when required.
Audit trail
  Exclusion: no DLP match event is generated for the excluded content, so those uploads disappear from DLP reporting entirely.
  Override: the match, the override and the justification are all logged and visible in Activity explorer.
Best for HR investigations
  Exclusion: yes, for a small, well-defined group whose daily work is handling this data; review the group's membership periodically, because membership now equals exemption.
  Override: no, as a standing arrangement: it adds friction to every upload and relies on self-asserted justifications. It is the right tool for a one-off upload by someone outside the HR group.

Use the exclusion method for HR investigators who handle sensitive files as part of their daily workflow. Use the override method for one-off scenarios where a non-HR employee needs to upload a sensitive file temporarily and you want that decision, and its justification, on record.

After configuring the exception, verify the fix by having the HR investigator upload a test document containing a synthetic value in the matched sensitive info type's format (for a Social Security number, a well-formed but fictitious value, never a real person's number). Confirm that access to the file is not restricted, that Activity explorer shows no DLP rule match for that file, and that no new alert appears in the alerts dashboard; allow up to an hour, since OneDrive evaluation is asynchronous.

For ongoing monitoring, no separate alert policy is needed: once the HR group is exempted, every remaining DLP match on OneDrive content is from a non-excluded user by construction. Keep the rule's admin alert enabled, review the alerts dashboard for the affected policies, and audit the membership of the HR investigators group on a schedule, since membership is now the only control. Activity explorer has no filter for group membership; if you need a group-aware view, export the match records (Search-UnifiedAuditLog with RecordType ComplianceDLPSharePoint and Operation DlpRuleMatch) and compare the users against the group in PowerShell.
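The following is an added example (editor's, not the article's code) that serves both the "multiple DLP policies match the same upload" section and the monitoring paragraph above: it parses DLP rule-match records in the shape of ComplianceDLPSharePoint AuditData, lists every policy and rule that fired on each OneDrive file, and separates matches from HR-group members (policies that still need the exception) from matches by everyone else (the real monitoring queue). The records in $sampleAuditData are constructed samples; the user, file and policy names are placeholders, and the Search-UnifiedAuditLog call in the comment is how you would obtain live data.

```powershell
# Added example (editor's, not the article's code). Constructed sample records
# shaped like ComplianceDLPSharePoint / DlpRuleMatch AuditData; in production
# replace $sampleAuditData with the AuditData strings from:
#   (Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
#       -RecordType ComplianceDLPSharePoint -Operations DlpRuleMatch -ResultSize 5000).AuditData
$hrInvestigators = @('dana.hr@contoso.com')   # placeholder: members of the HR group

$sampleAuditData = @'
[
 {"UserId":"dana.hr@contoso.com","Operation":"DlpRuleMatch",
  "SharePointMetaData":{"FileName":"termination-letter.docx",
   "FilePathUrl":"https://contoso-my.sharepoint.com/personal/dana_hr_contoso_com/Documents/Cases/termination-letter.docx"},
  "PolicyDetails":[
   {"PolicyName":"U.S. PII","Rules":[{"RuleName":"High volume of content detected U.S. PII","Severity":"High",
     "Actions":["BlockAccess","GenerateIncidentReport"],
     "ConditionsMatched":{"SensitiveInformation":[{"SensitiveInformationTypeName":"U.S. Social Security Number (SSN)","Count":12,"Confidence":85}]}}]},
   {"PolicyName":"HR Financial Data","Rules":[{"RuleName":"Bank data detected","Severity":"Medium",
     "Actions":["NotifyUser"],
     "ConditionsMatched":{"SensitiveInformation":[{"SensitiveInformationTypeName":"ABA Routing Number","Count":1,"Confidence":85}]}}]}
  ]},
 {"UserId":"sam.sales@contoso.com","Operation":"DlpRuleMatch",
  "SharePointMetaData":{"FileName":"leads.xlsx",
   "FilePathUrl":"https://contoso-my.sharepoint.com/personal/sam_sales_contoso_com/Documents/leads.xlsx"},
  "PolicyDetails":[{"PolicyName":"U.S. PII","Rules":[{"RuleName":"Low volume of content detected U.S. PII","Severity":"Low",
     "Actions":["NotifyUser"],
     "ConditionsMatched":{"SensitiveInformation":[{"SensitiveInformationTypeName":"U.S. Social Security Number (SSN)","Count":2,"Confidence":85}]}}]}]}
]
'@

function Get-DlpMatchSummary {
    # Flattens the nested records into one row per (user, file, policy, rule)
    # and marks rows whose user belongs to the HR investigators group.
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [string[]] $HrUsers = @()
    )
    foreach ($r in $Records) {
        foreach ($p in $r.PolicyDetails) {
            foreach ($rule in $p.Rules) {
                $sits = ($rule.ConditionsMatched.SensitiveInformation |
                    ForEach-Object { '{0} x{1} @{2}' -f $_.SensitiveInformationTypeName, $_.Count, $_.Confidence }) -join '; '
                [pscustomobject]@{
                    User            = $r.UserId
                    File            = $r.SharePointMetaData.FileName
                    Policy          = $p.PolicyName
                    Rule            = $rule.RuleName
                    RestrictsAccess = [bool]('BlockAccess' -in $rule.Actions)
                    Matched         = $sits
                    HrInvestigator  = [bool]($r.UserId -in $HrUsers)
                }
            }
        }
    }
}

$records = $sampleAuditData | ConvertFrom-Json
$summary = Get-DlpMatchSummary -Records $records -HrUsers $hrInvestigators

# Policies that still restrict HR investigators: each one needs the exception.
'Policies still restricting HR investigators:'
$summary | Where-Object { $_.HrInvestigator -and $_.RestrictsAccess } |
    Select-Object -ExpandProperty Policy -Unique

# Ongoing monitoring queue: matches from users outside the HR group.
'Matches from non-excluded users:'
$summary | Where-Object { -not $_.HrInvestigator } |
    Format-Table User, File, Policy, Rule, RestrictsAccess, Matched -AutoSize
```

On the sample data the first list contains only "U.S. PII" (the HR Financial Data rule matched but only notifies, so it is left alone), and the monitoring queue contains the single match from sam.sales@contoso.com. Treat membership of $hrInvestigators as the source of truth for exemption and pull it from the group itself rather than a hard-coded list when you run this against live data.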
