Your organization uses Data Loss Prevention policies to prevent sensitive information like credit card numbers or social security numbers from leaving via email. The new Outlook for Windows includes DLP policy tips that warn users before they send a message containing sensitive data. However, the location of these settings and the limits of what they can enforce are often misunderstood. This article explains where DLP policy tips appear in the new Outlook, how administrators configure them in the Microsoft 365 Purview portal, and the practical boundaries of these protections in the new Outlook client.
Key Takeaways: New Outlook DLP Settings and Limits
- Microsoft 365 Purview compliance portal > Data Loss Prevention > Policies: All DLP rules for Exchange Online and new Outlook are created and managed here, not inside the Outlook app itself.
- DLP policy tip in the new Outlook warning bar: The tip appears as a yellow bar below the ribbon when the system detects sensitive content, allowing the sender to override with a business justification.
- No DLP rule creation in new Outlook: Users cannot create, edit, or disable DLP policies from within the new Outlook client; all configuration is server-side.
How DLP Policies Work in the New Outlook
Data Loss Prevention in the new Outlook is not a feature you toggle inside the application. It is a server-side policy enforced by Exchange Online and the Microsoft 365 Purview compliance portal. When a user composes an email that contains sensitive data defined by an active DLP rule, the Exchange transport engine scans the message before it leaves the outbox. If a match is found, the engine can block the message, send it to a moderator, or display a policy tip in the new Outlook client.
The new Outlook for Windows uses the same Exchange Web Services and Graph APIs that power the Outlook on the web experience. This means DLP policy tips appear in the same warning bar position and behave identically to the OWA implementation. The tip is a yellow notification bar that appears directly below the ribbon area when the system detects a policy violation. The user can read the tip, remove the sensitive content, or click an override link to provide a business justification and send the message anyway.
Prerequisites for DLP Policy Tips in New Outlook
Before DLP tips appear in the new Outlook, the following conditions must be met:
- The user must have a Microsoft 365 E3, E5, or equivalent subscription that includes DLP licensing.
- An active DLP policy must be created in the Purview compliance portal and applied to Exchange Online.
- The policy must have the “Notify users with a policy tip” action enabled for the specific rule.
- The new Outlook client must be connected to Exchange Online. DLP tips do not work with on-premises Exchange mailboxes.
Where to Configure DLP Settings for the New Outlook
Administrators do not configure DLP inside the new Outlook application. The settings are located in the Microsoft 365 Purview compliance portal. Follow these steps to create or modify a DLP policy that affects the new Outlook client.
- Open the Purview compliance portal: Go to https://compliance.microsoft.com and sign in with an account that has the Compliance Administrator or DLP Administrator role.
- Navigate to DLP policies: In the left navigation menu, select Data Loss Prevention > Policies. This page lists all existing DLP policies in your tenant.
- Create a new policy or edit an existing one: Click + Create policy to start a new policy. To edit an existing policy, click the policy name and then click Edit policy.
- Choose a location: On the Locations page, select Exchange email to apply the policy to all Exchange Online mailboxes. The new Outlook client uses Exchange Online, so this location is required for policy tips to appear.
- Define the rule conditions and actions: On the Policy settings page, click + Create rule. Set the condition to detect sensitive info types such as credit card number, U.S. social security number, or custom patterns. Under Actions, select Notify users with a policy tip and check the option to show the tip in Outlook and Outlook on the web.
- Test and deploy the policy: Set the policy to Test mode first to verify that the tip appears correctly in the new Outlook. After testing, change the mode to Turn it on immediately.
The policy tip text can be customized. In the same rule action section, click Customize the policy tip text to write a message that appears in the yellow bar. This text supports up to 500 characters and can include placeholders like %sensitive_type% to show the detected data type.
Practical Limits of DLP in the New Outlook
DLP policy tips in the new Outlook have several practical boundaries that administrators and users need to understand. These limits affect what the system can detect, when the tip appears, and what actions are available.
DLP Tips Only Appear During Compose
The policy tip appears only while the user is composing a new email or replying to an existing thread. It does not appear when reading received messages, viewing drafts, or opening sent items. The tip is a real-time scan triggered when Exchange processes the message before it reaches the outbox. If a user saves a draft with sensitive content and closes it, the tip will reappear when they reopen and send the message.
No DLP Enforcement for Attachments in the New Outlook
The new Outlook client does not support server-side scanning of file attachments for DLP violations. While Exchange Online can scan email body and subject text, the built-in sensitive info types do not extend to content inside attached Office documents or PDFs. To scan attachments, you must use Microsoft Purview Data Loss Prevention with an E5 license, which uses a separate scanning pipeline outside the new Outlook client. This is a common misunderstanding: the policy tip in the compose window will not flag a credit card number inside an attached Excel file.
Override Options Are Limited to the Policy Configuration
When a policy tip appears, the user can click Override and type a business justification to send the message. However, this override behavior is entirely controlled by the policy rule. The administrator can disable overrides entirely, require a justification, or require the user to report a false positive. If the policy does not allow overrides, the user sees the tip but cannot send the message until they remove the sensitive content. The new Outlook does not provide any additional override options beyond what the policy defines.
DLP Tips Are Not Available in Offline or Cached Mode
The new Outlook for Windows relies on a network connection to Exchange Online to evaluate DLP rules. If the client is offline or working from a cached copy of the mailbox, the system does not scan the message for sensitive data while the user composes it. The policy tip will appear only after the user clicks Send and the message is submitted to Exchange. In this case, the tip appears in the Sent Items folder as a warning, but the message is already delivered. This is a critical limit for users who frequently compose emails without connectivity.
DLP in New Outlook vs Classic Outlook: Key Differences
| Item | New Outlook for Windows | Classic Outlook for Windows |
|---|---|---|
| Policy tip location | Yellow warning bar below ribbon | Yellow warning bar below ribbon |
| Configuration portal | Purview compliance portal only | Purview compliance portal only |
| Attachment content scanning | Not supported | Not supported |
| Offline DLP evaluation | No, requires network connection | No, requires network connection |
| Custom policy tip text | Supported, up to 500 characters | Supported, up to 500 characters |
| Override with justification | Yes, if enabled in policy | Yes, if enabled in policy |
If DLP Policy Tips Do Not Appear in New Outlook
When a DLP policy is active but tips do not show in the new Outlook, check these common causes.
The Policy Is Not Applied to Exchange Email
A DLP policy that targets SharePoint, OneDrive, or Teams only will not generate tips in Outlook. Open the policy in the Purview portal and verify that Exchange email is selected in the Locations tab. If the location is missing, edit the policy and add Exchange email.
The Policy Is in Test Mode Without Policy Tips
Test mode policies can be configured to show tips or to run silently. In the policy rule, confirm that the Notify users with a policy tip action is checked. If the rule uses test mode with notifications disabled, no tip appears.
The User License Does Not Include DLP
DLP policy tips require a Microsoft 365 E3, E5, or equivalent license assigned to the user. Users with Exchange Online Plan 1 or Microsoft 365 Business Basic licenses do not receive policy tips. Verify the user license in the Microsoft 365 admin center under Users > Active users > Licenses and apps.
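The first two checks above (location and mode/notification) can also be run from Security & Compliance PowerShell. The following is an added example, not part of the original article or Microsoft's tooling: `Test-DlpTipReadiness` is a hypothetical helper, the sample policy and rule are constructed, and the property names and the meaning given to an empty `NotifyUser` are assumptions about the output of `Get-DlpCompliancePolicy` and `Get-DlpComplianceRule`.

```powershell
# Added example. Property names (ExchangeLocation, Mode, Disabled, NotifyUser) are
# assumed to match Get-DlpCompliancePolicy / Get-DlpComplianceRule output.
function Test-DlpTipReadiness {
    param(
        [Parameter(Mandatory)] $Policy,
        [Parameter(Mandatory)] [object[]] $Rules
    )
    $findings = @()

    # Cause 1: the policy is not applied to Exchange email.
    if (-not $Policy.ExchangeLocation) {
        $findings += 'Exchange email is not selected as a location.'
    }

    # Cause 2: test mode is running silently, or the policy is off.
    switch ($Policy.Mode) {
        'TestWithoutNotifications' { $findings += 'Policy is in test mode without policy tips.' }
        'Disable'                  { $findings += 'Policy is turned off.' }
    }

    foreach ($rule in $Rules) {
        if ($rule.Disabled) {
            $findings += "Rule '$($rule.Name)' is disabled."
        }
        # Assumption: an empty NotifyUser means user notifications are not enabled on the rule.
        if (-not $rule.NotifyUser) {
            $findings += "Rule '$($rule.Name)' has no user notification configured."
        }
    }

    [pscustomobject]@{
        Policy       = $Policy.Name
        TipsExpected = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

# Constructed sample objects standing in for cmdlet output (not real tenant data).
$samplePolicy = [pscustomobject]@{ Name = 'PCI - Email'; Mode = 'TestWithoutNotifications'; ExchangeLocation = @() }
$sampleRules  = @(
    [pscustomobject]@{ Name = 'Credit card, low volume'; Disabled = $false; NotifyUser = @() }
)
Test-DlpTipReadiness -Policy $samplePolicy -Rules $sampleRules | Format-List

# Against a tenant, after Connect-IPPSSession:
# $p = Get-DlpCompliancePolicy -Identity '<policy name>'
# Test-DlpTipReadiness -Policy $p -Rules (Get-DlpComplianceRule -Policy $p.Name)
```

The license check is not covered here; verify it in the Microsoft 365 admin center as described above.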
DLP in the new Outlook is a server-side enforcement mechanism that appears as a policy tip during compose. Administrators configure all rules in the Purview compliance portal, not inside the Outlook client. The system scans email body and subject text but not attachment content, and it requires a network connection to evaluate policies. To test your DLP configuration, send a test email containing a known sensitive data type like a credit card number 4111111111111111 and confirm the yellow warning bar appears. For attachment scanning, consider upgrading to Microsoft 365 E5 and enabling endpoint DLP or using the automatic sensitivity labeling feature in Purview.