As a OneDrive administrator, you may receive Data Loss Prevention alerts when HR staff upload sensitive investigation files. These alerts can block or quarantine files that are legitimate, causing workflow interruptions and delays. This occurs because DLP policies are configured to detect sensitive information types such as Social Security numbers or financial data, which HR documents often contain. This article provides a checklist to identify false-positive DLP alerts, adjust policy rules, and ensure HR investigations proceed without unnecessary blocks.
Key Takeaways: Resolving DLP False Positives for HR Investigations
- Microsoft 365 Defender > DLP policies > Policy settings: Adjust the sensitivity thresholds or add a policy override for specific HR user groups.
- OneDrive admin center > Sharing > Sync: Disable sync for HR SharePoint sites if DLP scanning during sync causes false alerts.
- Microsoft Purview compliance portal > DLP > Policy tips: Enable end-user policy tips so HR staff can override blocks with a business justification.
Why DLP Alerts Block Legitimate HR Uploads
Data Loss Prevention policies in Microsoft 365 scan files for sensitive information types. When an HR investigator uploads a file containing employee Social Security numbers, bank account details, or medical information, DLP may classify the file as a violation. The default action for high-confidence matches is to block the upload and notify the administrator.
The root cause is that DLP policies are often created with broad rules that apply to all users and all locations. HR departments routinely handle files that contain the exact data types DLP is designed to protect. Without exceptions for specific user groups or business processes, these files trigger alerts and blocks.
DLP Sensitivity Levels and False Positives
Each DLP rule has a confidence level based on the number and proximity of sensitive data matches. A file with 10 or more Social Security numbers, for example, triggers a high-confidence match. HR files that list multiple employees in a spreadsheet will exceed this threshold. The system does not distinguish between a legitimate HR record and an unauthorized data exfiltration attempt.
Policy Scope and Exclusion Gaps
Many organizations apply DLP policies to all SharePoint sites and OneDrive accounts. HR-specific sites are often included in the same policy scope. Without explicit exclusions for HR site collections or user groups, all uploads to those locations are subject to the same rules. This creates a situation where legitimate HR work is blocked by security controls designed for other departments.
Checklist to Stop DLP from Blocking Legitimate HR Uploads
Use this checklist to audit and adjust your DLP configuration. Each item addresses a specific cause of false-positive blocks.
- Identify the DLP policy causing the block
Open the Microsoft Purview compliance portal. Go to Data Loss Prevention > Policies. Review the policy that triggered the alert. Note the policy name, rule name, and the sensitive info types it scans for. Example: US Social Security Number (SSN) or EU Debit Card Number.
- Review the alert details in Microsoft 365 Defender
Go to Microsoft 365 Defender > Incidents & alerts. Locate the alert for the blocked HR upload. Examine the matched data types and the confidence level. This tells you which rule fired and whether the match was high or low confidence.
- Create an HR-specific DLP policy with lower sensitivity
In the Purview compliance portal, create a new DLP policy. Name it HR Investigation Files. Set the scope to the HR SharePoint site and the HR OneDrive accounts. Choose a higher threshold, such as 50 instances of a sensitive type, before triggering a block. This allows small HR files to pass while still catching bulk data leaks.
- Add an override option for HR users
In the same policy, under User notifications, enable policy tips. Select the option to allow users to override the block with a business justification. HR staff can then upload files and enter a reason such as Employee investigation file. This creates an audit trail without stopping work.
- Exclude the HR site collection from the default DLP policy
Edit the existing DLP policy that blocks uploads. Under Locations, remove the HR SharePoint site and HR OneDrive accounts. Leave the default policy active for all other sites. HR files will then be governed only by the custom policy you created.
- Test the new policy with a sample HR file
Ask an HR user to upload a test file containing dummy sensitive data. Confirm that the file uploads without a block. If the block persists, lower the policy's sensitivity further by raising the instance threshold, or add the user to an exception group.
- Monitor DLP alerts for residual false positives
After applying changes, monitor the alerts tab in Microsoft 365 Defender for one week. Look for any continued blocks from HR users. Adjust the custom policy thresholds as needed.
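The policy changes in the checklist can also be scripted with Security & Compliance PowerShell. The following is an added example, not part of the original article: the site URL, group address, rule name, and default policy name are placeholders, and creating the HR policy in test mode before enforcing it is a choice made here so the sample-file test runs without enforcement.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and DLP admin rights.
# Placeholder values (assumptions, replace with your tenant's own):
$hrSite        = 'https://contoso.sharepoint.com/sites/HR-Investigations'
$hrGroup       = 'hr-investigators@contoso.com'      # mail-enabled HR group
$defaultPolicy = 'Default Sensitive Data Policy'     # policy that fired the block
$hrPolicy      = 'HR Investigation Files'            # name used in the checklist

Connect-IPPSSession

# "Create an HR-specific DLP policy": scope it to the HR site and to the
# OneDrive accounts of HR group members. Test mode reports matches and shows
# policy tips without enforcing the block.
New-DlpCompliancePolicy -Name $hrPolicy `
    -Comment 'Higher instance threshold plus override for HR investigation uploads' `
    -SharePointLocation $hrSite `
    -OneDriveLocation All -OneDriveSharedByMemberOf $hrGroup `
    -Mode TestWithNotifications

# Higher threshold (50 instances) and "Add an override option for HR users":
# block only bulk matches, show a policy tip, require a business justification.
New-DlpComplianceRule -Name 'HR - Bulk SSN' -Policy $hrPolicy `
    -ContentContainsSensitiveInformation @{
        Name     = 'U.S. Social Security Number (SSN)'
        minCount = '50'
    } `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -NotifyAllowOverride WithJustification `
    -GenerateAlert SiteAdmin

# "Exclude the HR site collection from the default DLP policy": everything
# else stays under the default rules.
Set-DlpCompliancePolicy -Identity $defaultPolicy -AddSharePointLocationException $hrSite
Set-DlpCompliancePolicy -Identity $defaultPolicy -ExceptIfOneDriveSharedByMemberOf $hrGroup

# Confirm scope and rule settings before asking HR to upload the dummy file.
Get-DlpCompliancePolicy -Identity $hrPolicy |
    Format-List Name, Mode, SharePointLocation, OneDriveLocation
Get-DlpComplianceRule -Policy $hrPolicy |
    Format-List Name, BlockAccess, NotifyAllowOverride, ContentContainsSensitiveInformation

# After the sample-file test passes, switch the HR policy to enforcement:
# Set-DlpCompliancePolicy -Identity $hrPolicy -Mode Enable
```

Policy changes can take time to distribute to SharePoint and OneDrive, so run the sample upload only after the policy shows as synced in the portal.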
If DLP Still Blocks Legitimate Uploads
DLP policy tips are not showing for HR users
Policy tips require that the user is using OneDrive sync or the web browser. If tips are not appearing, verify that the user is signed into OneDrive with a work account and that the policy tip setting is enabled at the rule level. In the DLP rule, under User notifications, set Notify users with a policy tip to On and select the relevant rule.
The HR site is still being scanned by the default policy
DLP policies apply to all locations unless explicitly excluded. If the HR site is part of a broader site collection, add an exclusion for the HR subsite URL. In the policy, under Locations > SharePoint sites, choose Include and then Exclude specific sites. Enter the HR site URL.
DLP blocks sync uploads but not web uploads
The OneDrive sync client scans files differently than the web upload. If sync uploads are blocked but web uploads succeed, the sync client may be using a different DLP detection method. In the OneDrive admin center, under Sync, disable sync for the HR SharePoint site. Instruct HR users to upload files through the web browser instead. This is a temporary workaround while you adjust the DLP rules.
DLP Policy Actions for HR Files: Block vs Override vs Audit
| Item | Block action | Override with justification | Audit only |
|---|---|---|---|
| Description | File upload is prevented and user sees an error | File upload succeeds after user provides a reason | File upload succeeds and an alert is sent to admin |
| Best for | High-risk data with no business need | HR investigations where data is sensitive but necessary | Low-sensitivity data that needs monitoring |
| User experience | Blocked with no option to proceed | Prompted to enter a reason | No interruption |
| Audit trail | Alert in Microsoft 365 Defender | Alert plus justification text | Alert only |
| Configuration | Set action to block | Enable policy tips and set override option | Set action to notify only |
For HR investigations, the Override with justification option provides the best balance of security and usability. It allows the upload to proceed while recording the reason for compliance audits.
Conclusion
You can now identify which DLP policy is blocking legitimate HR uploads and adjust it using the checklist. Start by reviewing the alert in Microsoft 365 Defender, then create a custom DLP policy for the HR site with a higher sensitivity threshold and override capability. The policy tip override feature in Microsoft Purview is the most direct way to let HR staff justify their uploads. For ongoing management, monitor the DLP alerts weekly and adjust thresholds as new sensitive data types are added to your environment.