OneDrive Admin Checklist: DLP alerts block legitimate uploads for legal discovery

When your organization uses Data Loss Prevention policies in Microsoft 365, DLP alerts can mistakenly block or flag legitimate file uploads to OneDrive. This problem often surfaces during legal discovery, where attorneys, paralegals, or compliance officers need to upload sensitive but authorized documents. The root cause is typically an overbroad DLP rule, an incorrect sensitivity label, or a missing policy override for legal hold scenarios. This article provides a structured checklist for OneDrive administrators to identify why DLP alerts are blocking legitimate uploads, adjust policy exclusions, and create a secure workflow for legal discovery without compromising data protection.

Key Takeaways: Checklist for DLP Blocking Legal Uploads to OneDrive

  • Microsoft Purview compliance portal > Data Loss Prevention > Policies: Review and edit DLP rules that apply to OneDrive locations to verify they include legal discovery exceptions.
  • Microsoft Purview compliance portal > Data Classification > Sensitivity labels: Ensure documents used in legal discovery have labels that are excluded from blocking actions in your DLP rules.
  • Microsoft 365 admin center > Users > Active users > Manage product licenses: Confirm that users performing legal uploads have the necessary licenses for DLP override and audit logging.

Why DLP Alerts Block Legitimate Uploads During Legal Discovery

Data Loss Prevention policies in Microsoft 365 scan file content and metadata in OneDrive for patterns that match sensitive information types. During legal discovery, users upload documents that contain personally identifiable information, financial data, or attorney-client privileged content. DLP rules cannot automatically distinguish between a malicious exfiltration attempt and a lawful upload for litigation or regulatory response. The result is a false positive alert that blocks the upload or quarantines the file.

Three common configurations cause this problem:

  • Overly broad DLP rules: Policies that block all occurrences of a sensitive type without exceptions for legal hold or eDiscovery workflows.
  • Missing user or group exclusions: Legal teams or specific discovery custodians are not added to the policy exclusion list.
  • Incorrect sensitivity label configuration: Documents that are manually or automatically labeled as highly confidential may trigger blocking actions even when the upload is authorized.

Microsoft 365 DLP includes a feature called policy tips that can notify users and allow overrides. However, if your DLP rules are set to block without override, legitimate uploads will fail silently. The following checklist addresses each of these root causes.

Step-by-Step Checklist to Fix DLP Blocking Legitimate Legal Uploads

Use this checklist in order. Each step targets a specific configuration area in the Microsoft 365 admin portals. Perform these steps with an account that holds the Global Administrator or Compliance Administrator role.

Step 1: Identify Which DLP Rule Is Triggering the Alert

  1. Open the Microsoft Purview compliance portal
    Go to https://compliance.microsoft.com and sign in with your admin credentials.
  2. Navigate to DLP alerts
    Select Data Loss Prevention > Alerts. Locate the alert that matches the blocked upload time and user. Click the alert to view details.
  3. Note the policy name and rule name
    In the alert details pane, copy the Policy name and Rule name. This tells you exactly which DLP rule caused the block.
  4. Check the sensitive information type detected
    Scroll to Matched items and note the sensitive info type, such as U.S. Social Security Number or Credit Card Number. This helps you decide whether the detection is a false positive.

Step 2: Review and Edit the DLP Rule for Legal Discovery Exceptions

  1. Open the DLP policy editor
    In the Purview portal, go to Data Loss Prevention > Policies. Find the policy name from the alert and click it to open the policy details.
  2. Edit the specific rule
    Click the rule name from Step 1. Under Actions, verify whether the rule is set to Block or Block with override. For legal discovery, change the action to Block with override if it is currently set to block without override.
  3. Add user or group exceptions
    In the rule editor, locate Exceptions. Click Add exception and select Users or groups. Add the legal team members or the specific discovery custodian accounts. This ensures their uploads bypass the block.
  4. Set a policy tip for override justification
    Under User notifications, enable Notify users in Office 365 apps with a policy tip. Check Allow users to override the policy and require a business justification. Users can then enter a note like Legal discovery case 2024-015 to proceed.
  5. Save the rule and policy
    Click Save on the rule, then Save on the policy. Wait up to 1 hour for the changes to propagate across Microsoft 365.
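The Step 1 and Step 2 checks can also be scripted from Security & Compliance PowerShell. This is an added example, not from the original article or from Microsoft: it assumes the ExchangeOnlineManagement module, and the policy name, rule name, custodian accounts and tenant URL are placeholders to be replaced with the values from your own alert. That the OneDrive exception is keyed by personal-site URL is an assumption to confirm against your module version.

```powershell
# Added example: inspect the rule named in a DLP alert and switch it to block-with-override.
# Connect-IPPSSession opens a Security & Compliance PowerShell session.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$PolicyName = 'Contoso PII Protection'      # placeholder: Policy name copied from the alert
$RuleName   = 'Block SSN in OneDrive'        # placeholder: Rule name copied from the alert
$LegalUsers = @('paralegal@contoso.com')     # placeholder: discovery custodian accounts

# Step 1: confirm the rule exists under that policy and what it currently does.
$rule = Get-DlpComplianceRule -Policy $PolicyName | Where-Object { $_.Name -eq $RuleName }
if (-not $rule) { throw "Rule '$RuleName' not found in policy '$PolicyName'" }

$rule | Select-Object Name, Disabled, BlockAccess, BlockAccessScope, NotifyUser, NotifyAllowOverride |
    Format-List

# Step 2: a rule that blocks with no override option fails the upload silently.
# Keep the block, but show a policy tip and require a business justification to override.
if ($rule.BlockAccess -and -not $rule.NotifyAllowOverride) {
    Write-Warning "Rule '$RuleName' blocks without override; enabling override with justification."
    Set-DlpComplianceRule -Identity $rule.Name `
        -BlockAccess $true `
        -NotifyUser LastModifier `
        -NotifyAllowOverride WithJustification
}

# Step 2, item 3: exclude the legal team's OneDrive sites from the policy.
# Assumption: the exception takes personal-site URLs; adjust the URL pattern to your tenant.
$OneDriveUrls = $LegalUsers | ForEach-Object {
    'https://contoso-my.sharepoint.com/personal/' + ($_ -replace '[@.]', '_')
}
Set-DlpCompliancePolicy -Identity $PolicyName -AddOneDriveLocationException $OneDriveUrls

# Re-read both objects to confirm; propagation can take up to an hour.
Get-DlpComplianceRule -Identity $rule.Name | Select-Object Name, BlockAccess, NotifyAllowOverride
Get-DlpCompliancePolicy -Identity $PolicyName | Select-Object Name, OneDriveLocationException
```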

Step 3: Verify Sensitivity Label Exclusions

  1. Open the sensitivity label configuration
    In the Purview portal, go to Information Protection > Sensitivity labels.
  2. Identify the label on the blocked file
    Ask the user who attempted the upload to check the file properties. In OneDrive or the Office app, the label appears near the file name. If the label is something like Highly Confidential, note its name.
  3. Edit the label to exclude from DLP blocking
    Click the label name, then click Edit label. Under Auto-labeling for files and emails, ensure the label is not set to automatically apply a DLP block. If the label has a Protection setting that triggers DLP, change it to None or a less restrictive setting for the discovery group.
  4. Publish the label to a limited set of users
    If the label is only needed for legal discovery, create a new label policy that assigns the label only to the legal team. This prevents accidental application to other users.

Step 4: Test the Fix with a Controlled Upload

  1. Ask a legal team member to upload a test document
    Use a file that contains a known sensitive type, such as a sample with a dummy SSN. The user should receive a policy tip with an override option.
  2. Confirm the override works
    Have the user click the policy tip, enter a justification, and upload the file. The file should appear in OneDrive without a DLP alert.
  3. Check the audit log
    In the Purview portal, go to Audit. Search for FileUploaded events from the test user. Verify that no DlpRuleMatch event appears for that upload.
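To make the audit check in item 3 repeatable, here is an added PowerShell example (not from the article or from Microsoft) that pulls the test user's FileUploaded and DLP events with Search-UnifiedAuditLog and reports whether the upload completed without a blocking rule match. It assumes an open Connect-IPPSSession, that audit logging is enabled, and that the AuditData field names used below (PolicyDetails, Rules, Actions, SharePointMetaData, ExceptionInfo) match your tenant's records; the user and file name are placeholders.

```powershell
# Added example: verify the controlled test upload (Step 4) in the unified audit log.
$TestUser = 'paralegal@contoso.com'     # placeholder: legal team member who ran the test
$TestFile = 'discovery-sample.docx'     # placeholder: name of the test document
$Start    = (Get-Date).AddHours(-2)
$End      = Get-Date

$records = Search-UnifiedAuditLog -StartDate $Start -EndDate $End -UserIds $TestUser `
    -Operations FileUploaded, DlpRuleMatch, DlpRuleUndo -ResultSize 500

# AuditData is a JSON string; expand it so policy, rule, action and override text are queryable.
# Field names below are assumptions about the DLP audit schema; check them against a real record.
$events = $records | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $_.CreationDate
        Operation = $_.Operations
        File      = if ($d.SourceFileName) { $d.SourceFileName } else { $d.SharePointMetaData.FileName }
        Policy    = ($d.PolicyDetails | ForEach-Object PolicyName) -join ';'
        Rule      = ($d.PolicyDetails.Rules | ForEach-Object RuleName) -join ';'
        Actions   = ($d.PolicyDetails.Rules.Actions) -join ';'
        Override  = $d.ExceptionInfo.Justification   # populated when the user overrode the tip
    }
}
$events | Sort-Object Time | Format-Table -AutoSize

$uploaded = $events | Where-Object { $_.Operation -eq 'FileUploaded' -and $_.File -eq $TestFile }
$blocked  = $events | Where-Object {
    $_.Operation -eq 'DlpRuleMatch' -and $_.File -eq $TestFile -and $_.Actions -match 'BlockAccess'
}

if ($uploaded -and -not $blocked) {
    "PASS: $TestFile uploaded by $TestUser with no blocking DlpRuleMatch."
} elseif ($blocked) {
    "FAIL: $TestFile still blocked by rule(s) $($blocked.Rule -join ', ') in policy $($blocked.Policy -join ', ')."
} else {
    "No FileUploaded event for $TestFile yet; audit records can lag the upload by up to an hour."
}
```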

If DLP Still Blocks Uploads After the Main Fix

DLP policy is set to block all uploads from unmanaged devices

Legal discovery often involves contractors or external counsel who use unmanaged devices. If your DLP rule includes a condition for Device > Unmanaged devices, uploads from these devices will be blocked regardless of user exceptions. To fix this, edit the rule and remove the unmanaged device condition, or create a separate rule for legal discovery that allows uploads from any device with a justification.

Conditional Access policy blocks the upload before DLP

A Conditional Access policy in Azure AD can block file uploads to OneDrive before DLP even evaluates the content. Check the user’s sign-in logs in the Azure AD admin center. If the sign-in is blocked by a Require compliant device or Require approved client app policy, the user will never see a DLP policy tip. Create a Conditional Access policy exception for the legal team that allows uploads from their specific devices.

OneDrive sync app blocks files locally

The OneDrive sync app can also block files if it detects a DLP policy violation locally. This appears as a red circle with a white X on the file icon. The solution is to instruct users to upload files through the OneDrive web browser interface instead of the sync app. The web interface provides the policy tip override option, while the sync app only shows a block notification.

DLP Block vs DLP Alert with Override: Key Differences for Legal Discovery

User experience
  • Block without override: Upload fails with a generic error
  • Block with override: User sees a policy tip and can override with a justification
Audit log entry
  • Block without override: DlpRuleMatch with Block action
  • Block with override: DlpRuleMatch with Override action and justification text
Admin notification
  • Block without override: Alert sent to admin by default
  • Block with override: Alert sent only if the threshold is exceeded
Best for legal discovery
  • Block without override: Not suitable; blocks all uploads
  • Block with override: Recommended; allows authorized uploads with an audit trail

After completing this checklist, you can allow legal discovery uploads to OneDrive without disabling DLP protections for the rest of the organization. The override feature combined with user justification creates an audit trail that satisfies compliance requirements. For ongoing management, review DLP alerts weekly and add new legal team members to the exception list as cases begin. Use the Microsoft 365 admin center > Reports > Usage dashboard to monitor upload volumes from the legal team and verify that no new false positives appear.