OneDrive Admin Checklist: DLP alerts miss OneDrive files for HR investigations

As a OneDrive administrator, you rely on Data Loss Prevention policies to detect sensitive HR files like employee contracts, performance reviews, and salary data. When DLP alerts miss files stored in OneDrive, HR investigations stall and compliance gaps appear. This problem typically occurs because DLP policies are not scoped to cover all OneDrive locations, file types, or user actions. This article provides a checklist to audit and fix DLP coverage for OneDrive, ensuring HR investigation files are never missed.

Key Takeaways: Fix DLP Alerts Missing OneDrive Files for HR

  • Microsoft Purview compliance portal > Data Loss Prevention > Policies: Audit existing DLP policies to confirm OneDrive locations are included and not excluded by scope filters.
  • DLP policy > Locations > OneDrive accounts: Verify that all HR user OneDrive sites are explicitly added, especially for users in dedicated HR SharePoint groups.
  • DLP policy > Rules > Conditions: Ensure sensitive info types like “Employee ID” or “Salary Information” are selected and file extension filters do not block HR file formats.

Why DLP Alerts Miss OneDrive Files for HR Investigations

Data Loss Prevention policies in Microsoft Purview scan content across Exchange, SharePoint, OneDrive, and Teams. When DLP alerts miss OneDrive files, the root cause is almost always a policy configuration gap. OneDrive locations are treated as separate site collections in SharePoint. If a DLP policy is scoped to SharePoint only, or if the OneDrive accounts of HR staff are not included in the policy location list, those files are never scanned.

Another common cause is the use of exclusion filters. Administrators sometimes exclude certain OneDrive sites by URL or by user group to reduce noise. If HR user OneDrive sites are accidentally excluded, DLP will not generate alerts for their files. Additionally, DLP policies rely on sensitive information types. If the policy uses default types like “Credit Card Number” but not HR-specific types like “National ID Number” or “Employee Salary”, then HR files containing those patterns will not trigger alerts.

File extension filters can also block detection. If a DLP rule is set to scan only .docx and .pdf files but HR staff store salary data in .xlsx or .csv files, those files are ignored. Finally, DLP policies have a detection latency of up to 15 minutes for new files. If investigators check immediately after a file is uploaded, they may see no alert even though the policy is working correctly.

Checklist: Audit and Fix DLP Coverage for OneDrive HR Files

Use the following checklist to verify and correct DLP policy coverage for OneDrive files related to HR investigations. Perform these steps in the Microsoft Purview compliance portal.

  1. Open Microsoft Purview compliance portal
    Go to compliance.microsoft.com and sign in as a Compliance Administrator or Global Administrator. Select Data Loss Prevention from the left navigation, then click Policies.
  2. Review each DLP policy for location scope
    Click a policy name to open it. Under Locations, confirm that OneDrive accounts is toggled on. If it is off, click Edit and enable OneDrive accounts. If the policy uses specific locations, click Choose locations and verify that all HR user OneDrive URLs are listed. To find HR user OneDrive URLs, run the SharePoint Online Management Shell command Get-SPOSite -IncludePersonalSite $true -Filter "Url -like '-my.sharepoint.com/personal/'" and filter by HR department.
  3. Check location exclusions
    In the same policy, scroll to Exclude specific locations. If any OneDrive URLs are listed there, remove them unless they belong to non-HR users. Click Save.
  4. Verify sensitive info types for HR data
    Under Rules, click the rule that should detect HR files. In the Conditions section, confirm that sensitive info types like Employee ID, National ID Number, Salary Information, and Bank Account Number are selected. If not, click Edit condition and add them from the list of built-in types. You can also create custom sensitive info types for HR-specific patterns like employee codes.
  5. Audit file extension filters
    In the same rule, check Advanced conditions. If a condition like File extension equals is present, verify it includes .xlsx, .csv, .docx, .pdf, and .txt. HR staff often use spreadsheets for salary data. Add missing extensions and click Save.
  6. Test the policy with a sample HR file
    Create a test file containing HR sensitive data, such as a text file with “Employee ID: 12345, Salary: 75000”. Upload it to a monitored HR user’s OneDrive. Wait 15 minutes. In the DLP policy, click Alerts and verify an alert appears. If not, use the DLP policy test feature under Data Loss Prevention > Policies > Test to simulate the file.
  7. Enable audit logging for DLP rule matches
    Go to Audit in the Purview portal and confirm audit logging is enabled. Without audit logs, you cannot see which DLP rule matched or why a file was missed. If audit is off, click Start recording user and admin activity.

If DLP Alerts Still Miss OneDrive Files for HR

OneDrive files are not scanned at all

If DLP policies are correctly configured but no alerts appear for any OneDrive files, check the service health. Go to Microsoft 365 admin center > Health > Service health and look for incidents under Microsoft Purview or Data Loss Prevention. A known issue in some tenants causes DLP scanning to stop for OneDrive after a policy update. In that case, create a new test policy with minimal settings and see if alerts appear. If they do, recreate the original policy from scratch.

DLP alerts appear for some OneDrive users but not HR users

This indicates a location exclusion or group filtering issue. Open the DLP policy and check if it uses Distribution groups or Security groups to include or exclude users. HR staff might be in a separate security group that is excluded. Remove the group exclusion or add the HR group to the included groups list. Also verify that the HR users have OneDrive licenses assigned. DLP cannot scan OneDrive sites for users who do not have a SharePoint Online license.

DLP alerts miss files with HR data in specific formats

If HR files use non-standard patterns, create a custom sensitive info type. For example, if employee IDs follow the format “HR-XXXXX”, go to Data Loss Prevention > Classifiers > Sensitive info types > Create and define a pattern. Add this custom type to the DLP rule. Then test with a sample file containing that pattern.
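The same custom sensitive info type can be created from PowerShell instead of the Classifiers page, which also makes it reproducible and lets you test the pattern against sample text before adding it to a DLP rule. The block below is an added example and is not code from the article: it writes a rule package for the HR-XXXXX employee ID pattern using Microsoft's rule package XML schema, uploads it with New-DlpSensitiveInformationTypeRulePackage, and classifies a constructed test string with Test-DataClassification. The publisher name, display name, keyword list and GUIDs are assumptions for this tenant.

```powershell
# Added example (not from the article): custom sensitive info type for employee IDs of the
# form HR-XXXXX, built as a rule package and tested before use in a DLP rule condition.
# Requires the ExchangeOnlineManagement module (Security & Compliance PowerShell).
Connect-IPPSSession

$rulePackId  = [guid]::NewGuid()   # fresh GUIDs; reuse the same ones when updating this package
$publisherId = [guid]::NewGuid()
$entityId    = [guid]::NewGuid()
$sitName     = "HR Employee ID"    # assumption: name you will pick in the DLP rule's condition

# Rule package in Microsoft's schema (xmlns .../office/2011/mce); publisher and names are assumptions.
$xml = @"
<?xml version="1.0" encoding="UTF-8"?>
<RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
  <RulePack id="$rulePackId">
    <Version major="1" minor="0" build="0" revision="0" />
    <Publisher id="$publisherId" />
    <Details defaultLangCode="en-us">
      <LocalizedDetails langcode="en-us">
        <PublisherName>Contoso HR Compliance</PublisherName>
        <Name>Contoso HR rule package</Name>
        <Description>Custom sensitive info types for HR investigations</Description>
      </LocalizedDetails>
    </Details>
  </RulePack>
  <Rules>
    <!-- patternsProximity: supporting keywords must sit within 300 characters of the ID -->
    <Entity id="$entityId" patternsProximity="300" recommendedConfidence="85">
      <!-- High confidence: the ID plus a nearby HR keyword -->
      <Pattern confidenceLevel="85">
        <IdMatch idRef="Regex_hr_employee_id" />
        <Match idRef="Keyword_hr_context" />
      </Pattern>
      <!-- Medium confidence: the ID pattern on its own -->
      <Pattern confidenceLevel="65">
        <IdMatch idRef="Regex_hr_employee_id" />
      </Pattern>
    </Entity>
    <Regex id="Regex_hr_employee_id">\bHR-\d{5}\b</Regex>
    <Keyword id="Keyword_hr_context">
      <Group matchStyle="word">
        <Term>employee id</Term>
        <Term>employee number</Term>
        <Term>salary</Term>
        <Term>performance review</Term>
      </Group>
    </Keyword>
    <LocalizedStrings>
      <Resource idRef="$entityId">
        <Name default="true" langcode="en-us">$sitName</Name>
        <Description default="true" langcode="en-us">Contoso employee identifier in the form HR-XXXXX</Description>
      </Resource>
    </LocalizedStrings>
  </Rules>
</RulePackage>
"@

# Write UTF-8 without a BOM and upload the package as bytes, as the cmdlet expects.
$path = Join-Path $env:TEMP "hr-employee-id-rulepack.xml"
[System.IO.File]::WriteAllText($path, $xml, [System.Text.UTF8Encoding]::new($false))
New-DlpSensitiveInformationTypeRulePackage -FileData ([System.IO.File]::ReadAllBytes($path))

# Checklist step 6 without uploading a file: classify constructed sample text.
# "Employee ID" is within proximity of HR-12345, so the 85-confidence pattern should match.
$sample = "Employee ID: HR-12345, Salary: 75000"   # constructed test text
Test-DataClassification -TextToClassify $sample -ClassificationNames $sitName
```

Once Test-DataClassification reports a match for the new type, add it to the DLP rule's Conditions as described above and re-run the OneDrive upload test. Keep the GUIDs: re-uploading a package with a new RulePack id creates a second package rather than updating the first.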

DLP Policy Scope vs OneDrive Location Coverage: Comparison

Item                     | Policy scope: All locations                            | Policy scope: Specific locations
Description              | DLP scans all OneDrive accounts automatically          | DLP scans only the OneDrive accounts you list
Setup effort             | No manual URL entry required                           | Requires listing each HR user's OneDrive URL
Risk of missing HR files | Low, unless exclusion filters are used                 | High if new HR users are not added to the list
Best for                 | Tenants with a small HR team and few policy exceptions | Tenants that need to exclude non-HR OneDrive sites

Use the All locations scope for HR DLP policies when possible. If you must use specific locations, automate the addition of new HR users with a PowerShell script that runs weekly and adds new HR user OneDrive URLs to the policy.
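The script below is an added example, not code from the article, that implements the weekly check just described and also automates checklist steps 2 and 3: it resolves HR staff from the directory Department attribute, lists every personal (OneDrive) site with the Get-SPOSite filter quoted in step 2, reads the policy's OneDrive locations and exclusions with Get-DlpCompliancePolicy, and reports each HR user whose OneDrive is excluded, not listed, or not provisioned. With -Remediate it adds the missing URLs and removes the exclusions via Set-DlpCompliancePolicy. The policy name, department value and admin URL are assumptions for this tenant.

```powershell
# Added example (not from the article): audit and optionally fix a DLP policy's OneDrive scope
# for HR users. Requires Microsoft.Online.SharePoint.PowerShell, ExchangeOnlineManagement and
# Microsoft.Graph.Users. Values marked "assumption" must be replaced for your tenant.
param(
    [string]$PolicyName   = "HR Sensitive Data",                    # assumption: DLP policy name
    [string]$HrDepartment = "Human Resources",                      # assumption: Department attribute of HR staff
    [string]$AdminUrl     = "https://contoso-admin.sharepoint.com", # assumption: tenant admin URL
    [switch]$Remediate                                              # change the policy instead of only reporting
)

Connect-SPOService -Url $AdminUrl        # SharePoint Online Management Shell
Connect-IPPSSession                      # Security & Compliance PowerShell (DLP cmdlets)
Connect-MgGraph -Scopes "User.Read.All"  # Microsoft Graph, to read the Department attribute

# The policy may store a URL with or without a trailing slash; compare a normalised form.
function Normalize-Url([string]$Url) { return $Url.Trim().TrimEnd('/').ToLowerInvariant() }

# 1. HR users from the directory, so new hires are picked up without editing a list.
$hrUpns = @(Get-MgUser -All -Filter "department eq '$HrDepartment'" -Property UserPrincipalName |
            ForEach-Object { $_.UserPrincipalName.ToLowerInvariant() })

# 2. Every personal (OneDrive) site; personal sites carry the owner's UPN in Owner.
$allOneDrives = Get-SPOSite -IncludePersonalSite $true -Limit All -Filter "Url -like '-my.sharepoint.com/personal/'"
$byOwner = @{}
foreach ($site in $allOneDrives) {
    if ($site.Owner) { $byOwner[$site.Owner.ToLowerInvariant()] = Normalize-Url $site.Url }
}

# 3. The policy's OneDrive scope: OneDriveLocation is "All" for an all-locations policy,
#    otherwise the listed URLs; OneDriveLocationException holds "Exclude specific locations".
$policy      = Get-DlpCompliancePolicy -Identity $PolicyName
$scopedToAll = @($policy.OneDriveLocation) -contains "All"
$included    = @(@($policy.OneDriveLocation) | Where-Object { $_ -and $_ -ne "All" } | ForEach-Object { Normalize-Url $_ })
$excluded    = @(@($policy.OneDriveLocationException) | Where-Object { $_ } | ForEach-Object { Normalize-Url $_ })

# 4. Gap analysis. An HR user's files go unscanned when the OneDrive does not exist (no license
#    or never provisioned), when its URL is excluded, or when the policy lists specific
#    locations and this URL is not one of them.
$findings = @(foreach ($upn in $hrUpns) {
    if (-not $byOwner.ContainsKey($upn)) {
        [pscustomobject]@{ User = $upn; Url = $null; Problem = "No OneDrive site (check license or provisioning)" }
        continue
    }
    $url = $byOwner[$upn]
    if ($excluded -contains $url) {
        [pscustomobject]@{ User = $upn; Url = $url; Problem = "Listed under Exclude specific locations" }
    } elseif (-not $scopedToAll -and ($included -notcontains $url)) {
        [pscustomobject]@{ User = $upn; Url = $url; Problem = "Not in the policy's OneDrive location list" }
    }
})

if ($findings.Count -eq 0) { Write-Host "All $($hrUpns.Count) HR users are covered by '$PolicyName'."; return }
$findings | Format-Table -AutoSize

# 5. Optional fix: drop exclusions and add missing URLs. Unprovisioned sites cannot be added
#    and are left in the report for licensing follow-up.
if ($Remediate) {
    $unexclude = @($findings | Where-Object { $_.Problem -like "Listed under*" }).Url
    $add       = @($findings | Where-Object { $_.Problem -like "Not in the*" }).Url
    if ($unexclude) { Set-DlpCompliancePolicy -Identity $PolicyName -RemoveOneDriveLocationException $unexclude }
    if ($add)       { Set-DlpCompliancePolicy -Identity $PolicyName -AddOneDriveLocation $add }
}
```

Run it without -Remediate first and keep the report; it doubles as evidence for an HR investigation that the file location was in scope at the time. Scheduled weekly (Task Scheduler or Azure Automation with certificate-based authentication), it closes the gap the comparison table flags for specific-location policies.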

You can now audit your DLP policies and ensure HR investigation files in OneDrive are always covered. Next, review DLP policy alerts for false positives by checking the DLP rule match details in the audit log. An advanced tip: use the PowerShell cmdlet Set-DlpComplianceRule to bulk-update file extension conditions across multiple rules at once.
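As an added example of that tip, not code from the article, the block below applies checklist step 5 to every rule in a policy: it reads each rule's file extension condition, adds the HR formats that are missing, and writes the merged list back with Set-DlpComplianceRule -ContentExtensionMatchesWords. Rules with no extension condition already scan every file type and are left alone. The policy name and extension list are assumptions; the rule property name ContentExtensionMatchesWords is assumed to mirror the cmdlet parameter.

```powershell
# Added example (not from the article): bulk-extend the file extension condition on all rules
# of a DLP policy. Requires the ExchangeOnlineManagement module (Security & Compliance PowerShell).
param(
    [string]$PolicyName = "HR Sensitive Data",                          # assumption: DLP policy name
    [string[]]$RequiredExtensions = @("docx", "xlsx", "csv", "pdf", "txt"),  # assumption: HR formats
    [switch]$Apply                                                      # report only unless -Apply is given
)
Connect-IPPSSession

# Purview stores extensions without the leading dot; normalise both sides before comparing.
function Normalize-Ext([string]$Ext) { return $Ext.Trim().TrimStart('.').ToLowerInvariant() }
$required = @($RequiredExtensions | ForEach-Object { Normalize-Ext $_ })

foreach ($rule in Get-DlpComplianceRule -Policy $PolicyName) {
    # Assumption: the rule object exposes the condition under the cmdlet parameter's name.
    $current = @(@($rule.ContentExtensionMatchesWords) | Where-Object { $_ } | ForEach-Object { Normalize-Ext $_ })

    if ($current.Count -eq 0) {
        Write-Host "$($rule.Name): no extension condition, so every file type is scanned. Skipping."
        continue
    }

    $missing = @($required | Where-Object { $current -notcontains $_ })
    if ($missing.Count -eq 0) {
        Write-Host "$($rule.Name): already covers $($required -join ', ')."
        continue
    }

    $merged = @($current + $missing) | Sort-Object -Unique
    Write-Host "$($rule.Name): adding $($missing -join ', ') -> $($merged -join ', ')"
    if ($Apply) {
        # Only the extension condition changes; sensitive info types and actions are untouched.
        Set-DlpComplianceRule -Identity $rule.Name -ContentExtensionMatchesWords $merged
    }
}
```

Run it once without -Apply to see which rules would change, then with -Apply. After the update, repeat the sample-file test from step 6 with an .xlsx or .csv file so the new condition is confirmed end to end rather than assumed.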