As a OneDrive administrator, you may discover that Data Loss Prevention alerts fail to flag sensitive files stored in OneDrive for Business during a legal discovery review. This problem often occurs because DLP policies are not configured to scan OneDrive locations or because specific file types and sharing scenarios are excluded from the default policy scope. This article explains the root causes of missing DLP alerts for OneDrive files and provides a step-by-step checklist to verify and adjust your DLP configuration. You will learn how to confirm that DLP policies cover OneDrive, audit policy rules for common gaps, and ensure that legal discovery workflows receive complete alert data.
Key Takeaways: DLP Alert Gaps for OneDrive Legal Discovery
- Microsoft 365 Defender > DLP policies > Locations: Confirm that OneDrive accounts are selected under the policy scope, not just Exchange or SharePoint.
- DLP policy > Advanced DLP rules > Conditions: Verify that file extension and content inspection rules include Office files, PDFs, and other formats common in legal discovery.
- Microsoft 365 compliance center > Audit log: Cross-check DLP alert events against the unified audit log to identify gaps in policy application for OneDrive files.
Why DLP Alerts Miss OneDrive Files in Legal Discovery
Data Loss Prevention policies in Microsoft 365 apply to workloads separately. A DLP policy created for Exchange email does not automatically cover OneDrive for Business. When an administrator creates a DLP policy and selects only Exchange or SharePoint locations, OneDrive files remain unmonitored. This is the most common root cause of missing alerts during legal discovery.
A second cause is the default DLP rule scope. Out-of-the-box DLP templates often exclude certain file types, such as .msg or .zip files, which may contain sensitive legal documents. Additionally, DLP policies do not scan files shared externally through anonymous links unless the policy explicitly includes external sharing detection. When a legal discovery request targets files shared with external parties, these gaps lead to incomplete alert data.
A third cause is the policy test mode. DLP policies in test mode with policy tips enabled do not generate alerts in the DLP alerts dashboard. Administrators may assume alerts are working when they are only displaying policy tips to users. For legal discovery, alerts must be generated and stored in the Microsoft 365 audit log.
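The following PowerShell report, added here as an example and not taken from the original article, checks every DLP policy in the tenant for the three gaps just described: OneDrive missing from the policy locations, a mode other than fully enabled, and rules with no external-sharing condition or no admin alert. It assumes the ExchangeOnlineManagement module is installed and that Connect-IPPSSession has already been run; the property and parameter names are those of Get-DlpCompliancePolicy and Get-DlpComplianceRule.

```powershell
# Added example (not the article's own code): audit DLP policies for OneDrive gaps.
# Assumes: Import-Module ExchangeOnlineManagement; Connect-IPPSSession already done.
$policies = Get-DlpCompliancePolicy

$report = foreach ($p in $policies) {
    # OneDriveLocation is {All} or a list of accounts when OneDrive is in scope;
    # it is empty when only Exchange or SharePoint locations were selected.
    $coversOneDrive = ($p.OneDriveLocation | Measure-Object).Count -gt 0

    # -Policy filters rules to this policy; assumption: every policy has >= 1 rule
    $policyRules = @(Get-DlpComplianceRule -Policy $p.Name)

    # AccessScope NotInOrganization is the cmdlet form of
    # "Content is shared with > People outside my organization"
    $externalRules = @($policyRules | Where-Object { $_.AccessScope -eq 'NotInOrganization' })

    # GenerateAlert holds the admin alert recipients ("Send alert to admin")
    $alertingRules = @($policyRules | Where-Object { $_.GenerateAlert })

    $gaps = @()
    if (-not $coversOneDrive)       { $gaps += 'OneDrive accounts not in scope' }
    if ($p.Mode -ne 'Enable')       { $gaps += "Mode is $($p.Mode); alerts may not fire" }
    if ($externalRules.Count -eq 0) { $gaps += 'No external-sharing condition in any rule' }
    if ($alertingRules.Count -eq 0) { $gaps += 'No admin alert in any rule' }

    [pscustomobject]@{
        Policy          = $p.Name
        Mode            = $p.Mode
        OneDriveInScope = $coversOneDrive
        Rules           = $policyRules.Count
        Gaps            = if ($gaps) { $gaps -join '; ' } else { 'none' }
    }
}

# Policies with OneDrive out of scope sort to the top for triage
$report | Sort-Object OneDriveInScope, Policy | Format-Table -AutoSize
```

Any row whose Gaps column is not "none" corresponds to one of the root causes above and maps directly onto the checklist steps that follow.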
Checklist: Verify and Fix DLP Coverage for OneDrive
Use this checklist to confirm that your DLP policies cover OneDrive files for legal discovery. Each step includes the exact menu path and the setting to verify.
1. Open DLP policies in Microsoft 365 Defender: Go to Microsoft 365 Defender > Data Loss Prevention > Policies. Select each policy that should apply to legal discovery data.
2. Check the policy locations: Under Locations, confirm that OneDrive accounts is selected. If it is not, click Edit locations, select OneDrive accounts, and choose All accounts or specific user groups.
3. Verify the policy applies to all OneDrive users: In the same locations panel, expand OneDrive accounts. Ensure the scope is set to All users or includes the specific users or groups relevant to legal discovery.
4. Review advanced DLP rules for file type coverage: Under Rules, click the rule name. In Conditions, check Content contains. Add sensitive info types such as U.S. Social Security Number or ABA Routing Number that match your legal discovery criteria.
5. Include external sharing detection: In the same rule, under Conditions, add Content is shared with and select People outside my organization. This ensures that files shared externally generate alerts.
6. Check the policy mode: Under Policy settings, confirm the mode is Turn on policy immediately or Test mode with policy tips and alerts. Avoid Test mode with policy tips only because it does not generate alerts.
7. Enable DLP alerts for the policy: Under Actions, scroll to Send alert to admin. Verify that Send alert when a rule match occurs is enabled and that the alert severity is set to Low, Medium, or High as needed.
8. Save and apply the policy: Click Save. Wait up to 24 hours for the policy to apply to all OneDrive files. For immediate testing, upload a test file with sensitive content to a OneDrive account and share it externally.
9. Verify alerts in the DLP alerts dashboard: Go to Microsoft 365 Defender > Data Loss Prevention > Alerts. Confirm that alerts appear for the test file. If no alerts appear, review the policy rules again.
10. Cross-check alerts in the unified audit log: Go to Microsoft 365 compliance center > Audit. Search for DLPRuleMatch events for the test file. If the event exists, the policy is working. If not, the policy is not scanning OneDrive files.
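The audit-log cross-check in the last step can be scripted instead of run through the portal. This example is added here and is not the article's own code; it assumes Connect-ExchangeOnline has been run (Search-UnifiedAuditLog is an Exchange Online cmdlet) and that the DlpRuleMatch AuditData JSON carries the Workload, PolicyDetails and SharePointMetaData fields as described in the Office 365 audit schema.

```powershell
# Added example (not the article's own code): list DlpRuleMatch events for OneDrive
# files from the last 7 days so they can be compared with the DLP alerts dashboard.
# Assumes: Connect-ExchangeOnline already done; AuditData schema as in the Microsoft docs.
$start = (Get-Date).AddDays(-7)
$end   = Get-Date

$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
              -Operations DlpRuleMatch -ResultSize 5000

$oneDriveMatches = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    # Workload distinguishes OneDrive from SharePoint and Exchange matches
    if ($d.Workload -ne 'OneDrive') { continue }

    foreach ($pol in $d.PolicyDetails) {
        foreach ($rule in $pol.Rules) {
            [pscustomobject]@{
                Time     = $e.CreationDate
                File     = $d.SharePointMetaData.FileName
                Site     = $d.SharePointMetaData.SiteCollectionUrl
                External = $d.SharePointMetaData.IsViewableByExternalUsers
                Policy   = $pol.PolicyName
                Rule     = $rule.RuleName
                Severity = $rule.Severity
            }
        }
    }
}

if (-not $oneDriveMatches) {
    # No OneDrive events at all means the policy is not scanning OneDrive files
    Write-Warning "No DlpRuleMatch events with Workload=OneDrive between $start and $end."
} else {
    $oneDriveMatches | Sort-Object Time -Descending | Format-Table -AutoSize
}
```

If the test file appears here but not on the Alerts page, the gap is in the alert settings (step 7 and the alert threshold fixes below) rather than in the policy scope.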
If DLP Alerts Still Miss OneDrive Files
After completing the checklist, some issues may persist. The following sections cover specific failure patterns and their fixes.
DLP alerts appear for Exchange but not for OneDrive
This indicates the policy location is set to Exchange only. Edit the policy and add OneDrive accounts as described in step 2 of the checklist. If the policy uses a custom scope, verify that the OneDrive location is not excluded in the scope configuration.
DLP alerts show for internal shares but not for external shares
The rule condition for external sharing is missing. Edit the DLP rule and add the condition Content is shared with > People outside my organization. Without this condition, files shared via anonymous links or with external guests are not flagged.
DLP alerts do not appear for PDF or image files
The DLP rule may not include content inspection for these file types. In the rule, under Conditions, add File extension is and include .pdf, .jpg, .png, and .tiff. DLP uses optical character recognition to scan text in images, but this must be enabled in the rule. Go to Content contains > Add > Trainable classifiers and select a classifier that matches your data.
DLP alerts are generated but not visible in the alerts dashboard
This occurs when the alert threshold is set too high. In the DLP rule, under Actions > Send alert to admin, reduce the Minimum number of matches value to 1. Also verify that the alert severity is not set to None.
DLP Policy Scenarios for OneDrive Legal Discovery: Key Differences
| Item | Policy scope includes OneDrive | Policy scope excludes OneDrive |
|---|---|---|
| Description | DLP scans all OneDrive files for sensitive content | DLP only scans Exchange and SharePoint files |
| Alert generation | Alerts appear for OneDrive file matches | No alerts for OneDrive file matches |
| Legal discovery coverage | Complete coverage for OneDrive files | OneDrive files are invisible to DLP alerts |
| Audit log events | DLPRuleMatch events include OneDrive file metadata | No DLP events for OneDrive files |
| External sharing detection | Detects files shared with external parties | Cannot detect external sharing in OneDrive |
Your DLP policy must include OneDrive accounts in its scope to generate alerts for legal discovery. Without this scope, OneDrive files are completely excluded from DLP monitoring.
Now you can verify and adjust your DLP policies to cover OneDrive files for legal discovery. Next, review your DLP alert thresholds and ensure that the unified audit log captures all DLP rule matches. As an advanced tip, create a separate DLP policy specifically for legal discovery data and give it the highest priority so it overrides broader policies.
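The dedicated policy suggested in the tip above, with the location, conditions, alert and severity settings from the fixes section, can be created in one script. This is an added example, not code from the article; it assumes Connect-IPPSSession has been run, the policy and rule names are placeholders, and the sensitive info type names are the built-in Microsoft ones.

```powershell
# Added example (not the article's own code): dedicated legal discovery DLP policy
# scoped to all OneDrive accounts. Assumes Connect-IPPSSession already done.
$policyName = 'Legal Discovery - OneDrive'   # placeholder name

# Priority 0 is evaluated first, so this policy takes precedence over broader ones
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Dedicated DLP policy for legal discovery data in OneDrive' `
    -OneDriveLocation 'All' `
    -Mode Enable `
    -Priority 0

# Built-in sensitive info types named in the checklist (exact cmdlet names)
$sensitiveTypes = @(
    @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' },
    @{ Name = 'ABA Routing Number';               minCount = '1' }
)

# Rule 1: sensitive content in the file types common in legal discovery,
# regardless of how the file is shared; Medium alert to the admin
New-DlpComplianceRule -Name 'Legal discovery - sensitive content' -Policy $policyName `
    -ContentContainsSensitiveInformation $sensitiveTypes `
    -ContentExtensionMatchesWords 'pdf','docx','xlsx','msg','zip' `
    -GenerateAlert 'SiteAdmin' `
    -ReportSeverityLevel Medium

# Rule 2: the same content shared outside the organization; High alert.
# AccessScope NotInOrganization = "Content is shared with > People outside my organization"
New-DlpComplianceRule -Name 'Legal discovery - external sharing' -Policy $policyName `
    -ContentContainsSensitiveInformation $sensitiveTypes `
    -AccessScope NotInOrganization `
    -GenerateAlert 'SiteAdmin' `
    -ReportSeverityLevel High

# Confirm scope, mode and priority, then the rule conditions
Get-DlpCompliancePolicy -Identity $policyName |
    Format-List Name, Mode, Priority, OneDriveLocation
Get-DlpComplianceRule -Policy $policyName |
    Format-Table Name, AccessScope, ReportSeverityLevel -AutoSize
```

Allow the propagation window noted in the checklist before testing, then confirm the result with the audit-log cross-check.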