You have set up Data Loss Prevention (DLP) policies in Microsoft 365, but DLP alerts do not fire for OneDrive files that your retention cleanup rules will delete. This happens because DLP policies and retention labels are evaluated by different processes, with different triggers, conditions and scopes, even when both reference the same sensitive info types. This article explains why DLP alerts can miss OneDrive files, provides a step-by-step admin checklist to align DLP detection with retention cleanup, and covers related failure patterns. The portal is referred to below by its current name, the Microsoft Purview compliance portal (formerly the Microsoft 365 compliance center).
Key Takeaways: Closing the Gap Between DLP and Retention in OneDrive
- Microsoft Purview compliance portal > Data loss prevention > Policies > Locations: Verify that OneDrive accounts is turned on and that its included users (and any exclusions) match the users the retention cleanup policy covers.
- Data lifecycle management (formerly Information governance) > Label policies > Auto-apply a label: Ensure the DLP rule references the same sensitive info types as the retention auto-apply rule, with confidence levels and instance counts no stricter than the retention rule uses.
- Audit > Search: Run a unified audit log search for DlpRuleMatch events to confirm that DLP matches are actually generated for the OneDrive files in question. A policy that looks correct but produces no matches is not evaluating those files.
Why DLP Alerts Miss OneDrive Files Targeted for Retention Cleanup
DLP policies for SharePoint and OneDrive evaluate a file when the search crawler indexes it: on upload, on modification, and once for existing content when a new or changed policy is pushed to the location. Whether that evaluation produces an alert depends on the rest of the rule. Conditions such as "content is shared with people outside my organization" narrow the match, and an alert is raised only if the rule's incident report settings ask for one. Retention auto-apply runs as a separate background process that needs only its own condition (a sensitive info type, a KQL query, or a trainable classifier) to apply the label; Microsoft documents that it can take up to seven days to reach existing content. A file can therefore satisfy the retention rule, be labeled, and eventually be deleted without ever satisfying the full DLP rule.
The most common root cause is scope: the DLP policy covers Exchange or SharePoint sites but not OneDrive accounts, or covers a different set of users than the retention policy does. The next most common is conditions: the DLP rule requires the same sensitive info type as the retention rule, but with a higher confidence level, a higher instance count, or an additional sharing condition that a file sitting untouched in a user's OneDrive never meets. Retention cleanup actions, such as deleting files older than 90 days, run independently and do not cause any additional DLP evaluation of the file before it is removed. The result is a blind spot: files that are eligible for retention deletion are never surfaced by DLP.
Admin Checklist to Fix DLP Alert Gaps for OneDrive Retention Cleanup
Use this checklist to audit and reconfigure your DLP policies so they detect the same files that retention cleanup targets. Run each step in the Microsoft Purview compliance portal; the steps are numbered because later steps refer back to earlier ones.
1. Open the Microsoft Purview compliance portal. Sign in with an account that holds the Compliance Administrator or Global Administrator role. Navigate to Data loss prevention > Policies.
2. Select the DLP policy that should cover OneDrive. Click the policy name and, in the details pane, click Edit policy.
3. Verify OneDrive is included in the locations. Under Locations, confirm that OneDrive accounts is toggled on. If it is off, turn it on and choose All users, or the specific users and groups that match your retention cleanup scope. Check the excluded accounts list as well; an exclusion added for one purpose silently removes those users from every rule in the policy.
4. Check the DLP rule conditions. Under Rules, click the rule name and then Edit rule. Under Conditions, confirm that Content contains > Sensitive info types lists the same types that your retention auto-apply rule uses, and that the instance count and confidence level set for each type are no stricter than the retention rule's. Add any missing types.
5. Remove conditions that retention cleanup does not require. If the rule also requires Content is shared from Microsoft 365 > with people outside my organization, a file that merely sits in a user's OneDrive is never matched, however sensitive it is. Either drop that condition or add a second rule for the retention-aligned types without it. There is no setting that changes how DLP scans OneDrive: a policy that includes the OneDrive location evaluates existing content when it is applied and new or changed content as it is crawled, so a missing match is almost always a scope or condition problem.
6. Set the rule to generate an alert. Under Incident reports, turn on Send an alert to admins when a rule match occurs and choose Send alert every time an activity matches the rule, so that every match is visible rather than only aggregated volumes. Confirm the policy status is not Keep it off.
7. Review the retention label auto-apply policy. Go to Data lifecycle management > Label policies and open the auto-apply policy that drives cleanup. Note its condition: the sensitive info types with their instance counts and confidence levels, or the KQL query or trainable classifier it uses. Compare them to the DLP rule conditions you just edited and add any missing types to the DLP rule. A KQL or classifier condition has no one-to-one DLP equivalent and must be mapped by hand.
8. Run a test file through the pipeline. Upload a file to a OneDrive account in scope whose content satisfies the sensitive info type's full detection pattern, not just its format; for Credit Card Number, for example, that means a Luhn-valid number with supporting evidence such as the word "Visa" or an expiration date nearby, so the high-confidence pattern fires. Allow time for the crawler to index the file and for the policy to evaluate it (up to 24 hours in practice), then check Data loss prevention > Alerts to confirm an alert was generated.
9. Check the unified audit log for DLP rule matches. Go to Audit > Search, choose the activity DLP rule matched (operation name DlpRuleMatch), and set the date range to cover the test upload. If no matches appear, your DLP policy is not evaluating OneDrive files. Return to step 3 and confirm the location scope, then step 5 and confirm no condition excludes files that are not shared.
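The configuration side of this checklist (steps 3 through 7) can be audited non-interactively from Security & Compliance PowerShell. The script below is an added example, not code from the article or from Microsoft. It assumes the ExchangeOnlineManagement module (v3), an account with a compliance role, and the placeholder policy names and admin UPN shown; it reads the ContentContainsSensitiveInformation shape that the New-DlpComplianceRule and New-RetentionComplianceRule cmdlets document (a flat list of sensitive types, or nested groups). It reports whether OneDrive is in the DLP policy's scope, which retention sensitive info types no DLP rule covers, where DLP demands more instances than retention does, and which DLP rules carry a sharing-scope condition, are disabled, or do not alert.

```powershell
# Added example (not from the original article): compare a DLP policy's OneDrive scope, rule
# conditions and alerting with the retention auto-apply rule that drives cleanup.
# Requires the ExchangeOnlineManagement module and a compliance role in the tenant.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.com   # assumption: your admin UPN

$DlpPolicyName       = 'OneDrive Sensitive Data'      # assumption: your DLP policy name
$RetentionPolicyName = 'Cleanup PII after 90 days'    # assumption: your auto-apply retention policy

# Flatten a ContentContainsSensitiveInformation value into one row per sensitive info type.
# Handles both the flat form (@{name=..; minCount=..}) and the grouped form
# (@{operator=..; groups=@(@{sensitivetypes=@(...)})}) that the cmdlet documentation describes.
function Get-SitConditions {
    param($Condition)
    foreach ($entry in @($Condition)) {
        if ($entry.groups) {
            foreach ($g in $entry.groups) { Get-SitConditions -Condition $g.sensitivetypes }
        } elseif ($entry.name) {
            [pscustomobject]@{
                Name          = $entry.name
                MinCount      = if ($entry.mincount) { [int]$entry.mincount } else { 1 }
                MinConfidence = $entry.minconfidence      # left as reported by the service
            }
        }
    }
}

# 1. Location scope and policy mode. OneDriveLocation is empty when OneDrive is not selected.
$dlp = Get-DlpCompliancePolicy -Identity $DlpPolicyName
$ret = Get-RetentionCompliancePolicy -Identity $RetentionPolicyName
if (-not $dlp.OneDriveLocation) { Write-Warning "DLP policy '$DlpPolicyName' does not include OneDrive accounts" }
if ($dlp.Mode -ne 'Enable')     { Write-Warning "DLP policy mode is '$($dlp.Mode)'; the policy is not fully enabled" }
"DLP OneDrive scope:       {0} (excluded: {1})" -f ($dlp.OneDriveLocation -join ', '), ($dlp.OneDriveLocationException -join ', ')
"Retention OneDrive scope: {0}" -f ($ret.OneDriveLocation -join ', ')

# 2. Conditions: every DLP rule in the policy versus every rule in the retention policy.
$dlpRules = Get-DlpComplianceRule -Policy $DlpPolicyName
$retRules = Get-RetentionComplianceRule -Policy $RetentionPolicyName
$dlpSits  = $dlpRules | ForEach-Object { Get-SitConditions -Condition $_.ContentContainsSensitiveInformation }
$retSits  = $retRules | ForEach-Object { Get-SitConditions -Condition $_.ContentContainsSensitiveInformation }

foreach ($sit in $retSits) {
    $covered = @($dlpSits | Where-Object Name -eq $sit.Name)
    if ($covered.Count -eq 0) {
        Write-Warning "Retention uses '$($sit.Name)' but no rule in '$DlpPolicyName' does"
    } elseif (($covered | Measure-Object -Property MinCount -Minimum).Minimum -gt $sit.MinCount) {
        Write-Warning "DLP requires more instances of '$($sit.Name)' than retention does"
    }
}

# 3. DLP-only conditions and settings that keep an untouched OneDrive file from alerting.
foreach ($rule in $dlpRules) {
    if ($rule.Disabled) { Write-Warning "Rule '$($rule.Name)' is disabled" }
    if ($rule.AccessScope -eq 'NotInOrganization') {
        Write-Warning "Rule '$($rule.Name)' only matches content shared outside the organization"
    }
    if (-not $rule.GenerateAlert) { Write-Warning "Rule '$($rule.Name)' does not generate an alert" }
}

# Retention rules driven by a KQL query have no DLP equivalent and must be compared by hand.
$retRules | Where-Object ContentMatchQuery | ForEach-Object {
    Write-Warning "Retention rule '$($_.Name)' uses a KQL query ($($_.ContentMatchQuery)); map it to DLP conditions manually"
}
```

Each warning maps to a checklist step: an empty OneDriveLocation is step 3, a missing or under-covered type is step 4 and 7, an AccessScope of NotInOrganization is step 5, and a missing GenerateAlert is step 6. The script only reads configuration; apply fixes in the portal or with the corresponding Set-DlpComplianceRule and Set-DlpCompliancePolicy cmdlets after reviewing the output.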
If DLP Alerts Still Miss OneDrive Files
DLP policy shows OneDrive as included but alerts never fire
Custom sensitive info types are tenant-wide as soon as they are created; there is no per-workload publishing step, so a missing "published to OneDrive" status is not the cause. Check instead that the confidence level the rule demands is one the type actually reports for your content. Open Data classification > Classifiers > Sensitive info types, select the custom type, and use Test to run it against a sample file, or run Test-DataClassification from Security & Compliance PowerShell against the same text. If the test reports a lower confidence than the rule requires, or no match at all, lower the rule's confidence level or add supporting evidence (keywords, checksums) to the type's pattern. After editing a sensitive info type or a policy, allow time for the change to propagate before retesting; results immediately after a change are not a reliable signal either way.
Retention cleanup deletes files that DLP never scanned
Retention cleanup actions do not trigger a DLP scan, and there is no supported cmdlet that forces one: a Start-DlpEvaluation cmdlet does not exist in Security & Compliance PowerShell or in the ExchangeOnlineManagement module. What you can do is detect the gap before deletion happens. Applying a retention label is recorded as a TagApplied event and every DLP match as a DlpRuleMatch event in the unified audit log, so a scheduled script can pull both, compare them by file URL, and list the files that are on their way to deletion without ever having matched DLP. Run it from Security & Compliance PowerShell (Connect-IPPSSession in the ExchangeOnlineManagement module) and keep the look-back window within your tenant's audit retention period, or the older TagApplied events will simply be absent.
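The script below is an added example, not code from the article or from Microsoft, and serves both the audit log verification step in the checklist (DlpRuleMatch) and the gap described here (TagApplied without a matching DlpRuleMatch). It assumes the ExchangeOnlineManagement module, a compliance role, the placeholder label name and look-back window shown, and the AuditData field names noted in the comments (ObjectId and DestinationLabel on TagApplied events, SharePointMetaData.FilePathUrl on DLP events), which follow the Office 365 Management Activity audit schema; verify them against a record from your own tenant before relying on the output.

```powershell
# Added example (not from the original article): list OneDrive files that received the
# retention cleanup label but never produced a DLP rule match, from the unified audit log.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.com   # assumption: your admin UPN

$CleanupLabel = 'Delete PII after 90 days'   # assumption: your auto-apply retention label name
$Start = (Get-Date).AddDays(-30)             # assumption: 30-day window, within audit retention
$End   = Get-Date

# Page through a unified audit log search. ResultSize caps at 5000 per call; reusing the
# SessionId with ReturnLargeSet fetches the next page until a short page ends the set.
function Get-AuditRecords {
    param([string[]]$Operations, [string]$RecordType)
    $search = @{ StartDate = $Start; EndDate = $End; Operations = $Operations
                 SessionId = [guid]::NewGuid().ToString(); SessionCommand = 'ReturnLargeSet'
                 ResultSize = 5000 }
    if ($RecordType) { $search.RecordType = $RecordType }
    do {
        $page = @(Search-UnifiedAuditLog @search)
        foreach ($rec in $page) { $rec.AuditData | ConvertFrom-Json }   # AuditData is a JSON string
    } while ($page.Count -eq 5000)
}

# Files that received the cleanup label. Assumed fields: ObjectId = full file URL,
# DestinationLabel = label name, Workload = 'OneDrive'.
$labeled = @(Get-AuditRecords -Operations 'TagApplied' |
    Where-Object { $_.DestinationLabel -eq $CleanupLabel -and $_.Workload -eq 'OneDrive' } |
    ForEach-Object { $_.ObjectId.ToLowerInvariant() } | Sort-Object -Unique)

# Files with a DLP rule match in SharePoint or OneDrive. Assumed field:
# SharePointMetaData.FilePathUrl = full file URL (ObjectId used as a fallback).
$matched = @(Get-AuditRecords -Operations 'DlpRuleMatch' -RecordType 'ComplianceDLPSharePoint' |
    ForEach-Object {
        $url = if ($_.SharePointMetaData.FilePathUrl) { $_.SharePointMetaData.FilePathUrl } else { $_.ObjectId }
        if ($url) { $url.ToLowerInvariant() }
    } | Sort-Object -Unique)

# The gap: labeled for cleanup, never matched by DLP.
$gap = @($labeled | Where-Object { $matched -notcontains $_ })
"{0} labeled files, {1} with a DLP match, {2} labeled without any DLP match" -f $labeled.Count, $matched.Count, $gap.Count
$gap | ForEach-Object { [pscustomobject]@{ FileUrl = $_ } } |
    Export-Csv -Path .\onedrive-dlp-gap.csv -NoTypeInformation
```

A non-empty CSV is the list to triage: each row is a file the retention policy has already labeled and will delete when its period ends, and that no DLP rule has ever matched. Cross-check a sample of them against the checklist (scope, conditions, sharing scope) rather than against the retention policy, since the retention side has demonstrably worked. Comparing by lower-cased URL is deliberate: the two event types are written by different services and do not agree on letter case.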
DLP alerts appear for SharePoint but not for OneDrive
The DLP policy might be scoped to SharePoint sites but not to OneDrive accounts. Edit the policy and under Locations, add OneDrive accounts. If the policy uses a custom scope, ensure the OneDrive accounts are part of the included groups.
DLP Scanning vs Retention Auto-Labeling: Key Differences for OneDrive
| Item | DLP Scanning | Retention Auto-Labeling |
|---|---|---|
| Trigger | Crawler indexing: file upload or modification, plus a one-time pass over existing content when the policy is applied | Background timer job over existing and new content; no user action needed |
| Scope | Exchange, SharePoint, OneDrive, Teams chat and channel messages, endpoint devices | Exchange, SharePoint, OneDrive, Microsoft 365 Groups, Teams |
| Scan frequency | Event-driven; no scheduled rescan | Periodic; Microsoft documents up to 7 days for an auto-apply label to reach existing content |
| Conditions | Sensitive info types (with confidence level and instance count), trainable classifiers, sensitivity labels, sharing scope, file properties | Sensitive info types, KQL query (keywords and properties), trainable classifiers |
| Alert generation | Alert and incident report when a rule matches, if the rule is configured to send them | No alert; the label is applied silently and logged as TagApplied in the audit log |
| File types supported | Crawler-indexable formats (Office documents, PDF, CSV, text); text inside images only with the separately billed Purview OCR option | Same indexed formats; image text likewise requires OCR |
To close the gap, scope the DLP policy to the same OneDrive accounts the retention policy targets, align the sensitive info types and their confidence and instance thresholds, drop sharing-scope conditions that retention does not use, and have each rule alert on every match. Verify the result with a test file and a DlpRuleMatch search in the audit log rather than assuming the policy is scanning.
You can now audit your DLP policies to include OneDrive accounts and align their conditions with retention auto-labeling. Next, schedule a script that compares TagApplied and DlpRuleMatch audit events so that files headed for deletion without a DLP match are reviewed before their retention period ends. Note that text inside images (scanned PDFs, screenshots) is evaluated by neither feature unless the separately billed Purview OCR option is enabled for the locations in question.