OneDrive for Business DLP alerts miss OneDrive files for HR investigations: Fix Guide

Data Loss Prevention alerts in Microsoft 365 are designed to detect sensitive content in OneDrive for Business files. When DLP alerts fail to fire for files stored in HR investigation folders, compliance teams lose visibility into policy violations. This problem usually occurs because the DLP policy scope does not include the specific OneDrive site or because the HR folder uses a custom sensitivity label that the policy excludes. This article explains why DLP alerts miss HR investigation files in OneDrive and provides step-by-step fixes to restore full detection coverage.

Key Takeaways: How to Fix DLP Alerts Missing HR Investigation Files in OneDrive

  • Microsoft 365 Compliance Center > DLP Policies > Policy Settings > Locations: Check that the OneDrive location is selected and that the policy covers all sites or the specific HR site.
  • Microsoft 365 Compliance Center > DLP Policies > Policy Settings > Advanced DLP Rules: Verify that custom sensitivity labels used by HR folders are included in the rule conditions.
  • Microsoft 365 Compliance Center > Alerts > DLP Alert Configuration: Ensure alert severity thresholds are low enough to trigger notifications for HR investigation files.

Why DLP Alerts Miss OneDrive Files in HR Investigation Folders

DLP policies in Microsoft 365 scan OneDrive for Business files for sensitive data types such as Social Security numbers, credit card numbers, or custom keywords. When a DLP alert does not fire for a file in an HR investigation folder, one of three root causes is usually responsible.

First, the DLP policy may be scoped to only specific OneDrive sites. If the HR team stores investigation files in a site that is not included in the policy scope, DLP will never scan those files. Second, the HR folder may use a custom sensitivity label that the DLP rule does not reference. DLP rules can be configured to trigger only when certain labels are detected. If the label is missing from the rule, the alert will not fire. Third, the DLP policy may have a high alert threshold that suppresses low-confidence matches. For example, a policy configured to alert only when 100 instances of a sensitive data type are found will not trigger for a single HR document containing one Social Security number.

Understanding these root causes is essential before applying the fixes. The following sections walk through each fix in detail.

Steps to Fix DLP Alerts Missing HR Investigation Files in OneDrive

Perform these steps in order. After each step, test the DLP policy by uploading a test file containing a sensitive data type to the HR investigation folder.

Step 1: Verify the DLP Policy Includes the Correct OneDrive Sites

  1. Open the Microsoft 365 Compliance Center
    Sign in to https://compliance.microsoft.com with an account that has Compliance Administrator or DLP Compliance Management role.
  2. Navigate to DLP policies
    Go to Data Loss Prevention > Policies. Locate the DLP policy that should detect HR investigation files.
  3. Edit the policy locations
    Click the policy name, then click Edit policy. Under Locations, select Sites. If the policy is set to All sites, it covers all OneDrive for Business sites. If it is set to Choose sites, click Choose sites and add the specific HR investigation site URL. Click Save.

Step 2: Include the HR Folder’s Sensitivity Label in the DLP Rule

  1. Open the DLP rule editor
    In the same policy, click Edit policy > Configure rules. Find the rule that should trigger for HR files and click Edit.
  2. Add the sensitivity label condition
    Under Conditions, click Add condition > Content contains > Sensitivity labels. Select the label applied to HR investigation folders. If the label does not appear, verify that the label is published in the Microsoft 365 Compliance Center under Information Protection > Labels.
  3. Save and test
    Click Save, then click Save again on the policy page. Upload a test file with the HR label to the investigation folder. Verify that a DLP alert appears within 15 minutes.

Step 3: Lower the Alert Threshold for HR Investigation Files

  1. Open the DLP rule’s incident report settings
    In the same rule editor, scroll to Incident reports. Click Edit next to Send an alert to the admin.
  2. Reduce the minimum instance count
    Set Minimum number of instances to 1. Set Minimum confidence level to High. This ensures that a single instance of a sensitive data type with high confidence triggers an alert.
  3. Save and test
    Click Save, then click Save on the policy page. Upload a test file containing one Social Security number to the HR folder. Confirm that an alert appears in the Alerts dashboard under Data Loss Prevention > Alerts.

Step 4: Verify That DLP Scanning Is Not Disabled for the HR Site

  1. Check site-level DLP settings
    In the HR OneDrive site, go to Settings > Site information > View all site settings > Site collection features. Ensure that the Data Loss Prevention feature is activated.
  2. Confirm that the site is not excluded
    In the Microsoft 365 Compliance Center, go to Data Loss Prevention > Policies > Policy settings > Locations. Verify that the HR site is not listed under Excluded sites. If it is, remove it.
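
The scope, exclusion, label and threshold checks in Steps 1 through 4 can also be cross-checked from Security & Compliance PowerShell. The script below is an added example, not part of the original guide; it is read-only, and the policy name and HR site URL are placeholders you must replace. It assumes an all-sites scope is reported with the location name `All`.

```powershell
# Added example: read-only check of DLP scope and alert settings for one HR OneDrive site.
# Both values below are placeholders (assumptions); replace them with your own.
$PolicyName = '<DLP policy name>'
$HrSiteUrl  = '<HR OneDrive site URL>'

# Needs the ExchangeOnlineManagement module and a compliance role (see Step 1).
Connect-IPPSSession

# Compare URLs without case or trailing-slash differences.
function Get-ComparableUrl([string]$Url) { $Url.Trim().TrimEnd('/').ToLowerInvariant() }

$policy   = Get-DlpCompliancePolicy -Identity $PolicyName
$target   = Get-ComparableUrl $HrSiteUrl
$included = @($policy.OneDriveLocation | ForEach-Object { Get-ComparableUrl $_.Name })
$excluded = @($policy.OneDriveLocationException | ForEach-Object { Get-ComparableUrl $_.Name })

# Assumption: an all-sites scope appears as a single location named 'All'.
$inScope    = ($included -contains 'all') -or ($included -contains $target)
$isExcluded = $excluded -contains $target

if ($isExcluded)        { $finding = 'HR site is excluded: remove the exclusion (Step 4)' }
elseif (-not $inScope)  { $finding = 'HR site is not in scope: add it or use All sites (Step 1)' }
else                    { $finding = 'Scope OK: review the rule output below (Steps 2 and 3)' }

# Steps 1 and 4: is the HR site scanned at all?
[pscustomobject]@{
    Policy         = $policy.Name
    Mode           = $policy.Mode
    Enabled        = $policy.Enabled
    HrSiteInScope  = $inScope
    HrSiteExcluded = $isExcluded
    Finding        = $finding
} | Format-List

# Steps 2 and 3: dump each rule's alert setting and conditions for manual review
# of the sensitivity labels and minimum instance counts it references.
Get-DlpComplianceRule -Policy $PolicyName | ForEach-Object {
    [pscustomobject]@{
        Rule          = $_.Name
        Disabled      = $_.Disabled
        GenerateAlert = $_.GenerateAlert -join ', '
        Conditions    = $_.ContentContainsSensitiveInformation | ConvertTo-Json -Depth 6 -Compress
    }
} | Format-List
```

An empty `GenerateAlert` value or `Disabled = True` on the HR rule means no alert will be raised even when the site is in scope.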

If DLP Alerts Still Miss HR Investigation Files After the Main Fix

DLP Alert Does Not Appear in the Alerts Dashboard

If the alert does not appear after applying all steps, check the DLP policy’s audit log. Go to Audit in the Microsoft 365 Compliance Center and search for the file name. Look for a DlpAudit event. If no event exists, the file was never scanned. This usually means the policy location is still incorrect. Double-check that the HR site URL is spelled exactly as it appears in the OneDrive admin center.

DLP Alert Fires but Contains No File Details

When a DLP alert fires but shows no file information, the HR investigation folder may be using a document library that is not indexed for DLP. Go to the document library settings in the HR site, click Advanced settings, and confirm that Allow items from this document library to appear in search results is set to Yes. DLP scanning relies on search indexing.

DLP Alert Fires for Some HR Files but Not Others

If only some files trigger alerts, the HR team may be using multiple sensitivity labels. Open the DLP rule and add all labels that HR uses for investigation files. Also verify that the files are not encrypted with a label that prevents DLP scanning. Labels configured with user-defined permissions can block DLP from reading the content.

DLP Policy Scope vs Sensitivity Label Rules: Key Differences for HR Investigations

| Item | DLP Policy Scope | Sensitivity Label Rules |
|---|---|---|
| Definition | Determines which OneDrive sites are scanned by the DLP policy | Determines which files trigger the DLP rule based on their label |
| Configuration location | Microsoft 365 Compliance Center > DLP Policies > Locations | Microsoft 365 Compliance Center > DLP Policies > Rule conditions |
| Effect on HR files | If the HR site is excluded, no files in that site are ever scanned | If the HR label is excluded, files with that label are scanned but do not trigger the rule |
| Typical misconfiguration | Policy set to Choose sites but HR site not added | Rule condition does not include the custom HR sensitivity label |
| Fix | Add the HR site URL to the policy’s site list | Add the HR label to the rule’s content conditions |

Both settings must be correctly configured for DLP alerts to fire on HR investigation files. Verifying the scope first and then the label rule covers the two most common failure points.

After confirming the DLP policy scope and sensitivity label conditions, test with a file that contains a known sensitive data type such as a Social Security number in the format 123-45-6789. Wait up to 15 minutes for the alert to appear in the Alerts dashboard. If the alert still does not appear, review the DLP policy’s incident report configuration to ensure that alerts are enabled for the rule. For ongoing HR investigations, consider creating a dedicated DLP policy that applies only to the HR site and uses a low threshold of 1 instance, so that a single match in any file is enough to raise an alert.
