You configure Data Loss Prevention (DLP) policies in Microsoft Purview to detect when users share sensitive files with people outside the organization from OneDrive for Business. However, you start seeing DLP alerts, and sometimes restricted access, for sharing that is a legitimate business action, such as sending a contract to a client or sharing a project plan with a partner. This usually happens because the rule's conditions match too broadly (for example, a single instance of a sensitive info type at any confidence level), because the policy's OneDrive scope includes every user, or because the rule offers no override path for a user with a valid business need. This article explains why DLP policies flag legitimate external sharing and provides steps to adjust conditions, scope, exceptions, and override settings so that real business workflows are not interrupted while actual leaks are still caught.
Key Takeaways: Fixing DLP False Positives for External Sharing in OneDrive
- Microsoft Purview compliance portal > Data loss prevention > Policies > Locations: Exclude the OneDrive accounts or groups of users who share with partners as part of their job, or scope a separate, narrower policy to them.
- Rule conditions > Content contains: Raise the instance count and confidence level of the sensitive info types and remove types that produce noise for your business; tie the rule to external sharing with the condition Content is shared from Microsoft 365 > with people outside my organization.
- Rule actions and user overrides: Instead of blocking outright, keep Restrict access for people outside the organization but turn on Allow overrides from Microsoft 365 services with Require a business justification to override, so users can proceed and the justification is logged.
Why DLP Policies Block Legitimate External Uploads from OneDrive
Data Loss Prevention policies in Microsoft Purview evaluate files in OneDrive for Business when they are created, modified, or shared, and they also evaluate existing files once a policy is applied. A rule matches when the file's content meets the rule's conditions; the condition Content is shared from Microsoft 365 > with people outside my organization is what ties the match to external sharing. On a match, the rule can restrict access for external recipients (the file remains in OneDrive, but the sharing link stops working for people outside the organization), show the user a policy tip, and raise an admin alert. DLP does not read the sharing audit log to make this decision; it inspects the file and its current sharing state directly.
The most common reason for false positives is a rule whose Content contains condition uses a sensitive info type with an instance count of 1 and the default confidence level, with no exceptions. For example, a rule that restricts any file containing a credit card number will block a legitimate share with a partner if the file happens to contain a single card number used as a payment reference. Another cause is that the policy's Locations include All OneDrive accounts without excluding the users whose job involves regular partner collaboration.
OneDrive writes an audit record every time a user creates a sharing link or sends a sharing invitation; these appear in the unified audit log under operations such as SharingSet, SharingInvitationCreated, and AnonymousLinkCreated, and a DLP match on that sharing is recorded as DlpRuleMatch. These records do not drive the policy, but they tell you who shared which file with whom and which rule matched, which is exactly what you need to decide whether a rule should be narrowed or a user excluded.
Steps to Tune DLP Policy Conditions and Scope for OneDrive External Sharing
Follow these steps to reduce false positives while still monitoring for actual data leaks.
- Open the DLP policy in Microsoft Purview
Go to Microsoft Purview compliance portal > Data loss prevention > Policies. Select the policy that is generating the false alerts and click Edit policy.
- Review the policy scope for OneDrive locations
Under Locations, check whether the OneDrive location applies to All accounts or to specific accounts or groups. Partners do not have OneDrive accounts in your tenant, so any exclusion applies to your own users: exclude the accounts, or preferably a security or distribution group, of the users whose role involves sharing with partners. Keep that list short and reviewed; every excluded account is a blind spot for the policy.
- Narrow the rule conditions
Click Edit rule next to the rule that triggers the alert. Under Conditions, open Content contains and, for each sensitive info type, raise the instance count (for example, at least 5 credit card numbers rather than 1) and set the confidence level to High. If the rule groups several sensitive info types with Any of these, consider All of these so that more than one indicator is required before the rule matches. Remove types that are irrelevant to your business. Make sure the rule also includes Content is shared from Microsoft 365 > with people outside my organization; without it, the rule matches internal-only sharing as well.
- Add exceptions
Under Exceptions, click Add exception. Sender domain and Recipient domain exceptions exist only for the Exchange location; they are not offered when the policy is scoped to OneDrive, so a partner's domain cannot be excepted here. Use the exceptions OneDrive does support: Document created by or Document created by member of (for the accounts or groups that handle partner collaboration), a sensitivity label that marks approved partner content, or a file extension or document property. Domain-level control of who can receive sharing links lives in the SharePoint admin center external sharing settings, not in DLP.
- Allow users to override with a justification
Under Actions, keep Restrict access or encrypt the content in Microsoft 365 locations with Block only people outside your organization. Under User notifications, turn on policy tips. Under User overrides, select Allow overrides from Microsoft 365 services and Require a business justification to override. The user sees the policy tip, enters a justification, and the share proceeds; the match and the justification are still recorded, and an alert is still raised if incident reports are enabled. Review overrides regularly in Activity explorer.
- Save and test the policy
Click Save. If you are unsure of the effect, set the policy mode to Test it out first (optionally with policy tips shown) so matches are logged without restricting access. Share a sample file that was previously blocked and confirm in Activity explorer that it no longer matches, or that the override prompt appears. Monitor DLP alerts for at least 24 hours before switching the policy to Turn it on right away.
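The same tuned policy built from Security & Compliance PowerShell, as an added example that is not part of the original article or of Microsoft's documentation. It assumes a hypothetical tenant contoso.com, a hypothetical mail-enabled security group DLP-PartnerCollaboration@contoso.com whose members share with partners as part of their job, and the policy name "OneDrive External Sharing - Tuned"; the cmdlets and parameters are those of the ExchangeOnlineManagement module. The noisy condition that produced the false positives is shown in a comment next to the tuned one so the difference is visible.

```powershell
# Added example (not from the original article): create the tuned OneDrive DLP policy
# from the steps above with Security & Compliance PowerShell, starting in test mode.
# Assumptions (hypothetical): tenant contoso.com, group DLP-PartnerCollaboration@contoso.com,
# policy name "OneDrive External Sharing - Tuned".
# Prerequisite: Install-Module ExchangeOnlineManagement; run as a Compliance Administrator.

Connect-IPPSSession

$policyName = 'OneDrive External Sharing - Tuned'

# Scope: every OneDrive account except the partner-collaboration group. The exclusion is for
# your own users; partners have no OneDrive account in this tenant. (Older module versions
# offer only -OneDriveLocationException, which takes personal site URLs instead of a group.)
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Sensitive content shared outside the org from OneDrive; tuned to cut false positives' `
    -OneDriveLocation 'All' `
    -ExceptIfOneDriveSharedByMemberOf 'DLP-PartnerCollaboration@contoso.com' `
    -Mode 'TestWithNotifications'

# Noisy condition that caused the false positives (shown for comparison, not created):
#   @{ Name = 'Credit Card Number'; minCount = '1' }      # one card number, any confidence
# Tuned condition: at least five card numbers at High confidence (minconfidence 85 is the
# High level for this sensitive info type), evaluated only on external sharing (AccessScope).
$sensitiveInfo = @(
    @{ Name = 'Credit Card Number'; minCount = '5'; maxCount = '-1'; minconfidence = '85'; maxconfidence = '100' }
)

New-DlpComplianceRule -Name "$policyName - cards shared externally" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation $sensitiveInfo `
    -AccessScope 'NotInOrganization' `
    -BlockAccess $true `
    -BlockAccessScope 'PerUser' `
    -NotifyUser 'Owner', 'LastModifier' `
    -NotifyPolicyTipCustomText 'This file contains payment card data and is shared outside the organization. Provide a business justification to continue.' `
    -NotifyAllowOverride 'WithJustification' `
    -GenerateAlert 'SiteAdmin' `
    -ReportSeverityLevel 'Medium' `
    -GenerateIncidentReport 'SiteAdmin' `
    -IncidentReportContent 'Title', 'DocumentAuthor', 'Detections', 'Severity', 'MatchedItem'

# Verify what was created; BlockAccessScope PerUser = "Block only people outside your organization".
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, ContentContainsSensitiveInformation, AccessScope, BlockAccess, BlockAccessScope, NotifyAllowOverride

# After the test period, once alerts look right, enforce the policy:
# Set-DlpCompliancePolicy -Identity $policyName -Mode 'Enable'
```

The policy is created in TestWithNotifications mode deliberately: matches are logged and policy tips are shown, but access is not restricted, which lets you compare the new match volume against the old rule before anyone is blocked. Switching to Enable is the last step, not the first.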
If DLP Alerts Still Block Legitimate Uploads After Tuning
DLP rule applies to files already shared externally
A DLP policy evaluates existing content as well as new content, so a file that was shared externally before the policy was created is evaluated when the policy first reaches it and again whenever the file is modified. If the rule uses Content is shared from Microsoft 365 > with people outside my organization, those pre-existing shares match and external access is restricted. This is expected behavior, not a defect, and changing the condition to only with people inside my organization would make the rule stop watching external sharing altogether. The remedy is the same as for new shares: raise the instance count and confidence level, except the responsible accounts or groups, or enable overrides so the owner can justify the existing share. Use Activity explorer to list the pre-existing files that matched so their owners can be warned before the policy is enforced.
User receives “This file can’t be uploaded because of a policy” error
The message the user sees is generic and does not name the policy. To identify it, open Microsoft Purview compliance portal > Data loss prevention > Activity explorer. Filter Activity to DLP rule matched and Location to OneDrive, then find the record for the file and user; it shows the Policy name, Rule name, the sensitive info types that matched, and the action taken (for example, BlockAccess). Return to Policies and adjust that rule as described above. Note that the file itself has reached OneDrive; what is blocked is access by the external recipient.
DLP alert is raised but no block occurred
This happens when the rule has no Restrict access action or when the policy is still in test mode: the content is evaluated, the match is logged, and an admin alert is generated, but access is not restricted. Turning off Notify users in Office 365 service with a policy tip does not stop alerts; policy tips are user notifications, while alerts are controlled under Incident reports (Send an alert to admins when a rule match occurs). Rather than disabling alerts, which hides real leaks too, add exceptions or raise the match threshold as shown earlier so that legitimate sharing stops matching. If a specific low-risk rule genuinely needs no alerting, turn off the alert in that rule's Incident reports settings only.
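When the portal filters are not enough, the unified audit log answers both questions in this section (which policy and rule matched a user's share, and which matches users overrode). The following is an added example, not part of the original article. It assumes a hypothetical user alice@contoso.com and the field names of the Office 365 DLP audit schema (PolicyDetails, Rules, Actions, ConditionsMatched, SharePointMetaData, ExceptionInfo); if your tenant's records differ, inspect one raw AuditData value first.

```powershell
# Added example (not from the original article): find which DLP policy and rule matched a
# user's OneDrive share, and list the matches the user overrode, from the unified audit log.
# Assumptions (hypothetical): user alice@contoso.com; AuditData field names per the DLP audit
# schema (PolicyDetails, Rules, Actions, ConditionsMatched, SharePointMetaData, ExceptionInfo).
# Prerequisite: Connect-IPPSSession as a user with the Audit Logs or Compliance Admin role.

Connect-IPPSSession

$user  = 'alice@contoso.com'
$start = (Get-Date).AddDays(-7)
$end   = Get-Date

# DlpRuleMatch = a rule matched (possibly blocking access); DlpRuleUndo = the user overrode it.
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType 'ComplianceDLPSharePoint' `
    -Operations 'DlpRuleMatch', 'DlpRuleUndo' `
    -UserIds $user `
    -ResultSize 5000

# Flatten one row per (record, policy, rule) so blocks and overrides are easy to filter.
$rows = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    foreach ($p in $d.PolicyDetails) {
        foreach ($rule in $p.Rules) {
            $sits = $rule.ConditionsMatched.SensitiveInformation |
                ForEach-Object { "$($_.SensitiveInformationTypeName) x$($_.Count)" }
            [pscustomobject]@{
                When          = $r.CreationDate
                Operation     = $r.Operations
                Workload      = $d.Workload                         # OneDrive or SharePoint
                Policy        = $p.PolicyName
                Rule          = $rule.RuleName
                Actions       = ($rule.Actions -join ',')            # e.g. BlockAccess,NotifyUser
                SensitiveInfo = ($sits -join '; ')
                File          = $d.SharePointMetaData.FilePathUrl
                Justification = $d.ExceptionInfo.Justification       # populated on DlpRuleUndo
            }
        }
    }
}

# 1. Which rule actually blocked external access to this user's files
$rows | Where-Object { $_.Operation -eq 'DlpRuleMatch' -and $_.Actions -match 'BlockAccess' } |
    Sort-Object When -Descending |
    Format-Table When, Policy, Rule, SensitiveInfo, File -AutoSize

# 2. Which matches the user overrode, and the justification given
$rows | Where-Object { $_.Operation -eq 'DlpRuleUndo' } |
    Format-Table When, Policy, Rule, Justification, File -AutoSize
```

Reading the SensitiveInfo column across a week of matches is the quickest way to see whether a single card number or SSN is doing all the damage, which tells you whether raising the instance count will fix the false positives or whether the sensitive info type itself needs to go.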
DLP Policy Actions for External Sharing: Restrict Access vs Restrict Access with Override vs Audit Only
| Item | Restrict access (no override) | Restrict access with user override | No restriction (audit only or test mode) |
|---|---|---|---|
| Description | Blocks access for people outside the organization (or everyone); the file stays in OneDrive | Same restriction, but the user can lift it by supplying a business justification | Access is not restricted; the match is only logged |
| User experience | Sharing link fails for the external recipient; the owner sees a policy tip | Policy tip with an override dialog that asks for a justification | Share succeeds; a policy tip appears only if enabled |
| Alert generated | Yes, when Incident reports alerting is enabled | Yes, and the justification is logged with the match | Yes, when Incident reports alerting is enabled |
| Best use case | High-risk data such as PII or trade secrets | Moderate-risk data where a business need may exist | Low-risk data or piloting a new policy |
Use restrict access with a justified user override for most external sharing scenarios: legitimate shares proceed, the justification is recorded, and you keep visibility of every match.
After adjusting your DLP policy, monitor the Alerts dashboard in Microsoft Purview for the next week to confirm that false positives have stopped. If alerts still appear for sharing with trusted partners, open the matching record in Activity explorer and check which rule and which sensitive info type matched, and whether the sharing user is actually a member of the excluded account list or group (group membership changes take time to propagate to the policy). You can also create a separate DLP policy with a narrow scope and a higher match threshold specifically for the users who collaborate with partners, leaving the broader policy for all other OneDrive accounts. Remember that when a file matches rules in several policies, the most restrictive action is applied, so the broader policy must exclude those users rather than merely coexist with the narrower one.