Data Loss Prevention policies in Microsoft 365 can block legitimate document uploads to OneDrive for Business during legal discovery workflows. This happens when DLP rules incorrectly classify sensitive information types or when policy thresholds trigger false positives on files that are part of a legal hold or eDiscovery collection. This article explains why DLP blocks occur during legal discovery and gives step-by-step troubleshooting to identify the policy, exempt specific users or sites, and verify that uploads proceed without compromising compliance.
Key Takeaways: DLP False Positives During Legal Discovery
- Microsoft Purview compliance portal > Data Loss Prevention > Policies: Locate the active DLP policy that blocks uploads and review its rules.
- DLP policy > Rules > Exclusions: Add the legal discovery site URL or specific user group to the exclusion list to bypass blocking.
- OneDrive admin center > Sharing > Sync: Verify that sync is not disabled for the user or site, as sync blocking can also prevent uploads.
Why DLP Blocks Legitimate Uploads During Legal Discovery
DLP policies in Microsoft 365 use content analysis to detect sensitive information such as credit card numbers, bank account details, or health records. When a policy rule matches a file being uploaded to OneDrive, the service blocks the upload and logs an alert in the Microsoft Purview compliance portal. During legal discovery, files often contain sensitive data by nature — for example, contracts, financial statements, or personally identifiable information related to litigation. The DLP engine cannot distinguish between a legitimate discovery upload and a policy violation. This results in false positive blocks that stop legal counsel or eDiscovery administrators from uploading required documents.
The most common root cause is a DLP policy rule set to block all occurrences of a sensitive information type, without an exclusion for the legal discovery site or user group. Another cause is the priority order of DLP rules — if a rule with a block action appears above a rule that allows uploads, the block action takes precedence. Additionally, if a policy is scoped to all Microsoft 365 workloads without site-level exclusions, every upload to OneDrive is scanned. Understanding these mechanics helps you narrow down which policy rule is causing the block.
Steps to Identify and Resolve DLP Blocks for Legal Discovery Uploads
Follow these steps to locate the DLP policy that blocks uploads, create an exclusion for the legal discovery site, and verify that legitimate files can be uploaded. You need Global Admin or Compliance Admin permissions in Microsoft 365.
1. Open the Microsoft Purview compliance portal
Go to https://compliance.microsoft.com and sign in with your admin account. In the left navigation, select Data Loss Prevention then Policies. This page lists all active DLP policies in your tenant.
2. Identify the policy that blocks uploads
Review each policy and note its scope: whether it applies to all users, specific groups, or all SharePoint and OneDrive sites. Look for a policy with a rule that has an action set to Block or Block with override. If you have multiple policies, check the priority order. The policy with the highest priority executes first.
3. Review the DLP alert details
In the same portal, go to Data Loss Prevention > Alerts. Find the alert that matches the blocked upload. Open the alert and examine the Activity tab. It shows the file name, user, site URL, and the sensitive information type that triggered the match. Copy the site URL, for example, https://yourtenant-my.sharepoint.com/personal/user_domain_com.
4. Create an exclusion for the legal discovery site or user
Open the DLP policy identified in step 2. Go to Rules and select the rule that caused the block. Under Exceptions, click Add exception. Choose Site is from the drop-down list. Paste the site URL from step 3. Alternatively, choose User is and select the user or group responsible for legal discovery. This exemption tells the DLP engine to skip scanning for that rule on that site or user.
5. Set the exception to not exclude
In the exception configuration, ensure the condition is set to Site is not or User is not to exclude the specific site or user from the rule. If you use Site is, the rule will only apply to that site, which is the opposite of what you want. Save the rule and the policy.
6. Test the upload again
Ask the legal user to upload the same file that was previously blocked. The upload should complete without a DLP alert. If the block persists, wait up to 30 minutes for policy changes to propagate, then retry. If the block still occurs, repeat steps 1 through 5 and verify that no other DLP policy with a higher priority is still blocking the upload.
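The policy and priority review in steps 1 and 2, and the final check for another policy that still blocks, can also be done from Security & Compliance PowerShell. The script below is an added example, not part of the original article. It is read-only, uses the article's placeholder site URL, and assumes exclusions are recorded as policy-level OneDrive location exceptions (rule-level exceptions are not evaluated).

```powershell
# Added example: read-only audit of DLP policies that can block a OneDrive site.
# Requires the ExchangeOnlineManagement module and a Purview compliance role.
Connect-IPPSSession

# Placeholder: replace with the site URL copied from the DLP alert (step 3).
$siteUrl = 'https://yourtenant-my.sharepoint.com/personal/user_domain_com'.TrimEnd('/')

$report = foreach ($policy in Get-DlpCompliancePolicy) {
    # Skip policies that are turned off or do not cover OneDrive at all.
    if ($policy.Mode -eq 'Disable' -or -not $policy.OneDriveLocation) { continue }

    # Normalise the policy's OneDrive exceptions to plain URL strings.
    # Entries may be objects exposing .Name or plain strings; handle both.
    $exceptions = @($policy.OneDriveLocationException | ForEach-Object {
        if ($_.Name) { "$($_.Name)".TrimEnd('/') } else { "$_".TrimEnd('/') }
    })
    $excluded = $exceptions -contains $siteUrl   # -contains is case-insensitive

    # Only enabled rules with a block action can stop an upload.
    $blockingRules = Get-DlpComplianceRule -Policy $policy.Name |
        Where-Object { $_.BlockAccess -and -not $_.Disabled }

    foreach ($rule in $blockingRules) {
        [pscustomobject]@{
            PolicyPriority = $policy.Priority   # 0 is the highest priority
            Policy         = $policy.Name
            Mode           = $policy.Mode       # test modes log but do not block
            RulePriority   = $rule.Priority
            Rule           = $rule.Name
            AllowOverride  = ($rule.NotifyAllowOverride -join ',')
            SiteExcluded   = $excluded
        }
    }
}

# Rows with Mode 'Enable' and SiteExcluded False are the policies
# that can still block uploads to the legal discovery site.
$report | Sort-Object PolicyPriority, RulePriority | Format-Table -AutoSize
```

Run it before and after adding the exclusion: a row that still shows `SiteExcluded` as False for an enabled policy identifies the remaining blocking policy.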
If Uploads Still Fail After the Exclusion
Another DLP policy with higher priority blocks the file
Multiple DLP policies can apply to the same site or user. The policy with the highest priority executes first. If you excluded the site in one policy but another policy with a higher priority still blocks, the upload fails. Check the priority order on the Data Loss Prevention > Policies page. Move the excluded policy above the blocking policy, or add the same exclusion to the higher-priority policy.
OneDrive sync is disabled for the user or site
DLP blocks are not the only reason uploads fail. If OneDrive sync is disabled for the user or site, uploads via the web or sync client are blocked. Go to the Microsoft 365 admin center > Settings > Org settings > OneDrive > Sync. Ensure that sync is allowed for the user or site. If sync is restricted, enable it or use the Allow syncing only on PCs joined to specific domains option to limit sync while still allowing the legal discovery site.
The file exceeds the maximum upload size
OneDrive for Business has a file size limit of 250 GB per file. If the file is larger, the upload fails regardless of DLP settings. Check the file size. If it exceeds the limit, split the file into smaller parts or use a compression tool. DLP scanning also has a file size limit — files over 100 MB may not be scanned for sensitive information types. This can cause the upload to proceed but without DLP protection, which might be acceptable for legal discovery files that are already under legal hold.
DLP Alert vs DLP Block: Key Differences for Legal Discovery
| Item | DLP Alert | DLP Block |
|---|---|---|
| User impact | Upload completes, admin receives an alert | Upload is prevented, user sees an error message |
| Policy action | Audit only or notify admin | Block or block with override |
| Use in legal discovery | Preferred — allows upload while tracking activity | Problematic — stops discovery workflow |
| Override option | Not applicable | User can override if policy allows and justification is provided |
For legal discovery, configure DLP policies to use Alert actions instead of Block actions on the sites and users involved. This gives you visibility into sensitive data uploads without interrupting the discovery process. If a block is unavoidable, ensure the policy includes an override option so the user can provide a business justification.
You now know how to identify the DLP policy that blocks legitimate uploads during legal discovery and how to create site-level or user-level exclusions. Next, review all DLP policies in your tenant and change block actions to alert actions for site collections used by legal teams. As an advanced tip, use Microsoft 365 admin center > Compliance > Information Protection > Auto-labeling to automatically apply retention labels to files uploaded to legal discovery sites, which provides an additional layer of protection without blocking uploads.