Troubleshooting OneDrive for Business DLP Alerts That Miss OneDrive Files During Retention Cleanup

You configured Data Loss Prevention policies in Microsoft Purview to protect sensitive content in OneDrive for Business. During retention cleanup operations, you notice that DLP alerts do not fire for files stored in OneDrive. This can leave sensitive data exposed when retention labels expire and files are deleted without a compliance review. The root cause is often a mismatch between the DLP policy scope, the retention label configuration, and the OneDrive site location. This article explains why DLP alerts miss OneDrive files during retention cleanup and walks through the troubleshooting steps that resolve the issue.

Key Takeaways: DLP Alerts for OneDrive Retention Cleanup

  • Microsoft Purview compliance portal > Data Loss Prevention > Policies > Policy settings > Locations: DLP policies must include OneDrive accounts as a location and specify all user sites, not just selected sites.
  • Microsoft Purview compliance portal > Records Management > Retention labels > Auto-apply label policy: Retention labels must be auto-applied to OneDrive content using a sensitivity-based or keyword-based rule; manual labels are often missed during cleanup.
  • Microsoft 365 admin center > Health > Service health > OneDrive for Business: Check for known DLP alerting delays or throttling issues that affect OneDrive specifically.

Why DLP Alerts Miss OneDrive Files During Retention Cleanup

Data Loss Prevention policies in Microsoft Purview scan content at rest and in transit. When a retention label expires and a file is deleted, the DLP system may not evaluate the file if the policy scope does not cover the OneDrive site. The most common technical causes are:

1. DLP policy scope excludes OneDrive. DLP policies can target Exchange, SharePoint, OneDrive, Teams, and Devices. If OneDrive is not selected as a location, no OneDrive files are evaluated. Even when OneDrive is selected, the policy must include all user sites or specific site URLs. A scope limited to selected sites often misses newly created users or renamed sites.

2. Retention labels are not applied to OneDrive content. Retention cleanup events trigger DLP evaluation only if the file has an active retention label. If the label is applied manually by users, many files remain untagged. Auto-apply label policies must be configured to scan OneDrive content and assign labels based on sensitive information types or trainable classifiers.

3. DLP alerting delay or throttling. Microsoft Purview applies rate limits to DLP alert generation. During bulk cleanup operations, such as a retention label expiring on thousands of files, the system may throttle alerts. OneDrive files are often processed after SharePoint files, causing a perceived miss.

4. File types or sensitivity labels not covered. DLP policies can target specific sensitive information types like credit card numbers or passport IDs. If the retention cleanup involves files that do not match the defined sensitive types, no alert is generated. Similarly, if the DLP policy uses sensitivity labels but the files are not labeled, alerts are skipped.

Steps to Troubleshoot DLP Alerts Missing OneDrive Files

Follow these steps in order. Each step addresses one of the root causes listed above.

Step 1: Verify DLP Policy Location Includes OneDrive

  1. Open the Microsoft Purview compliance portal
    Go to https://compliance.microsoft.com and sign in with a Compliance Administrator or DLP Compliance Management role.
  2. Navigate to the DLP policy
    Select Data Loss Prevention > Policies. Click the policy that should alert on OneDrive retention cleanup.
  3. Check the Locations section
    On the policy details page, click Edit policy. Under Locations, confirm that OneDrive accounts is toggled On.
  4. Verify site inclusion
    Click OneDrive accounts. Ensure the radio button All users and groups is selected. If Choose users and groups is selected, verify that all relevant users are listed. Add missing users by clicking Edit and searching for their names.
  5. Save the policy
    Click Next through each section, then click Submit. Wait up to 24 hours for the policy to apply to all OneDrive sites.

Step 2: Configure Auto-Apply Retention Labels for OneDrive

  1. Go to Records Management
    In the Microsoft Purview compliance portal, select Records Management > Label policies > Auto-apply a label.
  2. Create or edit an auto-apply policy
    Click Create auto-apply label policy. Give the policy a name, such as OneDrive Sensitive Content Retention.
  3. Choose the content type
    Under Choose the type of content you want to apply this label to, select Apply label to content that contains sensitive information or Apply label to content that matches a trainable classifier. This ensures the label is assigned based on content, not manual user action.
  4. Select sensitive information types
    Click Choose sensitive info types and add the types relevant to your organization, such as U.S. Social Security Number or Credit Card Number.
  5. Set the retention label
    Under Choose a label, select the retention label that triggers cleanup after a defined period, for example Delete after 3 years.
  6. Scope the policy to OneDrive
    Under Locations, toggle OneDrive accounts to On. Select All users and groups.
  7. Finish and test
    Click Next and submit the policy. After 24 hours, upload a test file containing a credit card number to a OneDrive folder. Verify that the retention label is auto-applied by checking the file properties.

Step 3: Check DLP Alerting Throttling and Delays

  1. Open the Microsoft 365 admin center
    Go to https://admin.microsoft.com and select Health > Service health.
  2. Check OneDrive for Business
    Locate OneDrive for Business in the list. Click it to view current advisories. Look for any advisory titled DLP alerting delays or Throttling on compliance actions.
  3. Review DLP alert history
    In the Microsoft Purview compliance portal, go to Data Loss Prevention > Alerts. Filter by Date and Policy. If you see alerts for SharePoint but not OneDrive, the delay is likely the cause. Wait 48 hours and recheck.
  4. Contact Microsoft Support
    If no alerts appear after 48 hours and the policy is correctly scoped, open a support ticket. Reference the advisory ID from the Service health dashboard.

Step 4: Verify Sensitive Information Types Match the Files

  1. Open the DLP policy
    In Microsoft Purview, go to Data Loss Prevention > Policies. Click the policy you are troubleshooting.
  2. Check the sensitive info types
    Click Edit policy. Under Locations, click OneDrive accounts. Then go to Policy settings > Advanced DLP rules. Expand the rule and click Edit condition.
  3. Confirm the condition includes OneDrive content
    Ensure the condition says Content contains sensitive info type and lists the exact types present in the retained files. For example, if the files contain passport numbers, add Passport Number to the list.
  4. Test with a known file
    Upload a file with the exact sensitive type to OneDrive. Trigger the retention cleanup manually by deleting the file or using a simulated cleanup. Check if a DLP alert appears within 24 hours.

If OneDrive Still Has Issues After the Main Fix

DLP alerts appear for SharePoint but not OneDrive

This indicates the DLP policy scope is correct for SharePoint but missing for OneDrive. Revisit Step 1 and ensure the OneDrive location includes all users. If the policy uses a custom scope, verify that the OneDrive site URLs are correct. A common mistake is using the SharePoint site URL instead of the OneDrive personal site URL. OneDrive personal site URLs follow the format https://yourtenant-my.sharepoint.com/personal/user_domain_com.
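
The scope checks from Step 1 and the URL mix-up described above can be applied to policy objects in PowerShell. This is an added example, not code from the original article: it assumes the `Name`, `OneDriveLocation` and `OneDriveSharedBy` properties returned by `Get-DlpCompliancePolicy` in Security & Compliance PowerShell, and the function name, policy names, users and contoso URLs are constructed for illustration.

```powershell
# Added example, not the article's code. Property names follow the output of
# Get-DlpCompliancePolicy; the sample policies and contoso names are constructed.
$PersonalSite = '^https://[a-z0-9-]+-my\.sharepoint\.com/personal/[^/]+/?$'

function Test-OneDriveDlpScope {
    param([Parameter(Mandatory, ValueFromPipeline)] $Policy)
    process {
        # Assumption: each location entry stringifies to 'All' or a site URL.
        $locations = @($Policy.OneDriveLocation | Where-Object { $_ } | ForEach-Object { "$_" })
        $sharedBy  = @($Policy.OneDriveSharedBy | Where-Object { $_ })
        $findings  = @()
        if ($locations.Count -eq 0) {
            $findings += 'OneDrive is not selected as a location'
        } elseif ($locations -contains 'All') {
            if ($sharedBy.Count -gt 0) {
                $findings += 'Limited to chosen users; accounts not listed are not evaluated'
            }
        } else {
            $findings += 'Limited to selected sites; new or renamed sites are missed'
            foreach ($url in $locations) {
                # A SharePoint site URL in the OneDrive scope never matches a personal site.
                if ($url -notmatch $PersonalSite) {
                    $findings += "Not a OneDrive personal site URL: $url"
                }
            }
        }
        [pscustomobject]@{
            Policy    = $Policy.Name
            FullScope = ($findings.Count -eq 0)
            Findings  = $findings -join '; '
        }
    }
}

# Constructed sample policies so the check runs offline.
$samples = @(
    [pscustomobject]@{ Name = 'PCI - all accounts'; OneDriveLocation = @('All'); OneDriveSharedBy = @() }
    [pscustomobject]@{ Name = 'PCI - finance only'; OneDriveLocation = @('All'); OneDriveSharedBy = @('alice@contoso.com') }
    [pscustomobject]@{ Name = 'Passport - wrong URL'; OneDriveLocation = @('https://contoso.sharepoint.com/sites/hr'); OneDriveSharedBy = @() }
    [pscustomobject]@{ Name = 'Passport - one site'; OneDriveLocation = @('https://contoso-my.sharepoint.com/personal/bob_contoso_com'); OneDriveSharedBy = @() }
    [pscustomobject]@{ Name = 'Exchange only'; OneDriveLocation = @(); OneDriveSharedBy = @() }
)
$samples | Test-OneDriveDlpScope | Format-Table -AutoSize -Wrap
```

Against a tenant, connect with `Connect-IPPSSession` and pipe `Get-DlpCompliancePolicy` into the function in place of `$samples`.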

Retention label is applied but DLP alert still does not fire

The DLP policy may have a rule that excludes files with specific labels. In the DLP policy, check the Advanced DLP rules for an Exclude condition. If the retention label is listed as an exclusion, remove it. Also verify that the DLP rule is set to Generate alert and not just Notify user.

Retention cleanup runs but no files are evaluated

This can happen when the retention label is set to Delete without review and the DLP policy is configured for Review required. DLP evaluation occurs only when the file is still accessible. If the label deletes the file immediately, DLP cannot scan it. Change the retention label to Delete with review and set a review period of at least 7 days.

DLP Alerting vs Retention Cleanup: Key Differences

| Item | DLP Alerting | Retention Cleanup |
| --- | --- | --- |
| Purpose | Detect and alert on sensitive data | Delete or retain files based on policy |
| Trigger | Content scan, user action, policy match | Retention label expiration or manual deletion |
| Scope | Exchange, SharePoint, OneDrive, Teams, Devices | SharePoint, OneDrive, Exchange mailboxes |
| Alert generation | Real-time with possible delay up to 24 hours | No alerts by default |
| Dependency | Sensitive info types or sensitivity labels | Retention labels and auto-apply policies |

You now understand why DLP alerts can miss OneDrive files during retention cleanup. Start by verifying the DLP policy location includes all OneDrive accounts. Next, configure auto-apply retention labels to ensure all sensitive content is tagged. Always check for DLP alerting delays in the Service health dashboard. As an advanced tip, use the DLP simulation mode in Microsoft Purview to test policies on OneDrive content before enabling enforcement. This prevents missed alerts during production cleanup operations.