You have set up Data Loss Prevention policies in Microsoft 365 to audit external sharing of OneDrive files. But DLP alerts for external sharing audits are missing files that you know were shared. This happens because DLP policies for OneDrive rely on specific audit log events and policy scope settings that are easy to misconfigure. This article explains why alerts miss files and provides step-by-step troubleshooting to fix the issue.
Key Takeaways: Fix DLP Alerts Missing OneDrive External Shares
- Microsoft 365 Defender > DLP > Policies > Policy settings > Locations > OneDrive accounts: Ensure OneDrive is included in the policy scope and that “All users” or the correct user group is selected.
- Microsoft 365 Defender > DLP > Policies > Policy settings > Advanced DLP rules > Conditions > Content is shared with: Verify the rule condition is set to “People outside my organization” for external sharing audits.
- Microsoft 365 compliance portal > Audit > Audit log search: Check that “FileSharedExternal” and “SharingInvitationCreated” events appear for the missing files; DLP alerts depend on these audit events.
Why DLP Alerts Miss OneDrive Files in External Sharing Audits
DLP policies in Microsoft 365 scan OneDrive files when they are shared externally. The policy checks the file content against sensitive information types, such as credit card numbers or passport IDs. If the policy detects a match, it generates an alert. However, DLP alerts can miss files for three main reasons:
Policy scope does not cover the OneDrive account. DLP policies must be explicitly applied to OneDrive locations. If the policy only covers SharePoint or Exchange, OneDrive files are not scanned. Even if you select “All users” in the policy, you must also select “OneDrive accounts” as a location.
Rule conditions do not match external sharing events. DLP rules have conditions for how content is shared. For external sharing audits, the condition must be set to “with people outside my organization.” If the condition is set to “only with people inside my organization” or is missing, the rule will not trigger for external shares.
Required audit events are not generated or are delayed. DLP relies on audit log events such as “FileSharedExternal” and “SharingInvitationCreated.” If audit logging is disabled or the events are not yet processed, DLP will not see the sharing activity. Audit events can take up to 24 hours to appear in some cases.
Steps to Troubleshoot Missing DLP Alerts for OneDrive External Sharing
- Verify DLP policy scope includes OneDrive accounts
Sign in to Microsoft 365 Defender at security.microsoft.com. Go to Data Loss Prevention > Policies. Select the DLP policy that should audit external sharing. Under “Locations to apply the policy,” ensure “OneDrive accounts” is toggled on. If it is off, turn it on and select “Choose distribution groups” or “All users” as needed. Save the policy. Wait 15 minutes for the change to apply.
- Check DLP rule conditions for external sharing
In the same policy, click “Edit policy” or “Edit rules.” Select the rule that should trigger on external shares. Under “Conditions,” look for “Content is shared from Microsoft 365.” Click that condition. Set the dropdown to “with people outside my organization.” If the condition is missing, add it by clicking “Add condition” and selecting “Content is shared from Microsoft 365.” Save the rule.
- Review audit log for the missing file events
Go to Microsoft 365 compliance portal at compliance.microsoft.com. Select Audit > Audit log search. Set the date range to include the time when the file was shared. Search for “FileSharedExternal” and “SharingInvitationCreated.” If these events do not appear for the missing file, DLP cannot detect the share. Check that audit logging is enabled in the compliance portal under Audit > Enable auditing. If audit is enabled but events are missing, wait up to 24 hours and search again.
- Confirm sensitive information types are correctly defined
In the DLP rule, review the sensitive info types listed under “Content contains.” For example, if you expect alerts for credit card numbers, ensure “Credit Card Number” is selected. Open the sensitive info type to verify the confidence level and minimum count. If the file contains a credit card number but the count is below the minimum, DLP will not trigger. Lower the minimum count if needed.
- Test with a known sensitive file
Create a file in OneDrive that contains a test sensitive data pattern, such as a fake credit card number 4111 1111 1111 1111. Share the file with an external user using the “Share” button and entering an external email address. Wait 30 minutes. Check Microsoft 365 Defender for an alert under Incidents or Alerts. If no alert appears, repeat steps 1 through 4 with this specific file to isolate the issue.
- Verify user license and permissions
DLP alerts require the user who shared the file to have an appropriate Microsoft 365 license, such as Microsoft 365 E5 or Microsoft 365 E5 Compliance. Go to Microsoft 365 admin center > Users > Active users. Select the user who shared the file. Under Licenses and apps, confirm they have a license that includes DLP. Also ensure the user has permissions to share files externally; this is controlled in SharePoint admin center > Policies > Sharing.
If DLP Alerts Still Miss OneDrive Files After Troubleshooting
DLP policy is in test mode and not generating alerts
Check the policy mode in Microsoft 365 Defender. Go to Data Loss Prevention > Policies. Select the policy and look at “Policy mode.” If it is set to “Test without policy tips,” alerts are generated but no user notifications appear. If it is set to “Test with policy tips,” users see notifications and alerts are generated. If it is set to “Turn off policy,” no scanning occurs. Change the mode to “Test with policy tips” or “Turn on policy immediately” if needed.
File was shared via anonymous link instead of direct external share
DLP policies for external sharing only trigger when a file is shared with a specific external user by email invitation. If the file was shared using an “Anyone” link or an anonymous guest link, DLP may not detect it as an external share. Check the sharing method in OneDrive. Go to the file, select Share, and look at the link type. If it says “Anyone with the link,” the DLP rule condition for “with people outside my organization” may not apply. To audit anonymous links, use SharePoint sharing policies and Azure AD Conditional Access instead.
DLP alert threshold is set too high
DLP rules have an alert threshold that limits how many alerts are generated in a time window. In Microsoft 365 Defender, go to Data Loss Prevention > Policies > Edit policy > Rules > Edit rule > Alert settings. The default threshold is 10 alerts per 24 hours. If the threshold is reached, no further alerts are created until the window resets. Increase the threshold or disable it for testing.
DLP Policy Scope vs Audit Log Events: Key Differences
| Item | DLP Policy Scope | Audit Log Events |
|---|---|---|
| Purpose | Defines which locations and users are scanned for sensitive content | Records all sharing and access activities for compliance review |
| Configuration location | Microsoft 365 Defender > DLP > Policies > Locations | Microsoft 365 compliance portal > Audit > Audit log search |
| Effect on alerts | If OneDrive is not selected, no DLP alerts for that location | If audit events are missing, DLP cannot detect the share |
| Common misconfiguration | Selecting only SharePoint and forgetting OneDrive accounts | Audit logging disabled or filtered by date range |
You can now check DLP policy scope, rule conditions, and audit logs to find why OneDrive files are missing from external sharing alerts. Start by verifying the policy includes OneDrive accounts and that the rule condition is set to “with people outside my organization.” As an advanced tip, use the PowerShell cmdlets Get-DlpCompliancePolicy and Get-DlpComplianceRule to export all policy settings and compare them against audit events in bulk.
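
The bulk comparison suggested above, as an added PowerShell example that is not part of the original article: it lists every DLP rule with the scope, mode and sharing-condition settings the troubleshooting steps check, then searches the audit log for one file. The file URL, the 7-day window and the CSV file name are placeholders, and the operation names are the ones this article gives.

```powershell
# Added example (not from the original article). Requires the ExchangeOnlineManagement module.
Connect-IPPSSession       # Security & Compliance PowerShell: Get-DlpCompliance* cmdlets
Connect-ExchangeOnline    # Exchange Online PowerShell: Search-UnifiedAuditLog

# 1. One row per DLP rule, flagging the misconfigurations described in this article.
$report = foreach ($policy in Get-DlpCompliancePolicy) {
    # Empty when OneDrive accounts are not a location for this policy.
    $oneDrive = @($policy.OneDriveLocation | Where-Object { $_ })
    foreach ($rule in Get-DlpComplianceRule -Policy $policy.Name) {
        $findings = @()
        if ($oneDrive.Count -eq 0) { $findings += 'OneDrive not in policy locations' }
        if ("$($policy.Mode)" -eq 'Disable') { $findings += 'policy is turned off' }
        if ($rule.Disabled) { $findings += 'rule is disabled' }
        if ("$($rule.AccessScope)" -ne 'NotInOrganization') {
            $findings += 'rule condition is not "outside my organization"'
        }
        [pscustomobject]@{
            Policy      = $policy.Name
            Mode        = $policy.Mode
            OneDrive    = $oneDrive -join ';'
            Rule        = $rule.Name
            AccessScope = $rule.AccessScope
            Findings    = $findings -join '; '
        }
    }
}
$report | Format-Table -AutoSize
$report | Export-Csv -Path .\dlp-rule-settings.csv -NoTypeInformation   # placeholder file name

# 2. Sharing events for one file that produced no alert (placeholder URL).
$file = 'https://contoso-my.sharepoint.com/personal/user_contoso_com/Documents/dlp-test.docx'
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations 'FileSharedExternal', 'SharingInvitationCreated' `
    -ObjectIds $file -ResultSize 1000
if ($events) {
    # AuditData is a JSON string; expand it to see who shared what, and when.
    $events | ForEach-Object { $_.AuditData | ConvertFrom-Json } |
        Select-Object CreationTime, UserId, Operation, ObjectId
} else {
    'No sharing events found for this file; audit data can take up to 24 hours to appear.'
}
```

Rules that are intentionally scoped to internal sharing will also show the access-scope finding, so read that column only for the rules meant to audit external shares.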