When Data Loss Prevention alerts in Microsoft Purview fail to flag sensitive files stored in OneDrive, finance review workflows can break. The most common root cause is a mismatch between the DLP policy scope and the actual location of the files, often combined with incorrect licensing or policy configuration. This article explains why DLP alerts miss OneDrive files, how to verify your policy setup, and the exact steps to ensure alerts fire correctly for finance review documents.
Key Takeaways: Fixing DLP Alerts for OneDrive Finance Files
- Microsoft Purview compliance portal > Data Loss Prevention > Policies: Verify the policy scope explicitly includes OneDrive accounts for all finance team members.
- Policy location tab > Choose locations > OneDrive accounts: Ensure the policy applies to the correct user group or site, not just Exchange or SharePoint.
- Policy rule conditions > Content contains sensitive info type: Confirm the rule uses the exact sensitive info type for financial data, such as Credit Card Number or U.S. Bank Account Number.
Why DLP Alerts Miss OneDrive Files in Finance Reviews
Microsoft Purview DLP policies can be scoped to Exchange, SharePoint, OneDrive, Teams, and Devices. A common misconfiguration is creating a policy that targets Exchange and SharePoint only, leaving OneDrive out of scope. Even when OneDrive is selected, the policy may apply to specific user groups, and if the finance reviewers are not in those groups, their files are not scanned.
Another frequent cause is the absence of the correct sensitive information type in the policy rule. Finance review files often contain credit card numbers, bank account details, or tax identification numbers. If the DLP rule is looking for a different data type, it will not trigger alerts on those files.
Additionally, DLP policies take up to 24 hours to fully apply to new or modified files in OneDrive. If the policy was recently created or updated, alerts may not appear immediately. Finally, the user must be licensed with Microsoft 365 E5, Microsoft 365 E5 Compliance, or a standalone DLP license. Without the correct license, the policy does not evaluate the user’s OneDrive files.
Steps to Fix DLP Alerts Missing OneDrive Files for Finance Reviews
- Open the Microsoft Purview compliance portal
Go to https://compliance.microsoft.com and sign in with an account that has Compliance Administrator or DLP Administrator role. - Locate the DLP policy for finance reviews
Navigate to Data Loss Prevention > Policies. Find the policy that is supposed to alert on finance files. If no policy exists for finance reviews, create a new one. - Edit the policy and check the locations
Click the policy name, then select Edit policy. Under Locations, ensure OneDrive accounts is checked. If it is not, select it. Then click Choose locations to specify which OneDrive accounts: choose All users and groups or select the specific finance team group. - Verify the policy rule conditions
Under Policy rules, click Edit rule. Ensure the condition Content contains sensitive info type includes the correct financial data types. For finance reviews, common types include U.S. Bank Account Number, Credit Card Number, and U.S. Individual Taxpayer Identification Number (ITIN). Add any missing types. - Set the action to generate an alert
Under Actions, confirm that Send alert to admin is enabled. Specify the alert threshold and recipients. For finance reviews, set the threshold to 1 to ensure no file is missed. - Save and wait for policy propagation
Click Save, then confirm the policy update. DLP changes can take up to 24 hours to apply to existing files. For new files, the policy applies within a few minutes. - Test the policy with a sample file
Create a test file in OneDrive containing simulated sensitive data, such as an example credit card number. After 15 minutes, check the DLP alerts in the Alerts page under Data Loss Prevention. If the alert appears, the fix is complete.
If Alerts Still Do Not Appear
If alerts remain missing after following the steps above, check the user license. Open Microsoft 365 admin center > Users > Active users, select the affected user, and go to the Licenses and apps tab. Ensure the user has Microsoft 365 E5 or Microsoft 365 E5 Compliance license assigned. Without this license, DLP policies do not evaluate OneDrive files for that user.
Common DLP Alert Issues and How to Resolve Them
DLP Alerts Appear for Exchange but Not OneDrive
This happens when the DLP policy is scoped to Exchange only. Edit the policy and add OneDrive accounts as described in the steps above. Also verify that the OneDrive site URLs are not excluded under Advanced DLP rules.
Finance Team Members Are Not in the Policy Scope
If the policy targets specific groups, ensure all finance reviewers are members of that group. Go to Microsoft 365 admin center > Groups > Active groups, select the group, and add missing users. Then wait for group membership to sync, which typically takes 30 minutes.
Sensitive Info Type Is Not Matching the File Content
Some finance files use custom or non-standard formats. For example, a bank account number stored without spaces might not match the default sensitive info type. Create a custom sensitive info type in Microsoft Purview that matches the exact pattern used by your finance team. Then add that custom type to the DLP rule.
DLP Policy Is in Test Mode Without Alerts
Check the policy mode. If the policy is set to Test without notifications, alerts are not generated. Change the mode to Test with notifications or Turn it on immediately to receive alerts.
DLP Policy Locations for Finance Files: Comparison
| Item | Exchange | OneDrive |
|---|---|---|
| Description | Scans emails and attachments for sensitive data | Scans files stored in user OneDrive accounts |
| Common use for finance | Detect credit card numbers in outgoing email | Detect bank account numbers in stored review files |
| Alert generation | Real-time for email | Near real-time for new files; up to 24 hours for existing files |
| Licensing requirement | E3 with add-on or E5 | E5 or E5 Compliance |
Both locations can be included in the same DLP policy. For finance reviews, always include OneDrive to cover stored files and Exchange for email sharing.
By checking the policy scope, sensitive info types, and user licenses, you can restore DLP alerts for OneDrive finance files. Next, review your other DLP policies to ensure they cover all locations where finance data resides. As an advanced tip, use the Microsoft Purview Audit log to filter for DLP rule matches and confirm which files triggered alerts in the past 30 days.