Data loss prevention (DLP) alerts in Microsoft Purview are not triggering for OneDrive files in departments that handle regulated data such as finance, legal, or healthcare. This occurs when the OneDrive site is not scoped in the DLP policy or when the policy uses a location filter that excludes the specific department site collections. This article explains why DLP policies miss files in regulated departments and provides the exact steps to fix the issue.
Key Takeaways: Fix DLP Alerts Not Triggering on OneDrive Files for Regulated Departments
- Microsoft Purview compliance portal > Data loss prevention > Policies: Verify that OneDrive locations are included and that the policy scope covers all site collections for regulated departments
- DLP policy > Locations > OneDrive accounts: Use “Choose distribution groups” or “Choose specific sites” to target only the department site collections instead of all users
- DLP policy > Policy settings > Advanced DLP rules: Add a condition for “Site collection URL” or “Department” property to ensure alerts fire only for regulated departments
Why DLP Alerts Miss OneDrive Files in Regulated Departments
Microsoft Purview Data Loss Prevention policies scan content across Exchange, SharePoint, OneDrive, and Teams. When a DLP policy is configured to apply to “All users” or “All sites,” it may still miss files in OneDrive if the policy location filter excludes certain site collections. By default, OneDrive for Business creates a separate site collection for each user. DLP policies use the OneDrive accounts location to scan these site collections. If the policy scope is set to “All users” but the department’s users belong to a distribution group that is excluded, or if the policy uses a custom scope that does not include the department’s site URLs, alerts will not trigger.
Another common cause is that the DLP policy rule itself contains conditions that do not match the files in the regulated department. For example, a policy may look for credit card numbers but exclude files labeled “Internal” or stored in a specific folder. If the department’s files are stored in a OneDrive folder that is excluded by the policy condition, alerts will be missed.
Finally, the DLP policy may be in test mode or have alert thresholds set too high. Test mode logs events but does not send alerts, and high thresholds suppress notifications for small numbers of matches. These settings are often overlooked when deploying DLP for regulated departments.
Steps to Fix DLP Alerts Not Triggering for OneDrive Files in Regulated Departments
- Open the DLP policy in Microsoft Purview
Sign in to the Microsoft Purview compliance portal at https://compliance.microsoft.com. Go to Data loss prevention > Policies. Find the DLP policy that is missing alerts and click the policy name to open its details.
- Verify OneDrive locations are included
In the policy editor, click “Locations.” Confirm that “OneDrive accounts” is toggled to On. If it is Off, turn it On. If it is On but still missing alerts, click “Choose distribution groups” or “Choose specific sites” to verify that the regulated department’s users or site collections are selected. Add any missing distribution groups or site URLs.
- Check the policy scope
Click “Policy settings” and then “Edit scope.” Ensure the scope is set to “All users” or to the specific distribution group that contains the regulated department users. If the scope excludes the department, change it to include them. Click “Save.”
- Review advanced DLP rules for site-level conditions
Click “Policy settings” and then “Edit rules.” For each rule, click “Conditions” and check if any condition uses “Site collection URL” or “Department.” If a condition restricts the rule to certain sites, ensure the regulated department’s OneDrive site URL is included. To find the site URL, go to the SharePoint admin center, open the user’s OneDrive site, and copy the URL from the address bar. Add it as a value in the condition.
- Adjust alert thresholds and test mode
In the rule editor, click “Actions” and then “Generate an alert.” Set the alert threshold to a low value such as 1 match to ensure every violation triggers an alert. If the policy is in test mode, change it to “Turn on the policy” or keep test mode but enable “Send alerts” in the test settings. Click “Save” and then “Save” on the policy.
- Test the policy with a sample file
Create a file on the regulated department user’s OneDrive that contains a sensitive information type defined in the policy, such as a fake credit card number 4111 1111 1111 1111. Save the file. Wait up to 15 minutes for the policy to evaluate. Check the Activity explorer in Purview under Data loss prevention > Activity explorer. If the file appears as a match, the policy is detecting it. If not, repeat steps 2 through 5.
If DLP Alerts Still Miss Files After the Main Fix
DLP policy shows matches in Activity explorer but no alerts are sent
This means the policy is detecting violations but the alert action is not configured correctly. Go back to the rule editor and verify that “Generate an alert” is enabled. Also check the alert email settings: under “Actions,” confirm that “Send an email notification to the user” and “Notify the compliance admin” are configured with the correct recipients. If the alert threshold is set to a high number, reduce it to 1.
OneDrive files are not scanned at all
If the OneDrive location shows as “Off” in the DLP policy, the policy cannot scan those files. Turn On the OneDrive accounts location. If the location is On but scanning still fails, verify that the users have OneDrive licenses assigned in the Microsoft 365 admin center. Users without a OneDrive license are not scanned even if the location is On. Also confirm that the users are not excluded by an inclusion or exclusion list in the policy.
DLP alerts trigger for one department but not another regulated department
This usually means the policy scope or conditions are not uniform across departments. Open the policy and check the “Locations” settings again. If you used “Choose specific sites,” ensure the missing department’s OneDrive site URLs are added. If you used distribution groups, verify that the department’s users are members of the selected group. In the Microsoft 365 admin center, check group membership for each regulated department.
DLP Policy Location Options for OneDrive: Scope vs Specific Sites
| Item | All Users Scope | Choose Specific Sites |
|---|---|---|
| Description | Scans OneDrive for all licensed users in the tenant | Scans only OneDrive sites that you explicitly add by URL |
| Best for | Tenant-wide policies that apply to every department | Regulated departments that need targeted scanning without affecting other users |
| Alert reliability | High if no exclusion lists are used | High if all department site URLs are added correctly |
| Maintenance effort | Low – no manual URL updates needed | Medium – must add new user sites when employees join the department |
| Risk of missing files | Low unless a condition excludes the file | High if a new user’s site URL is not added |
Use the “All Users” scope for broad compliance policies such as HIPAA or PCI DSS. Use “Choose Specific Sites” when you need to limit scanning to a specific regulated department and avoid false positives in other parts of the organization. If you choose specific sites, create a process to add new user OneDrive URLs whenever a new employee joins the regulated department.
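The location, rule-condition and alert checks from the fix steps, together with the new-joiner gap noted in the table, can be run as one coverage audit over a department roster. The sketch below is an added example, not Microsoft tooling: the policy dictionary layout, its field names, and the contoso URLs are hypothetical and constructed for illustration, not a Purview export format.

```python
from urllib.parse import urlsplit

def norm(url):
    """Normalise a site URL so case or a trailing slash cannot hide a match."""
    p = urlsplit(url.strip())
    return f"{p.scheme}://{p.netloc}{p.path.rstrip('/')}".lower()

def audit(policy, dept_sites):
    """Map each department OneDrive site to the reasons it would produce no alert."""
    included = {norm(u) for u in policy["specific_sites"]}
    excluded = {norm(u) for u in policy["excluded_sites"]}
    findings = {}
    for site in map(norm, dept_sites):
        reasons = []
        if not policy["onedrive_on"]:
            reasons.append("OneDrive accounts location is Off")
        elif site in excluded:
            reasons.append("site is on an exclusion list")
        elif policy["scope"] == "specific" and site not in included:
            reasons.append("site URL missing from Choose specific sites")
        if policy["mode"] == "test" and not policy["test_sends_alerts"]:
            reasons.append("test mode without Send alerts")
        for rule in policy["rules"]:
            urls = {norm(u) for u in rule["site_collection_urls"]}
            if urls and site not in urls:
                reasons.append(f"{rule['name']}: Site collection URL condition omits site")
            if not rule["generate_alert"]:
                reasons.append(f"{rule['name']}: Generate an alert is disabled")
            elif rule["alert_threshold"] > 1:
                reasons.append(f"{rule['name']}: alert threshold {rule['alert_threshold']} > 1")
        if reasons:
            findings[site] = reasons
    return findings

# Constructed sample data (hypothetical layout, not a Purview export format).
BASE = "https://contoso-my.sharepoint.com/personal/"
POLICY = {
    "onedrive_on": True, "scope": "specific", "mode": "enforce", "test_sends_alerts": False,
    "specific_sites": [BASE + "alice_contoso_com/", BASE + "bob_contoso_com"],
    "excluded_sites": [],
    "rules": [{"name": "PCI", "generate_alert": True, "alert_threshold": 1,
               "site_collection_urls": [BASE + "Alice_contoso_com"]}],
}
FINANCE = [BASE + "alice_contoso_com", BASE + "bob_contoso_com", BASE + "carol_contoso_com"]

if __name__ == "__main__":
    for site, reasons in audit(POLICY, FINANCE).items():
        print(site, "->", "; ".join(reasons))
```

In the sample, the second user is in scope at the location level but is still silently dropped by the rule's site condition, and the third (a new joiner) is missed at both levels.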
You can now verify that DLP alerts trigger correctly for OneDrive files in regulated departments by following the location and condition checks described above. Next, review the Activity explorer weekly to confirm that all regulated department users appear in the event logs. As an advanced tip, use the “Site collection URL” condition in your DLP rule combined with a dynamic membership group in Azure AD so that new department users are automatically included without manual URL updates.