Data Loss Prevention (DLP) policies in Microsoft 365 detect sensitive content in OneDrive for Business files and raise an alert when a rule matches. DLP alerts and eDiscovery Content search are separate tools, but both depend on the file being stored in your tenant and indexed, and legal teams often use DLP alerts to decide which accounts and file types a collection must cover. When DLP misses files, the search scope built from those alerts is too narrow and the collection is incomplete. The gap usually comes from one of three causes: the DLP policy is scoped to a subset of OneDrive accounts, its conditions do not match the data that matters to the case, or the files were never indexed (unsupported or corrupted files). This guide explains why DLP alerts miss OneDrive files and gives the configuration steps to close the gap.
Key Takeaways: Fix DLP Alerts That Miss OneDrive Files for Legal Discovery
- Microsoft Purview compliance portal > Data loss prevention > Policies > Edit policy > Locations: make sure the OneDrive accounts location covers all users, not just a subset. (DLP policies are edited in Purview; the Defender portal only shows the resulting alerts.)
- Compliance portal > Content search > Conditions: use the same sensitive info types as the DLP rule (SensitiveType:"..." in the keyword query) and a File type condition so the search scope matches what DLP is configured to flag.
- SharePoint admin center > Settings > Sync > Block upload of specific file types: keeps blocked file types out of OneDrive via the sync client, but is not a substitute for DLP alert configuration (the former OneDrive admin center settings now live in the SharePoint admin center).
Why DLP Alerts Miss OneDrive Files in Legal Discovery
DLP policies in Microsoft 365 scan content in Exchange, SharePoint, OneDrive, and Teams. When a policy is created, the administrator selects which locations to monitor. If the OneDrive location includes only specific users or groups instead of all accounts, files in the OneDrive of any user outside that set never trigger an alert. Legal teams that use DLP alerts to identify potentially relevant files therefore build their search scope from an incomplete picture, and an eDiscovery search scoped to the alerted accounts will not return files containing personally identifiable information, financial records, or trade secrets that sit in the unmonitored accounts.
A second cause is a mismatch between the policy's conditions and the data in the case: if the rule uses a custom sensitive info type or keyword condition that does not match the file's content or metadata, the alert will not fire even though the account is in scope. A third is a misunderstanding about sharing. A file that a user shares from their OneDrive is still stored in that user's OneDrive and is scanned if the account is in scope (DLP can even target it specifically with the "shared with people outside my organization" condition). What DLP cannot do is scan content stored outside your tenant, such as another organization's OneDrive. Legal discovery teams should confirm that the policy covers all OneDrive accounts and that its conditions match the data types relevant to the case.
Steps to Configure DLP Policies for Complete OneDrive Coverage
Follow these steps to ensure DLP policies scan all OneDrive files for legal discovery.
- Open the Microsoft Purview compliance portal. Go to https://compliance.microsoft.com and sign in with an account that holds the Compliance Administrator role or is a member of the DLP Compliance Management role group.
- Navigate to DLP policies. In the left menu, select Data loss prevention, then Policies. The list of existing DLP policies appears.
- Edit the relevant DLP policy. Click the policy that should apply to legal discovery. If none exists, click Create policy and choose Custom.
- Set the locations to include all OneDrive accounts. On the Locations page, toggle OneDrive accounts to On and leave the scope at All (or click Edit and remove any included-accounts restriction). Scope the policy to specific users only when the case genuinely requires it, and record why.
- Configure the conditions for sensitive content. On the Policy settings page, click Create or customize advanced DLP rules. Add Content contains > Sensitive info types and select the types relevant to the case, such as Credit Card Number or U.S. Social Security Number (SSN). If your organization labels confidential or case-relevant documents, also add Content contains > Sensitivity labels and choose those labels. (Legal hold is a retention control, not a sensitivity label.)
- Set the action for DLP alerts. Under Incident reports, enable Send an alert to admins when a rule match occurs and choose the severity. Under User notifications, enable policy tips if you want user notification recorded as part of the discovery trail.
- Test the policy. Upload a test file containing the chosen sensitive info type to an in-scope OneDrive account. Confirm the alert appears in the Purview DLP alerts dashboard and in the Microsoft 365 Defender portal under Incidents & alerts > Alerts.
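The same coverage check and policy build, scripted in Security & Compliance PowerShell. This is an added example and not part of the original article or a Microsoft sample: it first audits existing policies for OneDrive scoping, then creates a tenant-wide OneDrive policy with an alerting rule, plus a second rule that targets externally shared content. The policy name, rule names and the sign-in UPN are placeholders; the sensitive info type names are Microsoft's built-in ones.

```powershell
# Added example (not from the original article). Requires the ExchangeOnlineManagement
# module and an account in the Compliance Administrator or DLP Compliance Management
# role group. The UPN, policy and rule names below are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com   # placeholder UPN

# 1. Audit: which policies monitor OneDrive, and are any scoped to a subset?
#    OneDriveLocation contains "All" when every account is in scope; otherwise it
#    lists the included accounts or groups. Exceptions also narrow coverage.
Get-DlpCompliancePolicy | ForEach-Object {
    [pscustomobject]@{
        Policy         = $_.Name
        Mode           = $_.Mode
        OneDrive       = ($_.OneDriveLocation -join ';')
        OneDriveExcl   = ($_.OneDriveLocationException -join ';')
        ScopedToSubset = [bool]($_.OneDriveLocation) -and ($_.OneDriveLocation -notcontains 'All')
    }
} | Format-Table -AutoSize

# 2. Create a tenant-wide OneDrive policy. Start in test mode; switch to
#    -Mode Enable with Set-DlpCompliancePolicy once the test upload alerts.
$policyName = 'Legal Discovery - OneDrive Coverage'   # placeholder name
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'All OneDrive accounts in scope so legal discovery is not narrowed by a subset' `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# 3. Rule: alert admins (High) on credit card or US SSN content anywhere in scope,
#    and show the file owner and last modifier a policy tip.
New-DlpComplianceRule -Name "$policyName - Sensitive info" -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'Credit Card Number';                minCount = '1' },
        @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' }
    ) `
    -GenerateAlert 'SiteAdmin' `
    -ReportSeverityLevel High `
    -NotifyUser 'Owner','LastModifier'

# 4. Rule: same content, but only when the file is shared with people outside the
#    organization. This is how DLP covers "externally shared" OneDrive files; DLP
#    never scans storage that lives in another tenant.
New-DlpComplianceRule -Name "$policyName - External sharing" -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -AccessScope NotInOrganization `
    -GenerateAlert 'SiteAdmin' `
    -ReportSeverityLevel High

# 5. Confirm the rules and their severity / sharing scope.
Get-DlpComplianceRule -Policy $policyName |
    Select-Object Name, ReportSeverityLevel, AccessScope, Mode | Format-Table -AutoSize
```

Run the audit block alone first; any row with ScopedToSubset set to True (or a non-empty OneDriveExcl) is a policy whose alerts cannot be treated as tenant-wide evidence. Keep the new policy in test mode until the test upload from the previous step produces an alert, then enable it.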
Steps to Run an eDiscovery Content Search for OneDrive Files
Even with DLP alerts configured, legal discovery may require a direct content search. Use these steps to ensure the search covers all OneDrive locations.
- Open the Microsoft Purview compliance portal. Go to https://compliance.microsoft.com and sign in with an account in the eDiscovery Manager role group.
- Create a new content search. In the left menu, select Content search (listed with eDiscovery under Solutions) and click New search.
- Name the search. Enter a descriptive name such as Legal Discovery – OneDrive – Q1 2025.
- Add the location. On the Locations page, toggle SharePoint sites to On and choose All. Every OneDrive account is a personal SharePoint site, so All covers OneDrive as well as team sites; to restrict the search to OneDrive only, add the individual OneDrive URLs (https://<tenant>-my.sharepoint.com/personal/...) instead.
- Add search conditions. In the keyword box, query the same sensitive info types the DLP rule uses, for example SensitiveType:"Credit Card Number" OR SensitiveType:"U.S. Social Security Number (SSN)". Add the File type condition with docx, xlsx, pptx and pdf to capture most documents. If the case relies on sensitivity labels, add InformationProtectionLabelId:<label GUID> for each label.
- Run the search. Click Submit. When the status shows Completed, open the search, review the statistics (including the count of unindexed items) and use Export to collect the results.
If DLP Alerts Still Miss Files After Configuration
DLP alerts do not appear for files shared with external users
DLP scans only content stored in your tenant. A file that one of your users shared with an external party is still in that user's OneDrive and is scanned if the account is in scope; to alert specifically on such files, add the condition Content is shared from Microsoft 365 > with people outside my organization to the rule. A file that lives in an external organization's OneDrive is not in your tenant and cannot be scanned or collected by your DLP or Content search; it has to be requested from that organization. If the file was shared into Teams or a SharePoint site rather than from OneDrive, make sure the policy also covers Teams chat and channel messages and the relevant SharePoint sites, and include those sites in the case's content search.
DLP alerts fire but eDiscovery search does not return the same files
This mismatch occurs when the DLP rule and the search use different conditions. A DLP rule may match a custom sensitive info type, a minimum instance count, or a sharing condition that the search query does not replicate, so the two tools evaluate different things. The portal does not export rule definitions; read them with Security & Compliance PowerShell (Get-DlpComplianceRule -Policy "<policy name>" and inspect ContentContainsSensitiveInformation) and mirror each sensitive info type in the search as SensitiveType:"<type name>". Keep the two in sync whenever the DLP rule changes.
OneDrive files are not indexed for search
Files with unsupported formats, password protection, or corruption are not indexed by Microsoft 365 search, and DLP for SharePoint and OneDrive evaluates content through the same crawl, so such files produce neither alerts nor search hits. To find them, open the completed search in the Compliance portal and check the Unindexed items (partially indexed) count in the search statistics; exports can include these items so they are not silently dropped. For items that matter to the case, re-upload a clean copy or convert the file to a supported format such as .docx or .pdf and re-run the search.
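The content search procedure above and the "DLP fires but the search does not match" fix, scripted so the two stay aligned. This is an added example and not part of the original article or a Microsoft sample: it reads the sensitive info types from a DLP rule, builds a KQL query from them, enumerates every OneDrive URL in the tenant, and runs a Content search over those locations. The tenant name, UPN, rule name and search name are placeholders; SensitiveType and filetype are the documented search properties.

```powershell
# Added example (not from the original article). Requires the ExchangeOnlineManagement
# and Microsoft.Online.SharePoint.PowerShell modules, an eDiscovery Manager account for
# the search and SharePoint admin rights to enumerate OneDrive sites. Tenant, UPN, rule
# and search names are placeholders.
Import-Module ExchangeOnlineManagement
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-IPPSSession -UserPrincipalName ediscovery.mgr@contoso.onmicrosoft.com   # placeholder
Connect-SPOService -Url https://contoso-admin.sharepoint.com                       # placeholder

# 1. Read the DLP rule's sensitive info type conditions so the search does not
#    silently diverge from the alerts. Rules built in the portal may nest the types
#    under groups, so inspect the output and copy the type names into $sitNames.
$rule = Get-DlpComplianceRule -Identity 'Legal Discovery - OneDrive Coverage - Sensitive info'
$rule.ContentContainsSensitiveInformation | Format-List

$sitNames  = @('Credit Card Number', 'U.S. Social Security Number (SSN)')  # copied from the rule
$fileTypes = @('docx', 'xlsx', 'pptx', 'pdf')

# 2. Build the KQL. SensitiveType matches indexed sensitive info types; filetype
#    matches the file extension. Quote names that contain spaces or parentheses.
$sitClause  = ($sitNames  | ForEach-Object { 'SensitiveType:"{0}"' -f $_ }) -join ' OR '
$typeClause = ($fileTypes | ForEach-Object { "filetype:$_" })             -join ' OR '
$kql = "($sitClause) AND ($typeClause)"

# 3. Every OneDrive account is a personal site on the -my.sharepoint.com host.
#    For very large tenants, use -SharePointLocation All instead (covers OneDrive
#    and team sites together) and filter by path in the query.
$oneDriveUrls = Get-SPOSite -IncludePersonalSite $true -Limit All `
    -Filter "Url -like '-my.sharepoint.com/personal/'" |
    Select-Object -ExpandProperty Url

# 4. Create and start the search, then wait for it to finish.
$searchName = 'Legal Discovery - OneDrive - Q1 2025'   # placeholder
New-ComplianceSearch -Name $searchName -SharePointLocation $oneDriveUrls -ContentMatchQuery $kql | Out-Null
Start-ComplianceSearch -Identity $searchName

do {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -notin 'Completed', 'Failed')

# 5. Items and Size show whether anything matched; SuccessResults gives per-location
#    counts and Errors lists locations the search could not evaluate. Compare Items
#    against the DLP alert count for the same period before exporting.
$search | Select-Object Name, Status, Items, Size, SuccessResults, Errors | Format-List
```

If Items is zero while DLP alerts exist for the same accounts, the usual causes are a SensitiveType name that differs from the rule (copy it exactly, including the "(SSN)" suffix), a minCount in the rule that the query does not replicate, or files the crawler has not yet indexed; re-check the unindexed item count in the portal before concluding the data is absent.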
DLP Policies vs eDiscovery Content Search: Key Differences for Legal Discovery
| Item | DLP Policies | eDiscovery Content Search |
|---|---|---|
| Purpose | Detect and prevent data loss as content is created, changed, or shared | Search and export content for legal or compliance cases |
| Scope | OneDrive, SharePoint, Exchange, Teams (and endpoints, if configured) | OneDrive, SharePoint, Exchange, Teams, and other locations |
| Alert generation | Raises alerts in the Purview DLP alerts dashboard and in Microsoft 365 Defender Incidents & alerts | No alerts; returns search results only |
| User notification | Can notify users with policy tips and email when a rule matches | No user notification |
| Export capability | Cannot export files | Exports native files with a results .csv report; Exchange content as PST |
| Retention | Alerts retained for 30 days | Search results retained until the search is deleted |
DLP policies and eDiscovery Content search serve different functions. DLP is proactive: it detects sensitive content as it appears and can block or warn. Content search is reactive: it collects evidence from what is stored and indexed. For legal discovery, use both. Configure DLP so every OneDrive account is covered and alerts identify the accounts and data types in play, then run a Content search whose conditions mirror the DLP rule to collect and export the files.
To verify the configuration end to end, upload a document containing a test credit card number to an in-scope OneDrive account. Check Incidents & alerts in the Microsoft 365 Defender portal (or the Purview DLP alerts dashboard) for the alert. If it appears, run a Content search with SensitiveType:"Credit Card Number" against that account. If both return the file, the configuration is correct; if only one does, compare the DLP policy's locations and conditions with the search's locations and query. Where content must be preserved for the case, note that retention labels from Microsoft Purview Data Lifecycle Management keep files for their retention period but do not create an eDiscovery hold; place a hold in the eDiscovery case itself so the OneDrive content cannot be deleted while the matter is open.