You see a DLP policy tip in OneDrive warning that a file contains sensitive information, yet the upload finishes without being blocked. This behavior is confusing because most users expect a DLP tip to prevent the upload entirely. The cause is that DLP policy tips in OneDrive are advisory by default — they inform but do not enforce a block unless the policy is configured with a restrict action. This article explains why the tip appears, how DLP enforcement works in OneDrive, and what settings control whether the upload is allowed or blocked.
Key Takeaways: DLP Tips in OneDrive — Advisory vs Blocking
- DLP policy tip settings in Microsoft Purview compliance portal: A tip alone does not block uploads; the policy must include a restrict action to prevent the file from being saved or shared.
- OneDrive sync app behavior vs web upload: DLP tips appear only on the OneDrive web interface, not in the sync app, so files synced via the desktop client bypass inline blocking.
- Audit log and alert configuration: To detect uploads that trigger tips, enable DLP alerts and review audit logs in the Microsoft 365 Defender portal.
Why a DLP Tip Appears Without Blocking the Upload
Data Loss Prevention policies in Microsoft 365 use three possible actions: notify the user, restrict access, or block the action. A policy tip is a notification action — it shows a yellow or red banner on the OneDrive web page that warns about sensitive content. By itself, this action does not stop the file from being uploaded. The upload completes because the policy lacks a restrict action, such as “Block users from sharing and restrict access to content” or “Block users from receiving email.”
Another reason is that DLP enforcement in OneDrive applies only to specific scenarios. For example, when a file is uploaded to OneDrive via the web browser, the DLP engine scans the content. If the policy has only a notify action, the user sees the tip and can continue. When the file is uploaded through the OneDrive sync app or mobile app, no inline tip appears at all — the sync app does not display DLP tips. The file is scanned after upload, and any violation is logged but not blocked retroactively. This gap often surprises administrators who expect consistent enforcement across all upload methods.
Steps to Configure DLP to Block Uploads After a Tip
To make a DLP tip actually prevent the upload, you must edit the policy in the Microsoft Purview compliance portal and add a restrict action. Follow these steps for OneDrive-specific policies.
- Open the Microsoft Purview compliance portal
Sign in to compliance.microsoft.com with an account that has the Data Loss Prevention or Compliance Administrator role. - Locate the DLP policy for OneDrive
Go to Data Loss Prevention > Policies. Find the policy that applies to OneDrive locations. If you have not created a policy yet, click Create policy and select OneDrive as the location. - Edit the policy rules
Click the policy name, then select Edit next to the rule that triggers the tip. Scroll to the Actions section. - Add a restrict action for content
Under Protect sensitive content, check the box Block users from sharing and restrict access to content. This action prevents the file from being saved or shared. Optionally, enable Block users from receiving email for email scenarios. - Configure the tip message
In the same rule, expand User notifications. Ensure Notify users in Office 365 service is selected. Customize the tip text to inform the user that the upload is blocked, not just warned. - Save and test the policy
Click Save and then Turn on if the policy was in test mode. Upload a file containing sensitive data, such as a credit card number, to OneDrive via the web browser. You should now see a red tip that says the file cannot be uploaded.
If OneDrive Still Allows Uploads After Adding a Restrict Action
DLP policy is in test mode with policy tips only
When you create a new DLP policy, the default setting is test mode with policy tips shown but no action taken. Even if you add a restrict action, the policy will not enforce it until you change the mode. Go to Data Loss Prevention > Policies, select your policy, click Edit next to Policy settings, and set the mode to Turn on the policy immediately. If you want to test without blocking, use test mode with the restrict action disabled.
File is uploaded via the OneDrive sync app
The sync app does not display DLP tips or enforce inline blocking. After the file syncs to the cloud, DLP scans it and logs the violation. To block the file from being accessible, use the restrict action that applies after upload. This action hides the file from other users and prevents sharing, but the file remains in the user’s OneDrive. To remove the file, configure a DLP policy that triggers a Power Automate flow to delete or quarantine the file.
Multiple DLP policies conflict
If two DLP policies apply to the same file and location, the most restrictive action wins. However, if one policy has a notify action and another has a block action, the block action overrides. Check the priority order in Data Loss Prevention > Policies. Drag a policy to a higher position to enforce its actions first.
DLP Tip Behavior on OneDrive Web vs Sync App vs Mobile: Key Differences
| Item | OneDrive Web | OneDrive Sync App | OneDrive Mobile App |
|---|---|---|---|
| DLP tip display | Yellow or red banner at top of page | No tip displayed | No tip displayed |
| Upload blocking with restrict action | Blocked during upload | Not blocked; file syncs then may be restricted after scan | Not blocked; file uploads then may be restricted after scan |
| Audit log generation | Logged as FileUploaded with DLP rule match | Logged as FileSynced with DLP rule match | Logged as FileUploaded with DLP rule match |
| User notification method | Inline tip in browser | Email notification if configured | Email notification if configured |
Now you understand why a DLP tip can appear without stopping the upload. To enforce blocking, add a restrict action to your DLP policy and ensure the policy is turned on. For files uploaded through the sync app, configure post-upload restrictions and alerts. As an advanced step, create a DLP policy that uses a Power Automate flow to automatically move violating files to a quarantine library for review.