Shared Link Violates a Data Loss Prevention Rule: OneDrive for Business Fix

You receive an error that your shared link violates a Data Loss Prevention rule when you try to share a file from OneDrive for Business. This happens because Microsoft 365 DLP policies automatically scan shared content for sensitive information such as credit card numbers, social security numbers, or confidential business data. When a match is found, the system blocks the sharing action to prevent data leakage. This article explains why DLP rules block sharing and provides steps to resolve the issue for both users and administrators.

Key Takeaways: Resolving DLP-Triggered Sharing Blocks in OneDrive

  • Microsoft 365 admin center > Data loss prevention > Policies: Locate the specific DLP policy blocking the file and review its rules for sensitive info types.
  • Microsoft 365 admin center > Data loss prevention > Alerts: Check the DLP alerts dashboard to see which file and user triggered the violation.
  • OneDrive sharing dialog > Manage access > Remove direct access: Temporarily revoke all sharing on the file, then re-share with a limited audience to test if the block persists.

Why a Shared Link Triggers a DLP Rule Violation

Data Loss Prevention policies in Microsoft 365 are designed to detect and block sharing of content that contains sensitive information. When you create a shared link in OneDrive for Business, the system scans the file for patterns defined in active DLP policies. If the file contains data that matches a sensitive info type such as a credit card number, passport number, or bank account number, the sharing action is blocked and the user sees an error message. The DLP policy can also block sharing based on file name keywords, file size, or file type. The block applies to all link types including Anyone, People in your organization, and Specific people, depending on how the policy is configured. This behavior helps organizations prevent accidental data leaks but can also block legitimate sharing if the policy rules are too broad.

How DLP Policies Are Applied to OneDrive

DLP policies are created in the Microsoft 365 compliance portal and can be scoped to specific locations including Exchange, SharePoint, OneDrive, and Teams. When a policy targets OneDrive, it scans files at rest and during sharing events. The scanning engine uses built-in sensitive info types or custom ones defined by your organization. When a match is found, the policy can take actions such as blocking sharing, sending a notification to the user, generating an alert for administrators, or applying a block access action to the shared link.
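
The following Python sketch is an added example, not code from this article or from Microsoft. It approximates how a credit card sensitive info type can combine a digit pattern, a Luhn checksum, and nearby keywords into a confidence level. The regex, keyword list, 300-character window, and the high/low/none labels are assumptions made for illustration, and the sample texts are constructed.

```python
import re

# Card-like candidates: 13 to 19 digits, optionally split by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Supporting keywords and proximity window: assumed values for this sketch.
KEYWORDS = ("credit card", "card number", "visa", "mastercard", "cvv", "expiry")
WINDOW = 300  # characters inspected on each side of a candidate


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def classify(text: str) -> list[tuple[str, str]]:
    """Return (masked number, confidence) for every card-like candidate."""
    results = []
    lowered = text.lower()
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            confidence = "none"      # right shape, bad checksum: not a match
        else:
            nearby = lowered[max(0, m.start() - WINDOW):m.end() + WINDOW]
            confidence = "high" if any(k in nearby for k in KEYWORDS) else "low"
        results.append(("*" * (len(digits) - 4) + digits[-4:], confidence))
    return results


# Constructed sample texts (not real data). 4111 1111 1111 1111 is a
# widely published test card number that passes the Luhn check.
SAMPLES = {
    "invoice": "Payment by Visa card number 4111 1111 1111 1111, expiry 12/30.",
    "fixture": "fixture_id=4111111111111111",
    "order": "Order reference 1234-5678-9012-3456 shipped.",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, classify(text))
```

The output shows why test files can trigger a rule: a published test card number carries a valid checksum, so only the surrounding keywords separate a low-confidence hit from a high-confidence one, while an order reference with the same shape fails the checksum and is not a match.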

Steps to Fix a DLP-Triggered Sharing Block

  1. Identify the blocked file and the DLP policy involved
    Open the Microsoft 365 compliance portal at compliance.microsoft.com. Go to Data loss prevention > Alerts. Look for an alert that matches the approximate time of the sharing block. Click the alert to see the file name, the user who attempted sharing, and the name of the DLP policy that triggered the block. Write down the policy name and the sensitive info type that was detected.
  2. Review the DLP policy rules
    In the compliance portal, go to Data loss prevention > Policies. Locate the policy from step 1 and open it. Review the rules under the Rules section. Identify which rule contains the sensitive info type that matched your file. Check the Actions section for that rule to see if it is set to Block sharing or Block only when sharing with external users. This tells you exactly what action is being taken.
  3. Determine if the file contains real sensitive data
    Open the file that was blocked. Look for the sensitive content that triggered the DLP match. If the file contains actual sensitive information such as a real credit card number or social security number, you should not share it. Contact your organization’s compliance team for guidance. If the file contains test data, sample data, or a false positive, proceed to step 4.
  4. Remove the sensitive data from the file
    Edit the file in OneDrive for Business or in the desktop app. Remove or replace the sensitive content with generic placeholder text. Save the file. After saving, wait 5 to 10 minutes for the DLP scan to re-evaluate the file. Then try sharing the file again using the OneDrive share dialog.
  5. Use an alternative sharing method with limited access
    If the block persists, revoke all existing sharing on the file. In OneDrive, select the file and click Share. Click the dropdown arrow next to the link type and choose Specific people. Enter the email address of the recipient and set the permission to View or Edit as needed. Click Apply and then Send. This method often bypasses broad DLP rules that target Anyone or People in your organization links.
  6. Request an exception from your administrator
    If you need to share the file with the sensitive data intact for legitimate business reasons, contact your Microsoft 365 administrator. Provide the file name, the DLP policy name, and a business justification. The administrator can create an exception rule in the DLP policy to allow sharing of that specific file or a class of files.

If the DLP Block Continues After Removing Sensitive Data

The file still shows the same DLP error after editing

The DLP scan may not have re-scanned the file yet. In OneDrive for Business, click the file name and select Version history. Delete the most recent version if possible, or check if an older version still contains the sensitive data. The DLP engine scans the latest version only. If the issue persists, have the administrator run a manual DLP re-scan using the compliance portal.

The DLP policy is too broad and blocks many legitimate files

This is a policy configuration issue. The administrator should review the DLP policy rules and consider narrowing the scope. For example, change the rule from blocking all sharing to blocking only sharing with external users. Or add an exception for files that contain a specific custom tag or label. The administrator can also reduce the confidence level threshold for sensitive info types to reduce false positives.

The DLP policy blocks sharing but the file contains no real sensitive data

This is a false positive. The administrator can test the file by using the DLP Test feature in the compliance portal. Go to Data loss prevention > Test. Upload a copy of the file and run the test to see which sensitive info type is matched. Based on the result, the administrator can fine-tune the policy rules or submit feedback to Microsoft for false positive classification.

Sharing Options Before and After a DLP Block: Key Differences

| Item | Before DLP Block | After DLP Block |
|---|---|---|
| Link types available | Anyone, People in your org, Specific people, Direct access | Only Specific people may work depending on policy scope |
| User notification | None | Error message with policy name and compliance contact info |
| Administrator alert | None | Alert generated in DLP alerts dashboard and optionally sent by email |
| File version history | All versions accessible | Only latest version is scanned; older versions may still contain sensitive data |
| Remediation path | Not applicable | Remove sensitive data, request exception, or use Specific people link |

After resolving the DLP block, you can share the file normally using the appropriate link type. If the file was blocked because of a false positive, ask your administrator to adjust the DLP policy rules to exclude that file name or location. As a best practice, store files that contain sensitive data in a document library with restricted permissions rather than in your personal OneDrive. This reduces the chance of accidental sharing violations.
