Use Data Loss Prevention in New Outlook After Switching From Classic Outlook

After switching from Classic Outlook to the new Outlook for Windows, you may find that your organization’s Data Loss Prevention policies no longer appear to block sensitive emails or attachments. This happens because the new Outlook uses a different underlying platform for policy enforcement, and administrators must reconfigure certain settings. This article explains why DLP behavior changes, how to verify that DLP is active, and what steps you can take to ensure your data remains protected in the new Outlook.

Key Takeaways: DLP in New Outlook

  • Microsoft 365 Compliance Center > Data Loss Prevention > Policies: Verify that DLP policies are configured to apply to Exchange Online mailboxes, which the new Outlook uses.
  • New Outlook > File > Options > Mail > Message Format: Ensure emails are sent in HTML format so DLP rules can scan content correctly.
  • New Outlook > Settings > Mail > Compose and Reply > Sensitivity Labels: Enable sensitivity labels for manual DLP enforcement on outgoing messages.

Why DLP Behavior Changes After Switching From Classic Outlook

Classic Outlook connects to your mailbox using MAPI over HTTP and processes DLP policies locally through the Outlook client. The new Outlook is a web-based application that connects to Exchange Online via REST APIs. DLP policies in the new Outlook are enforced server-side by Exchange Online Protection and the Microsoft 365 Compliance Center. This shift means that DLP rules that were previously applied by the Classic Outlook client may not transfer automatically. You must verify that your DLP policies are configured to apply to Exchange Online mailboxes in the Compliance Center.

How the New Outlook Handles DLP

In the new Outlook, DLP scanning occurs when a user sends an email. The Exchange Online transport pipeline inspects the message body, subject, and attachments for sensitive data patterns defined in your organization’s DLP policies. If a policy match is found, the email is blocked or a policy tip is shown. This server-side enforcement is independent of the Outlook client version. However, the new Outlook does not support all Classic Outlook DLP features, such as custom policy tips that appear in the compose window. Administrators must update DLP rules to use Exchange mail flow rules or sensitivity labels for equivalent protection.

Steps to Verify and Enable DLP in New Outlook

Follow these steps to ensure DLP policies are active after switching to the new Outlook. You need Global Admin or Compliance Admin permissions in the Microsoft 365 Compliance Center.

  1. Open the Microsoft 365 Compliance Center
    Go to https://compliance.microsoft.com and sign in with your administrator account. In the left navigation, select Data Loss Prevention.
  2. Check Existing DLP Policies
    Click Policies to view all DLP policies. Select a policy that should apply to email. In the policy details, verify that Exchange is listed under Locations. If Exchange is missing, click Edit and add Exchange as a location.
  3. Configure Policy for Exchange Online
    Under the policy’s Locations section, ensure Exchange email is toggled to On. If you have specific distribution groups or users, set the scope to All users or select the appropriate groups. Click Save.
  4. Enable Policy Tips for New Outlook
    In the same policy, go to User notifications and set Notify users with tips and a policy tip to On. This shows a warning in the new Outlook compose window when a policy is triggered.
  5. Test DLP in New Outlook
    Open the new Outlook and compose a test email containing sensitive data such as a credit card number or Social Security number. Send the email to a non-admin user. If DLP is active, the email is blocked or a policy tip appears before sending.
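
The checks in steps 2 through 4 can also be run across every policy at once from Security & Compliance PowerShell. The script below is an added example, not part of the original article. It assumes the ExchangeOnlineManagement module is installed, uses a placeholder administrator account (admin@contoso.example), and treats a rule with a non-empty NotifyUser value as having user notifications turned on.

```powershell
# Added example: audit DLP policies for the settings checked in steps 2-4.
# Assumptions: ExchangeOnlineManagement module installed; placeholder admin UPN.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'

$report = foreach ($policy in Get-DlpCompliancePolicy) {
    # Rules carry the notification and block actions; skip disabled ones.
    $rules = @(Get-DlpComplianceRule -Policy $policy.Name |
               Where-Object { -not $_.Disabled })

    [pscustomobject]@{
        Policy         = $policy.Name
        # Enable, TestWithNotifications, TestWithoutNotifications or Disable
        Mode           = $policy.Mode
        # Filter out nulls so an empty location list counts as zero.
        CoversExchange = @($policy.ExchangeLocation | Where-Object { $_ }).Count -gt 0
        ActiveRules    = $rules.Count
        # Assumption: NotifyUser set means user notifications are on for the rule.
        RulesNotifying = @($rules | Where-Object { $_.NotifyUser }).Count
        RulesBlocking  = @($rules | Where-Object { $_.BlockAccess }).Count
    }
}

$report | Sort-Object CoversExchange, Policy | Format-Table -AutoSize

# Policies that would not protect mail sent from the new Outlook as described:
# no Exchange location, not in enforcing mode, or no rule notifying the user.
$gaps = @($report | Where-Object {
    -not $_.CoversExchange -or $_.Mode -ne 'Enable' -or $_.RulesNotifying -eq 0
})

foreach ($gap in $gaps) {
    Write-Warning ("{0}: Exchange={1}, Mode={2}, notifying rules={3}" -f `
        $gap.Policy, $gap.CoversExchange, $gap.Mode, $gap.RulesNotifying)
}

Disconnect-ExchangeOnline -Confirm:$false
```

A policy listed in the warnings is not necessarily misconfigured; one scoped only to SharePoint or Teams will appear there by design.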

If DLP Policy Tips Do Not Appear

If no policy tip shows in the new Outlook compose window, check the following:

  • Ensure the DLP policy includes the Exchange location.
  • Verify that the user’s mailbox is hosted in Exchange Online, not on-premises.
  • Confirm that the new Outlook is connected to the same Microsoft 365 tenant where the DLP policy is defined.
  • Finally, wait up to 24 hours for policy changes to propagate.

Common Issues After Switching to New Outlook

Below are frequent problems users encounter with DLP in the new Outlook and how to resolve them.

DLP Policy Blocks Emails That Were Allowed in Classic Outlook

Classic Outlook may have applied DLP rules differently because of local client-side scanning. In the new Outlook, all scanning is server-side. If a policy is too broad, it may block legitimate emails. To fix this, review the DLP policy conditions in the Compliance Center. Narrow the conditions by adding exceptions for specific recipients or domains. Test with a sample email before applying changes broadly.

Policy Tips Are Missing in the Compose Window

The new Outlook supports policy tips only when the DLP policy is configured with Notify users with tips enabled. If tips still do not appear, ensure the email is composed in HTML format, not plain text. Go to New Outlook > File > Options > Mail > Message Format and select HTML. Also check that the user has the latest version of the new Outlook by going to Settings > General > About Outlook and clicking Update Now.

DLP Policies for Attachments Not Working

Server-side DLP scans attachments for sensitive content. If attachments are not being scanned, verify that the DLP policy includes Attachments under Conditions. In the policy editor, add a condition for Content contains and select All attachment content. Save the policy and test with a file containing sensitive data.

Classic Outlook vs New Outlook: DLP Feature Comparison

Item | Classic Outlook | New Outlook
Policy enforcement location | Client-side via Outlook add-in | Server-side via Exchange Online Protection
Policy tips in compose window | Supported with DLP add-in | Supported via Compliance Center policy tips
Custom policy tip text | Full customization in add-in | Limited to predefined templates or mail flow rules
Attachment scanning | Client-side scanning of file content | Server-side scanning of all attachment types
Offline DLP enforcement | Works when Outlook is cached | Requires internet connection for server-side check

After switching to the new Outlook, you can continue using DLP by verifying your policies in the Microsoft 365 Compliance Center. Ensure that Exchange Online is included as a location and that policy tips are enabled. For advanced protection, consider configuring sensitivity labels to complement DLP rules. As an advanced tip, use the Microsoft 365 Defender portal to create DLP policies that apply to both email and Microsoft Teams messages in the new Outlook.
