How to Verify DLP Policy Scope for OneDrive Accounts

Data Loss Prevention policies in Microsoft 365 can protect sensitive files stored in OneDrive by blocking or warning users when they share specific data like credit card numbers or personally identifiable information. However, a DLP policy that is not scoped correctly will not apply to OneDrive documents even if the policy is active. This article explains how to check whether a DLP policy includes OneDrive locations and how to confirm the scope settings in the Microsoft 365 compliance portal.

You may discover that DLP rules are not triggering on files shared from OneDrive, or you may be setting up a new policy and need to verify that the scope covers the correct users and sites. The root cause is almost always a scope misconfiguration where OneDrive was never added as a location or where the policy targets a distribution group that does not include the affected users.

This guide walks through the exact steps to inspect and adjust DLP policy scope for OneDrive accounts, including the use of the Purview compliance portal and PowerShell verification commands.

Key Takeaways: Verifying DLP Policy Scope for OneDrive

  • Microsoft Purview compliance portal > Data Loss Prevention > Policies: The primary location to view, edit, and test DLP policy scope for OneDrive locations.
  • Locations tab > OneDrive accounts: Must be toggled to On and include the correct users, groups, or All users for the policy to apply.
  • Test-DlpPolicy PowerShell cmdlet: Validates whether a specific DLP policy triggers on a given file in a OneDrive location without waiting for user actions.


What Is DLP Policy Scope and Why It Matters for OneDrive

DLP policy scope defines which locations, users, and groups a DLP rule applies to. In Microsoft 365, a single DLP policy can target Exchange email, SharePoint sites, OneDrive accounts, Teams chat and channel messages, and devices. If the scope does not include OneDrive accounts, the policy will never scan or protect files stored in OneDrive.

OneDrive accounts are listed under Locations as a separate item with its own toggle and inclusion rules. When you create or edit a DLP policy, the Locations tab shows each location type. The OneDrive accounts location can be set to All users, specific users, specific security groups, or turned off entirely.

Scope also includes advanced settings like whether the policy applies to shared content only or to all content. If the policy is set to detect sharing of sensitive info but the scope excludes external sharing scenarios, the policy may not trigger on files shared with external guests.

How DLP Policy Scope Differs from Policy Priority

Scope determines where a policy runs. Priority determines which policy wins when multiple policies could apply to the same item. A high-priority policy that does not include OneDrive locations will never run on OneDrive files, regardless of its priority number. Always check scope before adjusting priority.

Steps to Verify DLP Policy Scope for OneDrive Accounts

Follow these steps to confirm that a DLP policy includes OneDrive accounts and verify the scope settings are correct. You need the Microsoft Purview compliance portal and, optionally, the Security & Compliance PowerShell module.

  1. Open the Microsoft Purview compliance portal
    Go to https://compliance.microsoft.com and sign in with an account that has the Data Loss Prevention admin role or Compliance admin role.
  2. Navigate to Data Loss Prevention
    In the left navigation, select Data Loss Prevention then Policies. A list of all DLP policies in your tenant appears.
  3. Select the policy to inspect
    Click the name of the policy you want to verify. Do not click the toggle switch. The policy details page opens.
  4. Open the Locations tab
    On the policy details page, select the Locations tab. This tab shows every location type the policy targets.
  5. Check the OneDrive accounts toggle
    Look for the row labeled OneDrive accounts. The toggle must be set to On. If it is Off, the policy does not apply to any OneDrive files.
  6. Review the inclusion rules
    If the toggle is On, click Edit next to OneDrive accounts. The inclusion pane shows whether the policy applies to All users or specific users and groups. Verify that the affected users are listed here. If you see no users listed and the option is set to Specific users or groups, the policy will not apply to anyone.
  7. Check the advanced scope settings
    On the same Locations tab, scroll to Advanced DLP rules if present. Some policies have a condition that restricts scope to content shared with people outside the organization. Confirm that the condition matches your intent. For example, if you want the policy to block all sharing of credit card numbers, the condition should not limit detection to external sharing only.
  8. Use PowerShell to verify scope programmatically
    Open the Security & Compliance PowerShell module as an administrator. Run the following to authenticate and read the scope of one policy:
      Connect-IPPSSession
      Get-DlpCompliancePolicy -Identity "Policy Name" | Format-List ExchangeLocation, SharePointLocation, OneDriveLocation
    The output shows the exact scope for each location. A value of All for OneDriveLocation means all users are included. A specific GUID means only that user or group is included.
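The single-policy check in step 8 scales poorly when a tenant has many policies. The script below is an added example, not code from the article or from Microsoft, that runs the same Get-DlpCompliancePolicy audit across every policy and flags the two conditions this guide describes: an empty OneDrive scope and a policy left in a test mode. It assumes the Security & Compliance module is installed and Connect-IPPSSession has already succeeded; the Mode values it compares against are the ones the cmdlet returns (Enable, TestWithNotifications, TestWithoutNotifications, Disable).

```powershell
# Added example: audit the OneDrive scope of every DLP policy in the tenant.
# Assumes Connect-IPPSSession has already been run with a DLP or Compliance admin account.

$policies = Get-DlpCompliancePolicy

$report = foreach ($p in $policies) {
    # OneDriveLocation is 'All', one or more user/group identifiers, or empty.
    # Filter out nulls so an Off toggle and an empty inclusion list both count as 0.
    $od = @($p.OneDriveLocation | Where-Object { $_ })

    # Classify the scope the way the Locations tab presents it
    $scope = if ($od -contains 'All') {
        'All users'
    } elseif ($od.Count -eq 0) {
        'Not included (toggle Off or empty inclusion list)'
    } else {
        "Specific users/groups ($($od.Count) entries)"
    }

    # Only Mode = Enable actually blocks; the Test* modes alert without enforcing
    $enforcing = ($p.Mode -eq 'Enable')

    [pscustomobject]@{
        Policy        = $p.Name
        Mode          = $p.Mode
        OneDriveScope = $scope
        Exclusions    = @($p.OneDriveLocationException | Where-Object { $_ }).Count
        NeedsReview   = (-not $enforcing) -or ($od.Count -eq 0)
    }
}

# Full table for the audit record, then a warning per policy that needs attention
$report | Format-Table -AutoSize
$report | Where-Object NeedsReview | ForEach-Object {
    Write-Warning "Policy '$($_.Policy)': mode=$($_.Mode); OneDrive scope=$($_.OneDriveScope)"
}
```

A policy reported as Enable with scope All users and zero exclusions is the only combination that protects every OneDrive account without further checks; anything else should be compared against the intended inclusion list in the portal.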

Testing DLP Policy Scope with a Sample File

After verifying the scope settings, run a test to confirm the policy triggers on an actual OneDrive file. Upload a text file containing a test credit card number like 4111111111111111 to a OneDrive account that is in scope. Share the file with an external user. Within minutes, the policy should generate an alert or block the share. If no action occurs, recheck the scope and ensure the policy is not in test mode without notifications.


Common Scope Misconfigurations and How to Fix Them

Even when the OneDrive accounts toggle is On, several scope-related issues can prevent a DLP policy from protecting files. The following sections describe the most frequent problems and their solutions.

OneDrive accounts toggle is On but no users are selected

When you set the inclusion rule to Specific users or groups but leave the list empty, the policy will not apply to any OneDrive account. Edit the policy, go to Locations, click Edit next to OneDrive accounts, and either select All users or add the correct users or groups. If you need to include all users, switch the radio button to All users.

Policy scope includes OneDrive but only for internal sharing

Some DLP policies are configured with a condition that restricts detection to content shared with people outside the organization. If the policy is meant to block internal sharing of sensitive data, this condition will prevent the policy from firing on internal shares. Edit the policy, go to Rules, select the rule, and remove the condition that limits scope to external sharing.

DLP policy is in test mode and does not block

A policy in test mode will generate alerts but will not block sharing. This is not a scope issue, but it looks like one because no action is taken. Check the policy status on the Policies page. If the status shows Test, edit the policy and change the mode to Turn it on immediately if you want enforcement.

OneDrive account is not licensed or is a personal account

DLP policies only apply to OneDrive for Business accounts that are part of a Microsoft 365 subscription. Personal OneDrive accounts are not covered. Verify that the user has an active OneDrive for Business license assigned in the Microsoft 365 admin center.

DLP Policy Scope Options: All Users vs Specific Users vs Groups

  Item                  | All Users                                              | Specific Users or Groups
  ----------------------|--------------------------------------------------------|------------------------------------------------------------------------------
  Description           | Policy applies to every OneDrive account in the tenant | Policy applies only to OneDrive accounts of selected users or group members
  Management overhead   | Low – no need to update when users join or leave       | High – must update the list when users change teams or leave the organization
  Risk of missing users | None                                                   | High if a user is not added to the group or list
  Best for              | Tenant-wide compliance policies for regulated data     | Policies that apply only to specific departments like Finance or HR
  Performance impact    | Higher scanning load, but Microsoft handles scaling    | Lower scanning load because fewer accounts are scanned

DLP policy scope is the most common reason a policy does not apply to OneDrive files. The scope settings control every aspect of where and when the policy runs, from the location toggle to the inclusion rules and advanced conditions.

You can now open any DLP policy in the Purview portal, check the OneDrive accounts toggle, and confirm the inclusion list contains the correct users or groups. Use the PowerShell Get-DlpCompliancePolicy cmdlet to audit scope across multiple policies at once. As a next step, review your tenant’s DLP policies quarterly to ensure scope still matches your organizational structure and compliance requirements.
