u/ThatBoiAndy

DLP Policy Sanity Check

I've got a DLP policy running in simulation mode (TestWithoutNotifyUser) with a single rule. Two conditions, ANDed together:

  • Content is shared from Microsoft 365 → with people outside my organization
  • Content contains → [custom SIT]

Action is "Restrict access or encrypt -> Block only people outside your organization" (not firing, since it's simulation).

What I'm seeing:
Activity Explorer is full of "DLP rule matched" events with dozens from a single user's OneDrive, all with the same timestamp. When I drill into individual matches, they're files sitting in a Desktop-synced OneDrive folder (.../Desktop/[folder]/[subfolder]/...). Nothing in the event indicates an active send or share action. it looks like the initial content scan picking up files at rest.

My confusion:
If the rule requires BOTH "shared externally" AND "contains SIT" to match, why are at-rest files matching? A few theories I want to confirm or kill:

  1. Is the "shared with people outside my organization" condition evaluating the file's current sharing state (e.g., an existing Anyone-link or an external grant on the file or a parent folder), rather than an actual share event?
  2. Could an externally-shared parent folder be propagating that "shared externally" state down to every file inside it making it look like many separate incidents when it's really one over-permissive folder?
  3. Does simulation mode's initial scan evaluate the sharing condition against existing sharing state, so previously-shared content lights up all at once (hence the identical timestamps)?

Please save my life lol

reddit.com
u/ThatBoiAndy — 11 days ago