DLP Policy Sanity Check
I've got a DLP policy running in simulation mode (TestWithoutNotifyUser) with a single rule. Two conditions, ANDed together:
- Content is shared from Microsoft 365 → with people outside my organization
- Content contains → [custom SIT]
Action is "Restrict access or encrypt -> Block only people outside your organization" (not firing, since it's simulation).
What I'm seeing:
Activity Explorer is full of "DLP rule matched" events with dozens from a single user's OneDrive, all with the same timestamp. When I drill into individual matches, they're files sitting in a Desktop-synced OneDrive folder (.../Desktop/[folder]/[subfolder]/...). Nothing in the event indicates an active send or share action. it looks like the initial content scan picking up files at rest.
My confusion:
If the rule requires BOTH "shared externally" AND "contains SIT" to match, why are at-rest files matching? A few theories I want to confirm or kill:
- Is the "shared with people outside my organization" condition evaluating the file's current sharing state (e.g., an existing Anyone-link or an external grant on the file or a parent folder), rather than an actual share event?
- Could an externally-shared parent folder be propagating that "shared externally" state down to every file inside it making it look like many separate incidents when it's really one over-permissive folder?
- Does simulation mode's initial scan evaluate the sharing condition against existing sharing state, so previously-shared content lights up all at once (hence the identical timestamps)?
Please save my life lol