Resolve issues that affect DLP policy tips
If you encounter an issue that's related to Microsoft Purview Data Loss Prevention (DLP) policy tips, run an automated diagnostic for DLP policy tips in the Microsoft 365 admin center. The diagnostic analyzes the DLP policy and rule configuration for policy tips, identifies any issues, and suggests resolutions.
Run the diagnostic for DLP policy tips
Note
To run the diagnostic, you must be a Microsoft 365 global administrator.
To run the diagnostic, follow these steps:
Select the following button to open the diagnostic in the Microsoft 365 admin center.
Enter the following information:
- User principal name (UPN) or email address of the user
- DLP rule name or GUID
- Outlook or OWA (Outlook on the web)
Select Run Tests.
If you ran the diagnostic but your issue isn't resolved, check the following sections of this article.
DLP policies in Exchange Online
DLP policy tip settings are configured in DLP policies. If you created DLP policies in Exchange Online, we recommend that you migrate them to the Microsoft Purview compliance portal because legacy Exchange Online data loss prevention in the Exchange admin center is being deprecated. For policies that aren't migrated, you might see unexpected results, such as no display of policy tips.
For more information, see Policy tips in the Exchange admin center vs. the Microsoft Purview compliance portal.
Policy configuration errors
Policy is configured by using User notifications, but the status of the policy doesn't match the settings in the rule. Here's an example in which the policy is turned on but the policy status shows Test it out first.
A policy configuration error might also occur if the policy is configured by using two or more rules that detect the same sensitive data types that have the same Instance count value and confidence level.
This kind of setup is unnecessary and problematic. Only one rule is required.
Resolution
For these scenarios, create only one rule, and use detecting parameters that are based on the same sensitive data types.
Policy configurations not supported in Outlook 2013 and later versions
See Outlook 2013 and later supports showing policy tips for only some conditions and exceptions.
Not all policy conditions are met
This scenario occurs primarily if policy tips don't work as expected in SharePoint in Microsoft 365 and Microsoft OneDrive for work or school because there's an external sharing condition that's configured in a policy.
Note
Currently, content is not indexed as shared externally until an external party that's located outside the organization accesses the content for the first time.
MailTips aren't enabled (Outlook 2013 and later version clients only)
For Outlook 2013 and later version clients, make sure that MailTips are enabled. To enable MailTips in Outlook, first make sure that policy tips are enabled. To do this, follow these steps:
In Outlook, select File > Options > Mail.
Scroll to the MailTips section, and then select MailTips Options.
In the Select MailTips to be displayed selection dialog box, make sure that the Policy tip notification option is selected.
Under MailTip bar display options, make sure that the Display automatically when MailTips apply option is selected.
Select OK two times to close the File window.
Restart Outlook.
GetDLPPolicyTip call not found in Fiddler trace
If DLP policy tips don't work as expected, use a Fiddler trace to troubleshoot DLP policy tips.
Collect the Fiddler trace file when you reproduce the issue. Here's an example in which the DLP policy tip is triggered as expected.
In the POST request, check whether the
GetDLPPolicyTipcall is made in the trace file. For the previous example, you can see theGetDLPPolicyTipcall.
In the response, check the
DetectedClassificationIdsvalue. If the value field isn't empty, this indicates that the DLP policy matches the policy rule.
If you don't find the GetDLPPolicyTip call, and if the DetectedClassificationIds value field is empty in the response, follow these steps to resolve this issue:
- Check whether the DLP policy is enabled and configured correctly.
- Check whether your users enter the correct sensitive information and valid recipients or senders to trigger the policy.
Client doesn't support MailTips
There are several Outlook client licenses that don't support policy tips. Outlook license requirements for Exchange features lists the Outlook client licenses that support DLP policy tips.
Note
Policy tips are currently not supported for Outlook for Mac iOS clients. As a workaround, you can add text to the NDR response for your DLP policy rule that tells users to re-create their messages in the OWA client if they originally submitted the message by using Outlook for Mac. Use the OWA client to expose the policy tips functionality to users and enable them to override, report a false positive, or enter a business justification (depending on the "Notify" action that's specified in the DLP Policy rule). Users can then submit messages for delivery.
File-system configuration not supported
No policy tip is displayed if the following conditions are true:
- You're running Outlook 2013 or later version clients on Windows 7.
- You try to attach a file that's formatted as Adobe PDF version 10 or later versions to an email message that should trigger a DLP policy tip.
Resolution
To resolve this issue, carefully follow the steps in the "Resolution" section of Outlook doesn't display DLP policy tips for PDF attachments in Windows 7.
Invalid test data
When you evaluate the Instance count and confidence level of the DLP policy rule, the test data that's being used isn't valid based on Sensitive information type entity definitions. Make sure that the test data that you use is valid.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for