Impact of DLP policies on app@sharepoint service account

Mathéo Boute 0 Reputation points
2025-03-31T09:59:22.7566667+00:00

Hey everyone,

I'm currently testing a DLP policy that blocks content matching a Sensitive Information Type from being shared outside OneDrive for Business. The DLP rule has Block with Override as its action. This DLP policy is scoped to a list of users.

After a few days of testing I noticed this 'app@sharepoint' service account in Activity Explorer. This account is not even in the list of users mentioned above. Its activity is related to Teams recordings, but it matches the DLP rule and the actions 'SPAccessTimeControl' and 'SPSharingNotifyUser' are applied.

I compared this activity with a manual test, and they are the same in terms of actions. See picture below:

My question is: How can I be sure my DLP policy is not impacting this service account? I cannot even exclude it from the DLP policy.
[Image: app@sharepoint not showing up]


1 answer

  1. Venkat Reddy Navari 1,190 Reputation points Microsoft External Staff
    2025-03-31T16:08:34.4866667+00:00

    Hi @Mathéo Boute, DLP policies can sometimes accidentally limit the app@sharepoint service account, which might interfere with automated tasks like Teams recordings. Since this account manages system processes, it can still be affected by DLP rules, even if it's not specifically mentioned.

    Here are a few key points to consider to keep everything running smoothly:

    Impact of DLP Policies

    1. DLP policies may inadvertently restrict access for the app@sharepoint service account.
    2. This account is crucial for managing automated tasks, such as Teams recordings, SharePoint operations, and OneDrive background processes.
    3. Since Microsoft Purview DLP does not support direct exclusions for service accounts, it may be challenging to remove app@sharepoint from policy enforcement.

    Monitoring and Verification: To confirm whether your DLP policy is affecting this service account, follow these steps:

    1. Check Activity Explorer in Microsoft Purview: filter by User: app@sharepoint. Look for "DLP rule matched" events to see if actions like SPAccessTimeControl or SPSharingNotifyUser are being enforced. Compare the logs with a manual test to verify whether DLP rules are triggering for this account.
    2. Compare with Expected Behavior: If DLP logs show that app@sharepoint is flagged, it means the policy is treating it like a regular user account. If Teams recordings or other automated tasks are failing or delayed, this confirms an impact on functionality.

    Recommendations to Minimize Disruptions: since direct exclusion isn't an option, consider these alternatives to prevent unnecessary restrictions:

    1. Refine DLP Policy Conditions: If Teams recordings are the primary concern, consider excluding .mp4 files from policy enforcement. Adjust sensitivity labels to prevent system-generated content from being incorrectly flagged.
    2. Use Group-Based Scoping: Instead of applying the DLP policy to all OneDrive users, restrict it to specific security groups that do not include service accounts.
    3. Implement a Testing Phase: Before enforcing a DLP policy organization-wide, test its impact on automated processes like SharePoint services. Monitor Activity Explorer to assess any unintended effects before rolling it out fully.
    4. Communicate with IT and Security Teams: Work with your IT team to fine-tune the policy while maintaining strong data protection. If critical workflows are disrupted, contact Microsoft Support for further guidance or alternative solutions.

    I hope this information helps. Please do let us know if you have any further queries.

    Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.
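A scripted version of the verification step from the answer above, added here as an example and not part of either post: it pulls DlpRuleMatch audit events attributed to app@sharepoint with Security & Compliance PowerShell, lists which rule fired and which actions were applied to which file, and then shows the policy's declared OneDrive scope for comparison. It assumes the ExchangeOnlineManagement module is installed and Connect-IPPSSession has already been run; the AuditData field names (PolicyDetails, Rules, Actions, SharePointMetaData.FileName) are taken from the DLP audit schema as I understand it and the rule name in the last line is a placeholder.

```powershell
# Added example: audit DLP rule matches attributed to app@sharepoint.
# Assumes the ExchangeOnlineManagement module is installed and
# Connect-IPPSSession has already been run (not repeated here).

$ServiceAccount = 'app@sharepoint'
$Since          = (Get-Date).AddDays(-7)

# Unified Audit Log query: DlpRuleMatch is the operation logged for
# SharePoint/OneDrive DLP matches (record type ComplianceDLPSharePoint).
$events = Search-UnifiedAuditLog -StartDate $Since -EndDate (Get-Date) `
            -UserIds $ServiceAccount -Operations DlpRuleMatch -ResultSize 5000

# AuditData is a JSON blob; flatten the fields that matter for the question:
# which policy/rule fired and which actions were applied to the file.
# Field names below follow the DLP audit schema (assumed; check your output).
$hits = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    foreach ($policy in $d.PolicyDetails) {
        foreach ($rule in $policy.Rules) {
            [pscustomobject]@{
                Time    = $e.CreationDate
                User    = $d.UserId
                Policy  = $policy.PolicyName
                Rule    = $rule.RuleName
                Actions = ($rule.Actions -join ', ')      # e.g. SPSharingNotifyUser
                File    = $d.SharePointMetaData.FileName  # assumed field name
            }
        }
    }
}

# Entries here mean the rule is evaluating the service account's activity,
# which is exactly what the Activity Explorer screenshot in the question shows.
$hits | Sort-Object Time | Format-Table -AutoSize

# Cross-check against the policy's declared scope: a user-list scope on
# OneDriveLocation does not stop matches attributed to app@sharepoint.
Get-DlpCompliancePolicy |
    Select-Object Name, Mode, OneDriveLocation, OneDriveLocationException

# Mitigation suggested in the answer: keep Teams recordings out of the rule
# by file extension. Replace <RuleName> with a rule from the $hits output.
# Set-DlpComplianceRule -Identity '<RuleName>' -ExceptIfContentExtensionMatchesWords 'mp4'
```

Run the query again after any rule change and confirm that new DlpRuleMatch events for app@sharepoint stop appearing before treating the issue as resolved.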

