This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 48%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
I have setup DLP rules that apply email messages in Exchange online. It is currently in report only mode. It is working, identifying things like a SSN in an email message or an attachment.
We use a trigger word in email subject lines that will send a message automatically through secure email messaging - for example if SendSecured (case insensitive) is anywhere in the subject line and it doesn't have to be the only thing on the subject line, it will flow through the secure messaging system.
Today, these messages, even though sent correctly based on our policies, are being reported by DLP.
How do I add an exception to the DLP rule (or policy) so that it only triggers when ExceptIf SubjectContainsWords "SendSecured" is true?
all my searches lead me back to https://learn.microsoft.com/en-us/microsoft-365/compliance/dlp-conditions-and-exceptions?view=o365-worldwide where it appears this is the correct exception parameter to apply, but I've not been able to figure out how to do this in PowerShell. I can see that the field is blank, but I can't figure out how to add this.
Please help!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 67%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
Is there any progress about your question so far? Have you tried the command below to meet your needs?
You could refer to the official ducument here which introduces the usages of this command: Set-DlpComplianceRule
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Thank you for the suggestions. I didn't find the documentation very helpful from an example standpoint, but it's probably more me not really understanding.
In the end, I went back to the admin portal and made the policies only apply to Exchange instead of including SharePoint, Teams and OneDrive. Then the ExceptIfSubjectContainsWords exception setting option was available as a drop down. Much easier to include here. I'll have to create separate policies for the other services.
I didn't find a way to change the scope to just Exchange in the PowerShell commands.
Hi,
Thanks for your feedback, and we can see the introduction here about the parameter:
Hi @Joseph Saling ,
Just checking in to see if the below answer provided by @Vasil Michev helped. If this answers your query, do click Accept Answer and Up-Vote for the same. And, if you have any further query do let us know.
@PRADEEPCHEEKATLA the answer provided by @Vasil Michev , while appreciated, did not answer my query.
I had already reviewed the documentation and was trying to apply the setting via PowerShell to no effect. In the end, I believe this was because the rule I was trying to adjust was scoped to Exchange, OneDrive and SharePoint while the setting I was attempting to apply was ONLY available for Exchange.
As I posted in my follow up, I changed the scope of the rule to only apply to Exchange, then I was able to select the Subject matching field in the GUI dropdown box and enter my desired terms. This was easier than using PowerShell (in my opinion).
The cmdlet you need is Set-DlpComplianceRule, and in your case likely the -ExceptIfSubjectOrBodyMatchesPatterns parameter will do for the exception. To get the rule, use this:
Get-DlpComplianceRule -Policy DLPPolicyName
All the cmdlets require you to connect to the SCC endpoint: https://learn.microsoft.com/en-us/powershell/exchange/connect-to-scc-powershell?view=exchange-ps