Migrate Exchange Online data loss prevention policies to Microsoft Purview compliance portal

Exchange Online data loss prevention (DLP) policies are being deprecated. Much richer DLP functionality, including Exchange Online DLP, is offered in the Microsoft Purview compliance portal. You can use the DLP policy migration wizard to help you bring your Exchange Online DLP policies over to the compliance portal where you'll manage them.

The migration wizard works by reading the configuration of your DLP policies in Exchange and then creating duplicate policies in the compliance portal. By default the wizard creates the new versions of the policies in Test mode, so you can see what impact they'd have in your environment without enforcing any of the actions. Once you're ready to fully transition to the compliance portal versions, you must:

  1. Deactivate or delete the source policy in the Exchange Admin Center (EAC).
  2. Edit the compliance portal version of the policy and change its status from Test to Enforce.

Warning

If you do not delete or deactivate the source policy in the EAC before you set the Compliance center version to Enforce both sets of policies will be attempting to enforce actions and you will receive duplicate events. This is an unsupported configuration.

The migration wizard only migrates EXO policies and associated mail flow rules. Standalone Exchange mail flow rules aren't migrated.

Tip

If you're not an E5 customer, you can try all the premium features in Microsoft Purview for free. Use the 90-day Purview solutions trial to explore how robust Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Migration workflow

There are four phases to migrating DLP policies from Exchange into the Unified DLP management console in the compliance portal.

  1. Prepare for migration
    1. Evaluate and compare your Exchange Online (EXO) DLP policies and your compliance portal DLP policies for duplicate functionality.
    2. Decide which EXO DLP policies you want to bring over exactly as they are, you can use the wizard to migrate these.
    3. Decide which EXO DLP policies you want to consolidate and consolidate them in the Exchange admin center, then use the migration wizard to bring them over into the compliance portal.
  2. Perform the migration - use the wizard
  3. Testing and validation - examine the results
  4. Activate the migrated policies

Before you begin

Licensing and versions

Before you get started with migrating DLP policies, you should confirm your Microsoft 365 subscription and any add-ons.

To access and use the policy migration wizard, you must have one of these subscriptions or add-ons

  • Microsoft 365 E3
  • Microsoft 365 E5
  • Microsoft 365 A5 (EDU)
  • Microsoft 365 E5 compliance
  • Microsoft 365 A5 compliance
  • Microsoft 365 E5 information protection and governance
  • Microsoft 365 A5 information protection and governance

For a detailed list of DLP licensing requirements, see Microsoft 365 Licensing guidance for security & compliance, data loss prevention

Permissions

The account that you use to run the migration wizard must have access to both the Exchange Admin Console DLP page and to the Unified DLP console in the compliance portal.

Prepare for migration

  1. If you're unfamiliar with DLP, the compliance portal DLP console, or the Exchange Admin center DLP console, you should familiarize yourself before attempting a policy migration.
    1. Exchange Online data loss prevention (DLP) policies
    2. Learn about Endpoint data loss prevention
    3. Create, Test, and Tune a DLP policy
  2. Evaluate your Exchange DLP and compliance portal policies by asking these questions:
Question Action Migration procedure
Is the policy still needed? If not, delete or deactivate it don't migrate
Does it overlap with any other Exchange or compliance portal DLP policies? If yes, can you consolidate the overlapping policies? - If it overlaps with another Exchange policy, manually create the consolidated DLP policy in the Exchange Admin center, then use the migration wizard.
- If it overlaps with an existing compliance portal policy, you can modify the existing compliance portal policy to match, don't migrate the Exchange version
Is the Exchange DLP policy tightly scoped and does it have well-defined conditions, actions, inclusions, and exclusions? If yes, it's a good candidate to migrate with the wizard, make note of the policy so that you remember to come back to delete it later migrate with the wizard

Migration

After you've evaluated all your Exchange and compliance portal DLP policies for need and compatibility, you can use the migration wizard.

  1. Open the Microsoft Purview compliance portal DLP console.
  2. If there are Exchange DLP policies that can be migrated, a banner will appear at the top of the page letting you know.
  3. Choose Migrate policies in the banner to open the migration wizard. All the Exchange DLP policies are listed. Previously migrated policies can't be selected.
  4. Select the policies you want to migrate. You can migrate them individually, or in groups using a phased approach or all at once. Select Next.
  5. Review the flyout pane for any warnings or messages. Resolve any issues before proceeding.
  6. Select the mode you want the new compliance portal policy created in, Active, Test, or Disabled. The default is Test. Select Next.
  7. If desired, you can create more policies that are based on the Exchange DLP policies for other unified DLP locations. This will result in one new unified DLP policy for the migrated Exchange policy and one new unified DLP policy for any other locations that you pick here.

Important

Any Exchange DLP policy conditions and actions that are not supported by other DLP locations, like Devices, SharePoint, OneDrive, On-premises, MCAS or Teams chat and channel messages will be dropped from the additional policy. Also, there is pre-work that must be done for the other locations. See:

  1. Review the migration wizard session settings. Select Next.
  2. Review the migration report. Pay attention to any failures involving Exchange mail flow rules. You can fix them and remigrate the associated policies.

The migrated policies will now appear in the list of DLP policies in the compliance portal DLP console.

Common errors and mitigation

Error message Reason Mitigation/Recommended steps
A compliance policy with name <Name of the policy> already exists in scenario(s) Dlp. It's likely that this policy migration was done earlier and then reattempted in the same session Refresh the session to update the list of policies available for migration. All previously migrated policies should be in the Already migrated state.
A compliance policy with name <Name of the policy> already exists in scenario(s) Hold. A retention policy with the same name exists in the same tenant. - Rename the DLP policy in EAC to a different name.
- Retry the migration for the impacted policy.
DLP-group@contoso.com can't be used as a value for the Shared By condition because it's a distribution group or mail-enabled security group. Use Shared by Member of predicate to detect activities by members of certain groups. Transport rules allow groups to be used in the sender is condition but unified DLP doesn't allow it. Update the transport rule to remove all group email addresses from the sender is condition and add the group to the sender is a member of condition if necessary. Retry the migration for the impacted policy
Couldn't find recipient DLP-group@contoso.com. If newly created, retry the operation after sometime. If deleted or expired please reset with valid values and try again. It's likely that the group address used in sender is a member of or recipient is a member of condition is expired or invalid. - Remove/replace all the invalid group email addresses in the transport rule in Exchange admin center.
- Retry the migration for the impacted policy.
The value specified in FromMemberOf predicate must be mail enabled security group. Transport rules allow individual users to be used in the sender is a member of condition but unified DLP doesn't allow it. - Update the transport rule to remove all individual user email addresses from the sender is a member of condition and add the users to the sender is condition if necessary.
- Retry the migration for the impacted policy.
The value specified in SentToMemberOf predicate must be mail enabled security group. Transport rules allow individual users to be used under the recipient is a member of condition but unified DLP doesn't allow it. - Update the transport rule to remove all individual user email addresses from the recipient is a member of condition and add the users to the recipient is condition if necessary.
- Retry the migration for the impacted policy.
Using the <Name of condition> parameter is supported only for Exchange. Either remove this parameter or turn on only Exchange location. It's likely that another policy with the same name exists in compliance portal with other locations like SPO/ODB/Teams for which the mentioned condition isn't supported. Rename the DLP policy in Exchange admin center and retry the migration.

Testing and validation

Test and review your policies.

  1. Follow the Test a DLP policy procedures.
  2. Review the events created by the policy in Activity explorer.

Review the policy matches between Exchange Admin Center DLP and Microsoft Purview Unified DLP

To ensure that the migrated policies behave as expected, you can export the reports from both admin centers and do a comparison of the policy matches.

  1. Connect to Exchange Online PowerShell.

  2. Export the EAC DLP report. You can copy this cmdlet and insert the appropriate values:

    Get-MailDetailDlpPolicyReport -StartDate <dd/mm/yyyy -EndDate <dd/mm/yyyy> -PageSize 5000 | select Date, MessageId, DlpPolicy, TransportRule -Unique | Export-CSV <"C:\path\filename.csv">
    
  3. Export the Unified DLP report. You can copy this cmdlet and insert the appropriate values:

    Get-DlpDetailReport -StartDate <dd/mm/yyyy> -EndDate <dd/mm/yyyy> -PageSize 5000 | select Date, Location, DlpCompliancePolicy, DlpComplianceRule -Unique | Export-CSV <"C:\path\filename.csv">
    

Activate your migrated policies

Once you're satisfied with how your migrated policies are functioning, you can set them to Enforce.

  1. Open the Exchange Admin Center DLP console.
  2. Deactivate or delete the source policy.
  3. Open the Microsoft Purview compliance portal DLP console and select the policy you want to make active to edit it.
  4. Change the status to Turn on.