Use sensitivity labels as conditions in DLP policies
You can use sensitivity labels as a condition in DLP policies for these locations:
- Exchange email messages
Sensitivity labels appear as an option in the Content contains list.
Sensitivity Labels as a condition will not be available if you have selected Teams chat and channel messages as a location to apply the DLP policy.
If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.
Supported items, file types, scenarios, and policy tips
You can use sensitivity labels as conditions on these items and in the scenarios that follow.
|Service||Item type||Available to policy tip||Enforceable|
|SharePoint Online||items in SharePoint Online||yes||yes|
|OneDrive for Business||items||yes||yes|
|Teams||Teams and channel messages||not applicable||not applicable|
|Teams||attachments||yes **||yes **|
** Attachments sent in Teams over 1:1 chat or channels are automatically uploaded to OneDrive and SharePoint. So if SharePoint or OneDrive are included as locations in your DLP policy, then labeled attachments sent in Teams will be automatically included in the scope of this condition. Teams as a location does not need to be selected in the DLP policy.
DLP's ability to detect sensitivity labels in SharePoint and OneDrive is limited. For more information, see Enable sensitivity labels for files in SharePoint and OneDrive.
Supported file types
|Workload||File types supported|
|Exchange emails||Office files (DOCX, XLSX, PPTX), PDF, PFILE (files which are labelled with protection using MIP SDK|
|SharePoint||Office files (DOCX, XLSX, PPTX), PDF|
|OneDrive for Business||Office files (DOCX, XLSX, PPTX), PDF|
|endpoint devices||Office files (DOCX, XLSX, PPTX), PDF|
DLP Admin will be able to see a list of all sensitivity labels in the tenant when they choose to include one or more sensitivity labels as a condition.
Using sensitivity labels as a condition is supported across all workloads as indicated in the support matrix above.
DLP policy tips will continue to be shown across workloads (except Outlook for Windows) for DLP policies that contain sensitivity label as a condition.
Sensitivity labels will also appear as a part of the incident report email if a DLP policy with sensitivity label as a condition is matched.
Sensitivity label details will also be shown in the DLP rule match audit log for a DLP policy match that contains sensitivity label as a condition.
Support policy tips
|Workload||Policy tips supported/not supported|
|Outlook for Windows||not supported|
|OneDrive for Business||supported|
|endpoint devices||not supported|