Get started with the data loss prevention simulation mode

Important

This feature is in preview. Preview features aren't meant for production use and may have restricted functionality. These features are available before an official release so that customers can get early access and provide feedback. We expect changes to this feature, so you shouldn't use it in production. Use it only in test and development environments.

You can use Microsoft Purview Data Loss Prevention (DLP) simulation mode to see:

  • The impact of a policy on your production environment without enforcement.
  • All the items that would be matched by a policy if it were enforced.

This article walks you through simulation mode prerequisites, configuration options, and how to view simulation results.

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Before you begin

Licensing

See the Microsoft 365 guidance for security & compliance for details on the subscriptions that support DLP. If you are already licensed for DLP, you can use simulation mode. No additional licensing is required.

Permissions

The account you use to interact with simulation mode must be in the Information Protection admin role. For more information on the roles and role groups necessary to use simulation mode, see Permissions. For more information on roles and role groups in Microsoft Purview compliance, see Roles and role groups in Microsoft Defender for Office 365 and Microsoft Purview compliance.

System configuration

To see matched items from endpoint devices in their native application on the Items for review tab, you must configure evidence collection for file activities on devices.

Enable DLP simulation mode in DLP settings

You must enable simulation mode before you can use it in a policy.

  1. Open the Microsoft Purview compliance portal and navigate to Data loss prevention > Overview > Settings > Simulation mode (preview).

Manage DLP simulation mode

You can set a policy to be in simulation mode when you create it or after it's been created. You can also turn off simulation mode for a policy that's already in simulation mode.

  1. Use the steps in Create and Deploy data loss prevention policies to create a new policy or edit an existing policy.
  2. The last step in the policy configuration workflow is Simulate or turn on the policy. Select Run the policy in simulation mode to enable simulation mode. Select either Turn it on right away or Keep it off to disable simulation mode. You can further select:
    1. Show policy tips while in simulation mode to help educate your users when they take actions that might trigger policy actions.
    2. Turn the policy on if it's not edited within fifteen days of the simulation to turn the policy on without further interaction.
  3. Select Next and Submit.

After disabling, it can take up to 24 hours for the insights to stop appearing on the Overview page.

Viewing DLP policies in simulation mode

  1. Open the Data loss prevention page in the Microsoft Purview compliance portal.
  2. Select the Policies page in the left navigation pane.
  3. Select a policy with a status of In simulation or In simulation with notifications to open the fly out.
  4. Select View simulation to see the Simulation overview, Items for review, and Alerts tabs.

Note

  • Existing policies that are running in test mode automatically show up as running in simulation mode, and you can view the last 30 days of data. You can restart the simulation as needed.
  • Simulation results present only the first 100 matched items for review for SharePoint and OneDrive for Business sites. This may differ from the total number of matched items.
  • Simulation events will show up in activity explorer. You can filter on mode, which has simulate and enforce values.
