How DLP works between the Compliance portal and Exchange admin center
In Microsoft Purview, you can create a data loss prevention (DLP) policy in two different admin centers:
In the Microsoft Purview compliance portal, you can create a single DLP policy to help protect content in SharePoint, OneDrive, Exchange, Teams, and now Endpoint Devices. We recommend that you create a DLP policy here. For more information, see Create and Deploy data loss prevention policies.
In the Exchange admin center, you can create a DLP policy to help protect content only in Exchange. This policy can use Exchange mail flow rules (also known as transport rules), so it has more options specific to handling email. For more information, see DLP in the Exchange admin center.
DLP policies created in these admin centers work side by side - this article explains how.
If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.
How DLP in the Compliance portal works with DLP and mail flow rules in the Exchange admin center
After you create a DLP policy in the Compliance portal, the policy is deployed to all of the locations included in the policy. If the policy includes Exchange, the policy is synced there and enforced in exactly the same way as a DLP policy created in the Exchange admin center.
If you've created DLP policies in the Exchange admin center, those policies will continue to work side by side with any policies for email that you create in the compliance portal. However, rules created in the Exchange admin center take precedence. All Exchange mail flow rules are processed first, and then the DLP rules from the compliance portal are processed.
- Messages that are blocked by Exchange mail flow rules won't get scanned by DLP rules created in the compliance portal
- Messages that are quarantined by Exchange mail flow rules or any other filters run before DLP won't be scanned by DLP
- If an Exchange mail flow rule modifies a message in a way that causes it to match a DLP policy in the compliance portal, such as adding external users, then the DLP rules will detect it and enforce the policy as needed.
Also note that Exchange mail flow rules that use the stop processing action don't affect the processing of DLP rules in the compliance portal - they'll still be processed.
Policy tips in the Compliance portal vs. the Exchange admin center
Policy tips can work either with DLP policies and mail flow rules created in the Exchange admin center or with DLP policies created in the compliance portal, but not both. The reason for this is that these policies are stored in different locations but policy tips can draw only from a single location.
If you've configured policy tips in the Exchange admin center, any policy tips that you configure in the compliance portal won't appear to users in Outlook on the web or Outlook 2013 and later until you turn off the tips in the Exchange admin center. This ensures that your current Exchange mail flow rules will continue to work until you choose to switch over to the compliance portal.
While policy tips can draw only from a single location, email notifications are always sent, even if you're using DLP policies in both the compliance portal and the Exchange admin center.