Data loss prevention Exchange conditions and actions reference
Conditions in Microsoft Purview Data Loss Prevention (DLP) policies identify the sensitive items that the policy applies to. Actions define what happens when a condition or exception is met.
- Conditions define what to include.
- Exceptions define what to exclude, even if a condition matches.
- Actions define what happens as a consequence of a condition being met.
Most conditions have one property that supports one or more values. For example, if the DLP policy is applied to Exchange email, the Sender is condition requires the sender of the message. Some conditions have two properties. For example, the Header contains words or phrases condition requires one property to specify the message header field, and a second property to specify the text to look for in that header field. Some conditions and exceptions don't have any properties. For example, the Attachment is password protected condition simply looks for attachments that are password protected.
Actions typically require additional properties. For example, when a DLP policy rule redirects a message, you need to specify where the message is redirected to.
Exchange conditions for DLP policies
The tables in the following sections describe the conditions and exceptions that are available in DLP.
Senders
If you use the sender address in a condition or exception, the field that's actually examined depends on the configured sender address location. By default, DLP rules use the Header address as the sender address.
At the tenant level, you can configure a sender address location that applies to all rules unless an individual rule overrides it. To configure the tenant-level DLP policy setting so that all rules evaluate the sender address from the Envelope, run the following command:
Set-PolicyConfig -SenderAddressLocation Envelope
To configure the sender address location for an individual DLP rule, use the SenderAddressLocation parameter. The available values are:
- Header: Only examine senders in the message headers (for example, the From, Sender, or Reply-To fields). This is the default value.
- Envelope: Only examine senders from the message envelope (the MAIL FROM value that was used in the SMTP transmission, which is typically stored in the Return-Path field).
- HeaderOrEnvelope: Examine senders in both the message header and the message envelope. The rule matches if either location matches.
The header fields are supplied by the sending client and can differ from the envelope sender, so a condition or exception keyed on the Header address matches whatever the sender placed in those fields. Keep that in mind when a sender-based exception lets otherwise-blocked content out of the organization.
Condition or Exception in DLP | Condition/Exception parameters in Security & Compliance PowerShell | Property type | Description |
---|---|---|---|
Sender is | Condition: From; Exception: ExceptIfFrom | Addresses | Messages sent by the specified mailboxes, mail users, mail contacts, or Microsoft 365 groups in the organization. |
The sender is a member of | Condition: FromMemberOf; Exception: ExceptIfFromMemberOf | Addresses | Messages sent by a member of the specified distribution group, mail-enabled security group, or Microsoft 365 group. |
Sender IP address is | Condition: SenderIPRanges; Exception: ExceptIfSenderIPRanges | IPAddressRanges | Messages where the sender's IP address matches the specified IP address, or falls within the specified IP address range. |
Sender address contains words | Condition: FromAddressContainsWords; Exception: ExceptIfFromAddressContainsWords | Words | Messages that contain the specified words in the sender's email address. |
Sender address matches patterns | Condition: FromAddressMatchesPatterns; Exception: ExceptIfFromAddressMatchesPatterns | Patterns | Messages where the sender's email address contains text patterns that match the specified regular expressions. |
Sender domain is | Condition: SenderDomainIs; Exception: ExceptIfSenderDomainIs | DomainName | Messages where the domain of the sender's email address matches the specified value. To match sender domains that contain the specified domain (for example, any subdomain of it), use the Sender address matches patterns (FromAddressMatchesPatterns) condition instead and specify the domain with the syntax '\.domain\.com$'. |
Sender scope | Condition: FromScope; Exception: ExceptIfFromScope | UserScopeFrom | Messages sent by either internal or external senders. |
The sender's specified properties include any of these words | Condition: SenderADAttributeContainsWords; Exception: ExceptIfSenderADAttributeContainsWords | First property: ADAttribute; Second property: Words | Messages where the specified Microsoft Entra ID attribute of the sender contains any of the specified words. |
The sender's specified properties match these text patterns | Condition: SenderADAttributeMatchesPatterns; Exception: ExceptIfSenderADAttributeMatchesPatterns | First property: ADAttribute; Second property: Patterns | Messages where the specified Microsoft Entra ID attribute of the sender contains text patterns that match the specified regular expressions. |
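The following Security & Compliance PowerShell session is an added example, not part of the original article or of Microsoft's reference. It ties the sender address location section to the Senders table: it sets the tenant default to Envelope, then creates one rule that uses SenderDomainIs (exact domain) with a per-rule HeaderOrEnvelope override, and a second rule that uses the subdomain regex the table recommends and inherits the tenant default. It assumes an existing Connect-IPPSSession session with a role that can manage DLP; the policy and rule names, the domain contoso.com and the notification target are illustrative, and the property names in the final Format-Table are assumed to mirror the parameter names.

```powershell
# Added example, not from the original article. Assumes you are already
# connected with Connect-IPPSSession. Policy/rule names and contoso.com are
# illustrative.

# 1. Tenant default: evaluate the sender from the SMTP envelope (MAIL FROM,
#    usually surfaced as Return-Path) rather than the header From/Sender/Reply-To.
Set-PolicyConfig -SenderAddressLocation Envelope

# 2. A policy in test mode, so matches are logged but nothing is blocked yet.
$policyName = "Exchange PII - sender scoping"
New-DlpCompliancePolicy -Name $policyName -ExchangeLocation All -Mode TestWithNotifications

# Built-in sensitive information type; at least one SSN must be detected.
$ssn = @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" }

# 3. Exact-domain rule. SenderDomainIs matches contoso.com only, not
#    mail.contoso.com. The per-rule SenderAddressLocation overrides the tenant
#    default; HeaderOrEnvelope fires if EITHER location matches, which widens
#    the match (the permissive direction if you use it on an exception).
$exact = @{
    Name                                = "SSN from contoso.com (exact domain)"
    Policy                              = $policyName
    SenderDomainIs                      = "contoso.com"
    SenderAddressLocation               = "HeaderOrEnvelope"
    ContentContainsSensitiveInformation = $ssn
    BlockAccess                         = $true
    NotifyUser                          = "Owner"
}
New-DlpComplianceRule @exact

# 4. Subdomain rule, using the regex form from the table. '\.contoso\.com$'
#    matches user@mail.contoso.com and user@hr.mail.contoso.com but NOT
#    user@contoso.com (no dot before "contoso"), so pair it with rule 3 if you
#    want both. No SenderAddressLocation here, so it inherits the tenant
#    default set in step 1 (Envelope).
$subdomains = @{
    Name                                = "SSN from any contoso.com subdomain"
    Policy                              = $policyName
    FromAddressMatchesPatterns          = '\.contoso\.com$'
    ContentContainsSensitiveInformation = $ssn
    BlockAccess                         = $true
    NotifyUser                          = "Owner"
}
New-DlpComplianceRule @subdomains

# 5. Confirm which sender location each rule evaluates (property names are
#    assumed to mirror the parameter names).
Get-DlpComplianceRule -Policy $policyName |
    Format-Table Name, SenderAddressLocation, SenderDomainIs, FromAddressMatchesPatterns -AutoSize
```

Run it against a test tenant first; the policy is created in TestWithNotifications mode so you can inspect matches in the DLP reports before switching it to Enable with Set-DlpCompliancePolicy.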
Recipients
When an email is sent to multiple recipients and the DLP policy rules allow delivery to only some of those recipients, the email might be bifurcated: it's split into separate copies so that the rule's action applies only to the copy addressed to the recipients that matched. For example, say that your DLP policy rules allow emails to be sent to email addresses within your organization but block emails from being sent to external email addresses. A message addressed to both internal and external recipients is then delivered internally while the external copy is blocked.
Several conditions cause bifurcation, that is, they allow an email to be sent to some recipients but not to others; the Bifurcating? column in the following table identifies them. For more information about how bifurcation works, see the article on Bifurcation.
Condition or Exception in DLP | Condition/Exception parameters in Security & Compliance PowerShell | Property type | Description | Bifurcating? |
---|---|---|---|---|
Recipient is | Condition: SentTo; Exception: ExceptIfSentTo | Addresses | Messages where one of the recipients is the specified mailbox, mail user, or mail contact in the organization. The recipients can be in the To, Cc, or Bcc fields of the message. | Yes |
Recipient domain is | Condition: RecipientDomainIs; Exception: ExceptIfRecipientDomainIs | DomainName | Messages where the domain of the recipient's email address matches the specified value. | Yes |
Recipient address contains words | Condition: AnyOfRecipientAddressContainsWords; Exception: ExceptIfAnyOfRecipientAddressContainsWords | Words | Messages that contain the specified words in the recipient's email address. Note: This condition doesn't consider messages that are sent to recipient proxy addresses. It only matches messages that are sent to the recipient's primary email address. | No |
Recipient address matches patterns | Condition: AnyOfRecipientAddressMatchesPatterns; Exception: ExceptIfAnyOfRecipientAddressMatchesPatterns | Patterns | Messages where a recipient's email address contains text patterns that match the specified regular expressions. Note: This condition doesn't consider messages that are sent to recipient proxy addresses. It only matches messages that are sent to the recipient's primary email address. | No |
Sent to member of | Condition: SentToMemberOf; Exception: ExceptIfSentToMemberOf | Addresses | Messages that contain recipients who are members of the specified distribution group, mail-enabled security group, or Microsoft 365 group. The group can be in the To, Cc, or Bcc fields of the message. | Yes |
The recipient's specified properties include any of these words | Condition: RecipientADAttributeContainsWords; Exception: ExceptIfRecipientADAttributeContainsWords | First property: ADAttribute; Second property: Words | Messages where the specified Microsoft Entra ID attribute of a recipient contains any of the specified words. Note: The Country attribute requires the two-letter country code value (for example, DE for Germany). | Yes |
The recipient's specified properties match these text patterns | Condition: RecipientADAttributeMatchesPatterns; Exception: ExceptIfRecipientADAttributeMatchesPatterns | First property: ADAttribute; Second property: Patterns | Messages where the specified Microsoft Entra ID attribute of a recipient contains text patterns that match the specified regular expressions. | Yes |
Recipient scope/Content is shared with | Condition: AccessScope; Exception: ExceptIfAccessScope | UserScopeFrom | Messages that are received by either internal or external recipients. | Yes |
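As an added example (not from the original article), the session below builds three recipient-scoped rules that exercise the behaviours the table describes: a bifurcating block on external recipients with a partner-domain exception, a non-bifurcating address-word condition that sees only primary addresses, and an Entra ID attribute condition that needs the two-letter country code. It assumes an existing Connect-IPPSSession session; the policy and rule names, partner.example, the X-Contoso header name and the shared-mailbox naming convention are illustrative.

```powershell
# Added example, not from the original article. Assumes an existing
# Connect-IPPSSession session. Names, partner.example and the header are
# illustrative.

$policyName = "Exchange PII - recipient scoping"
New-DlpCompliancePolicy -Name $policyName -ExchangeLocation All -Mode TestWithNotifications

$ssn = @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" }

# Rule 1: block SSNs to anyone outside the organization, except a contracted
# partner domain. AccessScope and RecipientDomainIs both bifurcate, so a
# message to alice@contoso.com, bob@partner.example and carol@example.net is
# split: the copies to Alice (internal) and Bob (excepted domain) are
# delivered and only Carol's copy is blocked.
$external = @{
    Name                                = "Block SSN to external recipients"
    Policy                              = $policyName
    ContentContainsSensitiveInformation = $ssn
    AccessScope                         = "NotInOrganization"
    ExceptIfRecipientDomainIs           = "partner.example"
    BlockAccess                         = $true
    NotifyUser                          = "Owner"
    NotifyPolicyTipCustomText           = "This message contains SSNs and can't be sent outside the organization."
}
New-DlpComplianceRule @external

# Rule 2: a NON-bifurcating recipient condition. AnyOfRecipientAddressContainsWords
# doesn't split the message: when any recipient matches, the action applies to
# the whole message for every recipient. It also checks only primary SMTP
# addresses, so a shared mailbox addressed by a proxy alias is not caught.
# Because the whole message is affected, this rule only tags and reports.
$shared = @{
    Name                                = "Flag SSN sent to shared mailboxes"
    Policy                              = $policyName
    ContentContainsSensitiveInformation = $ssn
    AnyOfRecipientAddressContainsWords  = "shared", "team"
    SetHeader                           = "X-Contoso-DLP:ssn-to-shared-mailbox"
    GenerateIncidentReport              = "SiteAdmin"
    IncidentReportContent               = "All"
}
New-DlpComplianceRule @shared

# Rule 3: recipient attribute condition. The hashtable key is the Entra ID
# attribute; Country must be the two-letter code ("DE"), not "Germany".
$germany = @{
    Name                                = "Tag SSN to recipients located in DE"
    Policy                              = $policyName
    ContentContainsSensitiveInformation = $ssn
    AccessScope                         = "InOrganization"
    RecipientADAttributeContainsWords   = @{ Country = "DE" }
    PrependSubject                      = "DE data handling: "
}
New-DlpComplianceRule @germany

Get-DlpComplianceRule -Policy $policyName | Format-Table Name, AccessScope, ExceptIfRecipientDomainIs -AutoSize
```

Rule 2 is deliberately the one that tags rather than blocks: a non-bifurcating condition with a blocking action would block the internal recipients' copies too whenever one shared mailbox was on the To line.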
Message subject or body
Condition or Exception in DLP | Condition/Exception parameters in Security & Compliance PowerShell | Property type | Description |
---|---|---|---|
Subject contains words or phrases | Condition: SubjectContainsWords; Exception: ExceptIfSubjectContainsWords | Words | Messages that have the specified words in the Subject field. |
Subject matches patterns | Condition: SubjectMatchesPatterns; Exception: ExceptIfSubjectMatchesPatterns | Patterns | Messages where the Subject field contains text patterns that match the specified regular expressions. |
Content contains | Condition: ContentContainsSensitiveInformation; Exception: ExceptIfContentContainsSensitiveInformation | SensitiveInformationTypes | Messages or documents that contain sensitive information as defined by Microsoft Purview Data Loss Prevention (DLP) policies. |
Content is not labeled | Condition: ContentIsNotLabeled; Exception: ExceptIfContentIsNotLabeled | Sensitivity Labels | Messages where neither the email nor the attached documents carry any sensitivity label as defined by Microsoft Purview Data Loss Prevention (DLP) policies. |
Subject or Body matches pattern | Condition: SubjectOrBodyMatchesPatterns; Exception: ExceptIfSubjectOrBodyMatchesPatterns | Patterns | Messages where the Subject field or message body contains text patterns that match the specified regular expressions. |
Subject or Body contains words | Condition: SubjectOrBodyContainsWords; Exception: ExceptIfSubjectOrBodyContainsWords | Words | Messages that have the specified words in the Subject field or message body. |
Attachments
Condition or Exception in DLP | Condition/Exception parameters in Security & Compliance PowerShell | Property type | Description |
---|---|---|---|
Attachment is password protected | Condition: DocumentIsPasswordProtected; Exception: ExceptIfDocumentIsPasswordProtected | None | Messages where an attachment is password protected (and therefore can't be scanned). Password detection works for Office documents, compressed files (.zip, .7z), and .pdf files. |
Attachment's file extension is | Condition: ContentExtensionMatchesWords; Exception: ExceptIfContentExtensionMatchesWords | Words | Messages where an attachment's file extension matches any of the specified words. |
Any email attachment's content could not be scanned | Condition: DocumentIsUnsupported; Exception: ExceptIfDocumentIsUnsupported | N/A | Messages where an attachment isn't natively recognized by Exchange Online. |
Any email attachment's content didn't complete scanning | Condition: ProcessingLimitExceeded; Exception: ExceptIfProcessingLimitExceeded | N/A | Messages where the rules engine couldn't complete the scanning of the attachments. You can use this condition to create rules that work together to identify and process messages where the content couldn't be fully scanned. |
Document name contains words | Condition: DocumentNameMatchesWords; Exception: ExceptIfDocumentNameMatchesWords | Words | Messages where an attachment's file name matches any of the specified words. A word is delimited by the start of the name, any non-alphanumeric character, or the end of the name. |
Document name matches patterns | Condition: DocumentNameMatchesPatterns; Exception: ExceptIfDocumentNameMatchesPatterns | Patterns | Messages where an attachment's file name contains text patterns that match the specified regular expressions. This condition has been discontinued for SharePoint and OneDrive workloads: existing rules can't be modified and new rules can't be created, but existing customers can continue to use it. |
Document property is | Condition: ContentPropertyContainsWords; Exception: ExceptIfContentPropertyContainsWords | Words | Messages with documents where an attachment's custom property matches the given value. |
Document size equals or is greater than | Condition: DocumentSizeOver; Exception: ExceptIfDocumentSizeOver | Size | Messages where any attachment is greater than or equal to the specified size. |
Any attachment's content includes any of these words | Condition: DocumentContainsWords; Exception: ExceptIfDocumentContainsWords | Words | Messages where an attachment contains the specified words. |
Any attachment's content matches these text patterns | Condition: DocumentMatchesPatterns; Exception: ExceptIfDocumentMatchesPatterns | Patterns | Messages where an attachment contains text patterns that match the specified regular expressions. |
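The three "couldn't be scanned" conditions in the table (password protected, unsupported format, processing limit exceeded) are the ones a content-inspection rule silently misses: an SSN inside an encrypted .zip never reaches the sensitive information type match. The session below is an added example, not from the original article, showing one way to fail closed on those attachments for outbound mail. It assumes an existing Connect-IPPSSession session; the policy and rule names, the review mailbox dlp-review@contoso.com and the X-Contoso-DLP-Hold header are illustrative.

```powershell
# Added example, not from the original article. Assumes an existing
# Connect-IPPSSession session; names, the review mailbox and the header are
# illustrative.

$policyName = "Exchange - unscannable outbound attachments"
New-DlpCompliancePolicy -Name $policyName -ExchangeLocation All -Mode TestWithNotifications

# Conditions inside one rule are ANDed. A single rule carrying all three
# conditions would fire only for an attachment that is password protected AND
# unsupported AND over the processing limit, which is never what you want.
# Each failure mode therefore gets its own rule with the same action.
$unscannable = [ordered]@{
    "password-protected"  = @{ DocumentIsPasswordProtected = $true }
    "unsupported-format"  = @{ DocumentIsUnsupported       = $true }
    "scan-limit-exceeded" = @{ ProcessingLimitExceeded     = $true }
}

foreach ($entry in $unscannable.GetEnumerator()) {
    $reason    = $entry.Key
    $condition = $entry.Value
    $common = @{
        Name                   = "Hold outbound attachment - $reason"
        Policy                 = $policyName
        # Only mail leaving the organization. AccessScope bifurcates, so the
        # internal recipients' copy of a mixed message is still delivered.
        AccessScope            = "NotInOrganization"
        # Fail closed: the external copy goes to a review mailbox instead of
        # the original recipients, who receive no notification.
        RedirectMessageTo      = "dlp-review@contoso.com"
        # Tell the reviewer why the message was held ("HeaderName:HeaderValue").
        SetHeader              = "X-Contoso-DLP-Hold:$reason"
        GenerateIncidentReport = "SiteAdmin"
        IncidentReportContent  = "All"
    }
    # Splat the shared action parameters and the single condition together.
    New-DlpComplianceRule @common @condition
}

# Confirm that each rule carries exactly one of the three conditions.
Get-DlpComplianceRule -Policy $policyName |
    Format-Table Name, DocumentIsPasswordProtected, DocumentIsUnsupported, ProcessingLimitExceeded, RedirectMessageTo -AutoSize
```

Leave the policy in TestWithNotifications mode until the incident reports show an acceptable volume of legitimate encrypted archives being held, then switch it with Set-DlpCompliancePolicy -Identity $policyName -Mode Enable.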
Message Headers
Condition or Exception in DLP | Condition/Exception parameters in Security & Compliance PowerShell | Property type | Description |
---|---|---|---|
Header contains words or phrases | Condition: HeaderContainsWords; Exception: ExceptIfHeaderContainsWords | Hash Table | Messages that contain the specified header field, and the value of that header field contains the specified words. |
Header matches patterns | Condition: HeaderMatchesPatterns; Exception: ExceptIfHeaderMatchesPatterns | Hash Table | Messages that contain the specified header field, and the value of that header field matches the specified regular expressions. |
Message properties
Condition or Exception in DLP | Condition/Exception parameters in Security & Compliance PowerShell | Property type | Description |
---|---|---|---|
With importance | Condition: WithImportance; Exception: ExceptIfWithImportance | Importance | Messages that are marked with the specified importance level. |
Content character set contains words | Condition: ContentCharacterSetContainsWords; Exception: ExceptIfContentCharacterSetContainsWords | CharacterSets | Messages that have any of the specified character set names. |
Has sender override | Condition: HasSenderOverride; Exception: ExceptIfHasSenderOverride | N/A | Messages where the sender has chosen to override a data loss prevention (DLP) policy. For more information, see Learn about data loss prevention. |
Message type matches | Condition: MessageTypeMatches; Exception: ExceptIfMessageTypeMatches | MessageType | Messages of the specified type. Note: The available message types are Automatic reply, Auto-forward, Encrypted (S/MIME), Calendaring, Permission controlled (rights management), Voicemail, Signed, Read receipt, and Approval request. |
The message size is greater than or equal to | Condition: MessageSizeOver; Exception: ExceptIfMessageSizeOver | Size | Messages where the total size (message plus attachments) is greater than or equal to the specified value. Note: Message size limits on mailboxes are evaluated before mail flow rules. A message that's too large for a mailbox is rejected before a rule with this condition is able to act on it. |
Actions for DLP policies
This table describes the actions that are available in DLP.
Action in DLP | Action parameters in Security & Compliance PowerShell | Property type | Description |
---|---|---|---|
Restrict access or encrypt content in Microsoft 365 locations | BlockAccess | First property: Boolean; Second property: BlockAccessScope | Blocks access to the content, or encrypts it, for the specified users. |
Set header | SetHeader | First property: Header Name; Second property: Header Value | Adds or modifies a header field and value in the message header. This parameter uses the syntax "HeaderName:HeaderValue". You can specify multiple header name and value pairs separated by commas. |
Remove header | RemoveHeader | First property: MessageHeaderField; Second property: String | Removes a header field from the message header. This parameter uses the syntax "HeaderName" or "HeaderName:HeaderValue". You can specify multiple header names or header name and value pairs separated by commas. |
Redirect the message to specific users | RedirectMessageTo | Addresses | Redirects the message to the specified recipients. The message isn't delivered to the original recipients, and no notification is sent to the sender or the original recipients. |
Forward the message for approval to sender's manager | Moderate | First property: ModerateMessageByManager; Second property: Boolean $true | Sends the email message to a moderator (the sender's manager or specified approvers). To forward the message to the sender's manager for approval, use this syntax: @{ModerateMessageByManager = $true} |
Forward the message for approval to specific approvers | Moderate | First property: ModerateMessageByManager; Second property: Boolean $false; Third property: ModerateMessageByUser; Fourth property: Addresses | Sends the email message to a moderator (the sender's manager or specified approvers). To forward the message to specified recipients for approval, use this syntax: @{ModerateMessageByManager = $false; ModerateMessageByUser = @("emailaddress1","emailaddress2",..."emailaddressN")} |
Add recipient | AddRecipients | First property: Field; Second property: Addresses | Adds one or more recipients to the To, Cc, or Bcc field of the message. This parameter uses the syntax: @{\<AddToRecipients \| CopyTo \| BlindCopyTo\> = "emailaddress"} |
Add the sender's manager as recipient | AddRecipients | First property: AddedManagerAction; Second property: Field | Adds the sender's manager to the message as the specified recipient type (To, Cc, Bcc), or redirects the message to the sender's manager without notifying the sender or the recipient. This action only works if the sender's Manager attribute is defined in Microsoft Entra ID. This parameter uses the syntax: @{AddManagerAsRecipientType = "\<To \| Cc \| Bcc\>"} |
Prepend subject | PrependSubject | String | Adds the specified text to the beginning of the Subject field of the message. Consider using a space or a colon (:) as the last character of the specified text to differentiate it from the original subject text. To prevent the same string from being added to messages that already contain the text in the subject (for example, replies), add the Subject contains words or phrases (ExceptIfSubjectContainsWords) exception to the rule. |
Apply HTML disclaimer | ApplyHtmlDisclaimer | First property: Text; Second property: Location; Third property: Fallback action | Applies the specified HTML disclaimer at the specified location in the message. This parameter uses the syntax: @{Text = "\<disclaimer HTML\>"; Location = \<Append \| Prepend\>; FallbackAction = \<Wrap \| Ignore \| Reject\>} |
Remove message encryption and rights protection | RemoveRMSTemplate | N/A | Removes the message encryption applied to an email. |
Apply Branding to encrypted messages | ApplyBrandingTemplate | String | Applies a custom branding template to messages encrypted by Microsoft Purview Message Encryption. You identify the custom branding template by name. If the name contains spaces, enclose the name in quotation marks ("). |
Make external recipients open mail in encrypted message portal | EnforcePortalAccess | Boolean | Controls whether external users are required to use the encrypted message portal to view encrypted messages. |
Deliver the message to the hosted quarantine | Quarantine | n/a | Delivers the message to the quarantine in Exchange Online Protection (EOP). For more information, see Quarantined email messages in EOP. |
Modify Subject | ModifySubject | PswsHashTable | Removes text from the subject line that matches a specified pattern and replaces it with different text. You can: replace all matches in the subject with the replacement text; append, which removes all matches and inserts the replacement text at the end of the subject; or prepend, which removes all matches and inserts the replacement text at the beginning of the subject. For more information, see the ModifySubject parameter description in the New-DlpComplianceRule reference article. |
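The session below is an added example, not from the original article, that combines several actions from the table with the header conditions from the Message Headers section: manager moderation with the PrependSubject/ExceptIfSubjectContainsWords pairing the table recommends, an HTML disclaimer, a ModifySubject rewrite, and AddRecipients with the sender's manager. It assumes an existing Connect-IPPSSession session. The policy and rule names, the disclaimer text and the X-Contoso-Card-Exempt header (assumed to be stamped by some upstream gateway) are illustrative, and the ModifySubject hashtable keys follow the syntax in the New-DlpComplianceRule reference as I recall it; check them against that article before relying on them.

```powershell
# Added example, not from the original article. Assumes an existing
# Connect-IPPSSession session. Names, header and disclaimer text are
# illustrative; verify the ModifySubject keys against the cmdlet reference.

$policyName = "Exchange card data - actions"
New-DlpCompliancePolicy -Name $policyName -ExchangeLocation All -Mode TestWithNotifications

$card = @{ Name = "Credit Card Number"; minCount = "1" }

# Rule 1: card numbers to external recipients go to the sender's manager for
# approval; the subject is tagged and an HTML disclaimer appended.
# - ExceptIfSubjectContainsWords stops the tag being prepended again on
#   replies (the exception the PrependSubject description calls for).
# - ExceptIfHeaderContainsWords shows the HeaderContainsWords hashtable form
#   (@{"HeaderName" = "Word1","Word2"}). An exception keyed on a header is only
#   as trustworthy as the component that sets that header.
# - Moderate needs the sender's Manager attribute populated in Entra ID.
$approval = @{
    Name                                = "Card data to external - manager approval"
    Policy                              = $policyName
    ContentContainsSensitiveInformation = $card
    AccessScope                         = "NotInOrganization"
    ExceptIfSubjectContainsWords        = "Card data review"
    ExceptIfHeaderContainsWords         = @{ "X-Contoso-Card-Exempt" = "true" }
    Moderate                            = @{ ModerateMessageByManager = $true }
    PrependSubject                      = "Card data review: "
    ApplyHtmlDisclaimer                 = @{
        Text           = "<p>This message was routed for approval under the card data handling policy.</p>"
        Location       = "Append"
        FallbackAction = "Wrap"
    }
}
New-DlpComplianceRule @approval

# Rule 2: card-data mail whose subject starts with an internal marker but is
# still leaving the organization. The marker is rewritten (not just prepended),
# the sender's manager is Bcc'd via AddManagerAsRecipientType, and an incident
# report goes to the site admin.
$rewrite = @{
    Name                                = "Card data - rewrite internal marker and Bcc manager"
    Policy                              = $policyName
    ContentContainsSensitiveInformation = $card
    AccessScope                         = "NotInOrganization"
    SubjectMatchesPatterns              = '^\[INTERNAL\]'
    ModifySubject                       = @{
        Patterns        = '\[INTERNAL\]'
        ReplaceStrategy = "Replace"
        SubjectText     = "[EXTERNAL COPY]"
    }
    AddRecipients                       = @{ AddManagerAsRecipientType = "Bcc" }
    GenerateIncidentReport              = "SiteAdmin"
    IncidentReportContent               = "All"
}
New-DlpComplianceRule @rewrite

Get-DlpComplianceRule -Policy $policyName | Format-List Name, Moderate, PrependSubject, ModifySubject, AddRecipients
```

Both rules can match the same message; they are independent demonstrations rather than a tuned rule set, so test them separately before combining them in production.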