Use sensitivity labels as conditions in DLP policies

You can use sensitivity labels as a condition in DLP policies for these locations:

  • Exchange email messages
  • SharePoint
  • OneDrive
  • Devices

Sensitivity labels appear as an option in the Content contains list.

Important

The sensitivity label condition isn't available if you have selected Teams chat and channel messages as a location for the DLP policy.

Supported items, file types, scenarios, and policy tips

You can use sensitivity labels as conditions on these items and in the scenarios that follow.

Supported items

| Service | Item type | Available to policy tip | Enforceable |
|---|---|---|---|
| Exchange | email message | yes | yes |
| Exchange | email attachment | yes | yes |
| SharePoint | items in SharePoint | yes | yes |
| OneDrive | items | yes | yes |
| Teams | Teams and channel messages | not applicable | not applicable |
| Teams | attachments | yes ** | yes ** |
| Devices | items | yes | yes |
| MCAS (preview) | items | yes | yes |

** Attachments sent in Teams over 1:1 chat or channels are automatically uploaded to OneDrive and SharePoint. So if SharePoint or OneDrive are included as locations in your DLP policy, then labeled attachments sent in Teams are automatically included in the scope of this condition. Teams as a location doesn't need to be selected in the DLP policy.

Note

DLP's ability to detect sensitivity labels in SharePoint and OneDrive is limited. For more information, see Enable sensitivity labels for files in SharePoint and OneDrive.

Supported file types

| Workload | File types supported |
|---|---|
| Exchange emails | Office files (DOCX, XLSX, PPTX), PDF, PFILE (files that are labeled with protection using MIP SDK) |
| SharePoint | Office files (DOCX, XLSX, PPTX), PDF |
| OneDrive | Office files (DOCX, XLSX, PPTX), PDF |
| endpoint devices | Office files (DOCX, XLSX, PPTX), PDF |

Supported scenarios

  • A DLP admin can see a list of all sensitivity labels in the tenant when they choose to include one or more sensitivity labels as a condition.

  • Using sensitivity labels as a condition is supported across all workloads, as indicated in the support matrix above.

  • DLP policy tips continue to be shown across workloads for DLP policies that contain one or more sensitivity labels as a condition.

  • Sensitivity labels appear as a part of the incident report email if a DLP policy with one or more sensitivity labels as a condition is matched.

  • Sensitivity label details are shown in the DLP rule match audit log for DLP policy matches that contain a sensitivity label as a condition.

Support policy tips

| Workload | Policy tips supported/not supported |
|---|---|
| OWA | supported |
| Outlook for Windows | supported |
| SharePoint | supported |
| OneDrive | supported |
| endpoint devices | not supported |