Configure policy tips for DLP policies
For each rule in a Microsoft Purview DLP policy, an organization can configure policy tips to:
- Notify the person that the content conflicts with a DLP policy, so they can take action to resolve the conflict. You can use the default text (see the following tables) or enter custom text about your organization's specific policies.
- Allow the person to override the DLP policy. You can optionally:
  - Require the person to enter a business justification for overriding the policy. The system logs this information, and you can view it in the DLP reports in the Reports section of the portal.
  - Allow the person to report a false positive and override the DLP policy. The system also logs this information for reporting. You can use false positives to fine-tune your rules.
For example, an organization might have a DLP policy applied to OneDrive for Business sites. The policy detects personal customer content. This policy has the following rules:
- Rule 1. If the system detected fewer than five instances of this sensitive information in a document, and a user shared the document with people inside the organization:
  - The Send a notification action displays a policy tip. No override options are necessary because this rule just notifies people and doesn't block access.
- Rule 2. If the system detected more than five instances of this sensitive information in a document, and a user shared the document with people inside the organization:
  - The Block access to content action restricts the permissions for the file.
  - The Send a notification action allows people to override the actions in this rule by providing a business justification. Your organization's business sometimes requires internal people to share personal information, and you don't want your DLP policy to block this work.
- Rule 3. If the system detected more than five instances of this sensitive information in a document, and a user shared the document with people outside the organization:
  - The Block access to content action restricts the permissions for the file.
  - The Send a notification action doesn't allow people to override the actions in this rule because the user shared the information externally. The system shouldn't allow anyone in the organization, under any circumstances, to share personal data outside the organization.
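The three-rule policy described above, written as Security & Compliance PowerShell. This is an added example, not configuration from the page or from Microsoft's documentation; it assumes the ExchangeOnlineManagement module is installed, uses the built-in sensitive information type name "Credit Card Number" as a stand-in for the page's "personal customer content", and the policy and rule names are constructed.

```powershell
# Added example: the page's three-rule OneDrive policy built with New-DlpCompliancePolicy
# and New-DlpComplianceRule. Assumes the ExchangeOnlineManagement module; run as a
# compliance administrator.
Connect-IPPSSession

$policyName = 'Personal customer content - OneDrive'   # constructed name
$sit        = 'Credit Card Number'                      # stand-in for the page's "personal customer content"

# Policy scoped to every OneDrive for Business site, enforcing (not test) mode.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Detects personal customer content shared from OneDrive for Business' `
    -OneDriveLocation All `
    -Mode Enable

# Rule 1: fewer than five instances, shared inside the organization -> notify only.
# No BlockAccess and no NotifyAllowOverride: a notification-only tip has nothing to override.
New-DlpComplianceRule -Name 'Rule 1 - internal, fewer than five' -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = $sit; minCount = 1; maxCount = 4 } `
    -AccessScope InOrganization `
    -NotifyUser LastModifier, Owner `
    -Priority 2

# Rule 2: more than five instances, shared internally -> block, but let the user override
# with a business justification. BlockAccess and BlockAccessScope are required for the
# override option to actually appear in the policy tip.
New-DlpComplianceRule -Name 'Rule 2 - internal, more than five' -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = $sit; minCount = 6 } `
    -AccessScope InOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser LastModifier, Owner `
    -NotifyAllowOverride WithJustification `
    -Priority 1

# Rule 3: more than five instances, shared externally -> block with no override.
# Priority 0 is the highest, so when content matches Rule 2 and Rule 3 the user sees
# only this rule's (most restrictive) policy tip.
New-DlpComplianceRule -Name 'Rule 3 - external, more than five' -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = $sit; minCount = 6 } `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser LastModifier, Owner `
    -Priority 0
```

The minCount/maxCount values translate the page's "fewer than five" and "more than five" literally (at most four, at least six); adjust them if your policy should treat exactly five matches as one case or the other.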
User Override support
The following list identifies important considerations to keep in mind when using a policy tip to override a rule:
- The option to override is per rule. It overrides all the actions in the rule, with one exception: you can't override the Send a notification action.
- It's possible for content to match several rules in a DLP policy. However, the system only displays the policy tip from the most restrictive, highest-priority rule. For example, the system displays a policy tip from a rule that blocks access to content over a policy tip from a rule that just sends a notification. This design prevents people from seeing a cascade of policy tips.
- If the policy tip in the most restrictive rule allows people to override the rule, then overriding this rule also overrides any other rules that the content matched.
If you set either the Without Justification option or the With Justification or False Positives option on the Notify + Allow Override action, ensure:
- You also set Block Access to true.
- The Block Access Scope has an appropriate value.
Otherwise, the system displays the policy tip, but the user doesn't see an option to override the email with justification.
Whether the Override option is available on a policy tip is dependent on the notification rule. The following table identifies the various rules that are available and whether each supports the ability to override the policy tip.
Notification Rule | Notify/Block action | Override available? | Require Justification? |
---|---|---|---|
Notify only | Notify | No | No |
Notify + Allow Override | Notify | No | No |
Notify + Allow Override + False positive | Notify | No | No |
Notify + Allow Override + With justification | Notify | No | No |
Notify + Allow Override + False positive + Without justification | Notify | No | No |
Notify + Allow Override + False positive + With justification | Notify | No | No |
Notify + Block | Block | No | No |
Notify + Block + Allow Override | Block | Yes | No |
Notify + Block + Allow Override + False positive | Block | Yes | No |
Notify + Block + Allow Override + With justification | Block | Yes | Yes |
Notify + Block + Allow Override + False positive + Without justification | Block | Yes | No |
Notify + Block + Allow Override + False positive + With justification | Block | Yes | Yes |
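An audit script for the caveat above (an override option set on a rule that doesn't also block access, so the tip shows but no override appears), as an added example that is not part of the page. It assumes the objects returned by Get-DlpComplianceRule expose BlockAccess, BlockAccessScope, NotifyAllowOverride, NotifyUser and ParentPolicyName properties mirroring the cmdlet parameters; verify the property names against `Get-DlpComplianceRule | Get-Member` in your tenant.

```powershell
# Added example: classify each existing DLP rule according to the table above and flag
# the two misconfigurations the page warns about. Assumes the ExchangeOnlineManagement
# module and the rule property names listed in the lead-in.
Connect-IPPSSession

function Get-PolicyTipOverrideState {
    param([Parameter(Mandatory)] $Rule)

    $notifies    = [bool]$Rule.NotifyUser
    $blocks      = [bool]$Rule.BlockAccess
    $override    = "$($Rule.NotifyAllowOverride)"          # may be empty or multi-valued
    $hasOverride = -not [string]::IsNullOrWhiteSpace($override)

    # Per the table: the override option is only offered when the rule both notifies and blocks.
    $overrideAvailable = $notifies -and $blocks -and $hasOverride
    # "WithJustification" does not match "WithoutJustification", so this isolates the
    # justification-required variants.
    $requiresJustification = $overrideAvailable -and ($override -match 'WithJustification')

    [pscustomobject]@{
        Policy                = $Rule.ParentPolicyName
        Rule                  = $Rule.Name
        Notifies              = $notifies
        Blocks                = $blocks
        OverrideConfigured    = $hasOverride
        OverrideAvailable     = $overrideAvailable
        RequiresJustification = $requiresJustification
        # Override configured but Block Access not set: tip appears, override button doesn't.
        OverrideWithoutBlock  = $hasOverride -and -not $blocks
        # Override and block set, but no Block Access Scope chosen.
        MissingBlockScope     = $hasOverride -and $blocks -and -not $Rule.BlockAccessScope
    }
}

$states = Get-DlpComplianceRule | ForEach-Object { Get-PolicyTipOverrideState -Rule $_ }

# Report only the rules that need attention.
$states | Where-Object { $_.OverrideWithoutBlock -or $_.MissingBlockScope } | Format-Table -AutoSize
```

Run it after any bulk policy import; a rule that lands in the OverrideWithoutBlock column behaves like the "Notify + Allow Override" rows of the table, not like the "Notify + Block + Allow Override" rows the author of the rule probably intended.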
Policy tips on OneDrive for Business sites and SharePoint Online sites
When a document on a OneDrive for Business site or SharePoint Online site matches a rule in a DLP policy, and that rule uses policy tips, the policy tips display special icons on the document:
- If the rule sends a notification about the file, the Warning icon appears.
- If the rule blocks access to the document, the Blocked icon appears.
To take action on a document, first select the item. Then select the Information icon in the upper-right corner of the page to open the details pane, and select the option to View the policy tip.
The policy tip lists the issues or problems with the content. If you configured a policy tip with these options, the user can select Resolve. The user can then select either Override the policy tip or Report a false positive.
The system syncs DLP policies to sites, and it periodically evaluates content against these policies asynchronously. As a result, a short delay might occur between the time you create a DLP policy, and the time the policy tips appear. There might be a similar delay from when you resolve or override a policy tip to when the icon disappears from the document on the site.
Default text for policy tips on sites
By default, policy tips display text similar to the following messages for an item on a site. You configure the notification text separately for each rule. As a result, the system displays text that differs depending on which rule matched.
If the DLP policy rule does this action: | Then the default policy tip displays this message: |
---|---|
Sends a notification but doesn't allow override. | This item conflicts with a policy in your organization. |
Blocks access, sends a notification, and allows override. | This item conflicts with a policy in your organization. If you don't resolve this conflict, the system might block access to this file. |
Blocks access and sends a notification. | This item conflicts with a policy in your organization. The system blocks access to this item for everyone except its owner, last modifier, and the primary site collection administrator. |
Custom text for policy tips on sites
An organization can customize the text for policy tips separately from the email notification. Unlike custom text for email notifications, custom text for policy tips doesn't accept HTML or tokens. Instead, custom text for policy tips is plain text only with a 256-character limit.
Policy tips in Outlook on the web and Outlook 2013 and later
When a user composes a new email in Outlook on the web or Outlook 2013 and later, the system displays a policy tip if:
- The user added content that matches a rule in a DLP policy.
- That rule uses policy tips.
The policy tip appears at the top of the message, above the recipients, while the user composes the message.
Policy tips work whether the sensitive information appears in the message body or subject line. They also work when the sensitive information appears in a message attachment, as shown in the following screenshot.
If you configure the policy tips to allow override, the user can select Show Details and then Override.
If you select the Override option in the policy tip, a dialog window appears. In this window, you can enter a business justification for overriding the policy tip, or you can report a false positive. Then select the Override button.
Note
When a user adds sensitive information to an email, there might be latency between when they added the sensitive information and when the policy tip appears. Policy tips don't appear when the following two conditions occur:
- Emails are encrypted with Microsoft Purview Message Encryption.
- The policy that detects them uses the detect encryption condition.
Default text for policy tips in email
By default, policy tips display text similar to the following messages for email.
If the DLP policy rule does this action: | Then the default policy tip displays this message: |
---|---|
Sends a notification but doesn't allow override. | Your email conflicts with a policy in your organization. |
Blocks access, sends a notification, and allows override. | Your email conflicts with a policy in your organization. |
Blocks access and sends a notification. | Your email conflicts with a policy in your organization. |
Policy tips in the Exchange admin center vs. the Microsoft Purview compliance portal
Policy tips can work with either of the following DLP policies, but not with both:
- DLP policies and mail flow rules created in the Exchange admin center
- DLP policies created in the Microsoft Purview compliance portal.
The reason for this condition is that the system can store DLP policies in different locations, but policy tips can only draw from a single location.
If you configured policy tips in the Exchange admin center for users in Outlook on the web and Outlook 2013 and later:
- The system doesn't display any policy tips that you configure in the Microsoft Purview compliance portal to those users.
- The system displays the policy tips configured in the Microsoft Purview compliance portal to those users if you turn off the tips in the Exchange admin center.
Note
This design ensures that your current Exchange mail flow rules continue to work until you choose to switch over to the Microsoft Purview compliance portal.
While policy tips can only draw from a single location, the system always sends email notifications. In fact, the system sends them even if you're using DLP policies in both the Microsoft Purview compliance portal and the Exchange admin center.
Policy tips in Excel, PowerPoint, and Word
When people work with sensitive content in the desktop versions of Excel, PowerPoint, and Word, policy tips can notify them in real time that the content conflicts with a DLP policy. This design requires that:
- The user who previously updated the Office document stored it on a OneDrive for Business site or SharePoint Online site.
- The DLP policy that experienced the content conflict includes the site.
- The user who created the DLP policy configured it to use policy tips.
Office desktop programs automatically sync DLP policies directly from Office 365. They then scan your documents to check whether the content conflicts with your DLP policies, and display policy tips in real time when it does.
Note
Office desktop apps scan documents themselves to determine if they should display DLP policy tips. They don't show policy tips that SharePoint Online sites or OneDrive for Business sites have already determined the system should show on a file. As a result, you may not always see a DLP policy tip in the desktop apps that you see in the SharePoint Online sites or OneDrive for Business sites. In contrast, the Office applications on the web only show DLP policy tips that SharePoint Online sites or OneDrive for Business sites have already determined the system should show.
Depending on how an organization configures the policy tips in the DLP policy, its users can choose to:
- Ignore the policy tip.
- Override the policy with or without a business justification.
- Report a false positive.
Policy tips appear on the Message Bar and in the Backstage view (on the File tab).
If an organization configured policy tips in the DLP policy with the option to Override or Report a false positive, users can do so by selecting the Resolve button. In the dialog box that appears, they can select Override a policy tip or Report a false positive.
In each of these Office desktop programs, users can choose to turn off policy tips. If turned off, policy tips that are just notifications don't appear on the Message Bar or Backstage view. However, policy tips about blocking and overriding still appear. Users also receive email notifications. In addition, turning off policy tips doesn't exempt the document from any DLP policies the system applied to it.
Default text for policy tips in Excel, PowerPoint, and Word
By default, policy tips display text similar to the following messages on the Message Bar and Backstage view of an open document. You configure the notification text separately for each rule. As such, the text that displays differs depending on which rule matches.
If the DLP policy rule does this action: | Then the default policy tip displays this message: |
---|---|
Sends a notification but doesn't allow override. | This file conflicts with a policy in your organization. Go to the File menu for more information. |
Blocks access, sends a notification, and allows override. | This file conflicts with a policy in your organization. If you don't resolve this conflict, the system might block access to this file. Go to the File menu for more information. |
Blocks access and sends a notification. | This file conflicts with a policy in your organization. If you don't resolve this conflict, the system might block access to this file. Go to the File menu for more information. |
Custom text for policy tips in Excel, PowerPoint, and Word
You can customize the text for policy tips separately from the email notification. Unlike custom text for email notifications, custom text for policy tips doesn't accept HTML or tokens. Instead, custom text for policy tips is plain text only with a 256-character limit.
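A helper that applies custom policy tip text while enforcing the constraints stated here and in the earlier section on sites (plain text only, no HTML or tokens, 256-character limit). This is an added example, not from the page; it assumes the ExchangeOnlineManagement module, and the `%%Name%%` pattern it rejects is the placeholder format used by DLP email notification tokens.

```powershell
# Added example: validate custom policy tip text before writing it with Set-DlpComplianceRule.
# Assumes the ExchangeOnlineManagement module; the rule name is supplied by the caller.
Connect-IPPSSession

function Test-PolicyTipText {
    param([Parameter(Mandatory)][string] $Text)

    $problems = @()
    if ($Text -match '<[^>]+>') {
        $problems += 'contains HTML markup; policy tip text is plain text only'
    }
    if ($Text -match '%%\w+%%') {
        $problems += 'contains a %%Token%% placeholder; policy tips do not expand tokens'
    }
    if ($Text.Length -gt 256) {
        $problems += "is $($Text.Length) characters long; the limit is 256"
    }
    return $problems   # empty array means the text is acceptable
}

function Set-PolicyTipText {
    param(
        [Parameter(Mandatory)][string] $RuleName,
        [Parameter(Mandatory)][string] $Text
    )
    $problems = Test-PolicyTipText -Text $Text
    if ($problems.Count -gt 0) {
        throw "Policy tip text for rule '$RuleName' $($problems -join '; ')"
    }
    Set-DlpComplianceRule -Identity $RuleName -NotifyPolicyTipCustomText $Text
}

# Constructed usage: the second call is rejected because it carries HTML and an email token.
Set-PolicyTipText -RuleName 'Rule 2 - internal, more than five' `
    -Text 'This file contains customer personal data. Share it internally only, and record a business reason if you must proceed.'

try {
    Set-PolicyTipText -RuleName 'Rule 2 - internal, more than five' `
        -Text '<b>Blocked</b>: see %%AppliedActions%% for details.'
} catch {
    Write-Warning $_.Exception.Message
}
```

Because the same text is silently truncated or rejected by the service otherwise, checking before the Set- call keeps the tip users actually see identical to the one you reviewed.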