Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
You can use sensitivity labels as a condition in DLP policies for these locations:
- Exchange email messages
- SharePoint
- OneDrive
- Devices
- Instances
- On-premises repositories
- Microsoft 365 Copilot
- Fabric and PowerBI workspaces
Sensitivity labels appear as an option in the Content contains list.
Important
The Sensitivity Labels condition isn't available if you select Teams chat and channel messages as a ___location to apply the DLP policy.
Tip
Get started with Microsoft Security Copilot to explore new ways to work smarter and faster using the power of AI. Learn more about Microsoft Security Copilot in Microsoft Purview.
Supported items, file types, scenarios, and policy tips
You can use sensitivity labels as conditions on these items and in the following scenarios.
Supported items
| Service | Item type | Available to policy tip | Enforceable |
|---|---|---|---|
| Exchange | email message | Yes | Yes |
| Exchange | email attachment | Yes | Yes |
| SharePoint | items in SharePoint | Yes | Yes |
| OneDrive | items | Yes | Yes |
| Teams | Teams and channel messages | Not applicable | Not applicable |
| Teams | attachments | Yes ** | Yes ** |
| Devices | items | Yes | Yes |
| MCAS (preview) | items | Yes | Yes |
** Attachments sent in Teams over 1:1 chat or channels are automatically uploaded to OneDrive and SharePoint. If you include SharePoint or OneDrive as locations in your DLP policy, labeled attachments sent in Teams are automatically included in the scope of this condition. You don't need to select Teams as a ___location in the DLP policy.
Note
DLP's ability to detect sensitivity labels in SharePoint and OneDrive is limited. For more information, see Enable sensitivity labels for files in SharePoint and OneDrive.
Supported file types
| Workload | File types supported |
|---|---|
| Exchange emails | Office files (DOCX, XLSX, PPTX), PDF, PFILE (files that are labeled with protection using MIP SDK) |
| SharePoint | Office files (DOCX, XLSX, PPTX), PDF |
| OneDrive | Office files (DOCX, XLSX, PPTX), PDF |
| endpoint devices | Office files (DOCX, XLSX, PPTX), PDF, PFILE (files that are labeled with protection using MIP SDK) |
Supported scenarios
DLP Admin can see a list of all sensitivity labels in the tenant when they choose to include one or more sensitivity labels as a condition.
All workloads support using sensitivity labels as a condition, as shown in the support matrix.
DLP policy tips continue to show across workloads for DLP policies that contain one or more sensitivity labels as a condition.
Sensitivity labels appear as part of the incident report email if a DLP policy with one or more sensitivity labels as a condition is matched.
Sensitivity label details show in the DLP rule match audit log for DLP policy matches that contain a sensitivity label as a condition.
Support policy tips
| Workload | Policy tips supported/not supported |
|---|---|
| OWA | supported |
| Outlook for Windows | supported |
| SharePoint | supported |
| OneDrive | supported |
| endpoint devices | not supported |