M365 Archive

MC1385588 - Microsoft Purview | Data Loss Prevention - Enriched Audit Data for Matched Rules in Exchange Online

Message Center

Summary

Microsoft Purview DLP for Exchange Online will enrich audit data with detailed matched conditions (e.g., sender, recipient, attachment, subject) when a DLP rule triggers. This enhancement, rolling out late June to July 2026, improves visibility without changing enforcement or requiring configuration.

Message ID

MC1385588

View in Message Center

Published

Jun 9, 2026

Service

Microsoft Purview

Tag

Feature update
Admin impact

Roadmap ID

562051

View roadmap details

Platforms

Web

More information

What and Why:

We are enhancing Microsoft Purview Data Loss Prevention (DLP) audit data for Exchange Online by adding enriched matched condition details whenever a DLP rule is triggered. Previously, audit records primarily surfaced sensitive information type (SIT) matches. With this update, audit records now include all contributing rule conditions, including non-SIT conditions such as sender and recipient attributes, attachment properties, subject keywords, and message metadata.

This change aligns with Microsoft’s enterprise-ready security and compliance commitments. It provides clearer insight into why a DLP rule was triggered without requiring manual cross-referencing of policy configurations and audit logs.

This message is associated with Roadmap ID 562051.

Rollout Schedule:

  • General Availability (Worldwide): Rollout begins late June 2026 and is expected to complete by late July 2026.

Impact on Your Organization:

Who is affected:

  • Administrators managing Microsoft Purview DLP policies scoped to Exchange Online
  • Security and compliance teams reviewing DLP alerts, audit logs, or Activity Explorer data

Platforms/Services:

  • Microsoft Purview
  • Exchange Online
  • Unified Audit Log
  • Activity Explorer
  • DLP Alerts and user notifications

What will happen:

  • When a DLP rule in Exchange Online matches content, audit records will include enriched matched condition data for all contributing conditions.
  • The enriched data includes the condition name, matched value, and the source that produced the match.
  • This information appears in DLP Alerts, Activity Explorer, the Unified Audit Log, and user notifications where applicable.
  • The feature is enabled by default.
  • No configuration changes or policy updates are required.
  • DLP enforcement behavior is unchanged.

Supported conditions and example output:

Attachment conditions

ConditionExample output
File extension isAttachment Extension: txt — Testing.txt
Document or attachment is password protectedFile.txt — Password Protected
Document could not be scannedFile.txt — Other Error
Document didn’t complete scanningFile.txt — Other Error
Attachment count over12 — Document1.pdf; Document2.pdf; Document3.pdf; Document4.pdf; Document5.pdf; ...+7 more

Sender conditions

ConditionExample output
Shared by users[email protected]
Sender domain iscontoso.com — [email protected]
Sender IP address is192.168.1.100 — [email protected]
Sender AD attribute contains wordsSales Department — [email protected]

Recipient conditions

ConditionExample output
Recipient domain isfabrikam.com — [email protected]
Shared with user[email protected] — USERNAME
Unique domain count over3 — contoso.com; fabrikam.com; adventureworks.net
Recipient AD attribute contains wordsSeattle — [email protected]; Portland — [email protected]

Subject and body conditions

ConditionExample output
Subject contains wordsMatchedword — Subject: this is Matchedword subject

Message conditions

ConditionExample output
Message size over5242880 — Q1 Financial Report with Attachments

How matched condition evidence is structured:

  • Condition name: The DLP rule condition evaluated (for example, “Sender domain is”).
  • Matched value: The specific value that satisfied the condition (for example, “contoso.com”).
  • Source: The originating item that produced the match (for example, “[email protected]”).

If multiple values match a condition, all contributing sources are listed. If more than five attachments match, the first five are shown followed by a count of additional matches (for example, “+7 more”).

Action Required / Recommendations:

No action is required. This feature is enabled automatically for all DLP policies scoped to Exchange Online.

  • Optionally validate enriched data by triggering a DLP rule match.
  • Review the matched event in Activity Explorer under Data Loss Prevention > Activity Explorer.
  • Review DLP Alerts for the same enriched matched condition details.

Note: Matched condition details may take up to 60 minutes to appear in Activity Explorer.

Compliance considerations:

AreaExplanation
Audit logging capabilitiesAudit records now include additional matched condition metadata for DLP rule evaluations in Exchange Online.
Admin monitoring and reportingAdmins gain increased visibility into DLP rule triggers via Activity Explorer, alerts, and audit logs.
Processing of existing customer dataExisting email metadata and DLP evaluation results are logged with richer detail; no new data types are introduced.