MC1387682 - Microsoft Purview Data Loss Prevention default protection controls for Exchange Online when classification fails

Message Center

Summary

Microsoft Purview DLP for Exchange Online will introduce an opt-in feature to detect classification failures like timeouts, throttling, and scan errors, enhancing visibility and compliance. It expands existing conditions, adds a new DocumentScanFailures condition, and may increase alerts after enabling. Rollout starts mid-2026.

Published

Jun 11, 2026

Service

Microsoft Purview

Tag

New feature
User impact
Admin impact

Platforms

Web

More information

What and Why

Microsoft Purview Data Loss Prevention (DLP) is introducing new capabilities to detect and act on classification failures such as timeout, throttling, and scan errors. This update helps administrators surface previously undetected failures and apply appropriate protection, improving visibility and strengthening compliance outcomes across Exchange Online.

This message is associated with Microsoft 365 Roadmap ID 561916.

Rollout Schedule

  • Public Preview: Rollout begins in mid-June 2026 and is expected to complete by early July 2026.
  • General Availability (Worldwide): Rollout begins in mid-August 2026 and is expected to complete by late August 2026.

Impact on Your Organization

Who is affected

  • Admins managing Microsoft Purview DLP policies in Exchange Online

Platforms/Services:

  • Exchange Online
  • Microsoft Purview Data Loss Prevention

What will happen

  • The feature is turned off by default and requires explicit tenant-level opt-in.
  • There is no change to existing behavior or user experience unless you enable the feature.
  • Existing DLP conditions will expand to detect additional classification failure scenarios after opt-in is enabled.
  • New classification failure categories include:
    • timeout
    • throttling
    • other scan errors
  • A new condition called DocumentScanFailures allows targeting specific failure types and must be used with existing scan conditions.
  • You may see an increase in DLP alerts and rule matches after enabling the feature. This reflects previously undetected classification failures and does not indicate new issues.

Updated condition behavior

  • Document couldn't be scanned will detect:
    • Text extraction failures
    • Classification failures such as timeout, throttling, and other scan errors after opt-in
  • Document didn't complete scanning will detect:
    • Partial text extraction
    • Partial classification failures where some classifiers succeed and others fail

New condition

  • DocumentScanFailures enables detection of specific failure types including timeout, throttled, and other errors.
  • Must be used with either Document couldn't be scanned or Document didn't complete scanning.
  • Cannot be used as a standalone condition.

Action Required and Recommendations

To prepare for this update:

  • Review existing DLP policies that use these conditions:
    • Document couldn't be scanned
    • Document didn't complete scanning
  • Plan when to enable the tenant-level opt-in based on your readiness.
  • Enable the feature using PowerShell:
    • Connect using Connect-IPPSSession.
    • Run the following commands:

$json = '{"Classification":{"State":1}}'

Set-PolicyConfig -DlpErrorHandlingConfig $json

  • Allow up to one hour for the configuration to take effect.
  • Configure rule priority to ensure proper evaluation:
    • Place content-based rules above scan failure rules.
    • Scan failure conditions only evaluate classifiers that have already run.

Example rule order:

  • Detect credit card numbers
    • Condition: Content contains credit card number
    • Action: Block
  • Detect account numbers
    • Condition: Content contains account number
    • Action: Block
  • Detect exact data match
    • Condition: Content contains EDM sensitive information type
    • Action: Block
  • Catch full scan timeout failures
    • Condition: Document couldn't be scanned and DocumentScanFailures set to timeout
    • Action: Audit
  • Catch partial scan throttling
    • Condition: Document didn't complete scanning and DocumentScanFailures set to throttled
    • Action: Audit
  • Catch other scan errors
    • Condition: Document couldn't be scanned and DocumentScanFailures set to other
    • Action: Audit

  • Monitor results using Activity Explorer and DLP alerts to understand classification failure patterns.
  • Communicate this change to security and compliance teams.
  • You can disable the opt-in setting to return to previous behavior if needed.
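
The two constraints above (DocumentScanFailures must be paired with a scan condition, and content-based rules sit above scan failure rules) can be checked before rollout. The following PowerShell is an added example, not Microsoft's code: the rule objects are constructed sample data, their property names are a hypothetical model rather than the output schema of any Purview cmdlet, and it assumes priority 0 is evaluated first.

```powershell
function Test-DlpRuleOrder {
    param([Parameter(Mandatory)] [object[]] $Rules)

    $validFailures = 'timeout', 'throttled', 'other'   # failure types named in the notice
    $findings = @()
    $ordered  = @($Rules | Sort-Object Priority)

    # Highest-priority rule that uses one of the two scan conditions.
    $firstScan = $ordered | Where-Object { $_.ScanCondition } | Select-Object -First 1

    foreach ($r in $ordered) {
        # Normalize to an array and drop empty entries.
        $failures = @($r.ScanFailures | Where-Object { $_ })

        # DocumentScanFailures cannot be used as a standalone condition.
        if ($failures.Count -gt 0 -and -not $r.ScanCondition) {
            $findings += "[$($r.Name)] DocumentScanFailures has no paired scan condition"
        }
        foreach ($f in $failures) {
            if ($f -notin $validFailures) {
                $findings += "[$($r.Name)] unknown failure type '$f'"
            }
        }
        # Content-based rules belong above every scan failure rule.
        if ($r.ContentCondition -and $firstScan -and $r.Priority -gt $firstScan.Priority) {
            $findings += "[$($r.Name)] content rule is below '$($firstScan.Name)'"
        }
    }
    return $findings
}

# Constructed sample rule set (hypothetical property names, deliberately misordered).
$rules = @(
    [pscustomobject]@{ Priority = 0; Name = 'Catch full scan timeout failures'; ContentCondition = $null
                       ScanCondition = "Document couldn't be scanned"; ScanFailures = 'timeout' }
    [pscustomobject]@{ Priority = 1; Name = 'Detect credit card numbers'; ContentCondition = 'credit card number'
                       ScanCondition = $null; ScanFailures = @() }
    [pscustomobject]@{ Priority = 2; Name = 'Catch other scan errors'; ContentCondition = $null
                       ScanCondition = $null; ScanFailures = 'other' }
)

# Reports the misplaced content rule and the standalone DocumentScanFailures rule.
Test-DlpRuleOrder -Rules $rules
```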

Compliance considerations

Question: Does the change alter how existing customer data is processed, stored, or accessed?
Answer: Yes. Classification failures are now surfaced and evaluated as part of DLP processing, which changes how content scanning outcomes are interpreted.

Question: Does the change modify DLP policies or enforcement?
Answer: Yes. Existing DLP conditions are expanded and a new condition is introduced, impacting rule evaluation behavior.

Question: Does the change alter how admins can monitor, report on, or demonstrate compliance activities?
Answer: Yes. Admins gain enhanced visibility into classification failure scenarios through DLP alerts and Activity Explorer.

Question: Does the change include an admin control?
Answer: Yes. The feature requires explicit tenant-level opt-in through PowerShell and can be disabled.