MC946947 - Microsoft Purview | Data Loss Prevention: Actionable email notifications for enhanced incident remediation

Service

Microsoft Purview

Published

Dec 2, 2024

Tag

New feature
User impact
Admin impact

Platforms

Web

More information

Microsoft Purview Data Loss Prevention user email notifications will soon get advanced incident remediation capabilities. This new feature allows users to take remediation actions directly from their mailbox, streamlining the remediation process.

This message is associated with Microsoft 365 Roadmap ID 464996.

When this will happen:

Public Preview: We will begin rolling out in early December 2024 and expect to complete by early January 2025.

We will communicate the plan for General Availability in a separate post.

How this will affect your organization:

This feature will allow users to take remediation actions on Microsoft OneDrive files and Microsoft SharePoint files that cause a policy match.

Key actions in the actionable email notifications will include:

  • Stop sharing file
  • Delete file
  • Apply sensitivity label on the file
  • Apply retention label on the file
  • Override the policy
  • Report false positive
  • Report unable to take action

This change will be available by default for admins to configure.

What you need to do to prepare:

Admin experience: Using the feature

To use this feature, follow these steps:

1. Create or edit a policy in Purview Data Loss Prevention for OneDrive or SharePoint.

2. Create a rule and select the required conditions and actions. Turn on User notifications and select Notify users in Office 365 service with a policy tip or email notifications. Then, select Preview and edit notification email:

[Image: admin controls]

3. A flyout will open where you can configure the actions in the notification email:

[Image: admin controls]

Note: You can only use markdown mode when configuring the email body with actions. HTML is not supported unless no action is selected.

4. After you have made the changes, select Save. Select the users who will be notified. Save the rule.

User experience

When a DLP rule matches a file, the users selected in the rule configuration will receive an email notification. The actions will be at the end of the email.

[Image: user notification]

After selecting an action in an email, the user will experience this behavior:

  • Stop sharing: Any sharing access and links on the file will be removed.
  • Delete: The file will be deleted.
  • Override (visible in email only if user override is enabled): The user must enter a business justification, and the policy will then be overridden.
  • Apply sensitivity or retention label: The OneDrive or SharePoint folder or site where the file is located will open, and the user can apply the sensitivity or retention label in the file details section.
  • Report false positive: The user must enter a justification, and the admin will be notified.
  • Unable to take action: The user must enter a justification, and the admin will be notified.

If the action is successful, the actions will be replaced by a success message. For unsuccessful actions, an error message will be shown.

Admin experience: Auditing

Admins can track the actions taken by users using the unified audit log in the Purview compliance portal and Advanced Hunting in the Defender security portal.

Filters to use in unified audit log:

1. For file activities in SharePoint and OneDrive (Delete, Unshare, Apply Retention Label, Apply Sensitivity Label):

Record types = SharepointFileOperation

File, folder, or site = "File URL (file link)"

2. For Report False Positive, Unable to take action, and Override:

Activities - operation names = DLPInfo

Record types = ComplianceDLPSharePoint
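
The same two filter sets can also be run from Exchange Online PowerShell with Search-UnifiedAuditLog and merged into one timeline for review. This is an added example, not part of the original Message Center post; the file URL parameter, the seven-day window, the 5000-record limit and the output path are assumptions chosen for illustration.

```powershell
# Added example: collect the audit records produced by actionable DLP emails.
# Assumes the ExchangeOnlineManagement module is installed and the account
# has permission to search the unified audit log.
param(
    [Parameter(Mandatory)] [string] $FileUrl,            # full link to the file under review
    [datetime] $Start   = (Get-Date).AddDays(-7),        # assumed look-back window
    [datetime] $End     = (Get-Date),
    [string]   $OutFile = ".\dlp-email-actions.csv"      # assumed output path
)

Connect-ExchangeOnline -ShowBanner:$false

# Filter set 1: file activities on the specific file
# (Delete, Unshare, Apply Retention Label, Apply Sensitivity Label).
$fileOps = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
    -RecordType SharePointFileOperation -ObjectIds $FileUrl -ResultSize 5000

# Filter set 2: Report False Positive, Unable to take action, Override.
# The post gives no file filter for these, so this returns every DLPInfo
# record in the window; correlate by user and time with set 1.
$dlpInfo = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
    -RecordType ComplianceDLPSharePoint -Operations DLPInfo -ResultSize 5000

# Merge both sets into one chronological timeline. AuditData is the raw
# JSON payload of each record and is kept unparsed for later inspection.
$timeline = @($fileOps) + @($dlpInfo) |
    Where-Object { $_ } |
    Sort-Object CreationDate |
    Select-Object CreationDate, UserIds, RecordType, Operations, AuditData

$timeline | Export-Csv -Path $OutFile -NoTypeInformation
$timeline | Format-Table CreationDate, UserIds, RecordType, Operations -AutoSize

# A window that returns exactly 5000 rows from either query has probably
# been truncated and should be narrowed and rerun.
if (@($fileOps).Count -eq 5000 -or @($dlpInfo).Count -eq 5000) {
    Write-Warning "Result limit reached; narrow the date range and rerun."
}

Disconnect-ExchangeOnline -Confirm:$false
```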

Learn more: Send email notifications and show policy tips for DLP policies | Microsoft Learn

This rollout will happen automatically by the specified date with no admin action required before the rollout. Review your current configuration to determine the impact for your organization. You may want to notify your users and admins about this change and update any relevant documentation.