MIP with DLP policy enabled

Lakshmi Annamalai 0 Reputation points
2025-12-11T21:09:41.0733333+00:00

We have DLP policies based on SITs, and they are working well for various locations such as SharePoint, Exchange and endpoint devices. But the DLP policy for on-prem NAS shares is not matching when used with the Microsoft Information Protection Scanner.

DLP Rule:

Conditions: Content contains any of these sensitive info types:
  - Credit Card Number
  - U.S. Bank Account Number
  - U.S. Driver's License Number
  - U.S. Individual Taxpayer Identification Number (ITIN)
  - U.S. Social Security Number (SSN)

The policy is visible to the scanner and is logged as being executed:

MSIP.Lib    MSIP.Scanner (30548)    Executing policy: Data Discovery On-Prem, policyId: 85........................

and the MIP reports are listing files with these SITs.

The results:

 Information Type Name - Credit Card Number; U.S. Social Security Number (SSN); U.S. Bank Account Number
 Action - Classified
 Dlp Mode - Test
 Dlp Status - Skipped
 Dlp Comment - No match

There is no other information in the logs. Why is the DLP policy not matching, and how can I test the policy?

thanks

Microsoft Security | Microsoft Purview
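The symptom in the question is a report full of rows where a SIT was classified but DLP still reports "Skipped" / "No match". Before changing the policy it helps to see whether that pattern holds for every SIT in the rule or only some of them. The script below is an added example, not part of the question or either answer: it reads a constructed extract of the scanner's detailed report (the column names follow the question; the file paths, the "; " separator between multiple SIT names in one cell, and the one non-Skipped row are assumptions for illustration) and lists the files and SITs that were classified but never matched.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows in the shape of the scanner's detailed report.
# Column names are the ones the question quotes; paths, the "; " separator
# and the "Success"/"Matched" row are assumptions for the example.
SAMPLE_REPORT = r"""File Name,Information Type Name,Action,Dlp Mode,Dlp Status,Dlp Comment
\\nas01\finance\q3-cards.xlsx,Credit Card Number,Classified,Test,Skipped,No match
\\nas01\hr\new-hires.docx,U.S. Social Security Number (SSN); U.S. Bank Account Number,Classified,Test,Skipped,No match
\\nas01\hr\payroll.csv,U.S. Bank Account Number,Classified,Test,Success,Matched
\\nas01\public\readme.txt,,Not classified,Test,Skipped,No match
"""

# The SITs configured in the DLP rule from the question.
RULE_SITS = [
    "Credit Card Number",
    "U.S. Bank Account Number",
    "U.S. Driver's License Number",
    "U.S. Individual Taxpayer Identification Number (ITIN)",
    "U.S. Social Security Number (SSN)",
]


def parse_report(text: str) -> list:
    """Parse a CSV report extract into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def sits_of(row: dict) -> list:
    """Split the 'Information Type Name' cell into individual SIT names."""
    return [s.strip() for s in row["Information Type Name"].split(";") if s.strip()]


def classified_but_not_matched(rows: list) -> list:
    """Files that received a SIT classification yet DLP reported Skipped."""
    return [r for r in rows if sits_of(r) and r["Dlp Status"] == "Skipped"]


def skip_counts_by_sit(rows: list) -> dict:
    """How many classified-but-skipped files each SIT appears in."""
    counts = defaultdict(int)
    for r in classified_but_not_matched(rows):
        for s in sits_of(r):
            counts[s] += 1
    return dict(counts)


def rule_sits_never_matching(rows: list, rule_sits: list) -> list:
    """SITs from the rule that were classified somewhere but never produced a DLP match.

    A rule SIT that was never classified at all is left out: that is a
    classification question, not a DLP matching question.
    """
    matched = set()
    for r in rows:
        if r["Dlp Status"] != "Skipped":
            matched.update(sits_of(r))
    classified = {s for r in rows for s in sits_of(r)}
    return sorted((set(rule_sits) & classified) - matched)


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    for r in classified_but_not_matched(rows):
        print(f"{r['File Name']}: {sits_of(r)} -> {r['Dlp Status']} ({r['Dlp Comment']})")
    print("skipped per SIT:", skip_counts_by_sit(rows))
    print("rule SITs classified but never matched:", rule_sits_never_matching(rows, RULE_SITS))
```

If every SIT in the rule lands in the "never matched" list while classification succeeds, the problem is on the DLP side of the scanner (policy scope, mode or publishing) rather than in SIT detection; if only some SITs do, compare those SITs' confidence and instance-count settings in the rule against what the classifier reports.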

2 answers

  1. Q&A Assist
    2025-12-11T21:09:55.9366667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The issue you're experiencing with the DLP policy not matching on your On-Prem NAS shares while using the Microsoft Information Protection (MIP) Scanner could be due to several factors. Here are some potential reasons and steps you can take to troubleshoot the problem:

    1. Policy Configuration: Ensure that the DLP policy is correctly configured to include the On-Prem NAS shares as a location. Sometimes, policies may not be applied to certain locations if they are not explicitly included.
    2. SIT Detection: Verify that the sensitive information types (SITs) you are using in your DLP policy are correctly defined and that the MIP Scanner is capable of detecting these SITs in the files stored on your NAS shares. The scanner may have limitations in detecting certain types of sensitive information depending on the file formats or how the data is structured.
    3. Execution Logs: Since the logs indicate that the policy is being executed but the status is "Skipped," it suggests that the policy conditions were not met for the files scanned. Check the content of the files to ensure that they actually contain the sensitive information types specified in your DLP policy.
    4. Testing the Policy: To test the policy, you can change the DLP mode from "Test" to "Enforce" temporarily to see if it triggers any actions. Additionally, you can create a smaller test policy with fewer conditions or a different set of SITs to isolate the issue.
    5. MIP Scanner Configuration: Ensure that the MIP Scanner is properly configured to scan the On-Prem NAS shares and that it has the necessary permissions to access the files. Review the scanner's settings and logs for any errors or warnings that might indicate configuration issues.
    6. File Types: Confirm that the file types being scanned are supported by the DLP policy and the MIP Scanner. Some file types may not be compatible with the sensitive information types you are trying to detect.

    If you continue to face issues, consider reaching out to Microsoft support for more in-depth troubleshooting specific to your environment.



  2. VRISHABHANATH PATIL 2,305 Reputation points Microsoft External Staff Moderator
    2025-12-12T05:44:38.79+00:00

    Hi @Lakshmi Annamalai

    It sounds like you're experiencing some issues with your DLP policy and MIP scanner when it comes to on-prem NAS shares. Let's break down the situation.

    Based on your query, it seems that your DLP policy is set up correctly since it's visible to the scanner and is even being logged as executed. However, the important detail is that it's showing a status of "Skipped" for the sensitive info types (SITs) you specified, which indicates that it’s not matching the expected content.

    Here are a few things you can check to troubleshoot the issue:

    Policy Publishing: Ensure that your DLP policy is published. After creating the policy, it remains in draft mode and will only become active when published. You must have the appropriate permissions (Data source admin role) to do this.

    Data Source Registration: Confirm that your NAS shares are properly registered within Microsoft Purview with data use management enabled. This is crucial because, without registration, the policies cannot be enforced correctly.

    Scanning Configuration: Ensure that all integration runtimes and necessary configurations are set up correctly to allow the MIP Scanner to access your on-prem data.

    Permissions: Check whether the MIP Scanner has access to the folders/files that should be scanned. Sometimes, permission issues may prevent the scanner from accessing the content it needs to evaluate.

    Conditions Evaluation: Consider testing your policy against a known set of sample data that definitely contains one of the specified sensitive info types to see if it's able to classify it correctly. This can help determine if the issue is with the contents being scanned or the policy itself.

    Policy Mode: Since you mentioned that your DLP Mode is set to 'Test', try switching it to 'Active' once the policy is validated with test data to see if it behaves differently.

    If checking these areas doesn’t resolve the situation, here are some follow-up questions that could help clarify the issue:

    1. What specific permissions do the MIP Scanner and the account that created the policy currently have?
    2. Can you confirm the file/folder structure of your NAS shares? Are the targeted files accessible by the scanner?
    3. Are there any other policies in place that might be conflicting with the DLP policy?
    4. Have you recently made any changes to the data sources or network configurations that might affect scanning?
    5. Is there any further logging or diagnostics available from the MIP Scanner that could provide more insight into why it indicates "No match"?

    Hopefully, these steps and insights can help you troubleshoot the DLP policy issue you're facing! If you still have questions, feel free to ask!

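The "Conditions Evaluation" suggestion above (scan a known set of sample data) is easiest to act on with a small fixture folder whose contents you control. The script below is an added example, not code from the question, from either answer or from Microsoft: it writes three small text files, two that should trip the Credit Card Number and U.S. SSN SITs and one control file with nothing sensitive, into a folder that you then add as a repository of a test content scan job. The checks it applies are my understanding of those SITs' structural rules (a Luhn-valid card number with a card keyword and expiry nearby; an SSN with a valid area, group and serial), not anything the page states, and the sample values are constructed test data, not real accounts.

```python
import re
import tempfile
from pathlib import Path
from typing import Optional

# Constructed fixture contents. 4111 1111 1111 1111 is the widely used Visa
# test number; the SSN value is made up and only checked for valid structure.
FIXTURES = {
    "cc-fixture.txt": "Customer card on file: Visa 4111 1111 1111 1111 exp 09/27\n",
    "ssn-fixture.txt": "Employee record\nSSN: 536-22-1234\n",
    "control-no-sit.txt": "Meeting notes: nothing sensitive here.\n",
}


def luhn_valid(number: str) -> bool:
    """Luhn checksum over the digits of `number` (spaces/dashes ignored)."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_format_plausible(ssn: str) -> bool:
    """AAA-GG-SSSS with area not 000/666/9xx, group not 00, serial not 0000."""
    m = re.fullmatch(r"(\d{3})-(\d{2})-(\d{4})", ssn)
    if not m:
        return False
    area, group, serial = m.groups()
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"


def expected_matches() -> dict:
    """Which fixture files should produce a SIT match, judged locally first.

    Running these checks before the scan means a 'No match' on a file this
    function marks True points at the policy, not at the fixture.
    """
    out = {}
    for name, body in FIXTURES.items():
        cards = re.findall(r"\b(?:\d[ -]?){15}\d\b", body)
        ssns = re.findall(r"\b\d{3}-\d{2}-\d{4}\b", body)
        out[name] = any(luhn_valid(c) for c in cards) or any(
            ssn_format_plausible(s) for s in ssns
        )
    return out


def write_fixtures(target_dir: Optional[str] = None) -> list:
    """Write the fixture files; returns their paths as strings."""
    base = Path(target_dir) if target_dir else Path(tempfile.mkdtemp(prefix="dlp-fixtures-"))
    base.mkdir(parents=True, exist_ok=True)
    paths = []
    for name, body in FIXTURES.items():
        p = base / name
        p.write_text(body, encoding="utf-8")
        paths.append(str(p))
    return paths


def all_fixtures_present(paths: list) -> bool:
    """True when every fixture exists and is non-empty."""
    return all(Path(p).is_file() and Path(p).stat().st_size > 0 for p in paths)


if __name__ == "__main__":
    # Pass a path on the share you want the scanner to pick up, e.g. a
    # dedicated \\nas01\dlp-test folder (hypothetical); default is a temp dir.
    for p in write_fixtures():
        print("wrote", p)
    print("expected SIT matches:", expected_matches())
```

Point a separate content scan job (set to discover-only, with DLP enabled) at the fixture folder, run it, and compare the report rows for these three files against `expected_matches()`: the two positive fixtures should classify and, once the policy is published and in scope for the scanner, show a DLP match rather than "Skipped"; the control file should show neither.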
