MC1385588 Microsoft Purview | Data Loss Prevention - Enriched Audit Data for Matched Rules in Exchange Online
Summary
Microsoft Purview DLP for Exchange Online will enrich audit data with detailed matched conditions (e.g., sender, recipient, attachment, subject) when a DLP rule triggers. This enhancement, rolling out late June to July 2026, improves visibility without changing enforcement or requiring configuration.
More information
What and Why:
We are enhancing Microsoft Purview Data Loss Prevention (DLP) audit data for Exchange Online by adding enriched matched condition details whenever a DLP rule is triggered. Previously, audit records primarily surfaced sensitive information type (SIT) matches. With this update, audit records now include all contributing rule conditions, including non-SIT conditions such as sender and recipient attributes, attachment properties, subject keywords, and message metadata.
This change aligns with Microsoft’s enterprise-ready security and compliance commitments. It provides clearer insight into why a DLP rule was triggered without requiring manual cross-referencing of policy configurations and audit logs.
This message is associated with Roadmap ID 562051.
Rollout Schedule:
- General Availability (Worldwide): Rollout begins late June 2026 and is expected to complete by late July 2026.
Impact on Your Organization:
Who is affected:
- Administrators managing Microsoft Purview DLP policies scoped to Exchange Online
- Security and compliance teams reviewing DLP alerts, audit logs, or Activity Explorer data
Platforms/Services:
- Microsoft Purview
- Exchange Online
- Unified Audit Log
- Activity Explorer
- DLP Alerts and user notifications
What will happen:
- When a DLP rule in Exchange Online matches content, audit records will include enriched matched condition data for all contributing conditions.
- The enriched data includes the condition name, matched value, and the source that produced the match.
- This information appears in DLP Alerts, Activity Explorer, the Unified Audit Log, and user notifications where applicable.
- The feature is enabled by default.
- No configuration changes or policy updates are required.
- DLP enforcement behavior is unchanged.
Supported conditions and example output:
Attachment conditions
| Condition | Example output |
|---|---|
| File extension is | Attachment Extension: txt — Testing.txt |
| Document or attachment is password protected | File.txt — Password Protected |
| Document could not be scanned | File.txt — Other Error |
| Document didn’t complete scanning | File.txt — Other Error |
| Attachment count over | 12 — Document1.pdf; Document2.pdf; Document3.pdf; Document4.pdf; Document5.pdf; ...+7 more |
Sender conditions
| Condition | Example output |
|---|---|
| Shared by users | [email protected] |
| Sender domain is | contoso.com — [email protected] |
| Sender IP address is | 192.168.1.100 — [email protected] |
| Sender AD attribute contains words | Sales Department — [email protected] |
Recipient conditions
| Condition | Example output |
|---|---|
| Recipient domain is | fabrikam.com — [email protected] |
| Shared with user | [email protected] — USERNAME |
| Unique domain count over | 3 — contoso.com; fabrikam.com; adventureworks.net |
| Recipient AD attribute contains words | Seattle — [email protected]; Portland — [email protected] |
Subject and body conditions
| Condition | Example output |
|---|---|
| Subject contains words | Matchedword — Subject: this is Matchedword subject |
Message conditions
| Condition | Example output |
|---|---|
| Message size over | 5242880 — Q1 Financial Report with Attachments |
How matched condition evidence is structured:
- Condition name: The DLP rule condition evaluated (for example, “Sender domain is”).
- Matched value: The specific value that satisfied the condition (for example, “contoso.com”).
- Source: The originating item that produced the match (for example, “[email protected]”).
If multiple values match a condition, all contributing sources are listed. If more than five attachments match, the first five are shown followed by a count of additional matches (for example, “+7 more”).
Action Required / Recommendations:
No action is required. This feature is enabled automatically for all DLP policies scoped to Exchange Online.
- Optionally validate enriched data by triggering a DLP rule match.
- Review the matched event in Activity Explorer under Data Loss Prevention > Activity Explorer.
- Review DLP Alerts for the same enriched matched condition details.
Note: Matched condition details may take up to 60 minutes to appear in Activity Explorer.
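For admins who prefer to validate the enriched records outside the portal, the following PowerShell script is an added example and is not part of the Message Center post or of any Microsoft-published script. It pulls recent Exchange Online DLP rule-match records from the Unified Audit Log and prints the per-rule match details next to the message metadata. It assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds an audit-log reader role, that Search-UnifiedAuditLog is still available in the tenant, and that the records keep the established DLP audit schema (ExchangeMetaData, PolicyDetails, Rules, ConditionsMatched); the post does not name the JSON properties that carry the new non-SIT evidence, so the script serialises the whole ConditionsMatched object instead of guessing field names.

```powershell
# Added example, not from the Message Center post: list recent Exchange Online
# DLP rule matches with their matched-condition evidence for inspection.
# Assumptions (not stated on the page): ExchangeOnlineManagement module is
# installed, the account can read the Unified Audit Log, and records follow the
# documented DLP audit schema (ExchangeMetaData, PolicyDetails[].Rules[]).
param(
    [int]$LookbackHours = 24,
    [string]$PolicyName          # optional: only show matches for this policy
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$end   = Get-Date
$start = $end.AddHours(-$LookbackHours)

# DlpRuleMatch is the operation written when a DLP rule fires;
# ComplianceDLPExchange limits the search to Exchange Online workload records.
# ResultSize 5000 is the per-call maximum; longer windows need SessionId paging.
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType ComplianceDLPExchange -Operations DlpRuleMatch `
    -SessionCommand ReturnLargeSet -ResultSize 5000

$results = foreach ($rec in $records) {
    $data = $rec.AuditData | ConvertFrom-Json
    $meta = $data.ExchangeMetaData

    foreach ($policy in $data.PolicyDetails) {
        if ($PolicyName -and $policy.PolicyName -ne $PolicyName) { continue }

        foreach ($rule in $policy.Rules) {
            [pscustomobject]@{
                CreationTime = $rec.CreationDate
                From         = $meta.From
                To           = ($meta.To -join ';')
                Subject      = $meta.Subject
                Policy       = $policy.PolicyName
                Rule         = $rule.RuleName
                Actions      = ($rule.Actions -join ',')
                # Dump the full object: the post lists which conditions are
                # surfaced (sender, recipient, attachment, subject, size) but
                # not their property names, so any new keys appear here as-is.
                ConditionsMatched = ($rule.ConditionsMatched |
                    ConvertTo-Json -Depth 10 -Compress)
            }
        }
    }
}

$results | Sort-Object CreationTime -Descending | Format-List
```

Trigger a test rule match first (for example, send a message whose subject contains a keyword your test rule looks for), then run the script after allowing for the ingestion delay the post mentions; a record whose ConditionsMatched shows only SensitiveInformation while the rule also had a sender, recipient or subject condition indicates the enrichment has not yet reached your tenant.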
Compliance considerations:
| Area | Explanation |
|---|---|
| Audit logging capabilities | Audit records now include additional matched condition metadata for DLP rule evaluations in Exchange Online. |
| Admin monitoring and reporting | Admins gain increased visibility into DLP rule triggers via Activity Explorer, alerts, and audit logs. |
| Processing of existing customer data | Existing email metadata and DLP evaluation results are logged with richer detail; no new data types are introduced. |