DLP Diagnostics Available in Purview Portal
New Way to Run DLP Diagnostics Through GUI Instead of PowerShell
The nature of any moderately large Microsoft 365 tenant is that it’s likely to have a collection of different types of policies. Making sure that Entra ID conditional access policies interact well together is essential to control inbound connections, and a mistake there can lead to administrators locking themselves out of a tenant. Making mistakes in data lifecycle management (retention) policies can also have grave consequences, such as the famous example from 2020 in the KPMG tenant when an error in a retention policy deleted a bunch of Teams chats. Errors in data loss prevention (DLP) policies can lead to less obviously bad outcomes, but only because a mistake could end up with sensitive information leaking outside the organization without anyone’s knowledge.
Four DLP Diagnostics
Which brings us to message center notification MC904540 (last updated 9 July 2025, Microsoft 365 roadmap item 418566), announcing that DLP diagnostic options are now available for commercial tenants in the Microsoft Purview compliance portal (Figure 1).

Microsoft originally published the message center notification on 4 October 2024 in anticipation of a preview in December 2024. Alas, problems along the way forced the developers to roll back and rethink the implementation. After additional work, the portal boasts a set of four DLP diagnostics tests that replace the tests previously performed through the ComplianceDiagnostics PowerShell tool.
There’s no word on whether additional tests are on the way. However, MC904540 mentions “diagnosing issues encountered while using Microsoft Information Protection (MIP) and Data Loss Prevention (DLP),” so it’s possible that plans are in place to provide diagnostic tests for information protection too.
Testing the DLP Diagnostics
In any case, the DLP diagnostics are intended to help identify the root cause of issues and provide remediation options. I found that some of the tests worked well while others were less impressive. For example, the test to figure out why a DLP policy didn’t signal an alert following a rule match was right on the money when it detected that the DLP rule didn’t include settings to generate an alert (Figure 2). The fix was easy once the fault was identified.

The test to diagnose if a user is covered by a DLP policy was less successful. The output of the test (Figure 3) hid some rule and policy names, and the attention to detail in the output is poor. Like Figure 2, where the reference to “ODB” should be spelt out as OneDrive for Business, the lack of capitalization for “exchange” and the lack of spaces in “OneDriveForBusiness” are easily fixed bugs.

Perhaps it’s just my tenant where these problems emerged. Perhaps it’s a weird combination of the age of some of the DLP policies and their configurations that causes policy and rule names to disappear. For whatever reason, it was disappointing to see the lack of attention to detail feature in the DLP diagnostics. Although it might seem strange to worry about this kind of thing, experience shows that when attention isn’t paid to the small things in software, big issues might lurk. GitHub Copilot is very good at picking up issues like this and supports multiple languages, so it is really surprising to see Microsoft ship software with so many obvious UX errors.
None of the tests performed by DLP diagnostics are particularly sophisticated and all could be easily done by an experienced administrator who knows the DLP solution. In fairness, the target audience for DLP diagnostics is likely to be tenant administrators who don’t work with DLP very often and need some help to figure out why something might be going wrong.
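The missing-alert check described above is one that an administrator can approximate by hand. The following is an added example, not code from the article or from Microsoft's diagnostics; it assumes that rule objects returned by Get-DlpComplianceRule expose the Name, ParentPolicyName, Disabled, and GenerateAlert properties, and the function name and sample rules are hypothetical.

```powershell
# Added example: flag DLP rules that have no alert recipients configured.
# Assumption: GenerateAlert on the rule object lists who is alerted on a match.
function Find-DlpRuleWithoutAlert {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Rule
    )
    process {
        # Treat $null, an empty collection, or blank entries as "no alert configured".
        $recipients = @($Rule.GenerateAlert | Where-Object { $_ })
        if ($recipients.Count -eq 0) {
            [pscustomobject]@{
                Policy   = $Rule.ParentPolicyName
                Rule     = $Rule.Name
                Disabled = [bool]$Rule.Disabled
                Finding  = 'No alert recipients configured for rule matches'
            }
        }
    }
}

# Constructed sample data standing in for live output (all names are hypothetical).
$sampleRules = @(
    [pscustomobject]@{ Name = 'Credit card rule'; ParentPolicyName = 'Financial data'
                       Disabled = $false; GenerateAlert = @('SiteAdmin') }
    [pscustomobject]@{ Name = 'Passport rule'; ParentPolicyName = 'Identity data'
                       Disabled = $false; GenerateAlert = @() }
    [pscustomobject]@{ Name = 'Legacy rule'; ParentPolicyName = 'Old policy'
                       Disabled = $true; GenerateAlert = $null }
)

# Reports 'Passport rule' and 'Legacy rule'; 'Credit card rule' has a recipient.
$sampleRules | Find-DlpRuleWithoutAlert | Format-Table -AutoSize

# Against a tenant (needs the ExchangeOnlineManagement module and compliance permissions):
#   Connect-IPPSSession
#   Get-DlpComplianceRule | Find-DlpRuleWithoutAlert
```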
The Value of Data Loss Prevention
DLP is an important Purview solution that often doesn’t receive enough attention. Microsoft has worked hard to expand DLP capabilities, especially in the area of endpoint devices, and the policies work well for Exchange Online, SharePoint Online, and OneDrive for Business, all of which only require E3 licenses. Including Teams in the mix requires a jump to E5, which has always seemed weird to me. And if you want to use the very valuable DLP policy for Copilot to block AI access to sensitive files, you’ll need Microsoft 365 Copilot licenses.