Hi @Ng Yin Fai
Greetings & Welcome to Microsoft Q&A forum! Thanks for posting your query!
However, we discovered from our tests that both incoming and outgoing emails that contain the keywords are being detected and alerts were created.
Yes, the behavior you observed is the default behavior of Microsoft Purview DLP policies for Exchange Online, where both incoming and outgoing emails are scanned for policy matches.
Is it the default behavior that both incoming and outgoing emails are scanned by DLP?
Yes, the default behavior of Purview DLP policies in Exchange Online is to scan both incoming and outgoing emails. This is because DLP is designed to prevent sensitive data from leaving the organization (outgoing) and to detect sensitive data entering the organization (incoming).
If yes, how to exclude incoming emails in Purview DLP on Exchange Online to ensure only outgoing emails are scanned?
To modify the DLP policy to exclude incoming emails and only scan outgoing ones, the most precise and flexible way to control which emails are scanned is by using rules and conditions within your DLP policy. Here's the general process:
Open the Microsoft Purview compliance portal ---> Navigate to Data loss prevention ---> Select or create a policy ---> Create or edit a rule ---> Add a condition to the rule:
This is the crucial step. You need to add a condition that filters the rule to only apply to outgoing emails. Use the following condition: "The sender is located..." and then select "Inside the organization." This condition effectively filters the rule to only trigger on emails sent by users within your organization, which are outgoing emails.
(Optional) Add other conditions - You can add further conditions to refine the rule if needed (e.g., specific recipients, sensitivity labels, etc.).
Choose actions - Specify the actions to take when the rule is matched (e.g., block the email, notify the sender, generate an alert).
Save the rule and policy - Save the changes to the rule and then save the DLP policy.
Explanation:
The "The sender is located... Inside the organization" condition is the key. It checks the origin of the email. If the sender is an internal user (someone with an email address within your organization's domain), the condition is met, and the rule is applied. Conversely, if the sender is external (someone with an email address outside your organization's domain), the condition is not met, and the rule is skipped. This effectively excludes incoming emails from being scanned by this specific rule.
For more details, please refer to the following documentation that might help you:
Create and Deploy data loss prevention policies
Create mail flow rules to encrypt email messages with Microsoft Purview Message Encryption
I hope this information helps. Please do let us know if you have any further queries.
Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.
Thank you.
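Added example, not part of the answer above: the same outbound-only configuration done in Security & Compliance PowerShell (ExchangeOnlineManagement module), followed by a check for rules that are not restricted to internal senders and would therefore still fire on incoming mail. The policy and rule names, the alert address and the sensitive information type are placeholders.

```powershell
# Added example: requires the ExchangeOnlineManagement module and an account with
# DLP compliance management rights. Names and addresses below are placeholders.
Connect-IPPSSession

$policyName = 'Outbound-Only DLP (example)'
$ruleName   = 'Outbound sensitive data - internal senders only'

# Policy scoped to Exchange Online and started in test mode, so matches are
# visible in reports but nothing is blocked until the results have been reviewed.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Scans only mail sent by internal users (outgoing).' `
    -ExchangeLocation All `
    -Mode TestWithoutNotifications

# -FromScope InOrganization is the PowerShell form of the portal condition
# "The sender is located ... Inside the organization". Mail from external senders
# (incoming) never satisfies it, so this rule does not fire on inbound messages.
New-DlpComplianceRule -Name $ruleName -Policy $policyName `
    -FromScope InOrganization `
    -ContentContainsSensitiveInformation @(@{ Name = 'Credit Card Number'; minCount = '1' }) `
    -ReportSeverityLevel Medium `
    -GenerateAlert 'dlp-alerts@contoso.example' `
    -NotifyUser 'LastModifier'

# Verification: list every DLP rule whose sender scope is not limited to the
# organization. Those rules still evaluate incoming mail as well as outgoing.
Get-DlpComplianceRule |
    Where-Object { $_.FromScope -ne 'InOrganization' } |
    Select-Object Name, ParentPolicyName, FromScope
```

Switch the policy to -Mode Enable (Set-DlpCompliancePolicy) only after the test-mode results confirm that inbound messages no longer produce matches.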