Migrate Exchange data loss prevention policies to Microsoft Purview compliance portal
Exchange data loss prevention (DLP) policies are being deprecated. Much richer DLP functionality, including Exchange DLP, is offered in the Microsoft Purview compliance portal. You can use the DLP policy migration wizard to help you bring your Exchange DLP policies over to the compliance portal where you'll manage them.
The migration wizard works by reading the configuration of your DLP policies in Exchange and then creating duplicate policies in the compliance portal. By default the wizard creates the new versions of the policies in Run the policy in simulation mode, so you can see what impact they'd have in your environment without enforcing any of the actions. Once you're ready to fully transition to the compliance portal versions, you must:
- Deactivate or delete the source policy in the Exchange Admin Center (EAC).
- Edit the compliance portal version of the policy and change its status from Run the policy in simulation mode to Turn it on right away mode.
Warning
If you do not delete or deactivate the source policy in the EAC before you set the Compliance center version to Enforce both sets of policies will be attempting to enforce actions and you will receive duplicate events. This is an unsupported configuration.
The migration wizard only migrates Exchange DLP policies and associated mail flow rules. Standalone Exchange mail flow rules aren't migrated.
Tip
Get started with Microsoft Security Copilot to explore new ways to work smarter and faster using the power of AI. Learn more about Microsoft Security Copilot in Microsoft Purview.
Migration workflow
There are four phases to migrating DLP policies from Exchange into the Unified DLP management console in the compliance portal.
- Prepare for migration
- Evaluate and compare your Exchange Online (EXO) DLP policies and your compliance portal DLP policies for duplicate functionality.
- Decide which EXO DLP policies you want to bring over exactly as they are, you can use the wizard to migrate these.
- Decide which EXO DLP policies you want to consolidate and consolidate them in the Exchange admin center, then use the migration wizard to bring them over into the compliance portal.
- Perform the migration - use the wizard
- Testing and validation - examine the results
- Activate the migrated policies
Before you begin
SKU/subscriptions and licensing
Before you start using DLP policies, confirm your Microsoft 365 subscription and any add-ons.
For information on licensing, see Microsoft 365, Office 365, Enterprise Mobility + Security, and Windows 11 Subscriptions for Enterprises.
Permissions
The account that you use to run the migration wizard must have access to both the Exchange Admin Console DLP page and to the Unified DLP console in the compliance portal.
Prepare for migration
- If you're unfamiliar with DLP, the compliance portal DLP console, or the Exchange Admin center DLP console, you should familiarize yourself before attempting a policy migration.
- Evaluate your Exchange DLP and compliance portal policies by asking these questions:
Question | Action | Migration procedure |
---|---|---|
Is the policy still needed? | If not, delete or deactivate it | don't migrate |
Does it overlap with any other Exchange or compliance portal DLP policies? | If yes, can you consolidate the overlapping policies? | - If it overlaps with another Exchange policy, manually create the consolidated DLP policy in the Exchange Admin center, then use the migration wizard. - If it overlaps with an existing compliance portal policy, you can modify the existing compliance portal policy to match, don't migrate the Exchange version |
Is the Exchange DLP policy tightly scoped and does it have well-defined conditions, actions, inclusions, and exclusions? | If yes, it's a good candidate to migrate with the wizard, make note of the policy so that you remember to come back to delete it later | migrate with the wizard |
Migration
After you've evaluated all your Exchange and compliance portal DLP policies for need and compatibility, you can use the migration wizard.
Select the appropriate tab for the portal you're using. To learn more about the Microsoft Purview portal, see Microsoft Purview portal. To learn more about the Compliance portal, see Microsoft Purview compliance portal.
Sign in to the Microsoft Purview portal.
If there are Exchange DLP policies that can be migrated, a banner will appear at the top of the page letting you know.
Choose Migrate policies in the banner to open the migration wizard. All the Exchange DLP policies are listed. Previously migrated policies can't be selected.
Select the policies you want to migrate. You can migrate them individually, or in groups using a phased approach or all at once. Select Next.
Review the flyout pane for any warnings or messages. Resolve any issues before proceeding.
Select the mode you want the new compliance portal policy created in, Turn it on right away, Run the policy in simulation mode, or Leave it off. The default is Run the policy in simulation mode. Select Next.
You can create more policies that are based on the Exchange DLP policies for other unified DLP locations. This will result in one new unified DLP policy for the migrated Exchange policy and one new unified DLP policy for any other locations that you select here.
Important
Any Exchange DLP policy conditions and actions that are not supported by other DLP locations, like Devices, SharePoint, OneDrive, On-premises, MCAS or Teams chat and channel messages will be dropped from the additional policy. Also, there is pre-work that must be done for the other locations. See:
- Learn about Endpoint data loss prevention
- Get started with Endpoint data loss prevention
- Using Endpoint data loss prevention
- Learn about the data loss prevention on-premises scanner
- Get started with the data loss prevention on-premises scanner
- Use the Microsoft Purview data loss prevention on-premises scanner
- Use data loss prevention policies for non-Microsoft cloud apps
- Review the migration wizard session settings. Select Next.
- Review the migration report. Pay attention to any failures involving Exchange mail flow rules. You can fix them and remigrate the associated policies.
The migrated policies will now appear in the list of DLP policies in the compliance portal DLP console.
Common errors and mitigation
Error message | Reason | Mitigation/Recommended steps |
---|---|---|
A compliance policy with name <Name of the policy> already exists in scenario(s) Dlp . |
It's likely that this policy migration was done earlier and then reattempted in the same session. | Refresh the session to update the list of policies available for migration. All previously migrated policies should be in the Already migrated state. |
A compliance policy with name <Name of the policy> already exists in scenario(s) Hold . |
A retention policy with the same name exists in the same tenant. | - Rename the DLP policy in EAC to a different name. - Retry the migration for the affected policy. |
DLP-group@contoso.com can't be used as a value for the Shared By condition because it's a distribution group or mail-enabled security group. Use Shared by Member of predicate to detect activities by members of certain groups. |
Transport rules allow groups to be used in the sender is condition but unified DLP doesn't allow it. |
Update the transport rule to remove all group email addresses from the sender is condition and add the group to the sender is a member of condition if necessary. Retry the migration for the affected policy |
Couldn't find recipient DLP-group@contoso.com . If newly created, retry the operation after some time. If deleted or expired, reset it with valid values and try again. |
It's likely that the group address used in sender is a member of or recipient is a member of condition is expired or invalid. |
- Remove/replace all the invalid group email addresses in the transport rule in the Exchange admin center. - Retry the migration for the affected policy. |
The value specified in FromMemberOf predicate must be a mail-enabled security group. |
Transport rules allow individual users to be used in the sender is a member of condition; however, unified DLP doesn't allow it. |
- Update the transport rule to remove all individual user email addresses from the sender is a member of condition and add the users to the sender is condition if necessary. - Retry the migration for the affected policy. |
The value specified in SentToMemberOf predicate must be a mail-enabled security group. |
Transport rules allow individual users to be used under the recipient is a member of condition but unified DLP doesn't allow it. |
- Update the transport rule to remove all individual user email addresses from the recipient is a member of condition and add the users to the recipient is condition if necessary. - Retry the migration for the affected policy. |
Using the <Name of condition> parameter is supported only for Exchange. Either remove this parameter or turn on only Exchange location. |
It's likely that another policy with the same name exists in compliance portal with other locations like SPO/ODB/Teams for which the mentioned condition isn't supported. | Rename the DLP policy in Exchange admin center and retry the migration. |
Testing and validation
Test and review your policies.
- Follow the procedures in Get started with simulation mode and Test a DLP policy procedures.
- Review the events created by the policy in the simulaiton mode dashboard for the policy and in Activity explorer.
Review the policy matches between Exchange Admin Center DLP and Microsoft Purview Unified DLP
To ensure that the migrated policies behave as expected, you can export the reports from both admin centers and do a comparison of the policy matches.
Connect to Exchange Online PowerShell.
Export the EAC DLP report. You can copy this cmdlet and insert the appropriate values:
Get-MailDetailDlpPolicyReport -StartDate <dd/mm/yyyy -EndDate <dd/mm/yyyy> -PageSize 5000 | select Date, MessageId, DlpPolicy, TransportRule -Unique | Export-CSV <"C:\path\filename.csv">
Export the Unified DLP report. You can copy this cmdlet and insert the appropriate values:
Get-DlpDetailReport -StartDate <dd/mm/yyyy> -EndDate <dd/mm/yyyy> -PageSize 5000 | select Date, Location, DlpCompliancePolicy, DlpComplianceRule -Unique | Export-CSV <"C:\path\filename.csv">
Activate your migrated policies
Once you're satisfied with how your migrated policies are functioning, you can set them to Enforce.
- Open the Exchange Admin Center DLP console.
- Deactivate or delete the source policy.
- Open the Microsoft Purview compliance portal DLP console and select the policy you want to make active to edit it.
- Change the status to Turn on.