Hi,

I’ve set up a DLP policy where, if a user tries to send any PII or PCI data outside the organization, they must provide a mandatory justification to override the restriction. I’ve also added an exemption: if a document or email is labeled with a specific sensitivity label called “DLP External/DLP-EXCLUSION” (used by management), users can send sensitive data externally without needing to justify or override.

I’ve deployed the exact same policy for two customers: one using Microsoft 365 E5 licenses, and another using Microsoft 365 Business Premium. In the E5 tenant, everything works as expected—applying the “DLP External/DLP-EXCLUSION” label lets users send the data outside without mandatory justification. However, in the Business Premium tenant, even after applying the excluded label, users are still prevented from sending PII/PCI data externally.

DLP Policy and Error attachment = DLP.pdf (128.2 KB)

What might be causing this difference? Is it related to the license type?

Thank you,
Rugved Vaidya.

6 Spice ups

Sounds like a licensing issue to me…

3 Spice ups

The Microsoft 365 Business Premium plan does not support automatic label-based DLP policy exemptions.

E5 includes Microsoft Purview Information Protection and DLP Premium capabilities, which allow for advanced DLP conditions, including sensitivity label-based policy exemptions.
Business Premium lacks these advanced DLP features, even if you can create and assign sensitivity labels. The enforcement of label-based exemptions in DLP policies is not fully supported.
This means that while the label “DLP External/DLP-EXCLUSION” can be applied in the Business Premium tenant, the DLP engine doesn’t honor it as an exemption trigger.

4 Spice ups