Download files for DLP incidents of type Exchange Online, OneDrive, and SharePoint

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 1 minute to read

    • Download files or email that violates the DLP policy on Microsoft Purview. Download this file or email on to your local machine from the DLP IR Incident view. You can download the files for DLP IR incidents of type Scan source Exchange Online, OneDrive, and SharePoint.

    Before you begin

    Role required:
    • sn_dlir.admin, sn_dlir.analyst
    • Any valid approver

    Procedure

    1. Navigate to All > DLP Incident Management > DLP Analyst Workspace.
    2. Open a DLP incident record of type Scan source Exchange Online or OneDrive or SharePoint which is ingested from Microsoft source.
    3. Click Download File.
      The file or email that violated the DLP policy on the Microsoft Purview side will be downloaded to the user’s local machine.
      Note:
      DLP admin can control the access of Download File action by disabling the Should downloading the violating file of the reported incident be allowed setting from the Advanced Settings page. For more information, see Configure advanced settings for Data Loss Prevention Incident Response.

    Download files approval flow

    The below approval flow describes the procedure for the approvers to view the Download File action.

    Before you begin

    Role required: any valid approver

    Procedure

    1. Navigate to All > DLP Incident Management > DLP User Workspace.
    2. Select My Approvals module available under My DLP Incidents module.
    3. Open an approval request record which is raised for Microsoft DLP Incident with application any of OneDrive, SharePoint or Exchange.
    4. Click on info icon (i) available on the DLP Incident field on the form view.
    5. Click Download File.

    Result

    After performing this action, the file that violated the DLP policy on Microsoft will be downloaded to the user’s local machine.

    DLP admin can control the access of Download File action by disabling the Should downloading the violating file of the reported incident be allowed setting from the Advanced Settings page. For more information, see Configure advanced settings for Data Loss Prevention Incident Response for Data Loss Prevention Incident Response.