[Launched] Generally Available: Customer controlled maintenance for Azure Firewall
July 10, 2025JScript9Legacy scripting engine now enabled by default
July 10, 2025
Feature Support and Compatibility
Q: Which Outlook clients support DLP Policy Tips?
A: DLP policy tips are supported across several Outlook clients, but the experience and capabilities vary depending on the end user’s client version and the Microsoft 365 license (E3 vs. E5). For detailed guidance on policy tip support across Microsoft apps, read more here.
Below is a breakdown of policy tip support across Outlook clients:
Glossary:
- Basic Policy Tip Support: Display of simple warnings or notifications based on DLP rules.
- Top 10 Predicates: Most commonly used conditions in DLP rules.
- Content is shared from M365
- Content contains SITs
- Content contains sensitivity label
- Subject or Body contains words or phrases
- Sender is
- Sender is a member of
- Sender domain is
- Recipient is
- Recipient domain is
- Recipient is a member of
- Default Oversharing Dialog: A built-in popup warning users about potential data oversharing.
- Custom Oversharing Dialog: A tailored version of the oversharing warning.
- Wait on Send: A delay mechanism that gives users time to review sensitive content before sending.
- Out-of-box SITs: Out-of-box sensitive information types (SITs), like SSNs or credit card numbers.
- Custom SITs: User-defined sensitive data patterns.
- Exact Data Match: Used for precise detection of structured sensitive data.
Important considerations:
- Client version matters: Even within the same client (e.g., Outlook Win32), the version must be recent enough to support the latest DLP features.
- Older builds may lack support for newer DLP features.
- Policy tip visibility: Policy tips may not appear if the DLP rule uses unsupported predicates or if the client is offline.
- Licensing: E5 licenses unlock advanced features like oversharing dialogs and support for custom sensitive information types (SITs).
Q: Why don’t Policy tips appear for some users or rules?
A: While the underlying DLP rules are always enforced, policy tips may not appear for some users due to several factors:
- Outlook Client Version: Policy yips are only supported in specific versions of Outlook. For example, older builds of Outlook Win32 may not support the latest DLP capabilities. To ensure the Outlook client version you’re using supports the latest capabilities, read more.
- Licensing: Users with E3 licenses may only see basic policy tips, and some features may not be available at all, while E5 licenses unlock advanced DLP capabilities such as the custom oversharing dialog. For more information on licensing, read more.
- Unsupported Conditions or Predicates: If a DLP rule uses unsupported predicates, the policy tip will not be displayed even though the rule is enforced. To ensure compatibility, refer to our documentation for a list of supported conditions by client version.
- Offline Mode: Policy tips rely on real-time evaluation of message content against Data Loss Prevention (DLP) rules by Microsoft 365 services. When a user is offline, their Outlook client cannot communicate with these services, which affects the visibility of policy tips.
- What about offline E5 users?
- Even if a user has an E5 license, which includes advanced DLP features, the client must be online to evaluate and display these advanced policy tips. While the message may still be blocked or logged according to the DLP rule, the user won’t see any tip or warning until they reconnect.
- What about offline E5 users?
Q: Are trainable classifiers supported in policy tips?
A: Yes, but with specific limitations. Trainable classifiers are supported in DLP policy tips, but only under specific conditions related to licensing, client version, and connectivity:
- Licensing: The user must have a Microsoft 365 E5 license. Trainable classifiers are part of Microsoft Purview’s advanced classification capabilities, which are only available with E5 or equivalent add-ons.
- Client Support: Only certain Outlook clients support policy tips triggered by trainable classifiers. These include:
- Outlook Classic (Win32)
- New Outlook for Windows (Monarch)
- Other clients (such as Outlook Web App (OWA), Outlook for Mac, and Outlook Mobile) do not currently support this feature.
- Connectivity: The Outlook client must be online. Trainable classifiers rely on the Microsoft 365 Data Classification Service (DCS), which performs real-time content evaluation in the cloud. If the client is offline, policy tips based on trainable classifiers will not appear, even though the DLP rule may still be enforced when the message is sent.
Q: Is OCR supported in Policy Tips?
A: No, there is currently no support for OCR in policy tips. However, our goal is to support OCR in policy tips in the future.
Setup & Configuration
Q: What are the prerequisites for enabling DLP policy tips?
A: DLP policy tips notify users in real time when their actions may violate data protection policies. To enable and use them effectively, the following prerequisites must be met:
- Licensing Considerations
- Microsoft 365 E5 is required for full feature access, including real-time policy tips, trainable classifiers, and connected experiences.
- Connected Experiences must be enabled in the tenant for real-time tips to appear.
|
License |
Requirement |
|
Microsoft 365 E5 |
Required for full feature support including trainable classifiers, advanced predicates, and connected experiences. |
|
Microsoft 365 E3 |
Limited support, some advanced features may not be available. |
- Client Compatibility: DLP policy tips are supported across several Outlook clients, but the experience and capabilities vary depending on the client version, licensing, and configuration. Refer to the comprehensive compatibility matrix (provided at the beginning of this guide) to learn about policy tip support across Outlook clients.
- Permissions
- To configure and manage DLP policy tips in Microsoft Purview, specific roles and permissions are required. These permissions ensure that only authorized personnel can create, deploy, and monitor DLP policies and their associated tips.
- Required Roles:
|
Role Group |
Capabilities |
|
Compliance Administrator |
Full access to create, configure, and deploy DLP policies and tips. |
|
Compliance Data Administrator |
Manage DLP policies and view alerts. |
|
Information Protection Admin |
Configure sensitivity labels and integrate with DLP. |
|
Security Administrator |
View and investigate DLP alerts and incidents. |
Q: How do I configure a custom policy tip message using JSON?
A: You can configure a custom policy tip dialog in DLP policies using a JSON file. This allows you to tailor the message shown to users when a policy is triggered, such as for oversharing or sensitive content detection.
JSON must follow the schema outlined in Microsoft’s documentation and internal engineering guidance.
Applies to:
- Microsoft 365 online E5 users with connected experience enabled.
- This feature is supported in Outlook Classic (Win32) and Monarch.
- JSON-based dialogs are not supported in Outlook on the Web (OWA), Mac, or Mobile clients.
Q: Can I localize policy tips for different languages?
A: Localization of DLP policy tips allows users to see messages in their preferred language, improving clarity and compliance across global teams. Microsoft Purview supports localization through JSON-based configuration, but support varies by client.
Supported clients:
- Outlook Classic (Win32)
How to configure:
- Use the LocalizationData block in your custom Policy Tip JSON.
- Example:
- Upload this JSON using PowerShell with the NotifyPolicyTipCustomDialog parameter.
Q: What roles and permissions are required to manage DLP policy tips?
A: To manage Data Loss Prevention (DLP) policies and policy tips in Microsoft Purview, you only need to be assigned one of the following roles. Each role provides different levels of access depending on your responsibilities.
|
Role Group |
Capabilities |
|
Compliance Administrator |
Full access to create, configure, and deploy DLP policies and Policy Tips. |
|
Compliance Data Administrator |
Manage DLP policies and access compliance data. |
|
Information Protection Admin |
Configure sensitivity labels and integrate with DLP policies. |
|
Security Administrator |
View and investigate DLP alerts and incidents. |
Note:
- Microsoft recommends assigning the least privileged role necessary to perform the required tasks to enhance security.
- These roles are assigned in the Microsoft Purview portal under Roles and Scopes. Administrative Unit–scoped roles are also supported for organizations that segment access by department or geography.
Troubleshooting & Known Issues
Q: Why are policy tips delayed or not appearing at all?
A: If you’re not seeing policy tips, follow this checklist to find out why:
- Outlook Client Compatibility and Licensing
- Check if your Outlook client supports policy tips. Policy tips are not supported on all Outlook clients. Refer to Q: Which Outlook clients support DLP Policy Tips?
- Confirm your license. Advanced policy tips (e.g., those using trainable classifiers or oversharing dialogs) require a Microsoft 365 E5 license. Refer to Q: What are the prerequisites for enabling DLP Policy Tips?
- Policy Configuration Issues
- Review your DLP policy configuration and check for unsupported conditions. Refer to Q: What predicates are supported across different Outlook clients?
- Watch for message size limits
- Only the first 4 MB of the email body and subject, and 2 MB per attachment, are scanned for real-time tips.
- Use Microsoft’s diagnostic tool
- Run a built-in diagnostic to test your DLP policy setup. Run the diagnostic.
Q: What logs or data should I collect for support escalation?
A: To ensure a smooth and complete escalation to Microsoft support or engineering, collect the following logs and metadata depending on the client type. This helps accelerate triage and resolution.
- Fiddler trace
- Must include:
- Timestamp of issue
- Correlation ID (found as updateGuid in the DLP response)
- Tenant ID
- User ID / SMTP address
- Tenant DLP Policies and Rules
- Expected rule match conditions and Rule IDs
- (Optional): Draft email or data input (sender, recipient, subject, message body)
- Must include:
- ETL logs from %temp%Outlook Logging
- PNR logs (Problem Steps Recorder or screenshots)
- Tenant ID
- Tenant DLP Policies and Rules
- Expected rule match conditions and Rule IDs
Q: Are there known limitations with policy tips?
- Unable to detect sensitivity labels in compressed files.
- Unable to detect CCSI (SITs/Trainable SITs) in encrypted files.
Q: What are the limitations of the custom dialog?
- The title and the body and override justifications options can be customized using the JSON file. Basic text formatting is allowed: bold, underline, italic and line break. Justification options can be up to 3 plus an option for free-text input.
- The text for false positive and acknowledgment is not customizable.
- Below is the required structure of the JSON files that admins will create to customize the dialog for matched rules. The keys are all case-sensitive. Formatting and dynamic tokens for matched conditions can only be used in the Body key.
|
Keys |
Mandatory? |
Rules/Notes |
|
{} |
Y |
Container |
|
LocalizationData |
Y |
Array that contains all the language options. |
|
Language |
Y |
Specify language code: “en”, “es”, “fr”, “de”. |
|
Title |
Y |
Specify the title for the dialog. Limited to 80 characters. |
|
Body |
Y |
Specify the body for the dialog. Limited to 1000 characters. Dynamic tokens for matched conditions can be added in the body. |
|
Options |
N |
Up to three options can be included. One more can be added by setting HasFreeTextOption = true. |
|
HasFreeTextOption |
N |
This can be true or false, true will display a text box below the last option added to the JSON file. |
|
DefaultLanguage |
Y |
Must be one of the languages defined within the LocalizationData key. The user must include at least one. |