Exclude a group of users in a sharepoint DLP policy

Question

Exclude a group of users in a sharepoint DLP policy

adela gonzalez 0

I need to create a DLP policy that monitors PDF extensions for a specific SharePoint site, but I need to exclude a group of users. How do I configure this? Is it possible?

I can't find a way to configure this.

Smaran Thoomu 29,415 Reputation points Microsoft External Staff Moderator

2025-06-26T06:29:30.49+00:00

@adela gonzalez Following up to see if the below answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

3 answers

Your answer

Smaran Thoomu 29,415 Reputation points Microsoft External Staff Moderator

2025-06-26T06:29:30.49+00:00

@adela gonzalez Following up to see if the below answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Answer 1

Anonymous

Hi @adela gonzalez
To set up a DLP policy in Microsoft Purview that monitors PDF files on a SharePoint site but excludes a group of users, follow these steps:

Create a DLP Policy
Go to the Microsoft Purview compliance portal:
Policies > Data loss prevention > Create a policy.
Choose a Custom Policy Select Custom policy template to get full control over locations and rules.
Select Locations Choose SharePoint and optionally narrow it down to a specific site collection (you can select specific sites).
Define Policy Rules a) Under Rules, add a new rule and set the condition to detect file type = PDF. b) You can also combine with content detection (e.g., sensitive info types) if needed.
Set the User Scope with Exclusions In the “Choose users or groups” section of the rule: Select All users and groups (or specific ones).
- Then exclude the group you want to exempt using the Exclude users and groups option.
Run in test mode first to validate the exclusions work as expected.

You must use the Exclude users and groups setting inside the location configuration for SharePoint/OneDrive.

I hope this information helps. Please do let us know if you have any further queries.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

As your feedback is valuable and can assist others in the community facing similar issues.

Thank you.

adela gonzalez 0 Reputation points

2025-06-20T07:33:09.11+00:00

Regarding step 7, I can't find exactly what you're telling me to configure the exception.

Regarding the last sentence, "You must use the Exclude users and groups setting inside the location configuration for SharePoint/OneDrive." Does this mean that to exclude a SharePoint group, I need to add OneDrive as a location and make an exception there?
adela gonzalez 0 Reputation points

2025-06-23T08:31:49.7766667+00:00
I can not find this:

Set the User Scope with Exclusions In the “Choose users or groups” section of the rule: Select All users and groups (or specific ones).

Then exclude the group you want to exempt using the Exclude users and groups option.

Can you help me?
Anonymous

2025-06-23T08:49:45.5233333+00:00

@adela gonzalez

1)Exclusions are configured in the location scope, not in the rule conditions.
When you select the SharePoint location (during policy setup), you must click “Edit” next to it. That’s where you’ll find:
a)Include users/groups

b)Exclude users/groups

2)Only custom DLP policies in Microsoft Purview provide full access to location scoping options, including the ability to exclude specific users or groups. If you created your policy using a built-in template like “Financial data” or “Privacy regulation,” these templates may limit customization and hide the user exclusion settings. To enable exclusions, the recommended approach is to create a new custom policy and choose advanced rules during the configuration process. 3)To access all configuration options in Microsoft Purview, including user and group exclusions in DLP policies, the logged-in user must have appropriate permissions such as the Compliance Administrator, Security Administrator, or Data Loss Prevention Admin role. Without these roles, some settings may be hidden or unavailable in the UI.

I hope this information helps. Please do let us know if you have any further queries.
Anonymous

2025-06-24T06:30:55.63+00:00

@adela gonzalez
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
adela gonzalez 0 Reputation points

2025-06-24T07:25:04.11+00:00

I don't have any resolution, in fact, I have included OneDrive to set the group exception and the alert level is very high. Could you help me configure this exception for SharePoint?
Anonymous

2025-06-25T12:33:23.41+00:00

@adela gonzalez
If you’re trying to exclude a group from a DLP policy for SharePoint and not seeing the option, you’re not alone it’s a bit hidden in the UI.

1Go to the Microsoft Purview compliance portal and open your existing DLP policy (or create a new one using the Custom policy option,this part is important because templates like “Financial data” might not give you the flexibility you need).

2.In the Locations step, make sure SharePoint is selected, then click Edit next to it.

3.Now you should see options to include or exclude users and groups. Use the Exclude users and groups section to add the group you want to exempt. Just search for your Azure AD group and add it.

4.Finish configuring the rule like setting the condition to monitor PDF files—and publish the policy. I’d recommend starting in test mode so you can make sure the group exclusion works as expected before enforcing it fully.

One thing to keep in mind: if you don’t see the exclude option, double-check that you’re editing the SharePoint location (not the rule), that you’re using a custom policy, and that you have the right admin role like Compliance Admin or DLP Admin. I ran into this once because I didn’t have the right role assigned.

Hope that helps. Let me know if you're still stuck, I can walk through it with you.
adela gonzalez 0 Reputation points

2025-06-26T07:05:49.14+00:00

Hi,

I have tried to follow your instructions:

2.In the Locations step, make sure SharePoint is selected, then click Edit next to it.

3.Now you should see options to include or exclude users and groups. Use the Exclude users and groups section to add the group you want to exempt. Just search for your Azure AD group and add it.

I cannot find this opcion , I only can exclude site but not user or groups.

Regarding, if you don’t see the exclude option, double-check that you’re editing the SharePoint location (not the rule), that you’re using a custom policy, and that you have the right admin role like Compliance Admin or DLP Admin. I ran into this once because I didn’t have the right role assigned.

Even though I have the correct permissions and I'm editing the location, not the rule.

Can you help me?
Anonymous

2025-06-30T02:20:34.6+00:00

@adela gonzalez
In the UI shown in your screenshot, you are currently editing the site-level scope (i.e., selecting specific SharePoint sites) not the user/group scoping pane.

The confusion is understandable, because Microsoft places user and group inclusion/exclusion options not in this screen, but in a separate step during the policy creation process, under “Choose users or groups” this option only appears when you create or edit the rule itself and have selected a custom policy with advanced rules.

To configure user or group exclusions in your DLP policy, ensure you’re using a Custom policy, not a built-in template. After completing the Locations step (as shown in your screenshot), continue to the Rules step. There, click Create or Edit Rule, and make sure to choose Advanced settings. This will reveal the “Choose users or groups” section, where you can specify which users or groups to include or exclude. Use this section to exclude your target Azure AD group from the policy.

I hope this information helps. Please do let us know if you have any further queries.
adela gonzalez 0 Reputation points

2025-07-01T07:15:17.7833333+00:00

To configure user or group exclusions in your DLP policy, ensure you’re using a Custom policy, not a built-in template. After completing the Locations step (as shown in your screenshot), continue to the Rules step. There, click Create or Edit Rule, and make sure to choose Advanced settings. This will reveal the “Choose users or groups” section, where you can specify which users or groups to include or exclude. Use this section to exclude your target Azure AD group from the policy.

I'm trying to follow the steps you're giving me, but in the Create Rule section, I can't find where the "Choose users or groups" section is. This only appears if I choose Exchange as the location, but I only need the SharePoint location. Can you tell me how to access the "Choose users or groups" section?

I have both the policy and the rule in custom mode

Can you help me??

Answer 2

adela gonzalez 0

You tell me that:

Exclusions are configured in the location scope, not in the rule conditions. When you select the SharePoint location (during policy setup), you must click “Edit” next to it. That’s where you’ll find: a)Include users/groups

b)Exclude users/groups

When I access Sharepoint location these options do not appear, I can only include or exclude Sharepoint sites.

Can you help me with this setup?

Thanks in advance

Answer 3

Hello adela gonzalez,

For SharePoint DLP, scoping is possible only at the site level. Refer to: https://learn.microsoft.com/en-us/purview/dlp-policy-reference#locations

Hope this helps! Need further assistance or to raise a feature request, contact support: https://support.microsoft.com/en-us

If you found the information above helpful, please Accept the answer. This will assist others in the community who encounter a similar issue, enabling them to quickly find the solution and benefit from the guidance provided.

Share via

Exclude a group of users in a sharepoint DLP policy

3 answers

Your answer