Dear John Litster,
Thank you for reaching out and sharing the details of your experience with configuring Data Loss Prevention (DLP) policies in Microsoft Purview to block Social Security Numbers (SSNs) in emails.
I understand that although your policy successfully blocks credit card numbers, SSNs in the formats xxx-xx-xxxx and xxxxxxxxx are still passing through both inbound and outbound emails despite waiting for the policy to take effect. I appreciate your patience on this matter.
Based on the symptoms you described, here are some common factors and recommended steps that should help resolve the issue:
- Confidence Level and Keyword Requirements: By default, Microsoft Purview’s sensitive information type (SIT) detection for SSNs requires a certain confidence level before triggering a policy. Generally, SSNs are often detected at a Medium or High confidence setting, which includes requirements such as the presence of specific keywords like “SSN” or “Social Security” near the number to increase accuracy and reduce false positives. If your SSNs appear as just digits (e.g., 123-45-6789) without these keywords, the policy might not detect them. You can consider adjusting the confidence level for SSN detection to a Low setting in your DLP rule, which will make the policy more sensitive to number patterns alone.
- Validation of Sensitive Information Type Configuration: Ensure you are using the built-in Social Security Number (U.S.) sensitive information type provided by Microsoft Purview, which is pre-configured with rules to detect common SSN formats and patterns. If you have customized this SIT or created a new one, review those definitions to confirm that number patterns and associated conditions (like keywords) align with your environment’s data.
- Policy Scope and Application: Double-check the scope and conditions of your DLP policy to ensure it targets the correct users, groups, and locations (such as Exchange mailboxes for inbound and outbound emails). Improper scope configuration can cause the policy to not apply as expected.
- Testing with Realistic SSN Values: Microsoft excludes certain test numbers and commonly used placeholder SSNs from detection to avoid false positives. Please test the policy using real or representative SSN numbers rather than sample or publicly known test numbers.
- Policy Enforcement Status and Propagation Time: Confirm that your DLP policy is set to Enforce mode rather than Monitor or Test mode. While you mentioned waiting for the policy to take effect, please allow up to 24 hours for full propagation in large or complex environments.
For detailed guidance on Social Security Number detection and DLP configuration, please refer to the official Microsoft documentation here: Microsoft Purview Information Protection sensitive information types: Social Security Number (U.S.)
You can also review best practices for testing and fine-tuning DLP policies in the Microsoft Purview compliance portal: Microsoft Purview DLP overview and best practices
If after trying these steps the issue persists, please share additional details such as screenshots of your DLP policy settings or any alerts/logs you can access. I am here to assist you further in ensuring your sensitive data is adequately protected.
Thank you again for your engagement with Microsoft Purview and for allowing us to assist you.
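The enforcement mode, Exchange scope and per-rule confidence settings discussed in the answer above can also be read back from Security & Compliance PowerShell. The following read-only check is an added example, not part of the original answer; it assumes the ExchangeOnlineManagement module is installed and `Connect-IPPSSession` has already been run, and `$PolicyName` is a placeholder for your own policy name.

```powershell
# Added example: read-only audit of one DLP policy and its rules.
# Assumption: an active Security & Compliance PowerShell session (Connect-IPPSSession).
# $PolicyName is a placeholder, not a name taken from the thread.
$PolicyName = '<your DLP policy name>'

# -DistributionDetail populates DistributionStatus so propagation can be checked.
$policy = Get-DlpCompliancePolicy -Identity $PolicyName -DistributionDetail

# Enforcement, propagation and scope in one view.
$policy | Format-List Name, Mode, Enabled, DistributionStatus, ExchangeLocation

# Only Mode = Enable enforces actions; the test modes and Disable do not block mail.
if ($policy.Mode -ne 'Enable') {
    Write-Warning "Policy mode is '$($policy.Mode)'; rule actions are not being enforced."
}

# No Exchange location means email is outside the policy's scope.
if (-not $policy.ExchangeLocation) {
    Write-Warning 'Policy has no Exchange location, so email is out of scope.'
}

# Dump each rule's sensitive information type conditions, including the
# configured instance count and confidence settings, for manual review.
foreach ($rule in Get-DlpComplianceRule -Policy $PolicyName) {
    "Rule: $($rule.Name)  Disabled: $($rule.Disabled)  BlockAccess: $($rule.BlockAccess)"
    $rule.ContentContainsSensitiveInformation | ConvertTo-Json -Depth 6
}
```

Compare the confidence settings printed for the SSN entry against those for the credit card entry that is already blocking as expected.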