DLP Endpoint Policy “Block with override” not enforcing restriction or prompting for justification on cloud uploads (Microsoft Purview)

Question

DLP Endpoint Policy “Block with override” not enforcing restriction or prompting for justification on cloud uploads (Microsoft Purview)

Nitin Jain 0

Hi everyone,

We’ve configured a DLP policy for Endpoint in Microsoft Purview with the following setup:

Rule location: Endpoint Condition: Labeled documents Activity (under “Service domain and browser activities”): Upload to restricted cloud service domains Action configured: Block with override Additional setting: “Require business justification” is enabled

Issue: When users attempt to upload a labeled document to an external/restricted cloud service, the upload is successfully completed without any restriction.

There is:

No block enforced No prompt for business justification No option to override

Environment details:

Browsers tested: Microsoft Edge and Google Chrome Microsoft Purview Extension is installed and enabled Behavior is consistent across both browsers

Expected behavior: The upload should either:

Be blocked with an option to override, or Prompt the user to provide business justification before allowing the upload

Actual behavior: The upload proceeds without any DLP enforcement or user prompt.

Ask: Has anyone experienced this behavior or knows if additional configuration is required (e.g., endpoint settings, supported domains, or extension policies) to ensure enforcement and justification prompts work correctly?

Any insights would be greatly appreciated.

Thanks

0 comments

1 answer

Your answer

Answer 1

Smaran Thoomu 35,045 Microsoft External Staff Moderator

Hi @Nitin Jain
Thanks for sharing the details - from what you’ve described, this usually comes down to how Endpoint DLP handles browser-based uploads.

A couple of things to double-check:

Activity coverage: The “upload to restricted cloud service domains” condition only works for supported/sanctioned domains. If the target site isn’t recognized/supported, the policy won’t trigger even if it’s configured.
Device onboarding: Make sure the machines are properly onboarded to Defender and showing as healthy. If the device isn’t fully onboarded, Endpoint DLP won’t enforce.
Policy scope: Confirm the policy is applied to the correct user/device group and that it’s actually synced to the endpoint (sometimes worth forcing a sync or waiting a bit).
Label detection: Ensure the file is actually being detected as labeled at the endpoint level (you can validate via Activity Explorer).

Also worth noting - for browser scenarios, enforcement can vary depending on how the upload happens (some web apps or upload methods aren’t fully covered yet).

If everything above checks out and it’s still not triggering, it would help to know:

Which exact cloud service/domain you’re testing with
Whether you see any events in Activity Explorer at all

That will help narrow down whether it’s a coverage gap vs. a config issue.

Nitin Jain 0 Reputation points

2026-04-10T09:50:36.36+00:00
Hi @Smaran Thoomu I’d like to summarize the current Endpoint DLP configuration and the testing performed for your review.

Configuration Details:

Unallowed Browsers:

Safari (Executable: Safari.app)

Firefox (Executable: firefox.exe)

Service Domains (Action: Block):

notepad.link

mail.google.com

dropbox.com

Sensitive Service Domain Groups:

chatgpt.com

*.chatgpt.com

notepad.link

Policies Applied:
Two Endpoint DLP policies are currently configured, and my account is included in both:

Nitin Test (Priority: 12)

DLP Policy for GI (Priority: 13)
Attached the screenshots for better understading of the rule configuration in both the policies. Name of the attached files are gives in respect to policies name.

Testing Performed: Testing was conducted using the following browsers with the Purview Browser Extension installed:

Microsoft Edge

Google Chrome (extension installed)

Mozilla Firefox (extension installed)

Please review the above and let me know if any further details or clarification are required.

Thanks,
Nitin
Smaran Thoomu 35,045 Reputation points Microsoft External Staff Moderator

2026-04-13T15:53:25.5466667+00:00
Nitin Jain Thanks for sharing the configs and screenshots - that clarifies things.

The main issue here is that the rule you’re using (“upload to restricted cloud service domains”) only triggers for domains added under the restricted domains list, not the sensitive service domain group.

Right now, I can see ChatGPT is added under the sensitive group, but not under the actual restricted domains. Because of that, the condition never matches - so no block, no override, no justification prompt.

That’s why uploads are going through.

If you want enforcement for ChatGPT, add:

chatgpt.com

*.chatgpt.com

to the restricted domains list in Endpoint DLP settings.

Give it a sync and test again - you should then see the block/override behavior.

Also, quick note - Edge tends to be the most consistent for this. Chrome usually works with the extension, but behavior can vary slightly depending on the site.

Let me know what you see after updating.
Nitin Jain 0 Reputation points

2026-04-30T07:04:34.4866667+00:00

Thank a ton @Smaran Thoomu MS suggested the same thing and it resolved the issue.
Smaran Thoomu 35,045 Reputation points Microsoft External Staff Moderator

2026-05-01T03:23:39.3433333+00:00

Nitin Jain Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Share via

DLP Endpoint Policy “Block with override” not enforcing restriction or prompting for justification on cloud uploads (Microsoft Purview)

1 answer

Your answer