
Unable to Turn Off User Overrides in Office 365 DLP Policies



During some recent testing of Office 365 DLP policies I encountered what I suspect is a bug in the Security & Compliance Center.

After creating a new DLP policy from a template, I could not disable the User overrides settings in the “High volume of content detected” rule.

Even after turning off user overrides, saving the policy changes, and waiting for the policy change to deploy successfully, the override continued to be available for end users. Re-editing the rule in the Security & Compliance Center would show that the setting had reverted to its original setting.

After multiple attempts I finally decided to use PowerShell to make the change. If you need to do this, connect to the Security & Compliance Center and use the following commands.

To view a list of DLP policy rules, run Get-DlpComplianceRule. If you want to see rules for a specific policy, use the -Policy parameter.

To see the user override setting for a rule, look at the NotifyAllowOverride property.

TechNet lists the possible values as:

  • FalsePositive
  • WithoutJustification
  • WithJustification

But you can also null the value to turn off user overrides. Use Set-DlpComplianceRule to make the change.
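The steps above, put together as an added example (not code from the original post). It assumes a Security & Compliance Center PowerShell session is already connected, and the policy name is a placeholder. Because the portal silently reverted the setting, the script re-reads the rules after the change instead of trusting the command's success.

```powershell
# Added example. Assumes an existing Security & Compliance Center PowerShell session.
# 'Example DLP Policy' is a placeholder; substitute the name of your own policy.
$policyName = 'Example DLP Policy'

# 1. View the rules in the policy and their current user override setting.
$rules = Get-DlpComplianceRule -Policy $policyName
$rules | Select-Object Name, NotifyAllowOverride | Format-Table -AutoSize

# 2. Null NotifyAllowOverride on every rule that still allows an override.
foreach ($rule in $rules) {
    if ($rule.NotifyAllowOverride) {
        Write-Output "Clearing user override on rule '$($rule.Name)'"
        Set-DlpComplianceRule -Identity $rule.Name -NotifyAllowOverride $null
    }
}

# 3. Re-read the rules from the service and confirm the value is now empty.
$stillSet = Get-DlpComplianceRule -Policy $policyName |
    Where-Object { $_.NotifyAllowOverride }

if ($stillSet) {
    Write-Warning "User override is still enabled on: $($stillSet.Name -join ', ')"
} else {
    Write-Output "No rule in '$policyName' allows user overrides."
}
```

Run step 3 again after the policy has finished deploying, since that is the point at which the portal change was seen to revert.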

I’ve tested two separate DLP policy templates and both of them exhibited the same behaviour, which makes me suspect it is a general Security & Compliance Center bug and not specific to any template.