Microsoft 365 Message Center item MC1387682

MC1387682 - Microsoft Purview Data Loss Prevention default protection controls for Exchange Online when classification fails

Microsoft Purview DLP for Exchange Online will introduce an opt-in feature to detect classification failures like timeouts, throttling, and scan errors, enhancing visibility and compliance. It expands existing conditions, adds a new DocumentScanFailures condition, and may increase alerts after enabling. Rollout starts mid-2026.

Message Center ID
MC1387682
Category
stay Informed
Severity
normal
Services
Microsoft Purview
Tags
New feature, User impact, Admin impact
Roadmap ID
561916
Platforms
Web
Published
2026-06-11
Last updated
2026-06-11
Expires
2026-10-01

[What and Why]Microsoft Purview Data Loss Prevention (DLP) is introducing new capabilities to detect and act on classification failures such as timeout, throttling, and scan errors. This update helps administrators surface previously undetected failures and apply appropriate protection, improving visibility and strengthening compliance outcomes across Exchange Online.This message is associated with Microsoft 365 Roadmap ID 561916.[Rollout Schedule]Public Preview: Rollout begins in mid-June 2026 and is expected to complete by early July 2026.General Availability (Worldwide): Rollout begins in mid-August 2026 and is expected to complete by late August 2026.[Impact on Your Organization]Who is affectedAdmins managing Microsoft Purview DLP policies in Exchange OnlinePlatforms/Services:Exchange OnlineMicrosoft Purview Data Loss PreventionWhat will happenThe feature is turned off by default and requires explicit tenant-level opt-in.There is no change to existing behavior or user experience unless you enable the feature.Existing DLP conditions will expand to detect additional classification failure scenarios after opt-in is enabled.New classification failure categories include: timeoutthrottlingother scan errors.A new condition called DocumentScanFailures allows targeting specific failure types and must be used with existing scan conditions.You may see an increase in DLP alerts and rule matches after enabling the feature. This reflects previously undetected classification failures and does not indicate new issues.Updated condition behaviorDocument couldn't be scanned will detect:Text extraction failuresClassification failures such as timeout, throttling, and other scan errors after opt-inDocument didn't complete scanning will detect:Partial text extractionPartial classification failures where some classifiers succeed and others failNew conditionDocumentScanFailures enables detection of specific failure types including timeout, throttled, and other errors.Must be used with either Document couldn't be scanned or Document didn't complete scanning.Cannot be used as a standalone condition.[Action Required and Recommendations]To prepare for this update:Review existing DLP policies that use these conditions:Document couldn't be scannedDocument didn't complete scanningPlan when to enable the tenant-level opt-in based on your readiness.Enable the feature using PowerShell:Connect using Connect-IPPSSession.Run the following commands:$json = '{"Classification":{"State":1}}'Set-PolicyConfig -DlpErrorHandlingConfig $jsonAllow up to one hour for the configuration to take effect.Configure rule priority to ensure proper evaluation:Place content-based rules above scan failure rules.Scan failure conditions only evaluate classifiers that have already run.Example rule order:Detect credit card numbersCondition: Content contains credit card numberAction: BlockDetect account numbersCondition: Content contains account numberAction: BlockDetect exact data matchCondition: Content contains EDM sensitive information typeAction: BlockCatch full scan timeout failuresCondition: Document couldn't be scanned and DocumentScanFailures set to timeoutAction: AuditCatch partial scan throttlingCondition: Document didn't complete scanning and DocumentScanFailures set to throttledAction: AuditCatch other scan errorsCondition: Document couldn't be scanned and DocumentScanFailures set to otherAction: AuditMonitor results using Activity Explorer and DLP alerts to understand classification failure patterns.Communicate this change to security and compliance teams.You can disable the opt-in setting to return to previous behavior if needed.[Compliance considerations]QuestionAnswerDoes the change alter how existing customer data is processed, stored, or accessed?Yes. Classification failures are now surfaced and evaluated as part of DLP processing, which changes how content scanning outcomes are interpreted.Does the change modify DLP policies or enforcement?Yes. Existing DLP conditions are expanded and a new condition is introduced, impacting rule evaluation behavior.Does the change alter how admins can monitor, report on, or demonstrate compliance activities?Yes. Admins gain enhanced visibility into classification failure scenarios through DLP alerts and Activity Explorer.Does the change include an admin control?Yes. The feature requires explicit tenant-level opt-in through PowerShell and can be disabled.