Microsoft Purview DLP Gains File Quarantine for SharePoint and OneDrive

New capability moves non-compliant content to a secure review location while preserving investigation context.

Microsoft SharePoint

Key Takeaways:

  • Files that violate DLP policies can now be automatically moved to a secure quarantine location.
  • Users see a placeholder file explaining why the content was quarantined.
  • Administrators can investigate, monitor, and manually restore quarantined files when needed.

Microsoft has introduced a new File Quarantine action for Microsoft Purview Data Loss Prevention (DLP) policies in SharePoint Online and OneDrive for Business. The feature automatically isolates files that violate DLP policies, which helps organizations prevent sensitive data from being exposed or shared.

Microsoft mentioned that sensitive files stored in SharePoint and OneDrive can remain accessible or continue to be shared even after a Data Loss Prevention (DLP) policy detects a violation. This creates a risk of unintended data exposure and makes it harder for organizations to contain sensitive information quickly.

How does the new File Quarantine feature work?

To address this issue, Microsoft is adding a quarantine capability that automatically moves non-compliant files to a secure administrator-controlled location. A placeholder (“tombstone”) file remains in the original location to maintain workflow continuity and inform users about what happened. This placeholder can display a customized message defined by administrators. It lets users know that the file has been quarantined and preserves the collaborative context around the document.

“When a DLP policy is triggered, the File Quarantine action automatically moves the file to a restricted, admin‑controlled & defined quarantine location—instantly removing access for all users while preserving the file for review and investigation. This capability helps organizations contain data‑exposure risks, prevents further sharing or misuse, and delivers a powerful new layer of enforcement,” Microsoft explained.

Administrators will have visibility into quarantined files through existing monitoring and investigation tools, including audit logs, DLP alerts, and Activity Explorer. It allows them to track policy violations and review related activities. If a quarantined file needs to be reinstated, an administrator must manually restore it. Moreover, any sharing permissions that existed before the file was quarantined are not automatically reapplied after restoration.

How organizations should prepare for File Quarantine?

To prepare for this capability, organizations should establish a dedicated SharePoint location to store quarantined files and configure the required settings, including the destination folder and user notification message. It is also important to review and limit access to the quarantine site so that only authorized personnel can manage the content.

Organizations are encouraged to test this feature using DLP policy simulation before enforcement to ensure it works as expected. It’s also important to update operational procedures and to notify support, security, and compliance teams of the new workflow and their respective responsibilities.