Reviewing DLP false positives and overrides - Microsoft SC-400 Certification
By Isabella Morgan / February 10, 2022 / IBM and Microsoft Exams
With this particular report, all the false positives and overrides you see are reported by your organization's users. Users therefore need to be trained to report false positives correctly, because the accuracy of this report depends on it.
Imagine a scenario in which you create a new financial data policy that is currently in test mode. A few days ago, you enabled policy tips and allowed overrides of the policy. To use the reports to tune the new policy so that it matches only when it is meant to, select a start date shortly before the time you enabled policy tips and narrow the scope to show only false positives.
The following steps will explain how to do this:
- Click on Filter (in the right corner).
- Choose a start date.
- Underneath Services, ensure all services are chosen.
- Choose the financial data policy you would like to analyze and click on Apply.
- Uncheck DLP policy override from the legend of the chart.
In this view, you can see all of the reports with false positives for your financial data policy and use them to identify which sensitive information the policy is matching incorrectly.
Overrides can help you detect business processes that conflict with your policy. A high volume of overrides on a policy means you should take a closer look at those business processes. In that case, you need to decide whether you can modify the policy without weakening its protective function. You can do this by completing the following steps:
- From within the legend of the chart, select DLP overrides and untick DLP false positives.
- Choose an item from the table and look at the Justification section of the popup.
Overrides also help with auditing: the user who overrides the policy is responsible and accountable for that decision, and the recorded justification lets you investigate whether a valid business reason required the override. An override is not in itself a negative event.
You have now completed the reviewing and analyzing DLP reports section of this chapter, including the multiple labs that were part of it. The next section will focus on managing permissions for DLP reports.
Managing permissions for DLP reports
As with all services in Microsoft 365, you need specific permissions to be able to review DLP reports in the compliance center. The following table outlines the required permissions and their purpose:

Table 9.1 – Required permissions
Users within your IT admin team, or members of the compliance team who review DLP reports, require the correct permissions in the compliance center. By default, your tenant admins have access to this area, so they can grant the relevant team members access to the Microsoft 365 compliance center without granting access to the entire tenant. Follow the next steps to do this:
1. In Azure AD, create a group and add the members of your team who are compliance officers to it.
2. On the Permissions & roles page, create a role group under Compliance center:

Figure 9.8 – Compliance center permissions and roles
3. During the role group creation process, you can use the Choose roles option to add the relevant role to the role group. In our example, we will add the View-Only DLP Compliance Management role:

Figure 9.9 – Adding the View-Only DLP Compliance Management role
4. You can then add the AD group that was created in the earlier step in the Choose members section.
You can also assign users to an existing role group under Permissions in the compliance center. Assign the Security Reader role to any users who need read-only access to the existing reports page.
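The same role-group setup, done in Security & Compliance PowerShell instead of the portal, as an added example that is not from the book or the page. It assumes the ExchangeOnlineManagement module is installed, the connecting account is a tenant admin, and the group, user and role-group names below are constructed placeholders (the Azure AD group from step 1 is assumed to be mail-enabled so it can be added as a member).

```powershell
# Added example: create a least-privilege role group for DLP report reviewers.
# Names marked "placeholder" are constructed, not real tenant values.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName "admin@contoso.example"   # placeholder admin

$roleGroupName = "DLP Report Reviewers"                          # placeholder name
$roleToGrant   = "View-Only DLP Compliance Management"           # the role used in step 3
$members       = @("compliance-officers@contoso.example")        # placeholder: step 1 group (mail-enabled, assumed)

# Create the role group only if it does not exist yet, so the script is safe to re-run.
$existing = Get-RoleGroup | Where-Object { $_.Name -eq $roleGroupName }
if (-not $existing) {
    New-RoleGroup -Name $roleGroupName -Roles $roleToGrant -Members $members `
        -Description "Read-only access to DLP reports in the compliance center"
} else {
    # Replace the member list with exactly the intended members (removes stragglers).
    Update-RoleGroupMember -Identity $roleGroupName -Members $members
}

# Least-privilege check: the group must carry only the intended role and nothing broader.
# Role entries may be returned as plain names or as a path; keep the last segment either way.
$group         = Get-RoleGroup -Identity $roleGroupName
$assignedRoles = @($group.Roles | ForEach-Object { ($_ -split '/')[-1] })
$unexpected    = $assignedRoles | Where-Object { $_ -ne $roleToGrant }
if ($unexpected) {
    Write-Warning "Role group '$roleGroupName' carries unintended roles: $($unexpected -join ', ')"
} else {
    Write-Host "OK: '$roleGroupName' is limited to '$roleToGrant'"
}

# Users who only need the existing reports page go into the built-in Security Reader role group.
Add-RoleGroupMember -Identity "Security Reader" -Member "report.viewer@contoso.example"  # placeholder user

Disconnect-ExchangeOnline -Confirm:$false
```

Re-running the script after someone has added an extra role to the group surfaces that change as a warning, which is the drift check a reviewer of these permissions would want.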
You should now understand how to manage permissions for DLP reports. In the next section, we will discuss how to manage DLP violations in Microsoft Defender for Cloud Apps.