Migrate Exchange Online data loss prevention policies to Compliance center
Exchange Online data loss prevention (DLP) policies are being deprecated. Much richer DLP functionality, including Exchange Online DLP, is offered in the Microsoft 365 Compliance center. You can use the DLP policy migration wizard to help you bring your Exchange Online DLP policies over to the Compliance center where you'll manage them.
The migration wizard works by reading the configuration of your DLP policies in Exchange and then creating duplicate policies in the Compliance center. By default the wizard creates the new versions of the policies in Test mode, so you can see what impact they'd have in your environment without enforcing any of the actions. Once you're ready to fully transition to the Compliance center versions, you must:
- Deactivate or delete the source policy in the Exchange Admin Center (EAC).
- Edit the Compliance center version of the policy and change its status from Test to Enforce.
If you do not delete or deactivate the source policy in the EAC before you set the Compliance center version to Enforce both sets of policies will be attempting to enforce actions and you will receive duplicate events. This is an unsupported configuration.
The migration wizard only migrates EXO policies and associated mail flow rules. Standalone Exchange mail flow rules aren't migrated.
There are four phases to migrating DLP policies from Exchange into the Unified DLP management console in the Compliance center.
- Prepare for migration
- Evaluate and compare your Exchange Online (EXO) DLP policies and your Compliance Center DLP policies for duplicate functionality.
- Decide which EXO DLP policies you want to bring over exactly as they are, you can use the wizard to migrate these.
- Decide which EXO DLP policies you want to consolidate and consolidate them in the Exchange admin center, then use the migration wizard to bring them over into the Compliance center.
- Perform the migration - use the wizard
- Testing and validation - examine the results
- Activate the migrated policies
Before you begin
Licensing and versions
Before you get started with migrating DLP policies, you should confirm your Microsoft 365 subscription and any add-ons.
To access and use the policy migration wizard, you must have one of these subscriptions or add-ons
- Microsoft 365 E3
- Microsoft 365 E5
- Microsoft 365 A5 (EDU)
- Microsoft 365 E5 compliance
- Microsoft 365 A5 compliance
- Microsoft 365 E5 information protection and governance
- Microsoft 365 A5 information protection and governance
For a detailed list of DLP licensing requirements, see Microsoft 365 Licensing guidance for security & compliance, data loss prevention
The account that you use to run the migration wizard must have access to both the Exchange Admin Console DLP page and to the Unified DLP console in the Compliance center.
Prepare for migration
- If you are unfamiliar with DLP, the Compliance center DLP console, or the Exchange Admin center DLP console, you should familiarize yourself before attempting a policy migration.
- Evaluate your Exchange DLP and Compliance center policies by asking these questions:
|Is the policy still needed?||If not, delete or deactivate it||don't migrate|
|Does it overlap with any other Exchange or Compliance center DLP policies?||If yes, can you consolidate the overlapping policies?||- If it overlaps with another Exchange policy, manually create the consolidated DLP policy in the Exchange Admin center, then use the migration wizard.
- If it overlaps with an existing Compliance Center policy, you can modify the existing Compliance center policy to match, don't migrate the Exchange version
|Is the Exchange DLP policy tightly scoped and does it have well-defined conditions, actions, inclusions, and exclusions?||If yes, this is a good candidate to migrate with the wizard, make note of the policy so that you remember to come back to delete it later||migrate with the wizard|
After you have evaluated all your Exchange and Compliance center DLP policies for need and compatibility, you can use the migration wizard.
- Open the Microsoft 365 Compliance center DLP console.
- If there are Exchange DLP policies that can be migrated, a banner will appear at the top of the page letting you know.
- Choose Migrate policies in the banner to open the migration wizard. All the Exchange DLP policies are listed. Previously migrated policies cannot be selected.
- Select the policies you want to migrate. You can migrate them individually, or in groups using a phased approach or all at once . Select Next.
- Review the flyout pane for any warnings or messages. Resolve any issues before proceeding.
- Select the mode you want the new Compliance center policy created in, Active, Test, or Disabled. The default is Test. Select Next.
- If desired, you can create additional policies that are based on the Exchange DLP policies for other unified DLP locations. This will result in one new unified DLP policy for the migrated Exchange policy and one new unified DLP policy for any additional locations that you pick here.
Any Exchange DLP policy conditions and actions that are not supported by other DLP locations, like Devices, SharePoint, OneDrive, On-premises, MCAS or Teams chat and channel messages will be dropped from the additional policy. Also, there is pre-work that must be done for the other locations. See:
- Learn about Microsoft 365 Endpoint data loss prevention
- Get started with Endpoint data loss prevention
- Using Endpoint data loss prevention
- Learn about the Microsoft 365 data loss prevention on-premises scanner
- Get started with the data loss prevention on-premises scanner
- Use the Microsoft 365 data loss prevention on-premises scanner
- Use data loss prevention policies for non-Microsoft cloud apps
- Review the migration wizard session settings. Select Next.
- Review the migration report. Pay attention to any failures involving Exchange mailflow rules. You can fix them and re-migrate the associated policies.
The migrated policies will now appear in the list of DLP policies in the Compliance center DLP console.
Testing and validation
Test and review your policies.
- Follow the Test a DLP policy procedures.
- Review the events created by the policy in Activity explorer.
Review the policy matches between Exchange Admin Center DLP and Microsoft 365 Unified DLP
To ensure that the migrated policies behave as expected, you can export the reports from both admin centers and do a comparison of the policy matches.
- Connect to Exchange Online PowerShell.
- Export the EAC DLP report. You can copy this cmdlet and insert the appropriate values:
Get-MailDetailDlpPolicyReport -StartDate <dd/mm/yyyy -EndDate <dd/mm/yyyy> -PageSize 5000 | select Date, MessageId, DlpPolicy, TransportRule -Unique | Export-CSV <"C:\path\filename.csv">
- Export the Unified DLP report. You can copy this cmdlet and insert the appropriate values:
Get-DlpDetailReport -StartDate <dd/mm/yyyy> -EndDate <dd/mm/yyyy> -PageSize 5000 | select Date, Location, DlpCompliancePolicy, DlpComplianceRule -Unique | Export-CSV <"C:\path\filename.csv">
Activate your migrated policies
Once you are satisfied with how your migrated policies are functioning, you can set them to Enforce.
- Open the Exchange Admin Center DLP console.
- Deactivate or delete the source policy.
- Open the Microsoft 365 Compliance center DLP console and select the policy you want to make active to edit it.
- Change the status to Turn on.