Get started with the data loss prevention simulation mode
You can use Microsoft Purview Data Loss Prevention (DLP) simulation mode to see:
- The impact of a policy on your production environment without enforcement.
- All the items that would be matched by a policy if it were enforced.
This article walks you through simulation mode prerequistes, configuration options and how to view simulation results.
Tip
If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.
Before you begin
Licensing
Before you start using DLP policies, confirm your Microsoft 365 subscription and any add-ons.
For information on licensing, see Microsoft 365, Office 365, Enterprise Mobility + Security, and Windows 11 Subscriptions for Enterprises.
Permissions
The account you use to interact with simulation mode must be in the Information Protection admin role. For more information on the roles and role groups necessary to use simulation mode, see Permissions. For more information on roles and role groups in Microsoft Purview compliance, see Roles and role groups in Microsoft Defender for Office 365 and Microsoft Purview compliance
System configuration
To see matched items from endpoint devices in their native application on the Items for review, you must configure evidence collection for file activities on devices.
Manage DLP simulation mode
You can set a policy to be in simulation mode when you create it or after it's been created. You can also turn off simulation mode for a policy that's already in simulation mode.
- Use the steps in Create and Deploy data loss prevention policies to create a new policy or edit an existing policy.
- The last step in the policy configuration workflow is Simulate or turn on the policy. Select Run the policy in simulation mode to enable simulation mode. Select either Turn it on right away or Keep it off to disable simulation mode. You can further select:
- Show policy tips with in simulation mode to help educate your users when they take actions that might trigger policy actions.
- Turn the policy on if it's not edited within fifteen days of the simulation to turn the policy on without further interaction.
- Select Next and Submit.
After disabling, it can take up to 24 hours for the insights to stop appearing on the Overview page.
Viewing DLP policies in simulation mode
Select the appropriate tab for the portal you're using. To learn more about the Microsoft Purview portal, see Microsoft Purview portal. To learn more about the Compliance portal, see Microsoft Purview compliance portal.
Sign in to the Microsoft Purview portal > Data Loss Prevention > Policies.
Select a policy with a status of In simulation or In simulation with notifications to open the fly-out pane.
Select View simulation to see the Simulation overview, Items for review, and Alerts tabs.
Note
- Existing policies are running in test mode will automatically show up as running in simulation mode, and you can view the last 30 day data. You can restart the simulation as needed.
- Simulation results only presents the first 100 matched items for review for SharePoint and OneDrive for Business sites. This may differ from the total number of matched items.
- Simulation events will show up in activity explorer. You can filter on mode, which has TestWithNotifyUser, TestWithoutNotifyUser and enforce values.
See also
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for