German post was automatically translated by DeepL API
Microsoft announced Simulation Mode for Purview Data Loss Prevention (DLP) in January. This mode replaces the previous test options in DLP rules and policies.
A compliance administrator creates a new DLP policy, configures the desired options, and finds the new Simulation Mode option at the end. Previously, there were two options for immediate and future activation.
The documentation does not yet clarify whether Microsoft expects an E5 / E5 license add-on for Simulation Mode or whether a license with Data Loss Prevention is sufficient.
Simulation Mode can be used in combination with Test-DLPPolicies. The PowerShell command is valid for data in SharePoint and OneDrive. Simulation Mode supports the analysis of data in SharePoint, OneDrive, Exchange, Teams, and Devices.
Administrators may know the simulation mode from Conditional Access Policies with Report-only.
In simulation mode, the policy analyzes the configurations’ impact on end users without restricting them from their daily work. This allows administrators to optimize the configurations before global activation.
A DLP policy in simulation mode saves the analysis for 30 days.
- For SharePoint and OneDrive, Simulation Mode analyzes existing and new data. However, the summary only includes the first 100 pieces of data.
- For Exchange, Teams, and Devices, Simulation Mode analyzes new data from policy activation.
Simulation Mode starts analyzing immediately. The evaluation of initial results can take 24 hours.
Each DLP policy in Simulation Mode includes a Simulation Mode analysis with three sections:
- The overview of the analysis shows general evaluations and statistics for the simulation.
- Review of objects, including all objects found.
- Alerts are listed in this section if configured in the DLP policy.
Simulation mode results are also included in the Activity Explorer. The view in the Activity Explorer is similar to the Review section in the Simulation Mode analysis.
