How to Configure DLP Manager Approval in Microsoft 365
You’ve set up a Data Loss Prevention (DLP) policy in Microsoft 365 to secure your organization’s sensitive information. But when you look at the available actions, you’re frustrated to find only basic options like “restrict access” or “encrypt” – with no sign of the manager approval workflow your executive team is demanding.
You start questioning if this is even possible in Microsoft 365. Did you miss something in the documentation? Is there some obscure setting hidden somewhere? Or will you need to cobble together a complex workaround using mail flow rules and transport rules?
If this sounds familiar, you’re not alone. Many IT administrators face this exact challenge when implementing DLP policies in Microsoft 365.
The Hidden Secret: It’s All About Policy Scoping
There’s a simple but non-obvious solution to this problem: correctly scoping your DLP policy. The reason you don’t see the manager approval option is likely because your policy is configured to protect content across multiple locations (SharePoint, OneDrive, Teams, and Exchange).
When a DLP policy spans multiple workloads, Microsoft limits the available actions to those that can work universally across all selected locations. This means you lose access to Exchange-specific actions – including the valuable “Forward for approval to sender’s manager” option.
The good news? By creating a dedicated Exchange-only DLP policy, you can unlock this powerful workflow and satisfy your management’s requirements for a formal approval process.
Prerequisites: What You Need Before Starting
Before diving into the configuration, ensure you have these prerequisites in place:
- Appropriate admin permissions: You must have either Security Administrator or Compliance Administrator role to create and manage DLP policies in the Microsoft Purview portal.
- Manager attribute in Azure AD/Entra ID: This is critical and often overlooked. The sender’s Manager attribute must be correctly populated in Azure Active Directory. If this isn’t defined, the approval rule will fail silently, and messages will be delivered without moderation.
- Microsoft 365 E3/E5 or equivalent license: DLP features require appropriate licensing for your organization.
Step-by-Step: Configuring DLP Manager Approval
Now let’s walk through the exact process of setting up a DLP policy with manager approval:
Step 1: Access the Microsoft Purview Portal
- Navigate to the Microsoft Purview portal
- Sign in with your admin credentials
- In the left navigation pane, select Data loss prevention
- Click on Policies
Step 2: Create a New DLP Policy
- Click the + Create policy button
- Choose a template based on the type of sensitive information you want to protect (Financial, Medical, Privacy), or select Custom policy for a fully customized experience
- Give your policy a descriptive name and add an optional description
- Click Next
Step 3: Define Policy Scope (Critical Step)
This is where most admins make the mistake that prevents manager approval from appearing:
- In the Choose locations to apply the policy section:
- Deselect ALL locations except for Exchange email
- This is the crucial step that unlocks Exchange-specific actions
- You can further refine the scope to specific users or groups if needed
- Click Next
Step 4: Configure Policy Rules
- Click Create or customize advanced DLP rules
- Click + Create rule
- Give your rule a name
- Under Conditions, set up what will trigger the rule:
- Content contains sensitive info types: Select from predefined types like credit card numbers, social security numbers, etc.
- You can also create conditions based on document properties, message headers, or other attributes
Step 5: Configure the Manager Approval Action
Now that you’ve properly scoped the policy to Exchange only, you’ll see expanded action options:
- In the Actions section, click + Add an action
- Select Restrict access or encrypt the content in Microsoft 365 locations
- You’ll now see the option to Forward the message for approval to sender’s manager – check this box
- Optionally customize notification text that the manager will receive
- Click Save
Step 6: Configure User Notifications
- Configure policy tips to inform users before they send an email containing sensitive information
- Set up email notifications to alert users when their message is pending approval
- Customize these messages to explain your organization’s data handling policies
Step 7: Finalize and Test the Policy
- Configure incident reports and alert settings if desired
- Choose the policy mode:
- Start with Test it out first (simulation mode) to avoid disrupting business operations
- This allows you to see what would happen without actually blocking or moderating messages
- Review your settings and click Submit
Best Practices for Deployment
Rushing into full enforcement of a DLP manager approval policy can lead to workflow disruptions and frustrated users. Instead, follow this phased approach:
Phase 1: Simulation Mode
Start by running your policy in “Test it out first” mode. This allows you to:
- See what would trigger the policy without actually moderating messages
- Identify false positives and refine your conditions
- Understand the potential volume of approval requests
Use the DLP reports in Microsoft Purview to analyze what’s being detected during this phase.
Phase 2: Simulation with Policy Tips
After refining your conditions:
- Edit the policy and enable Show policy tips to users while in test mode
- Roll this out to a pilot group of users
- Gather feedback on the frequency and accuracy of the tips
- Further adjust your conditions based on this feedback
This educates users on the upcoming changes and provides valuable real-world validation.
Phase 3: Full Enforcement
Once you’re confident the policy is working as intended:
- Edit the policy and select Turn it on right away
- Monitor DLP alerts and user feedback closely after deployment
- Be prepared to make adjustments as needed
Handling Real-World Challenges
What Happens When a Manager Doesn’t Respond?
By default, if a manager doesn’t respond to an approval request within 2 days, the sender receives an expiration message. However, the backend process that checks for this runs every 7 days, so a message can take between 2 and 9 days to officially expire.
This can be problematic if the manager is on vacation or otherwise unavailable.
Creating a Fallback Approver Chain
To address manager unavailability, you can create a multi-level approval chain:
- In the Exchange admin center, go to Mail flow > Rules
- Create a secondary mail flow rule that:
- Triggers on the same conditions as your DLP rule
- Includes a condition like “A message header includes…”
- Checks if the first approval was already processed
- Forwards to a backup approver (e.g., compliance officer or security team)
This creates a safety net for when managers are unavailable. For detailed guidance, see Common message approval scenarios.
Reducing Manager Approval Fatigue
To prevent overwhelming managers with approval requests:
- Refine conditions: Make your rules more specific with higher thresholds for sensitive data detection
- Use exceptions: Add exceptions for trusted domains or internal workflows
- Communicate: Proactively inform managers about the volume of requests they can expect
- Train users: Educate employees on handling sensitive data to reduce policy violations
Conclusion
Configuring DLP manager approval in Microsoft 365 is straightforward once you understand the critical role of policy scoping. By creating an Exchange-only policy, you unlock the powerful manager approval workflow that would otherwise remain hidden.
Remember these key takeaways:
- Scope your DLP policy to Exchange only to access the manager approval action
- Ensure the Manager attribute is populated in Azure AD for all users
- Use a phased rollout approach to minimize business disruption
- Consider creating a fallback approver chain for manager unavailability
- Continuously refine your conditions to reduce false positives and manager fatigue
With these steps, you’ll successfully implement a robust DLP manager approval workflow that balances security with productivity – and finally deliver the approval process your executive team has been demanding.
Frequently Asked Questions
Why can’t I see the “forward for approval to sender’s manager” option in my DLP policy?
The “forward for approval” option is missing because your DLP policy is likely scoped to multiple locations like SharePoint, OneDrive, and Teams in addition to Exchange. This action is specific to Exchange email. To make it visible, you must create a DLP policy that applies only to the Exchange location. When a policy spans multiple services, Microsoft only shows actions that are universally available across all of them.
What happens if a user without a manager defined in Azure AD sends an email that triggers the approval policy?
If a sender’s Manager attribute is not populated in Azure Active Directory (Azure AD), the approval rule will fail silently, and the email will be delivered without any moderation. The system has no one to route the approval request to, so it bypasses the block. This makes it critical to ensure the Manager field is correctly maintained for all users covered by the policy.
How long does a manager have to approve or reject a message?
By default, a manager has two days to respond to an approval request before it expires. After this period, the original sender receives a message stating the request has expired. However, the background process that checks for expired messages only runs once every seven days, which means a message can take between two and nine days to officially expire and notify the sender.
Can I set a specific person or group as the approver instead of the sender’s manager?
Yes, but not directly within the DLP policy action itself. To route approvals to a specific person or group (like a compliance team), you must configure a mail flow rule (transport rule) in the Exchange admin center. You can create a rule with the same conditions as your DLP policy and set the action to “Forward the message for approval to” a specific mailbox or group instead.
What are the licensing requirements for using DLP with manager approval?
To use Microsoft Purview Data Loss Prevention, including the manager approval workflow, your organization needs a Microsoft 365 E3/A3/G3 or E5/A5/G5 license. This feature is part of the advanced compliance capabilities offered in these enterprise-level plans, and the users subject to the policy must be properly licensed.
How can I reduce the number of approval requests sent to managers?
You can reduce approval requests by making your DLP policy conditions more specific, using exceptions, and educating users. Start by refining your rules to look for higher instance counts of sensitive data (e.g., more than five credit card numbers instead of just one). You can also add exceptions for trusted business workflows or communications with specific domains. Finally, use policy tips to train users on proper data handling, which helps prevent accidental violations.
Have you implemented DLP manager approval in your organization? What challenges did you face? Share your experiences in the comments below.
Related Articles
Tuning DLP to Reduce False Positives
Learn effective DLP tuning strategies to reduce false positives, implement proper data classification, and transform your Data Loss Prevention from blocking everything to intelligent protection.
How to Automate Email Whitelisting and Escape Ticket Hell
Step-by-step tutorial for implementing automated email allowlisting processes. Discover how to balance security requirements with operational efficiency using modern tools.
7 Types of Policy Management Systems Compared (For Different Security Needs)
Compare 7 types of policy management systems for security and compliance needs. Evaluate GRC platforms, cloud solutions, and framework-specific tools to find your ideal match.