MS Purview DLP and Google workspace

Question

MS Purview DLP and Google workspace

Karol 0

Hello community,

I'm trying to audit my Google Workspace (Gdrive files specifically). I've connected Google Workspace as Cloud App in my Defender portal. On Purview portal I've created policy that should match some of my files and I choose Google instance in Locations.

Yet I don't see any alerts after couple of days, I'm clueless what to troubleshoot as I can see Google instance in Purview, help :(

Smaran Thoomu 28,310 Reputation points Microsoft External Staff Moderator

2025-08-08T20:13:08.0666667+00:00

Karol Following up to see if the below answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

1 answer

Your answer

Smaran Thoomu 28,310 Reputation points Microsoft External Staff Moderator

2025-08-08T20:13:08.0666667+00:00

Karol Following up to see if the below answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Answer 1

Smaran Thoomu 28,310 Microsoft External Staff Moderator

Hi Karol

Thanks for sharing your scenario. You're on the right track by connecting Google Workspace as a Cloud App in Microsoft Defender and targeting it in your Microsoft Purview DLP policy.

Here are some key things to check to help troubleshoot why your Purview DLP policy isn’t triggering for Google Drive:

Confirm Google Workspace Integration Health

In Microsoft Defender for Cloud Apps, go to Settings > Cloud Discovery > Connected apps and ensure Google Workspace is showing a green/healthy connection.
Check under Cloud Apps > Connected Apps > Google Workspace for ingestion status and account coverage.

Verify File Activity and DLP Signal Flow

DLP on third-party apps like Google Drive triggers only on file activity (e.g., sharing, editing, or downloading a file with sensitive info).
Simply storing sensitive content without user interaction may not trigger a DLP match.

Try this for testing:

Upload a test file containing known sensitive info (e.g., passport number).
Share the file externally or edit the file.
Wait 15–30 mins and check Purview alerts.

Review DLP Policy Configuration in Purview

Ensure the policy includes Google Workspace in the "locations" setting.
Confirm that:
- The right sensitive info types are selected.
- Audit or block actions are enabled in the policy.
- Policy is in "On" state (not just testing mode).

Confirm Licensing and Permissions

Microsoft Purview DLP for third-party apps requires:

Microsoft 365 E5 Compliance or equivalent
Proper connector permissions granted during onboarding (OAuth for Google)

Suggested next step:

Simulate an activity (e.g., share a file with credit card number externally).
Monitor Activity Explorer in Defender for Cloud Apps or DLP Alerts in Purview.
If still no activity shows up, try re-authenticating the Google connector in Defender.

Let us know how it goes - happy to help troubleshoot further if needed.

I hope this information helps. Please do let us know if you have any further queries.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Karol Krysztofinski 0 Reputation points

2025-08-06T08:57:40.7233333+00:00

Hello!
Google Workspace is green in Defender portal (Connected with last health check an hour ago, number of protected accounts, last activity log etc)

I've uploaded a new file, edited it adding some random password (Purview policies are configured for "General Password") and shared it publicly, waited a day but still no alerts.

Policies are configured for "Instances" with Google Workspace selected (the same name I've configured in Defender) and "Devices".

I have Microsoft 365 E5 Security with Partner Success Core Benefits
Smaran Thoomu 28,310 Reputation points Microsoft External Staff Moderator

2025-08-06T20:56:47.72+00:00
Karol Krysztofinski Thanks for the update.

Based on your confirmation that:

Google Workspace is connected and healthy in Defender for Cloud Apps

Test activity (editing and public sharing) was performed on a file with matching content

DLP policy includes the correct instance and is enabled

You are using Microsoft 365 E5 Security (Partner Success Core Benefits)

Here are a few possible reasons why alerts may still not be appearing:

Licensing Scope (Security vs. Compliance)

While Microsoft 365 E5 Security provides advanced security features, Microsoft Purview DLP (especially for connected cloud apps like Google Drive) typically requires Microsoft 365 E5 Compliance or equivalent (like Microsoft 365 E5 or Microsoft 365 E5 Compliance add-on).

The "Security" SKU alone may not enable full DLP scanning for third-party apps in Purview.

You can verify this by checking if the Data Loss Prevention tab under Purview > Data Lifecycle Management has the full policy management capabilities and if Alerts > DLP shows policy hits across any workload (like Exchange or Teams).

Policy Scoping vs. Instance Naming

Ensure that the Google Workspace instance name in the Purview policy matches exactly what’s configured in Defender for Cloud Apps, including case sensitivity.

You can test by temporarily adjusting the policy to include “All instances” of connected apps and see if alerts are triggered. If yes, it confirms a scoping mismatch.

Policy Mode & Action

Double-check that the policy is set to “Enforce” (not Test Mode) and has audit or restrict actions defined. Sometimes, if no action is selected, the policy won’t trigger visible alerts.

DLP Scan Delay

File-based policies may take 24–48 hours to process on third-party cloud apps depending on activity volume and backend throttling. If still no alerts appear, try this test:

Upload a fresh file with a standard sensitive info type (like a 9-digit U.S. SSN or 16-digit credit card).

Share it externally.

Check Purview alerts after a few hours.

Suggested Next Step

If you're still not seeing alerts and you're on E5 Security only, it’s worth validating whether E5 Compliance is required for full DLP support in third-party apps like Google Workspace.

Here’s the relevant Microsoft doc you can share with your team:
Microsoft Purview DLP licensing requirements

You can also reach out to your Microsoft Partner Success contact or Support to verify entitlement.

I hope this information helps. Please do let us know if you have any further queries.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Share via

MS Purview DLP and Google workspace

1 answer

Your answer