DLP File Quarantine: SharePoint & OneDrive Setup Guide

How the Purview quarantine action works, the setup order that trips people up, and why restores are manual only.

  • Quarantine moves a matching file to an admin-defined SharePoint site and leaves a tombstone file behind.
  • You must configure the quarantine site and DLP settings before the quarantine action is even selectable.
  • The quarantine destination must be a SharePoint site — a OneDrive account cannot be the target.
  • Simulation mode is supported for quarantine, so you can test impact before enforcing it live.
  • Restore is manual only; there is no restore button in the Purview portal.
  • Original sharing permissions and links are not retained through the quarantine and restore cycle.

Microsoft Purview Data Loss Prevention has added a new action for SharePoint and OneDrive locations: Block everyone and move file to quarantine location. It sounds like a simple upgrade to the existing "restrict access" actions, but the setup sequence and the restore limitations are strict enough that skipping ahead in the wizard just won't let you proceed — and getting the restore process wrong can mean a business-critical file sitting inert with its sharing links broken.

This guide walks through exactly what the quarantine action does, the order you have to configure things in, how to build and test the policy safely, and the operational gaps — like manual-only restore — that you need a plan for before you turn this on for real content.

Flow diagram of what happens when a DLP policy quarantines a file in SharePoint or OneDrive, from upload to tombstone file to manual restore
What happens end to end when a file matches a DLP policy configured with the quarantine action.

One-minute summary in plain English

When a file uploaded or edited in a monitored SharePoint site or OneDrive account matches your DLP rule conditions — sensitive info types, sensitivity labels, or both — the quarantine action removes the file from its original location, moves it to a SharePoint site you designate as the quarantine destination, and drops a plain-text tombstone file in its place carrying your configured message and the file's original relative path. A DLP alert fires with the file owner, original path, and quarantine location so your compliance team can triage immediately.

Key clarification: quarantine is not the same as "block access" or "restrict to owner." The file physically leaves its original location. Recovery is a deliberate admin action, not a policy toggle.

Setup order: what has to happen before you can even pick the action

The Purview policy wizard will not let you select the quarantine action until two prerequisites are in place. Trying to skip ahead just prompts you back to finish them first.

Three-step setup sequence for DLP file quarantine: create the quarantine site, configure DLP settings, then build the policy
The quarantine action stays greyed out in the policy wizard until the site and DLP settings steps are both saved.

Step 1: create a dedicated quarantine site

  • The destination must be a SharePoint site — any template works, but a OneDrive account cannot be the target.
  • Restrict access to the administrators who manage quarantine operations only; do not share it with information workers.
  • Do not reuse a site with active business content — create one dedicated purely to quarantine.
  • If your organization runs on-demand classification scans, exclude the quarantine site from them to avoid unnecessary reprocessing.

Step 2: configure quarantine settings in Purview

1 Microsoft Purview portal > Data Loss Prevention > Settings > File quarantine
  1. Under Quarantine folder path, select the SharePoint site you created from the list. The list is auto-populated from your tenant's sites — you cannot manually type a path.
  2. Under Replacement file message, write the tombstone text that will appear in place of every quarantined file, for example: "This file was moved to a secure quarantine location because it matched a data loss prevention policy. Contact [email protected] for assistance."
  3. Save the settings.

Common trap: if you just created the quarantine site, it can take time before it appears in the site picker. Don't assume the feature is broken — wait and check back.

Building the DLP policy

Once the site and settings are in place, the quarantine action becomes available inside a custom advanced DLP rule.

2 Purview portal > Data loss prevention > Policies > Create policy
  1. Choose Enterprise applications & devices > Custom category > Custom policy.
  2. Accept the Full directory default under admin units unless you need a narrower scope.
  3. Choose locations: select only SharePoint sites and OneDrive accounts.
  4. On policy settings, choose Create or customize advanced DLP rules.
  5. Create a rule, name it, and add conditions: Content contains > Sensitive info types (for example, credit card number, bank account number).
  6. Optionally add a grouped condition with the Boolean set to AND: Content contains > Sensitivity labels, and select your relevant label (for example, Highly Confidential).
  7. Under actions, choose Restrict access or encrypt the content in Microsoft 365 locations > Block everyone and move file to quarantine location.
  8. Turn on user notifications (policy tips) if you want end users informed at the point of match.
  9. Under incident reports, set severity to High and turn on Send an alert to admins when a rule match occurs, with alerts firing every time.
  10. Save the rule, review it, and continue.

Test before you enforce: on the final step, choose Run the policy in simulation mode. Simulation mode is fully supported for the quarantine action — review matches in Activity Explorer and the DLP alerts dashboard before switching the policy to enforce and actually move files.

Two behaviors that catch admins off guard

Quarantine is deliberately the most restrictive DLP action available for SharePoint and OneDrive — it removes access from everyone, including the file owner, not just external or unauthorized users. Two side effects of that design are easy to miss when you're planning a rollout.

  • Existing files are not retroactively evaluated. The quarantine action only applies to files created or modified after the policy is turned on. A backlog of already-existing sensitive files sitting in scope will not suddenly get quarantined the moment you enable the policy — this is intentional, so a broadly scoped policy can't instantly sweep up a large volume of files that would then need a difficult, manual restore.
  • File name collisions during quarantine. If a file is quarantined and a new file with the same name is later uploaded to the same original location, the new file is quarantined too — and if a file with that name already exists at the quarantine destination, it overwrites the previously quarantined copy. Treat repeated uploads under the same file name as a scenario worth testing before go-live.

Validating the policy after go-live

ScenarioExpected result
A matching file is uploaded to a SharePoint site in scope File is moved to the quarantine site; a tombstone file appears at the original location; a DLP alert is generated
Check the tombstone file at the original location Displays your configured message and the relative path of the quarantined file
Review the DLP alert Shows file owner, original file path, and quarantine file location
Review Activity Explorer A DLP rule match event appears with quarantine file location details

The part everyone underestimates: restoring a quarantined file

There is no restore action inside the Microsoft Purview portal. Restore is entirely manual, and Microsoft documents it as four concrete steps an administrator has to perform:

  1. Locate the quarantined file in the quarantine site.
  2. Identify the original file path by using audit logs.
  3. Move the file from the quarantine site back to the original location — the quarantine site admin must have access to that original location.
  4. Delete the tombstone file from the original location.

Critical limitations: original sharing permissions and links are not retained through the restore, so recipients typically need to be re-shared. Only the latest file version is restored — earlier version history is not preserved through the cycle. And by design, the same DLP rule will not re-quarantine that restored file again, even if it's modified or the rule changes later, which prevents a restore-then-requarantine loop (other DLP rules still apply normally).

Build a restore runbook before you go live

  • Define who is authorized to approve and perform a restore (do not leave this to whoever happens to see the alert first).
  • Document how to pull the original file path from audit logs and the DLP alert, since the tombstone file only shows the relative path, not the full quarantine location.
  • Set an expectation for file owners: "your file is safe, but re-sharing takes a manual step and only the latest version comes back" — this avoids repeat tickets.
  • Track restore requests somewhere auditable; quarantine events are exactly the kind of activity compliance teams get asked about later.

Licensing and scope

DLP file quarantine for SharePoint and OneDrive requires an E5-level Microsoft 365 or Purview compliance license. Confirm licensing coverage across the users and sites you intend to scope before building policies, since a policy that targets locations outside your licensed population will not enforce as expected.

Troubleshooting playbook

SymptomLikely causeQuick remediation
Quarantine action is greyed out in the policy wizard Quarantine folder path or replacement message not yet configured Go to DLP Settings > File quarantine and complete both fields, then return to the wizard
New quarantine site doesn't appear in the folder path picker Site was just created and hasn't propagated to the picker yet Wait and check back; avoid recreating the site as a workaround
File owner says the file just "disappeared" Quarantine action executed as designed — tombstone file may have been overlooked Check the original location for the tombstone text file, which lists the relative path and admin message
Restored file's sharing links no longer work Sharing permissions and links are not retained through quarantine/restore Re-share the file to the intended recipients after restoring; this is expected behavior, not a bug
Policy matched far more files than expected on go-live Policy was enforced live without a simulation-mode test pass first Pull the policy back to simulation mode, review Activity Explorer matches, then tune conditions before re-enforcing
Existing sensitive files weren't quarantined after enabling the policy Quarantine only evaluates files created or modified after the policy was turned on Expected behavior, not a bug — plan a separate remediation pass for pre-existing files if needed
A newly uploaded file with the same name also got quarantined Known file-name-collision limitation — a same-named file overwrites the previously quarantined copy Treat repeated uploads under one file name as a scenario to test; rename before re-upload if the earlier copy still matters

Direct answers to common admin questions

1) Can I point quarantine at an existing, active SharePoint site?

Technically the picker may allow it, but Microsoft's guidance is explicit: use a dedicated site, not one with active business content. Mixing quarantine with live collaboration content increases the chance a restricted-access site becomes a support and audit headache.

2) Does quarantine work the same way for OneDrive as for SharePoint?

The trigger and workflow are the same — a file in either location can be moved into quarantine — but the destination is always a SharePoint site. You cannot designate a OneDrive account as the quarantine target.

3) Is this feature fully GA or still rolling out?

Microsoft's official walkthrough documentation for creating a quarantine policy is currently marked as a preview scenario, while the underlying action itself has been reported broadly available in tenants since early July 2026. Treat it as newly available: verify it appears in your own tenant's policy wizard before promising it to stakeholders on a specific date.

Simple explanation for business stakeholders

"We can now configure automatic removal of files that clearly violate our data protection rules — for example, files containing sensitive financial data shared somewhere they shouldn't be. Instead of just blocking access, the file itself is moved to a secure, admin-only location, and the person who owned it sees a note explaining what happened and who to contact. Getting the file back is a manual step our compliance team controls."

Mistakes to avoid

  • Skipping simulation mode: quarantine physically moves files — test the blast radius before enforcing live.
  • Using an active collaboration site as the quarantine destination: creates a second access-control problem on top of the first.
  • Assuming restore is automatic: it is not; build the manual runbook before you need it under pressure.
  • Forgetting sharing links break on restore: tell file owners this upfront so it's not a surprise.
  • Typing a path instead of selecting from the site list: the field only accepts sites already discovered by the picker.
  • Expecting a backlog of old files to get swept up automatically: quarantine only evaluates files created or modified after the policy is enabled.

Final checklist before you enforce quarantine live

  1. Create a dedicated, access-restricted SharePoint site for quarantine.
  2. Configure the quarantine folder path and tombstone message in DLP Settings.
  3. Build the policy with sensitive info type and/or sensitivity label conditions.
  4. Run the policy in simulation mode and review Activity Explorer and alerts.
  5. Document a manual restore runbook, including the sharing-link caveat.
  6. Confirm E5 licensing covers the users and sites in scope, then switch the policy to enforce.

Complete these six steps and quarantine becomes a controlled, auditable safety net instead of a surprise disappearing act for end users.

Reference links

Need help designing DLP policies that won't disrupt the business?

OceanCloud can build and pilot your quarantine policy in simulation mode, set up a restore runbook, and validate scope against your E5 licensing before anything goes live.

Book a Free Discovery Call →

Frequently Asked Questions

When a file in SharePoint or OneDrive matches a DLP policy rule with the quarantine action, the file is removed from its original location, moved to an admin-defined quarantine site.

The original location is replaced with a tombstone text file containing an admin-configured message and the file's relative path.

No. The quarantine destination must be a SharePoint site within your tenant.

You can use any SharePoint site template, but it should be a dedicated site restricted to the administrators who manage quarantine operations, not a site with active business content.

The quarantine action only becomes selectable after you configure quarantine settings first: in the Microsoft Purview portal, go to Data Loss Prevention, then Settings, then File quarantine, and set the quarantine folder path and replacement file message.

Until that configuration is saved, the policy wizard will prompt you to complete it.

Restore is manual only; there is no restore action inside the Microsoft Purview portal.

An administrator locates the file in the quarantine site, identifies the original path from audit logs, moves the file back, and deletes the tombstone file. Original sharing permissions and links are not retained, only the latest file version comes back, and the same DLP rule won't re-quarantine that restored file.

Test it first. Simulation mode is supported for the quarantine action, so you can run the policy without actually moving files.

Review matches in Activity Explorer and the DLP alerts dashboard before switching the policy to enforce and quarantine live content.

💬

Ready to transform your SharePoint and Microsoft 365 environment?

OceanCloud specialises in SharePoint consulting, M365 migration, Power Platform solutions, and enterprise governance. Let's discuss how we can help.

Book a Free 60-Minute Consultation ➜
📥

Get This Free Resource

DLP quarantine rollout checklist and restore runbook template.

Download Checklist →