Table of Contents
DLP Move to Quarantine Action Blocks Access to SharePoint and OneDrive Files
Now available in preview and due to go to general availability in early June 2026, Purview Data Loss Prevention (DLP) policy rules can use the move to quarantine action (Figure 1) to respond to policy violations. The change is announced in message center update MC1288527 (22 April 2026, Microsoft 365 roadmap item 551790). This update is also referred to as the DLP file quarantine action.
Block and Educate
The idea is that instead of simply blocking a file that matches a DLP policy, the file is moved to a secure SharePoint Online site (the quarantine location) where it can be examined to determine whether the action taken by the user who violated the policy is justifiable. The move to the SharePoint site is referred to as automatic isolation. After the file is moved to the quarantine location, it is no longer accessible in its original location.
To ensure that everyone with access to the file knows (including external users whom the file has been shared with) what happens, DLP replaces the file in the original location with a “tombstone file.”
The tombstone file is a simple text-only file of up to 10,000 characters that should explain to users why the original file is no longer available and what they should do if they think that quarantining the file is an error. The text for the tombstone file and the site selected for the quarantine location are both defined in DLP settings in the Purview portal (Figure 2).
When a file is quarantined, DLP creates a tombstone file from the text in DLP settings. The name of the file is constructed from the original file name plus “-Quarantined.txt.” Figure 3 shows how a tombstone file created for a quarantined file appears to a user.
The Quarantine Location
The target location for the DLP move to quarantine action can be any SharePoint Online site. Once chosen, Purview automatically excludes the quarantine location from DLP processing to avoid the possibility that policies could detect and act against files stored there. Ideally, the quarantine location should be a site reserved for the purpose with access limited to compliance personnel who are qualified to review files moved into quarantine.
Inside the default document library in the quarantine site, you’ll find a “Sites” folder. Each site where a quarantine violation is detected has its own sub-folder, and inside that folder you’ll find folders representing the structure where the original files were located plus the moved files. For example, a quarantined file called “Critical,.xlsx” from the default document library in the the “Important Documents” site end up in:
Sites -> Important Documents -> Shared Documents -> Critical.xlsx
Only files created or modified after a DLP policy with the quarantine action goes live are examined. There is no retrospective processing, unless you use the on-demand classification service to scan cold files. In this scenario, it’s possible that DLP will detect violations and move some of the cold files into quarantine.
Quarantine Processing is Not Automatic
It is important to understand is that the processing of files placed in the quarantine location because of DLP rule matches is not automatic. Apart from investigators accessing the quarantine location after they learn of a violation through a DLP alert or an audit log record, the only workflow is whatever actions the investigators take to open quarantined files, examine their content, and decide what to do next. An investigation could conclude that the violation is a false positive perhaps due to an incorrect sensitivity label, or it could be a real violation where someone is attempting to share confidential information in an unauthorized manner.
If investigators decide that a quarantined file should be restored to its original location, they’ll discover that this action is manual and that the file must be moved back by an administrator with access to the original location. The tombstone file must also be deleted manually.
As explained in the documentation, restoring a file has some side effects. Because a SharePoint move operation moves the file from the quarantine location back to its original place, it’s like creating a new file. This means that sharing permissions are not restored and that file versions are removed and can no longer be restored. On the plus side, the DLP rule that originally detected the problem won’t attempt to quarantine the restored file.
Use the Move to Quarantine Action with Care
The new move to quarantine action certainly gives DLP teams a new weapon in the fight against data leakage. However, there’s a bunch of overhead baked into the solution that the organization needs to be prepared for before deploying the move to quarantine action in DLP policies becomes a viable and realistic option. The main issues are center around quarantine checking: how do the checkers discover that they need to review some files and how precisely do they perform a file review. Every organization differs, so there’s no off-the-shelf answers for these questions.
Support the work of the Microsoft 365 for IT Pros team by subscribing to the Microsoft 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365. Only humans contribute to our work!

