The question asks about creating a Microsoft Defender for Cloud Apps (MCAS / MDA) policy that will detect Data Loss Prevention (DLP) violations.

Understanding the policy types in Defender for Cloud Apps:

File Policy
Used for monitoring and controlling files stored in cloud apps (e.g., SharePoint, OneDrive, Box, Google Drive).
Can detect sensitive information types (like credit cards, SSNs, SWIFT codes) and flag DLP violations.
Can apply governance actions (e.g., quarantine, remove sharing, notify user).
Correct for DLP violation detection.

Activity Policy
Monitors user activities (e.g., login attempts, mass downloads, suspicious behavior).
Not for file content DLP.

Session Policy
Applied through Conditional Access App Control for real-time monitoring/control during a user session.
Used for controlling actions (download, cut/paste) but not for broad DLP scanning of stored files.

Access Policy
Controls access to apps based on conditions (e.g., unmanaged device access).
Not designed for DLP content inspection.

Why File Policy is correct
The requirement is to "detect DLP violations", which means scanning file content for sensitive information. This is only possible with a File Policy in Microsoft Defender for Cloud Apps.