Microsoft has announced an important security and compliance change that partners should start addressing with customers now: Data Loss Prevention file policy capabilities in Microsoft Defender for Cloud Apps are scheduled for deprecation on January 6, 2027. After that date, file policies configured in Defender for Cloud Apps will no longer be supported or enforced. Microsoft is directing customers toward Microsoft Purview as the unified location for data security, labeling, and DLP.
For CSP partners, systems integrators, advisory partners, and Microsoft AI Cloud Partner Program members, this is more than a product housekeeping item. It creates a customer migration motion, a governance conversation, and a chance to rationalize data protection strategy across Microsoft 365 and connected SaaS environments.
What is changing
The affected capability is DLP file policies inside Microsoft Defender for Cloud Apps. These policies can apply to files in SharePoint, OneDrive, and connected third-party SaaS applications such as Box, Dropbox, Google Workspace, Salesforce, and other supported services.
Microsoft’s direction is to centralize these data protection functions in Microsoft Purview. Purview is becoming the strategic home for information protection, labeling, compliance workflows, and DLP across Microsoft and non-Microsoft data sources. Defender for Cloud Apps remains important, but its focus continues to be SaaS security posture, app governance, and threat protection rather than long-term DLP policy management.
The deadline matters: January 6, 2027. Once the deprecation takes effect, existing Defender for Cloud Apps DLP file policies will not be supported or enforced. Partners should assume customers need an active migration plan well before that date, especially where DLP policies protect regulated, sensitive, or business-critical data.
Why this matters for customers
DLP policies often sit close to compliance obligations and risk controls. If a customer uses Defender for Cloud Apps file policies to detect or restrict sensitive data movement, a missed migration could create a real enforcement gap. That gap may not be obvious to business stakeholders until an incident, audit, or compliance review exposes it.
The move to Purview can be positive. A single policy and governance center can reduce duplicated rules, conflicting controls, and operational confusion. Customers that already use Purview for Microsoft 365 workloads may benefit from bringing SaaS-related DLP into the same policy framework.
But consolidation still requires work. Policies do not automatically become effective simply because Purview is the destination. Partners need to help customers discover what exists today, determine which rules remain relevant, recreate or redesign them in Purview where needed, test enforcement, and communicate changes to data owners and administrators.
Default behavior and impact
The key operational impact is that Defender for Cloud Apps DLP file policies should not be treated as a permanent control. Customers can continue planning and operating before the deprecation date, but the end state is clear: enforcement must move away from those policies.
Microsoft has indicated that more information about an automated migration tool will be provided later. Partners should watch for that guidance, but they should not wait passively. Automated tooling may accelerate migration, yet most customers will still need policy review, prioritization, ownership decisions, exception handling, and validation.
It is also important to separate affected and unaffected capabilities. Non-DLP Defender for Cloud Apps capabilities, including SaaS security posture, app governance, and threat protection, are not part of this deprecation. Partners should avoid creating the impression that Defender for Cloud Apps as a whole is going away. The change is specifically about DLP file policy capabilities.
Partner opportunities and recommended actions
The first step is customer identification. Partners should build a list of customers using Defender for Cloud Apps and determine whether they have DLP file policies configured. Prioritize customers with regulated data, broad SaaS integrations, complex sharing patterns, or audit requirements.
Next, run a policy inventory. Capture the intent of each policy, the repositories or SaaS applications it covers, the sensitive information types involved, the actions taken, and any exception logic. This is the moment to distinguish policies that are still valuable from policies that were created years ago and no longer match the customer’s risk model.
Then map the target Purview design. Some customers may only need equivalent DLP controls recreated. Others may benefit from a broader modernization effort involving sensitivity labels, endpoint DLP, insider risk workflows, records management, or improved alert triage. Partners should frame the migration as a practical path to stronger information governance, not just a deadline-driven replacement task.
CSP partners should also review licensing and transaction options. Microsoft called out the discounted Microsoft Purview E5 Information Protection and Governance SKU through Modern Commerce. That may be relevant for customers that need additional Purview capabilities to support the migration and future-state operating model.
Finally, create a timeline. A good partner-led plan should include discovery, design, pilot, policy recreation, testing, production rollout, administrator training, and post-migration monitoring. For larger customers, January 2027 is close enough that planning should begin now.
Customer conversation guide
Partners can lead with three simple questions. First, do you currently rely on Defender for Cloud Apps DLP file policies for SharePoint, OneDrive, or third-party SaaS applications? Second, which of those policies protect critical compliance or business data? Third, do you already have a Purview strategy that can absorb those controls?
Those questions quickly separate customers who only need awareness from customers who need a formal migration engagement. They also help position Purview as a broader governance platform rather than a one-for-one technical replacement.
Bottom line
The Defender for Cloud Apps DLP deprecation gives partners a clear action item: identify affected customers and move DLP file policy planning into Microsoft Purview before January 6, 2027. The risk of doing nothing is a future enforcement gap. The upside of acting early is a cleaner, more unified data protection architecture and a strong advisory opportunity for partners who can guide customers through the transition.