[DLP] Sublabel limitation (cloudflare#26474)

maxvp · web-flow · commit 3f87b120a5f7 · 2025-11-13T09:48:01.000-06:00
diff --git a/src/content/docs/cloudflare-one/data-loss-prevention/dlp-profiles/integration-profiles.mdx b/src/content/docs/cloudflare-one/data-loss-prevention/dlp-profiles/integration-profiles.mdx
@@ -5,6 +5,8 @@ sidebar:
   order: 4
 ---
 
+import { Render } from "~/components";
+
 :::note
 
 Integration profiles require [Cloudflare CASB](/cloudflare-one/integrations/cloud-and-saas/).
@@ -18,6 +20,8 @@ Detection entries in integration profiles are managed by the third-party platfor
 
 Microsoft provides [Purview Information Protection sensitivity labels](https://learn.microsoft.com/en-us/purview/sensitivity-labels) to classify and protect sensitive data.
 
+<Render file="dlp/mip-nested-labels-limitation" product="cloudflare-one" />
+
 ### Setup
 
 To add MIP sensitivity labels to a DLP Profile, simply integrate your Microsoft account with [Cloudflare CASB](/cloudflare-one/integrations/cloud-and-saas/microsoft-365/). A new integration profile will appear under **Data loss prevention** > **DLP profiles**. The profile is named **MIP Sensitivity Labels** followed by the name of the CASB integration.
@@ -26,4 +30,4 @@ MIP sensitivity labels can also be added to a [custom DLP profile](/cloudflare-o
 
 ### Syncing
 
-Allow 24 hours for label additions and edits in your Microsoft account to propagate to Cloudflare DLP. At this time, deletions in your Microsoft account will not delete entries in your Cloudflare DLP Profile.
+Allow 24 hours for label additions and edits in your Microsoft account to propagate to Cloudflare DLP. Deletions in your Microsoft account will not delete entries in your Cloudflare DLP Profile.
diff --git a/src/content/docs/cloudflare-one/integrations/cloud-and-saas/microsoft-365/index.mdx b/src/content/docs/cloudflare-one/integrations/cloud-and-saas/microsoft-365/index.mdx
@@ -111,9 +111,9 @@ To learn more about each permission, refer to the [Microsoft Graph permissions d
 ## Microsoft Information Protection (MIP) sensitivity labels
 
 :::note
-
-Requires [Cloudflare DLP](/cloudflare-one/data-loss-prevention/).
-
+Requires [Cloudflare Data Loss Prevention (DLP)](/cloudflare-one/data-loss-prevention/).
 :::
 
 Microsoft provides [MIP sensitivity labels](https://learn.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels?view=o365-worldwide) to classify and protect sensitive data. When you add the CASB Microsoft 365 integration, Cloudflare will automatically retrieve the labels from your Microsoft account and populate them in a [DLP Profile](/cloudflare-one/data-loss-prevention/dlp-profiles/integration-profiles/).
+
+<Render file="dlp/mip-nested-labels-limitation" product="cloudflare-one" />
diff --git a/src/content/partials/cloudflare-one/dlp/mip-nested-labels-limitation.mdx b/src/content/partials/cloudflare-one/dlp/mip-nested-labels-limitation.mdx
@@ -0,0 +1,9 @@
+---
+{}
+---
+
+:::caution
+DLP does not filter or log [MIP sublabels](https://learn.microsoft.com/purview/sensitivity-labels#sublabels-that-use-parent-labels-or-label-groups). Only top-level sensitivity labels will be detected, filtered, and logged.
+
+To ensure DLP will detect and filter all sensitive data, use only [MIP top-level labels](https://learn.microsoft.com/purview/sensitivity-labels#top-level-labels).
+:::
