Microsoft has put a firm retirement date on a quiet but important Microsoft 365 security workflow: file policies in Microsoft Defender for Cloud Apps will retire on January 6, 2027, and organizations that still use them for data loss prevention need to recreate those controls in Microsoft Purview before then.
The change was posted in Microsoft’s July Partner Center announcements and is now reflected in the company’s Defender for Cloud Apps migration guidance. After the cutoff, Microsoft says Defender for Cloud Apps file policies will no longer be supported or enforced. The affected policies include DLP controls for SharePoint, OneDrive, and connected third-party SaaS apps such as Box, Dropbox, Google Workspace, and Salesforce.
That makes the deadline more than ordinary product cleanup. For companies that use Defender for Cloud Apps to find sensitive files, remove risky sharing, quarantine documents, apply labels, or alert compliance teams, this is a policy-migration project with real enforcement risk. Defender for Cloud Apps is not going away; Microsoft says it will continue to handle SaaS app discovery, posture management, app governance, and threat detection. File-based data protection is the part moving to Purview.
What changes for admins
Microsoft’s migration guidance starts with inventory. Admins are told to review existing Defender for Cloud Apps file policies under Cloud Apps > Policies > Policy management, filter by file policy type, and document each policy’s name, target apps, inspection method, sensitive information types or labels, sharing filters, user groups, and governance actions.
The most important split is between two kinds of policies. Detection-and-response policies should become Microsoft Purview DLP policies. Policies that apply sensitivity labels based on file content should become Purview auto-labeling policies. A single Defender policy may need to become more than one Purview policy if it both detects risky content and applies labels.
Microsoft’s own comparison shows why this is not a one-click translation. Defender for Cloud Apps file policies use one set of filters and actions. Purview DLP policies can contain multiple rules, each with its own conditions and actions. Purview also adds simulation mode, which gives admins a safer way to compare policy matches before turning enforcement on.
Some controls have straightforward equivalents. External sharing checks, internal sharing checks, file extensions, file names, user-group conditions, sensitivity labels, sensitive information types, alerts, owner notifications, and several restrict-access actions can map directly or closely into Purview. Regular-expression inspection needs to be rebuilt as custom sensitive information types in Purview.
The gaps matter
The migration gets trickier where Defender for Cloud Apps had governance actions that Purview does not mirror exactly. Microsoft lists user quarantine, trash or delete file, remove a specific collaborator, expire a shared link, and transfer file ownership as actions with no direct Purview DLP equivalent. In those cases, Microsoft points admins toward restrict-access actions, SharePoint sharing policies, manual processes, or Power Automate workflows.
Folder scoping is another practical gap. Defender file policies can use a parent-folder filter, while Microsoft says Purview offers site-level scoping as the closest SharePoint equivalent. File ID conditions also do not migrate directly. Organizations that built narrow policies around specific folder paths or file identifiers will need to redesign those controls rather than simply recreate them.
Microsoft also warns that equivalent policies should not run in both products at the same time because duplicate enforcement can create conflicts. The safer sequence is to build Purview policies, run them in simulation, compare results with existing Defender file policies, pilot enforcement, and only then disable the old Defender policies. Microsoft recommends keeping exported settings or screenshots before deletion so teams can preserve a migration record.
What to check first
The first review should be licensing and permissions. Microsoft’s migration page lists Purview role requirements such as Compliance Administrator or Compliance Data Administrator, Defender for Cloud Apps access through Cloud App Security Administrator, and a Microsoft 365 E5, Microsoft 365 E5 Compliance, or equivalent standalone Purview DLP license.
Admins should then identify which file policies are actually protecting high-risk data. Policies covering public links, external sharing, regulated identifiers, source code, financial reports, legal files, HR documents, customer exports, and sensitive labels deserve early testing. Stale policies can be retired, but active ones need a mapped Purview replacement before January 2027.
For third-party SaaS apps, Purview still depends on Defender for Cloud Apps connections. Microsoft’s Purview documentation says DLP policies scoped to non-Microsoft cloud apps require those apps to be connected through Defender for Cloud Apps first. Supported examples include Box, Dropbox, Google Workspace, Salesforce, and Cisco Webex. That means Defender remains part of the control plane even as DLP policy authoring shifts into Purview.
Why Microsoft is doing this
The direction fits Microsoft’s broader security-platform consolidation. Purview is becoming the center for information protection, labeling, DLP, activity review, and compliance workflows, while Defender for Cloud Apps is being kept closer to SaaS security posture, app governance, and threat detection.
For customers, the upside is a more unified data-security model across Microsoft 365, endpoints, and third-party cloud apps. The cost is migration work, especially for organizations that treated Defender for Cloud Apps file policies as a mature, already-solved layer of SaaS data protection.
The deadline is still months away, but the work can sprawl quickly. A good migration starts with a policy inventory, then separates DLP detection from auto-labeling, recreates sensitive information types and labels in Purview, tests in simulation, pilots enforcement, and documents every old policy before it is disabled. Waiting until late 2026 risks turning a manageable compliance cleanup into a rushed security gap.
Sources: Microsoft Partner Center July 2026 announcements, Microsoft migration guidance for Defender for Cloud Apps file policies, and Microsoft Purview DLP guidance for non-Microsoft cloud apps.