DLP Detection deletes source file after performing cut\paste to OneDrive
Article ID: 274391
Updated On:
Products
Data Loss Prevention Endpoint Prevent
Issue/Introduction
When a user performs a cut\paste of sensitive data into OneDrive, DLP blocks the data transfer as expected. However, when the user checks the source location, the file is missing. This behavior is not seen when doing a cut\paste to a network share.
Environment
DLP 16.0 and later
Resolution
Working as designed.
With a cut and paste to a sync location, the file is moved first and detection starts afterward, so the file is removed from the source location. This applies to all sync locations, and drag-and-drop behaves the same way as cut-and-paste.
The file is moved from the source location to the OneDrive location. Once DLP detects it and blocks it as part of the response rule, the file is quarantined and moved to the recovery location.
Because the file is quarantined on the local drive (the recovery location) and the user is informed of this through the block pop-up, no data is lost overall.
The source file can still be accessed in the recovery location on the endpoint machine at: C:\Users\<Username>\My Recovered Files\Microsoft OneDrive. It contains a folder named filename_date_timestamp, and inside that folder is the original source file.
So the file is not deleted; it is quarantined, and this is expected behavior.
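To find a quarantined file when a user reports it missing, the recovery location described above can be searched with PowerShell. This is an added example, not code from the vendor or the original article; the function name `Find-DlpRecoveredFile`, its parameters, and the assumption that the quarantine folder name begins with the file's base name are hypothetical.

```powershell
# Added example, not vendor code. Searches each user profile's recovery
# location (path taken from this article) for quarantined copies of a file.
# Run in an elevated session to read other users' profiles.
function Find-DlpRecoveredFile {
    [CmdletBinding()]
    param(
        # Name of the file the user reports missing (any sample value is hypothetical).
        [Parameter(Mandatory)][string]$FileName,
        # Folder that holds the user profiles; C:\Users per the article.
        [string]$ProfilesRoot = 'C:\Users'
    )

    $baseName = [System.IO.Path]::GetFileNameWithoutExtension($FileName)
    $ignoreCase = [System.StringComparison]::OrdinalIgnoreCase

    foreach ($userProfile in Get-ChildItem -LiteralPath $ProfilesRoot -Directory -ErrorAction SilentlyContinue) {
        $recovery = Join-Path $userProfile.FullName 'My Recovered Files\Microsoft OneDrive'
        if (-not (Test-Path -LiteralPath $recovery)) { continue }

        # Assumption: the quarantine folder name starts with the file's base name,
        # following the filename_date_timestamp pattern described in the article.
        $folders = Get-ChildItem -LiteralPath $recovery -Directory |
            Where-Object { $_.Name.StartsWith($baseName, $ignoreCase) }

        foreach ($folder in $folders) {
            foreach ($file in Get-ChildItem -LiteralPath $folder.FullName -File -Recurse) {
                [pscustomobject]@{
                    User             = $userProfile.Name
                    QuarantineFolder = $folder.Name
                    FilePath         = $file.FullName
                    SizeBytes        = $file.Length
                    LastWriteTime    = $file.LastWriteTime
                    # Hash lets the help desk confirm the copy matches a known original.
                    SHA256           = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
                }
            }
        }
    }
}

# Usage: newest quarantined copies first.
# Find-DlpRecoveredFile -FileName 'report.xlsx' | Sort-Object LastWriteTime -Descending
```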