Using Microsoft 365 Sensitivity Labels is becoming a popular method to mark important content and to protect that content with encryption (using the Azure Information Protection service). It’s likely that sensitivity labels will become even more popular after Microsoft releases their long-promised and much-awaited native support for the Office online apps and SharePoint Online (now in preview). OWA already has native support for sensitivity labels. Native support means that apps include the necessary code to protect content based on the labels published to the Office 365 tenant. Soon you’ll be able to assign labels to Office 365 Groups, Teams, and SharePoint Online sites, not to protect the content inside these containers but to control settings for the containers. Overall, there’s a lot happening with sensitivity labels.
Exchange Transport Rule Makes it Easy to Block Protected Messages
Assuming users assign sensitivity labels to important content, it might be a good idea to stop that content leaving the organization by email. Exchange Online passes all outbound messages through the transport service. As messages pass through the transport pipeline, the transport service checks each message to decide if it needs to process the transport (or mail flow) rules defined in the tenant. It’s possible to create a transport rule to look for protected messages and stop them being sent if they are of a certain sensitivity.
X-Headers and Sensitivity Label GUIDs
As messages pass through the Exchange Online transport pipeline, Exchange adds x-headers to record details of their processing. One of the x-headers added to outbound messages is called msip_labels. It records sensitivity label information such as the name and GUID of the label applied to a message.
The name of a sensitivity label is probably not unique, but its GUID is unique to the organization. This is an important point because we might want to block outbound messages stamped with the “Ultra Confidential” label belonging to our tenant while being perfectly happy to allow messages stamped “Ultra Confidential” by another Office 365 tenant to be sent. In this scenario, both labels have the same name but different GUIDs.
To block outbound messages stamped with a certain sensitivity label, the rule criteria are:
Apply to outbound messages.
Check the msip_labels x-header and, if the GUID for the label is found, block the message with the action “Reject the message with the explanation.” The text for the explanation is up to you, but might be something like “You can’t send sensitive messages outside the organization.”
For example, let’s assume that you have a label with a GUID of ed4411cc-bec4-444a-b279-c404aaad79d6. The text that the transport rule should look for in the x-header is:
If found, we know that this message (or one of its attachments) is protected with the label, so the rule can go ahead and block the message. Figure 1 shows the rule criteria as entered in the Exchange Admin Center:
Figure 1: Building a transport rule to block messages stamped with a certain Office 365 Sensitivity Label
A single rule can block multiple sensitivity labels, each identified by their GUID. Remember that it can take between ten and thirty minutes before a change made to a transport rule becomes effective across Exchange Online. This delay is due to rule caching for performance and the need to distribute the rule update across multiple servers.
Finding the GUID for an Office 365 Sensitivity Label
Office 365 Sensitivity Labels are managed through the Security and Compliance Center. The information exposed for a label doesn’t include the GUID (Figure 2).
Figure 2: Details of an Office 365 Sensitivity Label exposed in the Security and Compliance Center
# Retrieve GUID for the Intellectual Property Sensitivity Label.
(Get-Label -Identity "intellectual property").Guid
Guid
----
ed4411cc-bec4-444a-b279-c404aaad79d6
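Putting the two halves together, this added example (not code from the original post) resolves a set of label names to the tenant’s GUIDs with Get-Label and then creates one transport rule that rejects outbound mail whose msip_labels header contains any of them. The label names and rule name are assumptions; it assumes the ExchangeOnlineManagement module with a Connect-IPPSSession session for Get-Label and a Connect-ExchangeOnline session for the transport rule cmdlets, and it uses the “header matches patterns” predicate, which may differ from the predicate shown in Figure 1.

```powershell
# Added example: block outbound mail stamped with any of several sensitivity labels.
# Assumes Connect-IPPSSession (for Get-Label) and Connect-ExchangeOnline (for the
# *-TransportRule cmdlets) have already been run. Label names below are illustrative.
$LabelNames = @('Intellectual Property', 'Ultra Confidential')
$RuleName   = 'Block outbound mail carrying restricted sensitivity labels'

# Resolve display names to GUIDs. Names are not unique across tenants; GUIDs are,
# so the rule keys on the GUID (as the post recommends), never on the name.
$Guids = foreach ($Name in $LabelNames) {
    $Label = Get-Label -Identity $Name -ErrorAction Stop
    if (-not $Label.Guid) { throw "Label '$Name' returned no GUID" }
    $Label.Guid.ToString()
}

# HeaderMatchesPatterns takes regular expressions. A GUID contains no regex
# metacharacters, so each one matches wherever it appears in the header value.
$Patterns = @($Guids | Sort-Object -Unique)

$RuleParams = @{
    Name                            = $RuleName
    SentToScope                     = 'NotInOrganization'   # outbound messages only
    HeaderMatchesMessageHeader      = 'msip_labels'
    HeaderMatchesPatterns           = $Patterns
    RejectMessageReasonText         = "You can't send sensitive messages outside the organization."
    RejectMessageEnhancedStatusCode = '5.7.1'
    Comments                        = "Blocks labels: $($LabelNames -join ', '). Allow 10-30 minutes to propagate."
    Enabled                         = $true
}

# Create the rule, or update the header patterns if a rule of that name already exists
# (for example when a new label is added to the list).
if (Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue) {
    Set-TransportRule -Identity $RuleName -HeaderMatchesMessageHeader 'msip_labels' -HeaderMatchesPatterns $Patterns
} else {
    New-TransportRule @RuleParams
}

# Verify what the transport service will actually evaluate.
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, SentToScope, HeaderMatchesMessageHeader, HeaderMatchesPatterns, RejectMessageReasonText
```

Because the rule matches on the tenant’s own GUIDs, a message labelled “Ultra Confidential” by another tenant passes through untouched, which is the behaviour the post describes.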
Need more information about transport rules or Office 365 Sensitivity Labels? The Office 365 for IT Pros eBook covers transport rules in the Mail Flow chapter (17), while Sensitivity Labels and the associated Azure Information Protection technology are covered in Chapter 24.
Amazing write-up! Very nice… I really like your blog. Very useful information. Thx
Thank you for this! I was able to use this same approach to overcome shortcomings with O365 DLP. Ideally we wanted to set a default “internal only” sensitivity label for all documents (but not for emails), then block any “internal only” content from leaving the organization. Unfortunately there is only 1 default label setting which applies to both documents AND emails. This means that if we apply a DLP policy to email/exchange then users would have to downgrade (and justify) their email sensitivity level every time they tried to send an email outside of the company (which would be far too painful for our users). There is an “OutlookDefaultLabel” setting that can be configured via powershell, but it only works if you have the unified labeling client installed and doesn’t work for web or mobile outlook clients.
The next best thing would be to apply DLP to email attachments only, but once again, the option isn’t available in O365 DLP.
Based on the information in this post, I was able to configure an exchange rule to achieve the desired effect. While emails are by default rated as “internal only” they can still be sent outside the company unless they also contain an attachment that is rated as “internal only”.
Thanks!
– James