Blocking Outbound Messages Stamped with Microsoft 365 Sensitivity Labels

Growing Reach of Sensitivity Labels

Using Microsoft 365 Sensitivity Labels is becoming a popular method to mark important content and to protect that content with encryption (using the Azure Information Protection service). It’s likely that sensitivity labels will become even more popular after Microsoft releases their long-promised and much-awaited native support for the Office online apps and SharePoint Online (now in preview). OWA already has native support for sensitivity labels. Native support means that apps include the necessary code to protect content based on the labels published to the Office 365 tenant. Soon you’ll be able to assign labels to Office 365 Groups, Teams, and SharePoint Online sites, not to protect the content inside these containers but to control settings for the containers. Overall, there’s a lot happening with sensitivity labels.

Exchange Transport Rule Makes it Easy to Block Protected Messages

Assuming users assign sensitivity labels to important content, it might be a good idea to stop that content leaving the organization by email. Exchange Online passes all outbound messages through the transport service. As messages pass through the transport pipeline, the transport service checks each message to decide if it needs to process the transport (or mail flow) rules defined in the tenant. It’s possible to create a transport rule to look for protected messages and stop them being sent if they are of a certain sensitivity.

X-Headers and Sensitivity Label GUIDs

As messages pass through the Exchange Online transport pipeline, Exchange adds x-headers to record details of their processing. One of the x-headers added to outbound messages is called msip_labels. It records sensitivity label information such as the name and GUID of the label applied to a message.

The name of a sensitivity label is probably not unique, but its GUID is unique to the organization. This is an important point because we might want to block outbound messages stamped with the “Ultra Confidential” label belonging to our tenant while being perfectly happy to allow messages stamped “Ultra Confidential” by another Office 365 tenant to be sent. In this scenario, both labels have the same name but different GUIDs.

To block outbound messages stamped with a certain sensitivity label, the rule criteria are:

  • Apply to outbound messages.
  • Check the msip_labels x-header and if the GUID for the label is found, block the message with the action “Reject the message with the explanation.” The text for the explanation is up to you, but might be something like “You can’t send sensitive messages outside the organization.”

For example, let’s assume that you have a label with a GUID of ed4411cc-bec4-444a-b279-c404aaad79d6. The text that the transport rule should look for in the x-header is:

MSIP_Label_ ed4411cc-bec4-444a-b279-c404aaad79d6_Enabled=true

If found, we know that this message (or one of its attachments) is protected with the label, so the rule can go ahead and block the message. Figure 1 shows the rule criteria as entered in the Exchange Admin Center:

Building a transport rule to block messages stamped with a Sensitivity Label
Figure 1: Building a transport rule to block messages stamped with a certain Office 365 Sensitivity Label

A single rule can block multiple sensitivity labels, each identified by their GUID. Remember that it can take between ten and thirty minutes before a change made to a transport rule becomes effective across Exchange Online. This delay is due to rule caching for performance and the need to distribute the rule update across multiple servers.

Finding the GUID for an Office 365 Sensitivity Label

Office 365 Sensitivity Labels are managed through the Security and Compliance Center. The information exposed for a label doesn’t include the GUID (Figure 2).

Details of an Office 365 Sensitivity Label exposed in the Security and Compliance Center
Figure 2: Details of an Office 365 Sensitivity Label exposed in the Security and Compliance Center

But we can find the necessary information with PowerShell. To do this, we need to connect to the Security and Compliance Center endpoint and run the Get-Label cmdlet.

# Retrieve GUID for the Intellectual Property Sensitivity Label.
(Get-Label -Identity "intellectual property").Guid


Need more information about transport rules or Office 365 Sensitivity Labels? The Office 365 for IT Pros eBook covers transport rules in the Mail Flow chapter (17) while Sensitivity Labels and the associated Azure Information Protection technology is covered in Chapter 24.

2 Replies to “Blocking Outbound Messages Stamped with Microsoft 365 Sensitivity Labels”

  1. Thank you for this! I was able to use this same approach to overcome shortcomings with O365 DLP. Ideally we wanted to set a default “internal only” sensitivity label for all documents (but not for emails), then block any “internal only” content from leaving the organization. Unfortunately there is only 1 default label setting which applies to both documents AND emails. This means that if we apply a DLP policy to email/exchange then users would have to downgrade (and justify) their email sensitivity level every time they tried to send an email outside of the company (which would be far too painful for our users). There is an “OutlookDefaultLabel” setting that can be configured via powershell, but it only works if you have the unified labeling client installed and doesn’t work for web or mobile outlook clients.

    The next best thing would be to apply DLP to email attachments only, but once again, the option isn’t available in O365 DLP.
    Based on the information in this post, I was able to configure an exchange rule to achieve the desired effect. While emails are by default rated as “internal only” they can still be sent outside the company unless they also contain an attachment that is rated as “internal only”.

    – James

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.