Growing Reach of Sensitivity Labels
Using Office 365 Sensitivity Labels is becoming a popular method to mark important content and to protect that content with encryption (using the Azure Information Protection service). It’s likely that sensitivity labels will become even more popular after Microsoft releases their long-promised and much-awaited native support for the Office online apps and SharePoint Online (now in preview). OWA already has native support for sensitivity labels. Native support means that apps include the necessary code to protect content based on the labels published to the Office 365 tenant. Soon you’ll be able to assign labels to Office 365 Groups, Teams, and SharePoint Online sites, not to protect the content inside these containers but to control settings for the containers. Overall, there’s a lot happening with sensitivity labels.
Exchange Transport Rule Makes it Easy to Block Protected Messages
Assuming users assign sensitivity labels to important content, it might be a good idea to stop that content leaving the organization by email. Exchange Online passes all outbound messages through the transport service. As messages pass through the transport pipeline, the transport service checks each message to decide if it needs to process the transport (or mail flow) rules defined in the tenant. It’s possible to create a transport rule to look for protected messages and stop them being sent if they are of a certain sensitivity.
X-Headers and Sensitivity Label GUIDs
As messages pass through the Exchange Online transport pipeline, Exchange adds x-headers to record details of their processing. One of the x-headers added to outbound messages is called msip_labels. It records sensitivity label information such as the name and GUID of the label applied to a message.
The name of a sensitivity label is probably not unique, but its GUID is unique to the organization. This is an important point because we might want to block outbound messages stamped with the “Ultra Confidential” label belonging to our tenant while being perfectly happy to allow messages stamped “Ultra Confidential” by another Office 365 tenant to be sent. In this scenario, both labels have the same name but different GUIDs.
To block outbound messages stamped with a certain sensitivity label, the rule criteria are:
- Apply to outbound messages.
- Check the msip_labels x-header and if the GUID for the label is found, block the message with the action “Reject the message with the explanation.” The text for the explanation is up to you, but might be something like “You can’t send sensitive messages outside the organization.”
For example, let’s assume that you have a label with a GUID of ed4411cc-bec4-444a-b279-c404aaad79d6. The text that the transport rule should look for in the x-header is:
If found, we know that this message (or one of its attachments) is protected with the label, so the rule can go ahead and block the message. Figure 1 shows the rule criteria as entered in the Exchange Admin Center:
A single rule can block multiple sensitivity labels, each identified by their GUID. Remember that it can take between ten and thirty minutes before a change made to a transport rule becomes effective across Exchange Online. This delay is due to rule caching for performance and the need to distribute the rule update across multiple servers.
Finding the GUID for an Office 365 Sensitivity Label
Office 365 Sensitivity Labels are managed through the Security and Compliance Center. The information exposed for a label doesn’t include the GUID (Figure 2).
# Retrieve GUID for the Intellectual Property Sensitivity Label.
(Get-Label -Identity "intellectual property").Guid
Need more information about transport rules or Office 365 Sensitivity Labels? The Office 365 for IT Pros eBook covers transport rules in the Mail Flow chapter (17) while Sensitivity Labels and the associated Azure Information Protection technology is covered in Chapter 24.