How to Enable and Use Exchange Online’s External Email Tagging Feature

Available for Activation Now

After a delay to allow for the deployment of the required cmdlets, tenants can now activate Exchange Online’s tagging feature to mark external email (MC243047 – Microsoft 365 roadmap item 70595). The tags appear in OWA, Outlook Mobile, Outlook for Mac, and is due to show up in Outlook desktop in May 2021. It seems to be part of Microsoft’s strategy to make email secure by default along with other features like blocking automatic mail forwarding.

Update March 30: Outlook Mobile 4.2113.0 (ios) and 4.2110.0 (Android) display the external tags.

Update May 5: External tagging is available in the Outlook for Windows Insider Fast build (version 2105 build 14026.20000)

Tagging means that messages received from any domain except those registered for the tenant are marked by Exchange as “external” when they pass through the transport service on their way to user mailboxes. Figure 1 shows External tags displayed for a set of messages in my Inbox with details obscured to protect the guilty. In addition to the tag, when a message is read, the user is offered the chance to block the sender. The external tag is not displayed for messages received from external senders and forwarded by a tenant user. Protected (encrypted) messages are not affected as the tag doesn’t affect message content.

OWA tags external messages
Figure 1: OWA tags external messages

Flagging external senders with a form of mail tip and offering to block them seems a tad robust. After all, email is all about communication and even if spammers are active, I expect a minimum of spam to get past Exchange Online Protection and Microsoft 365 Defender for Office 365 (aka Advanced Threat Protection). The implementation appears to make blocking senders the norm rather than the exception, which I don’t like.

Adding Well-known Functionality

Tagging adds a feature to Exchange Online that organizations have been building for years with transport (mail flow) rules (here’s an example). Obviously, Microsoft believes that highlighting external email is something which should be available out-of-the-box. I agree. It’s just curious that it’s taken the developers 25 years to get around to implementing the features. Then again, important stuff like enabling reactions to email (MC239090 – delayed on March 2 to “evaluate feedback” like “this is a waste of time”) has got in the way.

Activating External Email Tagging

External tagging is disabled by default. This is an unusual situation for a new feature as Microsoft invariably assumes that people want to use whatever new wheeze they have dreamed up and therefore enables new features. In this instance, you’ll have to run the Set-ExternalInOutlook cmdlet to get things moving.

Leaving aside the not-very-good cmdlet name (Set-ExternalEmailTagging would have been more obvious), the process is very simple:

  • Connect to the Exchange Online Management endpoint (or use remote PowerShell if you must).
  • Run Set-ExternalInOutlook to enable external tagging. You can decide if certain domains or individual email addresses are excluded from tagging. I’m not sure when I would use individual addresses, unless you wanted to be sure that email received from someone’s (like an executive’s) personal email address was not considered external. The more I think about that idea, the less I like it.

For my tenant, I ran:

Set-ExternalInOutlook -AllowList "quest.com", "microsoft.com" -Enabled $True

This command means that tagging is applied to any external email except the two domains defined in the allowed list. After a moment, I decided to add another domain. Doing it this way avoids overwriting the domains already excluded:

Set-ExternalInOutlook -AllowList  @{Add="Practical365.com"}

Note: Some tenants are reporting that they see failures when running Set-ExternalInOutlook to add just one domain to the allow list. While Microsoft debugs the problem, the quick workaround is to always add at least two domains to the list.

The Get-ExternalInOutlook cmdlet reports the tagging configuration:

Get-ExternalInOutlook

Identity   : s662313f-14fc-43a2-9a7a-d2e27f4f3478
Enabled    : True
AllowList  : {quest.com, microsoft.com, Practical365.com}

The identity reported is the GUID for the tenant. It’s the same as reported by Get-AzureADTenantDetail, which is my normal go-to cmdlet to find this information.

After that, it’s a matter of waiting for Exchange Online to acknowledge the configuration update and enable tagging. Microsoft says that activation should happen within 24-48 hours. The exact waiting period depends on many factors, including service load, but in my case, Exchange Online started to tag messages within a few hours.

If you enable external tagging and want to see the tags show up, make sure that your account is enabled in the Microsoft 365 admin center for targeted release. Users on targeted release see new updates for several weeks before other users do.

Tagging Threads

Interestingly, OWA highlights a thread as external if any message in the thread comes from an external domain that’s not on the excluded list. For example, I have a bunch of messages from microsoft.com addresses which are excluded from tagging. But once someone from an external address (like dell.com, for instance), joins the conference, OWA applies the external tag.

Although tagging is supposed to show up in Outlook mobile, I haven’t seen it yet despite updating to the latest TestFlight build (4.2110.0). No doubt external tags will appear in time. I just have to be patient.

Update April 22: Glen Scales explains how to use the Microsoft Graph API and EWS to work with external tags in this blog post.


To learn lots more about Exchange Online and Office 365 in general, subscribe to the Office 365 for IT Pros eBook! We probe and test new features so you don’t have to do as much work to understand and deploy them in production.

20 Replies to “How to Enable and Use Exchange Online’s External Email Tagging Feature”

      1. Yes, we have 5 or so domains in our O365/EXO tenant and our internal smtp relay sends as some of these. How does MS know to treat the messages from my own smtp server as “internal” but to mark external mail servers spoofing the same domain as “external”? Thx

  1. Hello Tony,

    We have a need to test this out on certain email addresses (in IT Dept.) before we enable for the entire domain. Microsoft told me they are still developing this feature, and the Office 365 Roadmap site (https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&searchterms=70595) says it is still in development. Also, our Office 365 environment is hybrid, and we are concerned it could cause internal emails to be incorrectly tagged. We just want to see it in action before we push it out to the entire organization.

    How is the Set-ExternalInOutlook command used to only enable certain email addresses, and not the entire domain? I am guessing it is:

    Set-ExternalInOutlook email address; email address; email address; -Enabled $true

    Please verify. I also looked at Microsoft’s site here, but examples are lacking:

    https://docs.microsoft.com/en-us/powershell/module/exchange/set-externalinoutlook?view=exchange-ps

    Thanks!
    David

  2. I’ve turned this on as it’s a great new feature to help protect data.
    Some observations – after turning on and waiting 24 hours I can see it in Outlook on The Web and also on Mobile app (latest version) . My Outlook desktop client does not display ithe external tag though despite being on Insider/preview update channel – running version Outlook 365 Pro plus 2105 14026.20202 – perhaps being in hybrid mode may be impacting this or we are not allowing traffic from client to a required endpoint due to firewall config. How does the Outlook client know to start using this tagging? I’m wondering if it sits in the autodiscover response?

    1. I’m not seeing the external tags in Outlook desktop (Version 2105, build 14026.20202) either. Might have been delayed. Who knows in the cloud!

      1. I reinstalled O365 at the beginning of the month to forces a refresh on my build (preview channel specified in the setup xml) – the process upgraded me to Office v365 v2107 and I started seeing external mail tags. Pleased to see this feature – hopefully it will help users and improve general system/information security.

      2. This feature (ID# 70595) is still “in development” according to the Microsoft Office 365 Roadmap site here:

        https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&searchterms=70595

        Make sure to click on the description text (“Exchange Online – Tag for external email messages received”) to see the details of the update, including the last time Microsoft modified the page (for this feature). I have been checking this page every few weeks to see when it shows as “launched.”

        I am surprised it’s still being developed, considering Microsoft added this feature to its roadmap on January 28, 2021. They still haven’t completed development after 6 months??!! This doesn’t make sense.

        I don’t think it’s ready for Outlook desktop yet. Back in early May, I opened a ticket with Microsoft to ask them about this feature and if it is ready for our hybrid environment. The tech said no and to wait. My boss doesn’t want me to turn on this feature until Microsoft says it is launched (and no longer in development).

        Does anybody here have any insider intel on this?

  3. Another observation, in hybrid mode our on-prem Exchange server users were displaying without the ‘external’ tag correctly. However, we had some servers that relay some email notifications through the on-prem Exchange servers – these emails had the sender address set to our on-prem email domain, when received by O365 migrated users the message was tagged as external – I believe the reason for this is that our on-prem send/receive connector used to relay the emails was not configured to be recognised as internal.

  4. It seems that the feature does not recognise tenant related communication (eg. sharepointonline.com). Does anyone know if it’s planned for it to have it? Simply adding relevant Microsoft domains would otherwise open an opportunity (miss the external label) for anyone running O365 account sending malicious content. Also, adding “microsoft.com” to the allow list sort of defeats the purpose of “internal” vs “external” imho. Thoughts?

    1. SharePointOnline.com is not a domain registered to the tenant so it’s always going to be an external domain unless Microsoft excludes it. I will pass on the suggestion, thanks!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.