How to Enable and Use Exchange Online’s External Email Tagging Feature

Available for Activation Now

After a delay to allow for the deployment of the required cmdlets, tenants can now activate Exchange Online’s tagging feature to mark external email (MC243047 – Microsoft 365 roadmap item 70595). The tags appear in OWA, Outlook Mobile, and Outlook for Mac, but not yet in Outlook desktop (Microsoft 365 apps for enterprise or perpetual). It seems to be part of Microsoft’s strategy to make email secure by default along with other features like blocking automatic mail forwarding.

Tagging means that messages received from any domain except those registered for the tenant are marked by Exchange as “external” when they pass through the transport service on their way to user mailboxes. Figure 1 shows External tags displayed for a set of messages in my Inbox with details obscured to protect the guilty. In addition to the tag, when a message is read, the user is offered the chance to block the sender. The external tag is not displayed for messages received from external senders and forwarded by a tenant user. Protected (encrypted) messages are not affected as the tag doesn’t affect message content.

Figure 1: OWA tags external messages

Flagging external senders with a form of mail tip and offering to block them seems a tad robust. After all, email is all about communication and even if spammers are active, I expect a minimum of spam to get past Exchange Online Protection and Microsoft 365 Defender for Office 365 (aka Advanced Threat Protection). The implementation appears to make blocking senders the norm rather than the exception, which I don’t like.

Adding Well-known Functionality

Tagging adds a feature to Exchange Online that organizations have been building for years with transport (mail flow) rules (here’s an example). Obviously, Microsoft believes that highlighting external email is something which should be available out-of-the-box. I agree. It’s just curious that it’s taken the developers 25 years to get around to implementing the features. Then again, important stuff like enabling reactions to email (MC239090 – delayed on March 2 to “evaluate feedback” like “this is a waste of time”) has got in the way.

Activating External Email Tagging

External tagging is disabled by default. This is an unusual situation for a new feature as Microsoft invariably assumes that people want to use whatever new wheeze they have dreamed up and therefore enables new features. In this instance, you’ll have to run the Set-ExternalInOutlook cmdlet to get things moving.

Leaving aside the not-very-good cmdlet name (Set-ExternalEmailTagging would have been more obvious), the process is very simple:

  • Connect to the Exchange Online Management endpoint (or use remote PowerShell if you must).
  • Run Set-ExternalInOutlook to enable external tagging. You can decide if certain domains or individual email addresses are excluded from tagging. I’m not sure when I would use individual addresses, unless you wanted to be sure that email received from someone’s (like an executive’s) personal email address was not considered external. The more I think about that idea, the less I like it.

For my tenant, I ran:

Set-ExternalInOutlook -AllowList "quest.com", "microsoft.com" -Enabled $True

This command means that tagging is applied to any external email except the two domains defined in the allowed list. After a moment, I decided to add another domain. Doing it this way avoids overwriting the domains already excluded:

Set-ExternalInOutlook -AllowList @{Add="Practical365.com"}

Note: Some tenants are reporting that they see failures when running Set-ExternalInOutlook to add just one domain to the allow list. While Microsoft debugs the problem, the quick workaround is to always add at least two domains to the list.

The Get-ExternalInOutlook cmdlet reports the tagging configuration:

Get-ExternalInOutlook

Identity   : s662313f-14fc-43a2-9a7a-d2e27f4f3478
Enabled    : True
AllowList  : {quest.com, microsoft.com, Practical365.com}

The identity reported is the GUID for the tenant. It’s the same as reported by Get-AzureADTenantDetail, which is my normal go-to cmdlet to find this information.
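
The steps above as a repeatable script, added here as an example (not the author's code): it reviews the current allow list for exceptions worth questioning, then adds missing domains without overwriting the existing ones. The two domain lists are constructed sample values, and submitting the merged list for a single-domain add is an assumed reading of the workaround in the note.

```powershell
# Added example, not the article's code. Assumes the ExchangeOnlineManagement
# module is installed. $Wanted and $ConsumerDomains are constructed sample lists.
Connect-ExchangeOnline -ShowBanner:$false

$Wanted          = @('quest.com', 'microsoft.com', 'practical365.com')
$ConsumerDomains = @('gmail.com', 'outlook.com', 'yahoo.com')

$Config   = Get-ExternalInOutlook
$Current  = @($Config.AllowList | Where-Object { $_ } | ForEach-Object { "$_".ToLower() })
$Accepted = @(Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)".ToLower() })

# Flag exceptions that deserve a second look before they stay on the list.
$Review = foreach ($Entry in $Current) {
    $Domain = ($Entry -split '@')[-1]
    if ($Entry -like '*@*') {
        $Reason = 'Individual address is exempt from tagging'
    } elseif ($Domain -in $ConsumerDomains) {
        $Reason = 'Consumer mail domain: anyone can register an address'
    } elseif ($Domain -in $Accepted) {
        $Reason = 'Tenant accepted domain: entry is redundant'
    } else {
        continue
    }
    [pscustomobject]@{ Entry = $Entry; Reason = $Reason }
}

$Missing = @($Wanted | Where-Object { $_ -notin $Current })
if ($Missing.Count -ge 2) {
    # Incremental add leaves the existing entries untouched.
    Set-ExternalInOutlook -AllowList @{Add = $Missing}
} elseif ($Missing.Count -eq 1) {
    # Single-domain adds were reported to fail, so submit the merged list
    # (assumption: the workaround needs at least two values in one call).
    $Merged = @($Current + $Missing)
    if ($Merged.Count -ge 2) {
        Set-ExternalInOutlook -AllowList $Merged
    } else {
        Write-Warning "Holding $Missing until a second domain is ready to add."
    }
}
if (-not $Config.Enabled) { Set-ExternalInOutlook -Enabled $true }

$Review | Format-Table -AutoSize
Get-ExternalInOutlook | Format-List Enabled, AllowList
```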

After that, it’s a matter of waiting for Exchange Online to acknowledge the configuration update and enable tagging. Microsoft says that activation should happen within 24-48 hours. The exact waiting period depends on many factors, including service load, but in my case, Exchange Online started to tag messages within a few hours.

If you enable external tagging and want to see the tags show up, make sure that your account is enabled in the Microsoft 365 admin center for targeted release. Users on targeted release see new updates for several weeks before other users do.

Tagging Threads

Interestingly, OWA highlights a thread as external if any message in the thread comes from an external domain that’s not on the excluded list. For example, I have a bunch of messages from microsoft.com addresses which are excluded from tagging. But once someone from an external address (like dell.com, for instance) joins the conversation, OWA applies the external tag.

Although tagging is supposed to show up in Outlook mobile, I haven’t seen it yet despite updating to the latest TestFlight build (4.2110.0). No doubt external tags will appear in time. I just have to be patient.

Update March 30: Outlook Mobile 4.2113.0 (iOS) and 4.2110.0 (Android) display the external tags.

