How to Create Mailbox Exclusions for Microsoft 365 Sensitivity Label Policies

Posted on by Tony Redmond

PowerShell is the Only Way to Create Policy Exclusions

In most cases, organizations want to publish sensitivity labels to all users. This makes sense because it means that everyone has access to the same set of sensitivity labels to protect content. The Microsoft Purview compliance portal makes the task easier by supporting the special All destination as a target for a sensitivity label policy, meaning that the policy includes all mailboxes. Alternatively, you can choose to publish labels to selected groups or individual users (Figure 1).

Configuring the target locations for a sensitivity label policy
Figure 1: Configuring the target locations for a sensitivity label policy

No GUI for Policy Exclusions

You might notice that the GUI for sensitivity label policy publication doesn’t support the exclusion of specific users (mailboxes) when a policy uses the special All destination. In other words, stop a few mailboxes from seeing the labels in applications like OWA and OneDrive for Business. For instance, you might want to publish organization-wide sensitivity labels to all mailboxes except those belonging to a certain department, possibly because no business reason exists for the personnel in that department to apply sensitivity labels to documents or messages.

It’s worth noting at this point that publication allows people to apply sensitivity labels to items. A user doesn’t need to be a target location in a label publishing policy to access content protected by sensitivity labels published by the policy. Any Microsoft 365 account can read content if the label protecting the content grants them the right to do so.

It’s curious that Purview doesn’t include the GUI to allow administrators to apply exclusions to sensitivity label policy. The equivalent GUI for retention label publishing policies includes exclusions, and although retention labels and sensitivity labels serve different purposes, managing their deployment is broadly similar.

PowerShell to the Rescue

What’s also curious is that the PowerShell Set-LabelPolicy cmdlet can set exclusions for sensitivity label policies. For example, after connecting to the compliance endpoint, this command excludes the mailboxes of Terry Hegarty and Kim Akers from receiving the labels published in the specified policy:

Set-LabelPolicy -Identity "General Sensitivity Policy" -AddExchangeLocationException "Terry.Hegarty@Office365itpros.com", "Kim.Akers@office365itpros.com"

Get-LabelPolicy -Identity "General Sensitivity Policy" | Select ExchangeLocationException

ExchangeLocationException
-------------------------
{Kim Akers, Terry Hegarty}

Adding a mailbox to a label publishing policy in this manner does not overwrite the set of excluded mailboxes. The exclusion of a mailbox from a label publishing policy doesn’t take effect immediately. Outlook clients must refresh their cache of information from the Information Protection service. When that happens, users won’t be able to apply the labels to new emails.

To remove an excluded mailbox, run Set-LabelPolicy and pass the mailbox name in the RemoveExchangeLocationException parameter.

Set-LabelPolicy -Identity "General Sensitivity Policy" -RemoveExchangeLocationException Kim.Akers

Processing Multiple Exclusions

Running the Set-LabelPolicy cmdlet to add more than a few excluded mailboxes can become tiresome. In these circumstances, it’s better to find the set of mailboxes using Get-ExoMailbox or another method (like reading the members of a distribution list) and pipe the set of mailboxes to Set-LabelPolicy.

For example, let’s assume that you want to exclude all the members of a department and that they’re all part of a distribution list. Finding the members of a distribution list is a well-trodden path and the Get-DistributionGroupMember cmdlet is what we need to use in this case. Adding all members of a distribution list is simple. First, extract the primary SMTP addresses for the members and store them in an array. Then, pass the array to Set-LabelPolicy. For example, this code extracts the user mailboxes from the membership of a distribution list and uses the array to create exclusions.

[array]$Members = Get-DistributionGroupMember -Identity "Planning Department" | ? {$_.RecipientTypeDetails -eq "UserMailbox"} | Select -ExpandProperty PrimarySmtpAddress
Set-LabelPolicy -Identity "General Sensitivity Policy" -AddExchangeLocationException $Members

Microsoft 365 Groups only support user mailboxes in their memberships, so you don’t have to filter the members from those groups.

Some formatting is necessary to make a long list of excluded mailboxes easy to read. Here’s what I normally do:

[array]$Exclusions = Get-LabelPolicy -Identity "General Sensitivity Policy" | Select -ExpandProperty ExchangeLocationException
$Exclusions.Name
Andy.Ruth@office365itpros.com
Kim.Akers@office365itpros.com
Brian.Weakliam@office365itpros.com
James.A.Abrahams@office365itpros.com
Marc.Vigneau@office365itpros.com
Terry.Hegarty@office365itpros.com
Jane.Sixsmith@office365itpros.com
Lotte.Vettler@office365itpros.com

It’s possible that Microsoft might update the compliance portal GUI to support the addition of exclusions for sensitivity label policies. In the interim, you can do it with PowerShell.

Learn about protecting Exchange Online and the rest of Office 365 by subscribing to the Office 365 for IT Pros eBook. Use our experience to understand what’s important and how best to protect your tenant.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.