Office 365 for IT Pros

Outlook DLP Policy Tips Highlight Email with Sensitivity Labels

Oversharing Popups for Outlook Help Users Avoid DLP Problems

Microsoft is rolling out the ability, originally due for deployment in March 2023, for Outlook clients to detect and highlight messages using “oversharing popups” if the messages have specific sensitivity labels. The change is covered by message center MC523046 (last updated 9 June 2023) and Microsoft 365 roadmap item 100157. It’s also associated with Microsoft 365 roadmap item 100255, which covers the general effort to provide customers with replacement technology for the features available in the Azure Information Protection unified labeling client (due to retire in April 2024).

Azure Information Protection (AIP) labels were the predecessor of Microsoft 365 sensitivity labels. Users had to install a separate add-in to use labels (now the unified labeling client). As part of the process to retire the unified labeling client, Microsoft has incorporated information protection technology in the Microsoft 365 apps. The UI exposed by AIP is gradually being replaced by native Microsoft 365 features. The arrival of the sensitivity bar in Microsoft 365 apps is an example of the process in action.

Implementing Oversharing Popups in Microsoft 365 DLP Policies

In this case, instead of relying on the unified labeling client to detect potential “oversharing” problems when users compose email, it’s now possible to include checks in Data Loss Prevention (DLP) policies. The effect is to cause Outlook to use a policy tip to highlight that a message contains sensitive content that shouldn’t be shared outside the organization as users work with message content. DLP detects the oversharing condition in either the message or an attachment and the user is forced to take action before they can send the message.

DLP policies have always been able to detect and block oversharing of email. What’s different here is that DLP checks happen during message composition instead of the user sending the message and receiving a non-delivery notification because a DLP policy detects a violation and blocks the message. Of course, oversharing of email protected by a sensitivity label might not matter all that much if the rights granted in the sensitivity label don’t allow the external recipient to read the content. The value of the policy tip is that by proactively highlighting the issue, the user can take action to avoid problems detected by DLP. For instance, they could choose a different label for the message (and justify the downgrade).

Microsoft documents an example DLP policy to explain how oversharing policy tips work. They document the steps for creating a policy with both the Microsoft Purview compliance portal and PowerShell. Despite my affinity for PowerShell, I wouldn’t do anything with DLP rules through PowerShell because of the relative complexity of rule construction.

Testing DLP Oversharing Popups

After creating a DLP policy with a rule to check for the presence of sensitivity labels on email addressed to non-internal domains (Figure 1), wait about an hour to allow the policy information to replicate.

Figure 1: Configuring a DLP policy rule for oversharing popups

You’ll know that the rule works if you see a policy tip when composing a message to an external recipient and the message or any attachment has one of the sensitivity labels specified in the rule. Figure 2 shows a message assigned the Public sensitivity label, which isn’t covered by the rule. However, the attachment has the Confidential sensitivity label (you can’t see this, so you’ll have to trust me), so DLP detects a violation and displays the policy tip to say that the recipient isn’t authorized to receive this information.

Figure 2: DLP flags a problem with an oversharing popup

Attempts to send the message fail and Outlook displays a pop-up to tell the user why (Figure 3). OWA displays a similar prompt. In both cases, the user must take action before they can send the message.

Figure 3: Oversharing popup informs the user about the problem

It’s possible that a user will send a message with one of the sensitivity labels defined in the policy from Outlook mobile. It’s also possible that a user will send a message before the DLP code in Outlook or OWA detects a problem. In these instances, the Exchange transport service imposes the general block on sharing messages with the specified sensitivity labels and rejects the message.
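
The decision flow described in this section can be written down as a small model. This is an added example, not Microsoft's DLP engine or code from the article; the domain names, the label set in the rule, the client names, and all function names are assumptions made for illustration.

```python
"""Toy model of the oversharing check described above (not Microsoft's DLP engine)."""
from dataclasses import dataclass, field

# Assumed values: the tenant's internal domains and the labels named in the DLP rule.
INTERNAL_DOMAINS = {"contoso.example"}
RULE_LABELS = {"Confidential", "Highly Confidential"}
# Clients that evaluate the rule while the user composes, per the article.
COMPOSE_TIME_CLIENTS = {"outlook", "owa"}


@dataclass
class Message:
    label: str
    recipients: list
    attachment_labels: list = field(default_factory=list)


def external_recipients(msg):
    """Recipients whose domain is not one of the internal domains."""
    return [r for r in msg.recipients
            if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def matched_labels(msg):
    """Rule labels found on the message itself or on any attachment."""
    return sorted(({msg.label} | set(msg.attachment_labels)) & RULE_LABELS)


def evaluate(msg, client, client_check_completed=True):
    """Return where the message stops: 'policy_tip', 'transport_reject' or 'delivered'."""
    if not external_recipients(msg) or not matched_labels(msg):
        return "delivered"
    if client in COMPOSE_TIME_CLIENTS and client_check_completed:
        return "policy_tip"        # user must fix the message before it can be sent
    return "transport_reject"      # Exchange transport applies the same block


# Constructed sample: a Public message with a Confidential attachment (the Figure 2 case).
sample = Message("Public", ["alice@contoso.example", "bob@fabrikam.example"],
                 ["Confidential"])

if __name__ == "__main__":
    for client in ("outlook", "owa", "outlook_mobile"):
        print(client, "->", evaluate(sample, client))
    print("outlook, sent before the check ran ->", evaluate(sample, "outlook", False))
```

The same cases make a useful manual test matrix for a new policy: labeled attachment on an unlabeled or Public message, internal-only recipients, and a send from a client that does not show the tip.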

The Power of Policy Tips

Allowing users to correct potential errors when they compose email is a good idea. Apart from anything else, it helps reinforce the idea that email can contain confidential and sensitive information that shouldn’t go outside the organization. It’s much more powerful when users see policy tips that help amend behavior than simply having their email rejected for some inexplicable (to them) reason.

