Outlook DLP Policy Tips Highlight Email with Sensitivity Labels

Oversharing Popups for Outlook Help Users Avoid DLP Problems

Originally due for deployment in March 2023, the ability for Outlook clients to detect and highlight messages that carry specific sensitivity labels using “oversharing popups” is now rolling out. The change is covered by message center MC523046 (last updated 9 June 2023) and Microsoft 365 roadmap item 100157. It’s also associated with Microsoft 365 roadmap item 100255, which covers the general effort to provide customers with replacement technology for the features available in the Azure Information Protection unified labeling client (due to retire in April 2024).

Azure Information Protection (AIP) labels were the predecessor of Microsoft 365 sensitivity labels. Users had to install a separate add-in to use labels (now the unified labeling client). As part of the process to retire the unified labeling client, Microsoft has incorporated information protection technology in the Microsoft 365 apps. The UI exposed by the AIP is gradually being replaced in native Microsoft 365 features. The arrival of the sensitivity bar in Microsoft 365 apps is an example of the process in action.

Implementing Oversharing Popups in Microsoft 365 DLP Policies

In this case, instead of relying on the unified labeling client to detect potential “oversharing” problems when users compose email, it’s now possible to include checks in Data Loss Prevention (DLP) policies. The effect is to cause Outlook to use a policy tip to highlight that a message contains sensitive content that shouldn’t be shared outside the organization as users work with message content. DLP detects the oversharing condition in either the message or an attachment and the user is forced to take action before they can send the message.

DLP policies have always been able to detect and block oversharing of email. What’s different here is that DLP checks happen during message composition instead of the user sending the message and receiving a non-delivery notification because a DLP policy detects a violation and blocks the message. Of course, oversharing of email protected by a sensitivity label might not matter all that much if the rights granted in the sensitivity label don’t allow the external recipient to read the content. The value of the policy tip is that by proactively highlighting the issue, the user can take action to avoid problems detected by DLP. For instance, they could choose a different label for the message (and justify the downgrade).

Microsoft documents an example DLP policy to explain how the oversharing policy tip works. They document the steps for creating a policy with both the Microsoft Purview compliance portal and PowerShell. Despite my affinity for PowerShell, I wouldn’t do anything with DLP rules through PowerShell because of the relative complexity of rule construction.
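For readers who do want the PowerShell form, here is an added example (not code from the post or from Microsoft’s documentation) that builds the policy and rule described in this article with the Security & Compliance cmdlets. The policy name, the internal domain and the label name are placeholders, and the label condition syntax is my reading of the ContentContainsSensitiveInformation format for New-DlpComplianceRule, so check it against the current cmdlet reference before relying on it.

```powershell
# Added example: oversharing DLP policy and rule via Security & Compliance PowerShell.
# Names, domain and label below are placeholders, not values from the post.
Connect-IPPSSession

$PolicyName     = "Oversharing Popups"   # placeholder policy name
$InternalDomain = "example.com"          # placeholder: your own (internal) domain
$LabelName      = "Confidential"         # label the post's Figure 2 flags on an attachment

# 1. Policy scoped to Exchange Online and enforced (Mode Enable), so the rule can block.
New-DlpCompliancePolicy -Name $PolicyName -ExchangeLocation All -Mode Enable `
    -Comment "Flag labeled mail addressed to recipients outside the organization"

# 2. Rule condition: the message or an attachment carries the sensitivity label.
# Assumption: this label syntax matches the documented ContentContainsSensitiveInformation
# format (labels entry with type "Sensitivity"); verify against the current cmdlet reference.
$LabelCondition = @(@{
    operator = "And"
    groups   = @(@{
        operator = "Or"
        name     = "Default"
        labels   = @(@{ name = $LabelName; type = "Sensitivity" })
    })
})

# ExceptIfRecipientDomainIs excludes purely internal mail, so the rule fires only when at
# least one recipient is external. NotifyUser drives the policy tip shown while composing;
# BlockAccess makes the send fail until the user fixes the message (Figures 2 and 3).
New-DlpComplianceRule -Name "Block external sharing of $LabelName" -Policy $PolicyName `
    -ContentContainsSensitiveInformation $LabelCondition `
    -ExceptIfRecipientDomainIs $InternalDomain `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This message or an attachment is labeled $LabelName and cannot be sent to external recipients." `
    -BlockAccess $true

# 3. Confirm what was stored. Per the post, allow about an hour for the policy to replicate
# before expecting the tip to appear in Outlook or OWA.
Get-DlpComplianceRule -Policy $PolicyName |
    Format-List Name, ContentContainsSensitiveInformation, ExceptIfRecipientDomainIs, BlockAccess, NotifyUser
```

Setting -Mode to TestWithNotifications instead of Enable lets you see the policy tip without the send being blocked, which is a useful first step before enforcing the rule.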

Testing DLP Oversharing Popups

After creating a DLP policy with a rule to check for the presence of sensitivity labels on email addressed to non-internal domains (Figure 1), wait about an hour to allow the policy information to replicate.

Figure 1: Configuring a DLP policy rule for oversharing popups

You’ll know that the rule works if you see a policy tip when composing a message to an external recipient and the message or any attachment has one of the sensitivity labels specified in the rule. Figure 2 shows a message assigned the Public sensitivity label, which isn’t covered by the rule. However, the attachment has the Confidential sensitivity label (you can’t see this, so you’ll have to trust me), so DLP detects a violation and displays the policy tip to say that the recipient isn’t authorized to receive this information.

Figure 2: DLP flags a problem with an oversharing popup

Attempts to send the message fail and Outlook displays a pop-up to tell the user why (Figure 3). OWA displays a similar prompt. In both cases, the user must take action before they can send the message.

Figure 3: Oversharing popup informs the user about the problem

It’s possible that a user will send a message with one of the sensitivity labels defined in the policy from Outlook mobile. It’s also possible that a user will send a message before the DLP code in Outlook or OWA detects a problem. In these instances, the Exchange transport service imposes the general block on sharing messages with the specified sensitivity labels and rejects the message.

The Power of Policy Tips

Allowing users to correct potential errors when they compose email is a good idea. Apart from anything else, it helps reinforce the idea that email can contain confidential and sensitive information that shouldn’t go outside the organization. It’s much more powerful when users see policy tips that help amend behavior than simply having their email rejected for some inexplicable (to them) reason.


12 Replies to “Outlook DLP Policy Tips Highlight Email with Sensitivity Labels”

  1. Great feature, but it feels like Microsoft only had this oversharing use case in mind when implementing the Outlook tooltip. We have a policy that shows a tooltip when confidential words are detected (via SIT) and the user has chosen the wrong label (public or internal). Our custom tooltip suggests verifying the applied label, but the second tooltip (which you can’t disable at all) says “recipients are not authorized” and it suggests to remove them... completely irritating to the end user

  2. I have configured the policy exactly the same way for the oversharing popup, however I do not get the popup window. I’m only getting the policy tip. I think I could be missing something inside the rule.

    Business case: I would like to have a popup notification for my users to confirm whenever they are sending an email to an external recipient.
    I do not need to block it, or block with override. I simply need them to check the recipient list once again whenever there is an external recipient.
    I could get this accomplished using unified AIP client custom configuration. Now that it will be retired, I’m looking for an alternative.

    I would really appreciate it if I could get a snippet of the rule to understand how to get the popup like in Figure 3.

    Thanks!

      1. Thanks Tony. Yes, that could be the case. Could you please share the snippet of the compliance rule configured to get the popup?

  3. Are there any reports of recipients not saving? I tried 2 different tenants, I added a group selected, NOT my condition was the same as yours and it is not saving. I also tried adding Recipient is, same results.

    1. I don’t know. I can’t see your code and don’t know the state of your tenant, so it’s impossible for me to say. Submit a support request to Microsoft and ask them to debug the problem. They can see your tenant conditions…

  4. Great article! How did you get this to display the sensitivity label being applied? When I test this mine won’t input the label name that was applied to the file e.g. Confidential, Internal, etc.
