Hi,
We were using a transport rule to block email containing credit card numbers. We did this with the following logic:
Is received from 'Outside the organization' and The message contains any of these sensitive information types: 'Credit Card Number'.
I am trying to get this to work with a Compliance/Purview DLP policy with the following logic:
Location: Exchange Email (All Groups)
Rule: Content is received from 'People outside my organization' AND Content contains Sensitive information types 'Credit Card Number'.
Looking at the documentation, specifically the Exchange Email Location scoping (https://learn.microsoft.com/en-us/purview/dlp-policy-reference#exchange-location-scoping), it states:
If you choose to include specific distribution groups in Exchange, the DLP policy is scoped only to the emails sent by members of that group. Similarly, excluding a distribution group excludes all the emails sent by the members of that distribution group from policy evaluation.
What about if you choose 'All Groups'? Does 'All Groups' really mean All Groups, or does it mean all senders and receivers? The reason I ask is that I cannot get this inbound DLP policy to function. If All Groups does mean All Groups, then anyone external would not be in a group and thus the policy wouldn't apply, which is what I am experiencing in my testing.
We have a similar outbound (Content is shared from Microsoft 365 with people outside my organization) DLP policy for blocking sharing of credit cards, and as soon as I hit reply on the test email containing CC information sent to trigger the inbound policy I mention above, the outbound policy kicks in and shows the policy tip, so I know the keywords and CC number in the email are enough to trigger the policy. I suspect that is because, when I hit reply, the internal user I am replying from is in a group used in the outbound Exchange email location scoping and is the sender in this case.
Any help would be greatly appreciated.
Regards