Pinned Posts
Forum Widgets
Latest Discussions
Encryption disappears in Outlook - Sensitivity Label not working
Hello everyone, we implemented Sensitivity Labels at our client and have iconsistent and unexpected behavior, we cannot explain. Maybe some of you can help or have ideas on whats going on: Scenario / Use Case A customer is using Sensitivity Labels to encrypt emails in Exchange Online. Label configuration: The sensitivity label applies encryption The label is scoped (published) to a Microsoft 365 group User A and User B are members of this Microsoft 365 group and therefore can apply the label User are licensed with M365 Business Premium The label is published and available to User A and User B (member of above M365 group) User C is an external recipient and not included in the label’s publishing scope Observed Behaviors Scenario 1 – Encryption Lost When Forwarded Externally User A (internal) sends an email to User B (internal) using a sensitivity label that applies encryption. User B receives the email correctly: The lock icon in Outlook is displayed, the message is encrypted as expected User B forwards the email to User C (external) User C receives the forwarded email unencrypted: No lock icon is shown, User C can read the entire conversation history, including content that was previously encrypted Scenario 2 – Encryption Disappears Within an Internal Email Conversation In addition to the external forwarding scenario, we are also observing the following behavior within an internal email thread: User A sends an encrypted email to User B using the sensitivity label. User B replies to User A: The reply remains encrypted User A replies again within the same conversation Suddenly, the encryption disappears: The lock icon is no longer shown The message and the full conversation history is no longer protected This happens without any user action to remove or change the sensitivity label. Key Observation Both scenarios occur intermittently: Sometimes encryption behaves as expected Sometimes encryption disappears “out of nowhere” The behavior is not reliably reproducible, which makes troubleshooting very difficult. Any help is appreciated!
How do you work around the client restrictions for opening encrypted documents?
We are wanting to roll out Purview sensitivity labels. Specifically, encrypted labels so we can implement controls such as preventing printing, copy/paste, etc. The issue we have ran into is that once an Office doc is encrypted, there appears to only be two ways to open the document: In a licensed Office desktop client Sharing a link to the document in SharePoint so it can be opened in a web browser. We share documents with a large variety of 3rd parties that do not use Office. Many are small businesses who seem to prefer Google Workspace, so no Office clients. The SharePoint web browser option also does not work for us as we require users to have an Entra ID account to access our SharePoint, and it would not be feasible to onboard the number of external users we share documents with (nor to purchase O365 licenses for all of them). We considered using both encrypted and non-encrypted labels and using encrypted only when the recipient uses office. However there is no way for our internal users to know if the person they are sending a document to is using Office. So now we are left not really knowing what to do. I would love to hear some suggestions for how other organizations handled this.
Objects in a Retention Policy populated by Adaptive Scopes
I need a way to get all users in a retention policy that is populated by an adaptive scope. I can get all the members of the scope, and I can show that the policy uses that adaptive scope. But I know my audience. They will want to see that the users are actually in the policy. They will probably even want to see that it matches the users in the adaptive scope. In the GUI, I can click on an adaptive retention policy and click on "policy details". This will show all the users that the policy applies to and the date/time they were added, if they were removed from the policy, etc. And I can even export that. How can I get this same information via PowerShell? It's going to be important because, as you can see, there's a big difference in the date/time added. they were all in the adaptive scope BEFORE this policy was created, but it still took nearly 24 hours for all users to be added. Which is fine, and typical, but if a user gets added to the adaptive scope and does not have the policy applied to them within 24 hours, we need to know this. The goal is as much automation as possible, with checks and balances in place. Checks and balances require gathering information. That's going to require getting this information via PowerShell.DLP for SaaS Apps - Endpoint DLP/MDE + Purview Browser Extension
I need help verifying my understanding of how Purview tools control file upload/download and clipboard copy/paste actions. Here's the situation: Goal: Block file upload/download, copy/paste of sensitive data to/from SaaS apps. Deployment: Rolling out MDE (in Passive mode) or Endpoint DLP (Onboarding device to Purview) and the Purview browser extension for Chrome/Firefox. My Understanding: Copy Control: Handled by Endpoint DLP/MDE on the endpoint. Upload/Download/Paste Control: Requires the Purview browser extension (or native browser support Edge/Safari). Specific Question: The browser extension isn't available for macOS. I've read that MDE on macOS can handle everything (file upload/download and clipboard control). Could someone confirm if the table I've created correctly reflects this? Summary of Clipboard (Copy/Paste) Enforcement Operation Windows (Onboarded) macOS (Onboarded) Note Copy to Clipboard Endpoint Endpoint DLP Sensor Endpoint DLP Sensor Prevents data from reaching the clipboard Paste into SaaS Apps (Chrome/Firefox) Browser Extension Endpoint DLP Sensor Blocks paste into SaaS apps. Paste into SaaS Apps (MS Edge/Safari) Native on Edge Native on Edge/Safari Built-in integration; no extension needed.DLP Policy exclusion if any of the recipients are internal
I am trying to add an exclusion to my DLP policies when one of the recipients of an email is from a trusted domain. To do this I Added a group to my rule and used the AND NOT Recipient domain is with a list of approved domains. the rule works for email to a single recipient but not when there are multiple recipientsCan´t Sign confidential documents
Hello, I have a problem. I want to send confidential contracts to customers for signing with Adobe DocuSign. This contracts have a label "confidential" from purview and are encrypted. But now the customer cant sign the contract with DocuSign because of the encryption. Is there a way that they can sign the document? We must encrypt the documents because compliance reasons and ISMS. Thank you.
Two sensitivity labels on PDF file
Hi everyone, First time poster here. We encountered an interesting issue yesterday where we had a user come to us with a PDF that had two sensitivity labels attached. In Purview activity explorer, we can see the file hit the DLP policy and the two labels, but when trying to replicate the issue cannot do it, or see how this has been done. Has anyone else encountered a similar issue? We were able to remove labels in our PDF editor but in Office suite once a label is applied, I could not see a way to remove it. We tried applying a label to a Doc file, converting to PDF and then seeing if it was there where it was being asked for another label but it was not, it just let us change the original. Many thanks in advance!Information Scanner - SQL connection fails
Hello everyone, we are currently deploying the information scanner. The issue appeared after the scanner was already installed successfully SQL Server is running on a custom TCP port (49999), encrypted connection, and the scanner database is existing with the correct owner (service account). We also acquired the Entra token Error Failed to access scanner database. Verify the database is up and running and can be accessed by scanner service account and by the currently logged in user that executes the command. Troubleshooting steps taken: Diag show: Invalid database schema or cannot access the scanner DB. To update the database schema, run Update-ScannerDatabase. Make sure all nodes run the same MIP client version. SQL error: Message Could not obtain information about Windows NT group/user 'Domain\scanaccount', error code 0x5. Update-ScannerDatabase executed - same error Login to SQL Servers are successful SQL CMD: sqlcmd -S SQL.company.de,4321 -E -N -Q "SELECT @@VERSION" ## Worked Other configs: Tried to reregister database multiple times / service account is sysadmin at SQL server (shared) SQL DB Alias used instead of Port / SQL Browser did not work Allowed everything through firewall on SQL server - still fail 4h of troubleshooting gone by - and i am stuck - what can i do next? BR Stephan
