Forum Discussion
Getting sensitivity label working for specific domain
Good morning all
I am trying to set up a sensitivity label to work so anyone with '@mail.com' will have access to a document that has this label. I have attempted to apply this in the control access settings with the label under 'Add specific email addresses or domains'.
However, for the life of me, I cannot get this to work. I have tried "*@mail.com. mail.com, mail.com"; nothing seems to work. I have run through the MS material on this and can't see anything specific to setting this up. Has anyone been successful in setting this up? Is there a trick I am missing?
Grateful for anyone who can help on this!
2 Replies
- Caleb_A_McDowell (Brass Contributor)
The domain-based access control in sensitivity labels works differently than most people expect, and the documentation doesn't spell it out clearly.
When you configure "specific email addresses or domains" under label encryption (Rights Management), Microsoft expects the domain in a bare format without wildcards. So instead of *@mail.com, just enter mail.com. That's it. No asterisk, no at-sign prefix.
Here's the exact format that works:
- ✅ mail.com
- ❌ *@mail.com
- ❌ mail.com
A few other things that trip people up:
- You're using the right label type, right? Domain-based access only works on labels configured with Microsoft Purview encryption (not just classification labels with no encryption). If your label is classification-only, there's no access control to configure.
- Label scope matters. If you set this up at the tenant level in the Purview compliance portal, confirm the label is published to the users who will be applying it. Unpublished labels won't behave predictably.
- Propagation lag is real. After you save changes to a label's encryption settings, give it 24 hours before testing again. I've seen people troubleshoot for hours on what was just a sync delay.
- Test with a labeled file, not just policy review. Apply the label to a test document, share it with someone at mail.com, and have them try to open it from a browser (not a cached Office client). The browser path gives you cleaner error output to troubleshoot against.
If you're still hitting issues after trying bare domain format, check whether the label was previously configured with different permissions. Old encryption settings can conflict with new ones until you strip and reapply.
Please mark this solution as the answer if you found it helpful! Cheers
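The bare-domain entry described in the reply above can also be set and read back from Security & Compliance PowerShell, which takes the portal form out of the picture. This is an added example, not part of the original posts: the label name is a placeholder, the view-only rights list is an assumption, and the JSON shape read from `LabelActions` is an assumption about the cmdlet output.

```powershell
# Added example. Placeholder label name; rights list is an assumption (view-only).
$LabelName = '<your-label-name>'
$Domain    = 'mail.com'
$Rights    = 'VIEW,VIEWRIGHTSDATA'

# Reject wildcard or at-sign forms before they reach the label definition.
function Test-BareDomain {
    param([string]$Value)
    return $Value -match '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# Return the encryption settings stored on the label.
# Assumption: LabelActions holds JSON strings with Type and Settings fields.
function Get-LabelEncryptionSettings {
    param([string]$Name)
    (Get-Label -Identity $Name).LabelActions |
        ForEach-Object { $_ | ConvertFrom-Json } |
        Where-Object { $_.Type -eq 'encrypt' } |
        ForEach-Object { $_.Settings }
}

if (-not (Test-BareDomain $Domain)) {
    throw "Use the bare domain (for example mail.com), not '$Domain'."
}

Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# Record what the label grants today, so old settings can be compared later.
"Before:"; Get-LabelEncryptionSettings -Name $LabelName | Format-Table Key, Value -Wrap

# Syntax is Identity:Right1,Right2 with ';' between identities.
# ${Domain} is braced so PowerShell does not read "$Domain:" as a scoped variable.
Set-Label -Identity $LabelName `
    -EncryptionEnabled $true `
    -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "${Domain}:$Rights"

"After:"; Get-LabelEncryptionSettings -Name $LabelName | Format-Table Key, Value -Wrap
```

Review the "Before" output first: the string passed to `-EncryptionRightsDefinitions` here contains only the one domain, so any identities the label already grants need to be included in it.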
- Prathista Ilango
Microsoft
Hello Joanna696,
Trying to understand if you are having trouble adding mail.com to the assign permissions settings in the label, or if the end user experience is not working as expected.
If you are not able to enable, check your RBAC and make sure you have the right permissions to do so.
If you are not seeing expected results, please check the following:
- If the right label is applied on the document
- Check Activity explorer when trying to access the file and if there is a relevant entry
Labeling actions reported in Activity explorer | Microsoft Learn
Hope this helps!
Regards,
PI
Please mark as solution, if you find the answer helpful. This will assist others in the community who encounter a similar issue, enabling them to quickly find the solution and benefit from the guidance provided.