Forum Discussion
Solved
Block sending emails containing attached sensitive documents
Hi, Is it possible to create an EXO mail flow rule to block sending to externals, emails that contain attached labeled documents? Documents are labeled via sensitivity labels (i.e. strictly conf...
gencv Hello, you can configure it for attachments as well.
"If found, we know that this message (or one of its attachments) is protected with the label, so the rule can go ahead and block the message."
Look at this example for guidance https://docs.microsoft.com/en-us/azure/information-protection/configure-exo-rules#example-2-rule-that-applies-the-encrypt-only-option-to-emails-when-they-have-attachments-that-are-labeled-confidential--partners-and-these-emails-are-sent-outside-the-organization
You can use powershell to get blocked with a pop up notificiation when sensitive label is Highly Confidential for example :
Set-ExecutionPolicy RemoteSigned
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking
(Get-LabelPolicy -Identity "Highly Confidential").settings
# you can get the GUID of your Label
Get-Label | Format-Table -Property DisplayName,Name, Guid -AutoSize
# add your domain here or any other trusted domain that you went to allow
Set-LabelPolicy -Identity "Highly Confidential" -AdvancedSettings @{OutlookBlockTrustedDomains="onmicrosoft.com"}
#use the guid of you label in this command
Set-LabelPolicy -Identity "Highly Confidential" -AdvancedSettings @{OutlookBlockUntrustedCollaborationLabel="GUID of Your Label"}
Set-ExecutionPolicy RemoteSigned
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking
(Get-LabelPolicy -Identity "Highly Confidential").settings
# you can get the GUID of your Label
Get-Label | Format-Table -Property DisplayName,Name, Guid -AutoSize
# add your domain here or any other trusted domain that you went to allow
Set-LabelPolicy -Identity "Highly Confidential" -AdvancedSettings @{OutlookBlockTrustedDomains="onmicrosoft.com"}
#use the guid of you label in this command
Set-LabelPolicy -Identity "Highly Confidential" -AdvancedSettings @{OutlookBlockUntrustedCollaborationLabel="GUID of Your Label"}