Forum Discussion
Classified and Apply DLP on PDF files
- Dec 23, 2021
Hi dilanmic,
We are having the exact same problem. We also discussed this with Microsoft in a ticket regarding the DLP policy activation on PDF files with a sensitivity label. It took them a while to come back with an answer which confirms that this is a 'weird' problem or maybe even a bug, but sadly the final answer was: "After discussion with my team and senior resource, we found that we do not have DLP available for PDF documents".
This means that we cannot prevent PDF files from being sent outside when only using DLP policies. What we can do is prevent all files which have a certain sensitivity label from being sent as an attachment via the Outlook client with the help of PowerShell commands. These cmdlets will only work when using the Outlook client and are based on the sensitivity label policy itself (so this has nothing to do with DLP).
When you install the AIP UL client on an endpoint device, you can then take advantage of these PowerShell commands:
- Set-LabelPolicy -Identity "LabelPolicyName" -AdvancedSettings @{AttachmentAction="Automatic"}
- With this command, the email will automatically inherit the label that is applied to the attachment when that attachment is added to the email.
- Set-LabelPolicy -Identity "LabelPolicyName" -AdvancedSettings @{OutlookBlockUntrustedCollaborationLabel="ab12345c-d678-9012-34ef-56789g01h234,i5j6k78l-90mn-1o23-45pq-r678901234s5"}
- With this command, the email will be blocked from being sent to external domains when the attachment or email is labeled with one of the labels provided in the command. When using more labels, these have to be comma-separated.
- Set-LabelPolicy -Identity "LabelPolicyName" -AdvancedSettings @{OutlookBlockTrustedDomains="<trusted domain>"}
- With this command, you can whitelist certain external domains which can then receive emails other external domains cannot receive. It can be added as '@contoso.com' and these also need to be comma-separated when using more domains.
Note that with these adjustments you are only blocking this from the installed Outlook client. For OWA, users will still be able to send non-Office documents when the email itself is not labeled and unfortunately you cannot enforce label inheritance from an attachment here.
Not the answer you were hoping for, at least I wasn't, but hopefully it's good for you to know how it works at this time. It would be great if Microsoft would support this in the future because I don't think we are the only ones who face this problem!
More information about these PowerShell commands can be found here:
https://docs.microsoft.com/en-us/azure/information-protection/rms-client/clientv2-admin-guide-customizations
Wishing you all the best and a merry Christmas.
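As an added example (not code from the post above), the three advanced settings combined into one script that resolves label names to the GUIDs the setting expects and reads the policy back afterwards. The policy, label and domain names are constructed placeholders, and the ExchangeOnlineManagement module (Connect-IPPSSession, Get-Label, Set-LabelPolicy, Get-LabelPolicy) is assumed to be installed.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module is installed and the account is allowed to run Connect-IPPSSession.
# Policy, label and domain names below are constructed placeholders.
$policyName  = "LabelPolicyName"
$labelNames  = @("Confidential", "Highly Confidential")   # labels whose mails/attachments must stay internal
$trustedDoms = @("@contoso.com", "@fabrikam.com")          # external domains that may still receive them

Connect-IPPSSession

# Resolve label names to their immutable GUIDs instead of hand-typing GUIDs
# into the comma-separated string; a typo in a GUID silently blocks nothing.
$labelIds = foreach ($name in $labelNames) {
    $label = Get-Label -Identity $name -ErrorAction Stop
    $label.ImmutableId.ToString()
}

# Apply all three settings in one call: inherit the attachment's label,
# block the listed labels from leaving, and exempt the trusted domains.
Set-LabelPolicy -Identity $policyName -AdvancedSettings @{
    AttachmentAction                        = "Automatic"
    OutlookBlockUntrustedCollaborationLabel = ($labelIds -join ",")
    OutlookBlockTrustedDomains              = ($trustedDoms -join ",")
}

# Read the policy back and show only the three advanced settings, so the
# change can be checked before the policy is rolled out to clients.
(Get-LabelPolicy -Identity $policyName).Settings |
    Where-Object { $_ -match 'AttachmentAction|OutlookBlockUntrustedCollaborationLabel|OutlookBlockTrustedDomains' }
```

Remember that, as the post says, these settings only take effect in the Outlook client with the AIP UL client installed; OWA is not covered.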
This would really help me.