Forum Discussion
Restrict "Internal / Restricted" labeled documents from being sent via email that has diff. labeling
Hi, Zoom2024 -
Thank you for posting your question here!
Honestly, you're quite close to achieving this already. In fact, take a file and label it restricted, then attach it to an email that is labeled public and see if you can send the message. You shouldn't be able to, as Exchange will also scan the contents of the attachment and see if it matches the policy conditions in any way, which it does based on the label applied to it.
For example, consider my configuration below on my Exchange Online ONLY DLP policy:
In the rule below (1 of 2), I have set up the conditions to identify any email that is being sent outside my organization AND contains any of the sensitive info types and sensitivity labels you see listed in the images below. If these conditions are met, the email should be blocked from being sent unless the user overrides the rule.
Now, looking at rule 2, we've removed the ability to override the block, meaning it cannot be sent at all to anyone outside the organization if it contains higher levels of the same sensitive info types or any of the labels I configured that are meant for internal eyes only.
Now, in my testing scenario, I have the file below that I will be attaching to the email message. Notice that it has the "General\All Employees" label applied, which, according to the policy above, cannot be sent outside the company no matter what.
If I attach that file to the email, I cannot send the email even though the email has the "General\Anyone" label applied because Exchange also scanned the attachment and detected content that cannot be sent outside the organization.
The other aspect to consider is to configure a SharePoint Online and OneDrive for Business DLP policy that also blocks these files from being shared through SharePoint and OneDrive, similar to the configurations below.
Rule 1
Rule 2
Always remember that priority MATTERS. The highest priority, most restrictive rule and policy will always be what is enforced. "0" is the highest priority.
If you want to read more about DLP, you can check out my DLP series blogs below:
Part 1 - Intro to DLP and SharePoint/OneDrive
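The two-rule layout described in the answer above, written out as an added Security & Compliance PowerShell example (this is not the poster's own configuration or the screenshots): the no-override rule sits at priority 0 and the override-allowed rule below it. The label GUID is a placeholder, the "Credit Card Number" counts and confidence are assumed thresholds, and the condition hashtable follows the cmdlet's documented group syntax.

```powershell
# Added example: Exchange Online-only DLP policy with two rules, modelled on the post above.
# Assumes the ExchangeOnlineManagement module is installed and a compliance admin account.
Connect-IPPSSession

# PLACEHOLDER, not a real value: replace with the GUID of the "General\All Employees"
# label as returned by Get-Label in your tenant.
$internalLabelId = "00000000-0000-0000-0000-000000000000"
$policyName = "Block internal-only content leaving the org"

# Policy scoped to Exchange Online only and enforced (not in test mode).
New-DlpCompliancePolicy -Name $policyName -ExchangeLocation All -Mode Enable

# Rule 2 from the post: an internal-only label, or a high count of the sensitive info
# type, going to an external recipient is blocked with no user override.
# Priority 0 is the highest, so this rule wins when both rules match.
New-DlpComplianceRule -Name "Rule 2 - block, no override" `
    -Policy $policyName `
    -AccessScope NotInOrganization `
    -ContentContainsSensitiveInformation @{
        operator = "Or"
        groups   = @(
            @{ operator = "Or"; name = "InternalLabels"
               labels = @(@{ name = $internalLabelId; type = "Sensitivity" }) },
            @{ operator = "Or"; name = "HighVolumeSITs"
               sensitivetypes = @(@{ name = "Credit Card Number"; mincount = "10"; minconfidence = "85" }) }
        )
    } `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner `
    -Priority 0

# Rule 1 from the post: a lower count of the same sensitive info type going external
# is blocked, but the sender can override with a business justification.
New-DlpComplianceRule -Name "Rule 1 - block with override" `
    -Policy $policyName `
    -AccessScope NotInOrganization `
    -ContentContainsSensitiveInformation @{
        operator = "And"
        groups   = @(
            @{ operator = "Or"; name = "LowVolumeSITs"
               sensitivetypes = @(@{ name = "Credit Card Number"; mincount = "1"; minconfidence = "85" }) }
        )
    } `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner -NotifyAllowOverride WithJustification `
    -Priority 1

# Confirm the rules exist and check their effective order (lower number = higher priority).
Get-DlpComplianceRule -Policy $policyName | Select-Object Name, Priority, BlockAccess
```

Test it the way the post does: attach a file carrying the internal-only label to a message labeled for anyone, address it externally, and confirm the send is blocked with no override offered.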