Home

AIP Label - Exchange DLP - PDF documents

%3CLINGO-SUB%20id%3D%22lingo-sub-559060%22%20slang%3D%22en-US%22%3EAIP%20Label%20-%20Exchange%20DLP%20-%20PDF%20documents%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-559060%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20are%20regularly%20configure%20Exchange%20DLP%20rules%20(transport%20rules)%20for%20customers%2C%20to%20block%20e-mails%20or%20attachments%20based%20on%20the%20AIP%20label.%20To%20block%20the%20attachment%2C%20we%20are%20looking%20for%20the%20Attachment%20Properties%20and%20looking%20for%20%22MSIP_Label_%3CLABEL_ID%3E_Enabled%20is%20True%22.%3C%2FLABEL_ID%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20works%20perfectly%20for%20MS%20Office%20documents%2C%20but%20I%20have%20just%20been%20notified%20by%20a%20customer%20it%20doesn't%20work%20for%20PDF%20documents.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20did%20some%20tests%20and%20took%202%20different%20PDF%20documents%3A%201%20with%20AIP%20label%20without%20protection%3B%201%20with%20AIP%20label%20with%20protection.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20both%20cases%2C%20my%20documents%20are%20delivered%20to%20the%20external%20e-mail%20address%20without%20any%20warning.%20When%20I%20do%20the%20exact%20same%20test%20with%20a%20Word%20document%2C%20it's%20blocked%20and%20I%20receive%20an%20alert.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20customer%20called%20MS%20Support%20who%20only%20answered%20it's%20not%20supported...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDoes%20anybody%20have%20any%20idea%20why%20it's%20not%20supported%2Fworking%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAn%20AIP%20label%20is%20supposed%20to%20be%20just%20a%20metadata%20attached%20to%20the%20file.%20Any%20tool%20should%20be%20able%20to%20read%20it.%20What%20is%20the%20main%20difference%20on%20a%20label%20(without%20protection)%20between%20a%20Word%20and%20a%20PDF%20document%3F%3C%2FP%3E%3CP%3EOr%20maybe%20it%20is%20a%20limitation%20on%20Exchange%2C%20which%20cannot%20read%20properties%20on%20a%20PDF%20document.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20is%20the%20policy%20I%20have%20on%20Exchange%20(working%20for%20Word%20but%20not%20PDF)%3A%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20736px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F112975iE8CD44BB8E492F62%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Clipboard01.jpg%22%20title%3D%22Clipboard01.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-559060%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EInformation%20Protection%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-565011%22%20slang%3D%22en-US%22%3ERe%3A%20AIP%20Label%20-%20Exchange%20DLP%20-%20PDF%20documents%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-565011%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F216127%22%20target%3D%22_blank%22%3E%40Nicolas%20Buache%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F90352%22%20target%3D%22_blank%22%3E%40Enrique%20Saggese%3C%2FA%3E%3A%20Is%20this%20something%20you%20can%20speak%20to%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-800561%22%20slang%3D%22en-US%22%3ERe%3A%20AIP%20Label%20-%20Exchange%20DLP%20-%20PDF%20documents%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-800561%22%20slang%3D%22en-US%22%3EDid%20you%20ever%20get%20an%20answer%20to%20this%20question%20or%20solve%20it%20another%20way%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-800574%22%20slang%3D%22en-US%22%3ERe%3A%20AIP%20Label%20-%20Exchange%20DLP%20-%20PDF%20documents%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-800574%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F391060%22%20target%3D%22_blank%22%3E%40flyfisher604%3C%2FA%3E%26nbsp%3BI%20never%20got%20any%20official%20answer%2C%20but%20I%20found%20this%20article%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fsecurity-and-compliance%2Fmail-flow-rules%2Finspect-message-attachments%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fsecurity-and-compliance%2Fmail-flow-rules%2Finspect-message-attachments%3C%2FA%3E%3C%2FP%3E%3CP%3EI%20then%20presume%20this%20is%20not%20supported%20by%20Exchange%2C%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-801569%22%20slang%3D%22en-US%22%3ERe%3A%20AIP%20Label%20-%20Exchange%20DLP%20-%20PDF%20documents%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-801569%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F216127%22%20target%3D%22_blank%22%3E%40Nicolas%20Buache%3C%2FA%3E%26nbsp%3BHi.%20I%20can't%20say%20why%20this%20is%20not%20currently%20working%2C%20but%20since%20we%20are%20currently%20previewing%20protection%20of%20PDF%20documents%20in%20OME%20I'll%20try%20to%20confirm%20if%20we%20can%20address%20this%20as%20part%20of%20this%20work.%20Will%20post%20back%20here.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-802553%22%20slang%3D%22en-US%22%3ERe%3A%20AIP%20Label%20-%20Exchange%20DLP%20-%20PDF%20documents%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-802553%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F90352%22%20target%3D%22_blank%22%3E%40Enrique%20Saggese%3C%2FA%3E%26nbsp%3BThank%20you%2C%20much%20appreciated.%3C%2FP%3E%3CP%3EI%20know%20that%20Exchange%20DLP%20(transport%20rules)%20should%20be%20configured%20in%20O365%20DLP%20in%20the%20future%2C%20but%20we%20currently%20have%20less%20flexibility%20and%20by%20experience%20DLP%20is%20working%20better%20using%20transport%20rules%20rather%20than%20O365%20DLP%20(O365%20DLP%20also%20doesn't%20work%20for%20this%20use%20case).%3C%2FP%3E%3CP%3EThank%20you%2C%20Nicolas%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-807369%22%20slang%3D%22en-US%22%3ERe%3A%20AIP%20Label%20-%20Exchange%20DLP%20-%20PDF%20documents%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-807369%22%20slang%3D%22en-US%22%3EFYI%2C%20we%20are%20working%20with%20Exchange%20on%20improving%20Exchange's%20ability%20to%20parse%20label%20metadata%20in%20PDF%20documents.%20We%20are%20currently%20using%20some%20libraries%20that%20have%20limitations%20in%20that%20area%2C%20so%20we%20are%20investigating%20updates%20to%20address%20the%20current%20limitations.%20I'll%20post%20back%20here%20once%20we%20reach%20a%20conclusion.%20%3CBR%20%2F%3EApologies%20for%20the%20inconvenience.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1195352%22%20slang%3D%22en-US%22%3ERe%3A%20AIP%20Label%20-%20Exchange%20DLP%20-%20PDF%20documents%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1195352%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F90352%22%20target%3D%22_blank%22%3E%40Enrique%20Saggese%3C%2FA%3EAny%20update%20on%20this%3F%20We%20are%20seeing%20the%20same%20behavior%20testing.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor

Hi,

 

We are regularly configure Exchange DLP rules (transport rules) for customers, to block e-mails or attachments based on the AIP label. To block the attachment, we are looking for the Attachment Properties and looking for "MSIP_Label_<label_ID>_Enabled is True".

 

This works perfectly for MS Office documents, but I have just been notified by a customer it doesn't work for PDF documents. 

 

I did some tests and took 2 different PDF documents: 1 with AIP label without protection; 1 with AIP label with protection.

 

In both cases, my documents are delivered to the external e-mail address without any warning. When I do the exact same test with a Word document, it's blocked and I receive an alert.

 

The customer called MS Support who only answered it's not supported...

 

Does anybody have any idea why it's not supported/working?

 

An AIP label is supposed to be just a metadata attached to the file. Any tool should be able to read it. What is the main difference on a label (without protection) between a Word and a PDF document?

Or maybe it is a limitation on Exchange, which cannot read properties on a PDF document.

 

Thank you,

 

This is the policy I have on Exchange (working for Word but not PDF):

Clipboard01.jpg

 

7 Replies
Highlighted

@Nicolas Buache 

 

@Enrique Saggese: Is this something you can speak to? 

Highlighted
Did you ever get an answer to this question or solve it another way?
Highlighted

@flyfisher604 I never got any official answer, but I found this article: https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/inspect-message-at...

I then presume this is not supported by Exchange,

Highlighted

@Nicolas Buache Hi. I can't say why this is not currently working, but since we are currently previewing protection of PDF documents in OME I'll try to confirm if we can address this as part of this work. Will post back here. 

Highlighted

@Enrique Saggese Thank you, much appreciated.

I know that Exchange DLP (transport rules) should be configured in O365 DLP in the future, but we currently have less flexibility and by experience DLP is working better using transport rules rather than O365 DLP (O365 DLP also doesn't work for this use case).

Thank you, Nicolas

Highlighted
FYI, we are working with Exchange on improving Exchange's ability to parse label metadata in PDF documents. We are currently using some libraries that have limitations in that area, so we are investigating updates to address the current limitations. I'll post back here once we reach a conclusion.
Apologies for the inconvenience.
Highlighted

@Enrique SaggeseAny update on this? We are seeing the same behavior testing.