Microsoft 365 Blog

Oversharing Pop-up in Outlook – Customize experience via GPO settings

SankalpJ (Microsoft)
Jul 08, 2023

Admins can create and configure Microsoft Purview Data Loss Prevention (DLP) policies and Outlook for Microsoft 365 to show pop-up messages that warn users, before an email is sent, that the email they are attempting to send contains sensitive information. Admins can ask users to provide a justification for sending the email, or prevent them from sending it. The scenarios and specifics of using this via Microsoft Purview Information Protection can be read here.

Below is a sample of how the oversharing configuration can be used to capture the justification from the user before allowing them to send the message. 

 

An image demonstrating how admins can configure for capturing justification in case of policy violation.

Oversharing Popups Configuration 

Configuring this feature requires two steps, one on the Purview Portal and one on the Outlook for Microsoft 365 client. 


1. Purview Portal Configuration 

These Oversharing Popups settings are available in the Purview portal.

When an admin defines a DLP policy in the Microsoft Purview compliance portal, Outlook checks messages as they are composed against the DLP policies that are deployed. If admins want to ensure that all non-compliant messages show a policy violation pop-up, they must access the Group Policy setting (or a similar mechanism explained below) and define the behavior.

An image showing the DLP policy checkbox for Oversharing.

2. Outlook for Windows Client Configuration

An admin can configure the Outlook experience in any of the following ways:

  • The “Specify wait time to evaluate sensitive content” policy available under Software\Policies\Microsoft\office\16.0\Outlook\options\Mail\Compose message in the Group Policy Settings page.
  • The DLPWaitOnSendTimeout registry key (DWORD value) under Software\Policies\Microsoft\office\16.0\Outlook\options\Mail
  • Other mechanisms that can configure the above registry key

For more information on how to access and use GPO settings, please see Create and manage group policy in Azure AD Domain Services | Microsoft Learn.

If you're using Group Policy, make sure you've downloaded the most recent version of Group Policy Administrative Template files for Microsoft 365 Apps for enterprise and navigate to this setting from User Configuration/Administrative Templates/Microsoft Office 2016/Security Settings. If you're using the Cloud Policy service for Microsoft 365, search for the setting by name to configure it. 

 

GPO options:

  1. No "check before send" experience: The Outlook client will not wait for the policy evaluation to complete, and the mail is sent right away when the user hits Send. The DLP service will continue evaluating the mail in the background and take appropriate action based on the evaluation, such as blocking delivery.
  2. Check before send and allow sending after waiting for a pre-defined time: Message is checked when the user hits send, but the user is allowed to send the mail by clicking on “Send anyway” button in the dialog window. 
  3. Check before send and do not allow sending until policy evaluation is completed: Message is checked when the user hits send, but the message will not be sent until all policies are evaluated. 

 

Possible Configuration Values 

 

Not configured/Disabled: This is the default. When this policy is not configured or is disabled, the message is not checked when the user hits "send". The service continues the evaluation and, based on the result, the mail is either delivered or an NDR is returned.

An image showing the default configuration of no “Check before send” in Group policy setting

Enabled - The message is checked when the user hits send. The administrator needs to configure the time interval after which the user is allowed to send the mail even when evaluation is not completed. 

 

An image showing how admins can use Group Policy settings to enable “Check before send” and allow sending after a wait time of 30 seconds.

T = the number of seconds after which the "Send Anyway" button becomes visible.

The "T" value needs to be in the range between 0 and 9999. If T > 9999, the "Send Anyway" button will not be displayed, and the email can't be sent until the evaluation of sensitive content is complete.

Note: Any value entered above 9999 will get replaced by 10000, in which case the user will not be allowed to send the mail until full evaluation of all the policies is completed. This setting helps ensure 100% compliance with admin policies and that no mail is sent without complete evaluation.
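
An audit-and-set helper for the registry value described above, added here as an example; it is not part of the original post or Microsoft's tooling. It assumes the per-user policy hive (HKCU, because the setting is listed under User Configuration) and that the DWORD holds T in seconds; the function names are hypothetical.

```powershell
# Added example (not from the original post). Assumptions: per-user policy hive
# (HKCU) and a DWORD that holds T in seconds; function names are hypothetical.
$PolicyPath = 'HKCU:\Software\Policies\Microsoft\office\16.0\Outlook\options\Mail'
$ValueName  = 'DLPWaitOnSendTimeout'

function Get-DlpSendBehavior {
    # Read the policy value and map it to one of the three behaviours in the post.
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $behavior = 'Not configured: no check before send, service evaluates after sending'
        return [pscustomobject]@{ Path = $PolicyPath; Value = $null; Behavior = $behavior }
    }
    # A raw DWORD above 0x7FFFFFFF can surface as a negative Int32; treat it as > 9999.
    $t = [int64]$item.$ValueName
    if ($t -lt 0 -or $t -gt 9999) {
        $behavior = 'Check before send: no "Send Anyway", wait for full evaluation'
    } else {
        $behavior = "Check before send: ""Send Anyway"" offered after $t second(s)"
    }
    [pscustomobject]@{ Path = $PolicyPath; Value = $t; Behavior = $behavior }
}

function Set-DlpSendTimeout {
    param(
        [Parameter(Mandatory)]
        [ValidateRange(0, [int]::MaxValue)]
        [int]$Seconds
    )
    # Mirror the note in the post: anything above 9999 is stored as 10000.
    $stored = [Math]::Min($Seconds, 10000)
    if (-not (Test-Path -Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyPath -Name $ValueName -PropertyType DWord `
        -Value $stored -Force | Out-Null
    Get-DlpSendBehavior   # read back so the change is verified, not assumed
}

# Report the current state, then apply a 30-second wait (the value in the screenshot).
Get-DlpSendBehavior | Format-List
Set-DlpSendTimeout -Seconds 30 | Format-List
```

A value written directly to the policy key is overwritten at the next Group Policy refresh if a GPO or Cloud Policy also manages this setting.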

 

What’s Next 

We are continuing to refine the Oversharing Popups experience in several areas, including simplifying configuration and improving the customer experience. We will provide an update on these areas in the upcoming months; please follow the Minimum versions for sensitivity labels in Microsoft 365 Apps - Microsoft Purview (compliance) | Microsoft Learn page for change notifications.

Updated Jul 18, 2023
Version 3.0