Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
SOLVED

Cannot block emails with specific label using MailFlow rules (OWA only)

Brass Contributor

Hi,

 

We have configured a mailflow rules in Exchange Online that will block any email that is labeled with a specific sensitivity label and that is sent outside the organization from being delivered. The mailflow rule actually look in the email "msip_labels" header and looks for the specific label information (ex: MSIP_Label_f777f457-ef2d-434d-81b5-0f4123455469_Enabled=true;). When found in the header, the email is blocked and a notification is sent to the sender.

 

This work perfectly for emails sent from Outlook.

 

Now that we can apply labels with Outlook on the Web (OWA), I was expecting the mailflow rule to work as well as with the Outlook client. It does not. I cannot understand why this is not working. We are applying the same label to the email in OWA as we do in Outlook. We can see in the message header that the "msip_labels" is there with the same MSIP_Label_f777f457-ef2d-434d-81b5-0f4123455469_Enabled=True; information. The only difference is that the word "True" has a capital "T" when sent from OWA (lowercase "t" when sent from Outlook) but the mailflow rule are not case sensitive anyway. Still, we did change the transport rule to also have a capital "T" but it doesn't change the result. When looking in the Message Trace of Exchange Online, the outgoing message from OWA is never analysed by the mailflow rule.

 

I know that this feature (sensitivity labels in Office on the web) is still in preview but I was wondering if any of you had that issue or would have an idea of what could cause the issue.

 

Thank you for your help!



.

4 Replies

Actually, some rules/values are case sensitive, which might explain the issue. Here's an example of this being mentioned in the documentation: https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/use-rules-to-bypas...

 

And yeah, I can easily find other articles mentioning they are not case sensitive, so the truth is relative it seems :) I'll try pinging few folks...

Or it actually might be a known issue for OWA, as detailed in the comment section here: https://docs.microsoft.com/en-us/azure/information-protection/configure-exo-rules

@Vasil Michev Thank you so much Vasil. That seems really promising as I know that the ";" is actually configured in the mailflow rule. I'll try that as soon as I can.

Chuck99 

best response confirmed by Chuck99 (Brass Contributor)
Solution

@Vasil Michev  Yes, the semicolon was confirmed as being a problem for Outlook on the web, and is now removed from the documentation. This correction is included in the November blog post for doc updates: Azure Information Protection Documentation Update for November 2019 

1 best response

Accepted Solutions
best response confirmed by Chuck99 (Brass Contributor)
Solution

@Vasil Michev  Yes, the semicolon was confirmed as being a problem for Outlook on the web, and is now removed from the documentation. This correction is included in the November blog post for doc updates: Azure Information Protection Documentation Update for November 2019 

View solution in original post