Apply attachment's sensitivity label to Outlook message


We're using Sensitivity Labels to classify content in our organization. We'd like to have Exchange automatically block the sharing of content with certain labels, except if the recipient's domain is in a list of approved domains.


We've set up a mail flow rule that addresses this properly when the label is applied directly to the email itself (i.e., a message header includes ... msip_labels ... MSIP_Label_xxx_Enabled=true). However, this rule is not triggered when only an attachment has the sensitivity label applied to it.


As I see it, we can either (a) set up parallel mail flow rules, one for email headers and one for attachments, or (b) ensure that an attachment's label gets applied to the email itself. Since (a) carries the additional burden of maintaining two parallel lists of authorized domains (one per rule), it seems that it would be preferable to have Outlook (or the AIP Client?) automatically apply an email attachment's label to the email itself. (Note that it could very well just be a default / suggested label with user override -- this is intended only to minimize the odds of careless disclosures, not stop a determined malicious insider.)


Our label policy has the "default email label" set to "same as document", but that's not resulting in emails being automatically classified with the attachment's label. The only documentation I could find on this topic referred to "auto-labeling policies", which don't work in our case since they don't support a condition like "an attachment has a sensitivity label of X" (they would work for something like "the email contains credit card numbers" or "an attachment cannot be scanned").


Is this type of automatic classification possible? If so, could anyone point me to instructions for setting it up? Thank you in advance.
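Option (a) above without two hand-maintained lists, as an added example that is not part of the original post: both mail flow rules are created or updated from one `$ApprovedDomains` variable in Exchange Online PowerShell. The label GUID is a placeholder, the domains and rule names are constructed, and the attachment condition assumes the label is stored in Office attachments as a custom document property named `MSIP_Label_<GUID>_Enabled`.

```powershell
# Added example, not from the original thread.
# Assumes an existing session created with Connect-ExchangeOnline.

# Placeholder: replace with the GUID of the sensitivity label to restrict.
$LabelGuid = '00000000-0000-0000-0000-000000000000'

# Single source of truth for approved recipient domains (constructed values).
# Add the organization's own domains here if internal mail must pass.
$ApprovedDomains = @('partner.example', 'auditor.example')

$RejectText = 'Content with this sensitivity label may only be sent to approved domains.'

# One rule per place the label can live: the message header or an attachment property.
$Rules = @(
    @{
        Name      = 'Block restricted label - message header'   # hypothetical name
        Condition = @{
            HeaderMatchesMessageHeader = 'msip_labels'
            HeaderMatchesPatterns      = "MSIP_Label_${LabelGuid}_Enabled=true"
        }
    },
    @{
        Name      = 'Block restricted label - attachment'       # hypothetical name
        Condition = @{
            # Format is "PropertyName:Word" for Office document properties.
            AttachmentPropertyContainsWords = "MSIP_Label_${LabelGuid}_Enabled:True"
        }
    }
)

foreach ($Rule in $Rules) {
    # Exception list and action are shared, so the two rules cannot drift apart.
    $Params = $Rule.Condition + @{
        ExceptIfRecipientDomainIs = $ApprovedDomains
        RejectMessageReasonText   = $RejectText
    }

    if (Get-TransportRule -Identity $Rule.Name -ErrorAction SilentlyContinue) {
        Set-TransportRule -Identity $Rule.Name @Params
    } else {
        New-TransportRule -Name $Rule.Name @Params
    }
}
```

Re-running the script after editing `$ApprovedDomains` updates both rules in one pass. Attachments whose properties Exchange cannot read will not match the second rule.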

5 Replies

Did you get to the bottom of this in the end or work out why it was not setting? If so, please share your findings.



Unfortunately, I never did figure out if it was supposed to work or why it wasn't working. I might take another shot at it early next year.

A bit late to the party =)

I think a better solution would be to complete this within Microsoft Purview's DLP solutions. I've set up something similar before where you can set an Exchange DLP policy to look for a certain Sensitivity Label and then block, whilst adding an exclusion for your requirement.

There is an update on the Roadmap. That will help with your question, I think.

This might be what I am looking for. Emails are upgraded in transit and blocked, but from the user's perspective, when they press send it has the lower label, and they don't know it's going to be stopped until they get a bounce back!