
Block sending emails containing attached sensitive documents




Is it possible to create an EXO mail flow rule to block sending emails that contain attached labeled documents to externals?

Documents are labeled via sensitivity labels (i.e. strictly confidential). 




5 Replies

@ChristianBergstrom thank you for the feedback. Actually the link describes how to block a labeled email, but not a labeled attachment.
I need a mail flow rule that can be created based on the attachment label.

Use case: I label an email as General and attach to it a document labeled as Secret.


I'm trying via mail flow rule:

1. Apply this rule if: the recipient is outside the organization


2. Any attachment: has these properties, including any of these words

Property: Confidentiality --> Value: Secret

3. Reject the message with the explanation: Secret document cannot be sent outside the company

...but so far it doesn't work.


best response confirmed by gencv (Occasional Contributor)

@gencv Hello, you can configure it for attachments as well.


"If found, we know that this message (or one of its attachments) is protected with the label, so the rule can go ahead and block the message."


Look at this example for guidance
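
The rule discussed in this thread, sketched in Exchange Online PowerShell as an added example (not part of the thread and not any poster's code). It assumes an existing Exchange Online PowerShell session, that labeled Office documents expose the label as a document property named MSIP_Label_<GUID>_Enabled with the value True, and uses a placeholder GUID and a hypothetical rule name.

```powershell
# Added example. Assumes you are already connected to Exchange Online PowerShell.

# Placeholder: replace with the GUID of your own "Secret" label
# (Get-Label | Format-Table DisplayName, Name, Guid lists them).
$LabelGuid = '00000000-0000-0000-0000-000000000000'

# Assumption: the label is stored in the attachment as a document property
# named MSIP_Label_<GUID>_Enabled with the value True.
# AttachmentPropertyContainsWords expects the syntax "PropertyName:Word".
$LabelProperty = "MSIP_Label_${LabelGuid}_Enabled:True"

$RuleName = 'Block Secret attachments to external recipients'  # hypothetical name

$RuleParams = @{
    Name                            = $RuleName
    # Condition 1: at least one recipient is outside the organization
    SentToScope                     = 'NotInOrganization'
    # Condition 2: any attachment carries the label property
    AttachmentPropertyContainsWords = $LabelProperty
    # Action: reject with the explanation used in the thread
    RejectMessageReasonText         = 'Secret document cannot be sent outside the company'
    RejectMessageEnhancedStatusCode = '5.7.1'
    # Start in audit mode so matches are logged without blocking mail
    Mode                            = 'Audit'
}
New-TransportRule @RuleParams

# Confirm what was actually stored before relying on the rule
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, Mode, SentToScope, AttachmentPropertyContainsWords

# Once test messages with and without a labeled attachment behave as expected,
# switch the rule to enforcement.
Set-TransportRule -Identity $RuleName -Mode Enforce
```

The rule matches on the attachment's own property, so an email labeled General with a Secret attachment is still caught, which is the use case described above.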

@ChristianBergstrom thank you!

The way of defining the attachment property and value solved my problem.


Thank you again!

You can use PowerShell to get blocked with a pop-up notification when the sensitive label is Highly Confidential, for example:

Set-ExecutionPolicy RemoteSigned
$UserCredential = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "<connection URI>" -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking

(Get-LabelPolicy -Identity "Highly Confidential").settings
# you can get the GUID of your Label
Get-Label | Format-Table -Property DisplayName,Name, Guid -AutoSize
# add your domain here or any other trusted domain that you want to allow
Set-LabelPolicy -Identity "Highly Confidential" -AdvancedSettings @{OutlookBlockTrustedDomains=""}
# use the GUID of your label in this command
Set-LabelPolicy -Identity "Highly Confidential" -AdvancedSettings @{OutlookBlockUntrustedCollaborationLabel="GUID of Your Label"}