Jun 13 2023 10:23 PM
Hello Everyone,
For Information Protection we defined Internal as the Default Label for Documents and Emails, and want to keep it like this. But because of this setting, we often find that users forget to set the label to public and general for external recipients.
Now my question would be if there is a way to set up a recommendation to change the label for every this?
Jun 16 2023 04:04 AM
Solution
Hi @DixonJohn
Thank you for posting your question!
This is a common configuration, and a common outcome of this configuration. I understand you want to keep the configuration as is, so in order to get what you're looking for, you'll be best served to leverage Data Loss Prevention policies for Exchange Online to block sending emails with the "Internal" label to external recipients which, after all, if it is labeled "Internal", it should stay internal.
However, this can be a bit aggressive for some companies, so instead of using DLP to block the message, you can leverage DLP to provide a tooltip at the top of the message (looks similar to the below) that can remind users to change the label from Internal. Unfortunately, even if you configured a description for users on the label, that description does not appear when the label is set by default, which is what you're currently experiencing.
Now, due to the way you have this configured, you have already felt the impact on the email side of things. Another thing to consider for this configuration is the impact of encrypting files internally by default. Unless you have configured the internal label to give everyone in the org the "Co-Owner" permission or a custom set of permissions that grants the "EDITRIGHTSDATA" permission, any user that opens an existing file that has not yet been labeled will become the rights owner of that file, even if they did not originally create the file. There will be no way for the original owner to modify the label after that happens.
One thing to consider, and if this setup is working for you, by all means please ignore me, is to consider removing encryption from the internal label. In this scenario, you will want to make sure proper internal access is configured based on the file's storage location (Marketing shouldn't have access to HR files, etc.) and then leverage DLP to prevent anything labeled Internal from leaving the organization. Your encrypting labels that are more restrictive than Internal are the ones that would be leveraged to share the file with external recipients and only when necessary. For those labels I'd use DLP to block the send but allow the user to override the block and provide a valid business reason for sending it.
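The two DLP behaviours described in the answer above (a policy tip for mail labeled Internal, and a block with justified override for a more restrictive label) could be set up in Security & Compliance PowerShell roughly as follows. This is an added example, not part of the original answer. The policy and rule names, the tip text, the `Confidential` label name and the shape of the label condition hashtable are assumptions to verify in your own tenant.

```powershell
# Added example. Names, tip text and label names are assumptions, not values from the thread.
# Requires the ExchangeOnlineManagement module and a compliance administrator role.
Connect-IPPSSession

# Resolve label GUIDs. Assumes labels named 'Internal' and 'Confidential' (hypothetical) exist.
$internalId     = (Get-Label -Identity 'Internal').Guid.ToString()
$confidentialId = (Get-Label -Identity 'Confidential').Guid.ToString()

# Helper (hypothetical name): builds a "content contains sensitivity label" condition.
# Assumption: the label group uses the same hashtable shape as sensitive info type groups.
function New-LabelCondition([string]$LabelGuid) {
    @{
        operator = 'And'
        groups   = @(@{
            operator = 'Or'
            name     = 'Default'
            labels   = @(@{ name = $LabelGuid; type = 'Sensitivity' })
        })
    }
}

$policy = 'Labeled mail to external recipients'   # hypothetical policy name

# Start in test mode with notifications: users see tips, nothing is enforced yet.
New-DlpCompliancePolicy -Name $policy -ExchangeLocation All -Mode TestWithNotifications

# Rule 1: Internal label + recipient outside the organization -> policy tip only.
New-DlpComplianceRule -Name 'Internal - remind sender' -Policy $policy `
    -ContentContainsSensitiveInformation (New-LabelCondition $internalId) `
    -AccessScope NotInOrganization `
    -NotifyUser LastModifier `
    -NotifyPolicyTipCustomText 'This message is labeled Internal and has external recipients. Change the label before sending.'

# Rule 2: more restrictive label + external recipient -> block, override needs a justification.
New-DlpComplianceRule -Name 'Confidential - block with override' -Policy $policy `
    -ContentContainsSensitiveInformation (New-LabelCondition $confidentialId) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser LastModifier `
    -NotifyAllowOverride WithJustification

# After reviewing the test-mode matches, enforce the policy:
# Set-DlpCompliancePolicy -Identity $policy -Mode Enable
```

Check the resulting rules with `Get-DlpComplianceRule -Policy $policy | Format-List` and confirm the label condition matches what the compliance portal generates for the same rule before enabling enforcement.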