Configuring Outlook DLP Policy Pop-Ups for Sensitive Content
Office 365 for IT Pros (https://office365itpros.com), Tue, 09 Jul 2024
https://office365itpros.com/2024/07/09/outlook-dlp-policy-tips/

Set a Delay for Microsoft Content Services to Evaluate Email Content

I was asked about a Microsoft Technical Community post from July 2023 titled "Oversharing Pop-up in Outlook - Customize experience via GPO settings". Some folks couldn't get the pop-up windows to work with the newly branded Outlook (classic), so I decided to take a look.

Outlook DLP Policy Tips and Pop-Up Windows

When a tenant has configured Data Loss Prevention (DLP) policies to prevent sharing of sensitive data, Outlook and OWA evaluate message content and display policy tips if configured in DLP rules. Figure 1 shows how Outlook displays a policy tip after detecting some credit card information in a message.

Figure 1: DLP policy tip displayed in Outlook (classic)

Outlook sends email content to Microsoft content services for processing by DLP policies. If a violation is found and a policy tip is configured, Outlook displays the policy tip. It's possible to use a sensitivity label to block access to content services for Microsoft Office apps. Although the intended use case for assigning such a label to an email is to stop Copilot for Microsoft 365 from processing message content, the label also stops DLP policy tips because Outlook can no longer send the content for evaluation. Losing the visual indicator isn't optimal, but a backstop exists: the Exchange transport service still processes the checks defined in DLP policies and can block the message on its way out.

The Problem Being Solved with Outlook DLP Policy Tips

The problem that the pop-up messages attempt to solve is that it's possible to insert sensitive data into a message and send it before Outlook has had time to send the content to Microsoft content services, which means that the user never sees the policy tip. The solution that I tested configures the "Specify wait time to evaluate sensitive content" setting in a cloud policy configuration in the Microsoft 365 Apps admin center (Figure 2).

Figure 2: Configuring a cloud policy to specify a wait time for sensitive content

Enabling the setting and specifying a period (in seconds) instructs Outlook (classic) to pause for that period before sending a message. Allowing 15 seconds or so should be enough for Outlook to transmit the email to Microsoft content services and receive a response. While the check runs, users see a message telling them that the organization requires email to pass a sensitive content check before transmission (Figure 3).

Figure 3: Outlook sends email content for evaluation

Depending on the DLP rule conditions, a violation discovered by the content check causes Outlook to display the policy tip with or without blocking the message. If the DLP rule allows it, the sender can override the block and continue to send the email. Figure 4 shows a DLP rule configured with a policy tip and the ability for a sender to override the block.

Figure 4: DLP rule configured to allow an override
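The same rule can be created from Security & Compliance PowerShell instead of the Purview portal. The script below is an added example and not code from the article: it assumes the ExchangeOnlineManagement module is installed, that the account running it holds a role that can manage DLP (Compliance Administrator, for instance), and the policy and rule names are illustrative. The policy starts in test mode with notifications so that the sending delay can be piloted without blocking anything.

```powershell
# Added example (not from the article): reproduce the Figure 4 configuration
# with Security & Compliance PowerShell.
# Assumptions: ExchangeOnlineManagement module installed; the account can manage
# DLP policies; policy and rule names are illustrative.

Connect-IPPSSession   # prompts for credentials

$policyName = 'Credit Card Policy Tips (Outlook)'
$ruleName   = 'Warn and allow override for credit card numbers'

# Scope the policy to Exchange Online only so the policy tip appears in
# Outlook (classic) and OWA. TestWithNotifications shows tips but does not block,
# which is the right mode while a pilot group evaluates the sending delay.
$policy = New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Policy tips for credit card numbers in outbound email' `
    -ExchangeLocation All `
    -Mode TestWithNotifications

# The rule: fire on one or more credit card numbers sent outside the tenant,
# show a policy tip, block the message, and let the sender override with a
# business justification (the dialog shown in Figure 5).
$rule = New-DlpComplianceRule -Name $ruleName -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText 'This message appears to contain credit card numbers. Remove them or provide a business justification to send.' `
    -NotifyAllowOverride WithJustification `
    -ReportSeverityLevel High

# Check the result. If BlockAccess is False the tip is informational only and
# no override dialog appears; NotifyAllowOverride controls whether a
# justification is demanded.
Get-DlpComplianceRule -Identity $ruleName |
    Select-Object Name, Disabled, BlockAccess, NotifyUser, NotifyAllowOverride, AccessScope

# When the pilot group is happy with the delay, switch the policy on:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Keep the policy in test mode until the cloud policy wait time has been rolled out to the pilot group; otherwise users who send before the content check completes see the message bounced by the transport service rather than a policy tip.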

When content services detect a policy violation, Outlook displays the policy tip and the dialog to allow the user to override the policy (Figure 5).

Figure 5: Justifying the override for a DLP rule violation

DLP captures DLPRuleUndo audit records when users override a policy to share sensitive documents from SharePoint Online and OneDrive for Business, and the justification the user cites is included in the audit data payload for the record. Equivalent records are not captured when people override a DLP block in Outlook, so the justifications typed into the dialog shown in Figure 5 are not available for later review. I have flagged this issue to Microsoft and await their response.
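One way to confirm the audit gap in your own tenant is to pull the DLPRuleUndo records for a recent period and group them by workload. The script below is an added example, not the article's code: it assumes Connect-ExchangeOnline has been run with an account that can read the unified audit log, and the AuditData property names it reads (Workload, PolicyDetails, ExceptionInfo) follow the DLP audit schema as I understand it and should be checked against a real record before relying on them.

```powershell
# Added example (not from the article): list DLPRuleUndo audit records and the
# override justifications they carry, grouped by workload.
# Assumptions: ExchangeOnlineManagement module installed; the account can read
# the unified audit log; the AuditData property names below (Workload,
# PolicyDetails, ExceptionInfo) are taken from the DLP audit schema and should
# be verified against a real record in your tenant.

Connect-ExchangeOnline -ShowBanner:$false

$start = (Get-Date).AddDays(-7)
$end   = Get-Date

# Search-UnifiedAuditLog returns at most 5000 records per call; ReturnLargeSet
# pages through larger result sets.
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations DLPRuleUndo -ResultSize 5000 -SessionCommand ReturnLargeSet

if (-not $records) {
    Write-Host "No DLPRuleUndo records found between $start and $end"
    return
}

$report = foreach ($record in $records) {
    $data = $record.AuditData | ConvertFrom-Json
    [PSCustomObject]@{
        Timestamp     = $record.CreationDate
        User          = $record.UserIds
        Workload      = $data.Workload                     # Exchange, SharePoint, OneDrive
        Rules         = ($data.PolicyDetails.Rules.RuleName -join '; ')
        Justification = $data.ExceptionInfo.Justification  # assumed property name
        Reason        = $data.ExceptionInfo.Reason         # assumed property name
    }
}

# If the article's observation holds in your tenant, the Exchange count stays
# at zero even after users override blocks in Outlook during the test period.
$report | Group-Object Workload | Select-Object Name, Count

$report | Sort-Object Timestamp -Descending | Format-Table -AutoSize
```

Run this after a pilot user has deliberately overridden a block in Outlook and again after the same user has overridden a block when sharing a document from OneDrive; the second override should produce a record with a justification and the first should not.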

Outlook DLP Policy Tips Good if You Can Handle the Sending Delay

Outlook pop-ups for sensitive data checks close a gap that might otherwise let someone send a message containing sensitive content only to have DLP reject it when it passes through the Exchange transport service. Closing any gap is goodness, as is the additional education people receive when they see that messages are checked. The downside is that users might dislike the delay that all outgoing messages experience while content services process their content, plus the lack of audit records for overrides. If you can live with these issues, pop-up warnings for Outlook might be worth piloting with a small target group before making them live for everyone.


Learn how to exploit the data available to Microsoft 365 tenant administrators through the Office 365 for IT Pros eBook. We love figuring out how things work.
