Protect your Data – Stop losing control over it – E-Mail Service

In the last posts, you saw how to

Now, I will show you a way to block specific classifications from being sent with Exchange/O365 to other organizations. When a document is protected, some properties are added to the file. An exchange rule can detect them and react on them. For example, if the e-mail or an attachment contains a specific Azure Information Protection Label and is sent to a contact outside your organization, then you can block the message.

To get this behavior you must create two mail flow rules in your exchange environment. The first one is to block attachments, which have the specific classification set. The classification is stored in a property called Sensitivity. Your rule should look like that:

The second rule is to block messages, which have a specific classification in their mail header. The classification and many other Azure Information properties are stored in a mail header called msip_labels.

msip_labels: MSIP_Label_40e837e6-3da8-45aa-97d8-ce91cde76b47_Enabled=True;
MSIP_Label_40e837e6-3da8-45aa-97d8-ce91cde76b47_Application=Microsoft Azure
Information Protection;

Because there is much more information in this property, we have to use the match operator. You can just search for the Label Name or you can specify “Sensitivity=Confidential” as the value.

After activating these two rules, your users can no longer send classified documents to other organizations.

After protecting your Data, you would like to see how you can monitor and react to thefts. Stay tuned and follow me on twitter @ThomasKurth_CH to get an update, when the next post of this series is online.


Thomas Kurth
Follow me

Thomas Kurth

Principal Workplace Consultant at baseVISION AG
I work for workplace management and enterprise mobility projects with Microsoft Technologies since seven years. Important for me is to simplify and automate the operational processes, because there are the heighest costs.

Thomas Kurth
Follow me