Data loss prevention policy tip reference for Outlook for Microsoft 365

Note

Microsoft Purview data loss prevention (DLP) will only process the first 4 MB of message content for policy tips in Outlook for Microsoft 365 and only classify up to 2 MB of attachments.

Important

Mailboxes must be hosted in Exchange Online. For more information, see: Learn about data loss prevention.

Licensing

Here are the policy tip support details for various licenses and Outlook versions.

Note

For advanced DLP policy tip support, which makes additional DLP conditions, advanced classifiers, oversharing dialog, and more available, these licenses are required for each scoped user:

  • E5 or equivalent license
  • "Information Protection for Office 365 - Premium" license (MIP_S_CLP2 or efb0351d-3b08-4503-993d-383af8de41e3) must be enabled.

Conditions that support policy tips for Outlook perpetual users

For these Outlook perpetual versions and users:

  • E3 users
  • E5 users

These conditions apply:

  • For email and unencrypted Microsoft 365 files: Content contains built-in/custom sensitive information types
  • Content is shared from Microsoft 365

Conditions that support policy tips for Outlook for Microsoft 365 users

For these Outlook for Microsoft 365 versions and users:

  • All E3 users
  • All offline E5 users
  • All E5 users with connected experience disabled
  • All online E5 users with production version builds lower than 2303 (Build 16.0.16216.10000)
  • All online E5 users with semi-annual channel version builds lower than 2302 (Build 16.0.16130.20478)

These conditions apply:

  • Content contains built-in/custom sensitive information types
  • Content is shared from Microsoft 365

For these Outlook for Microsoft 365 versions and users:

  • All online E5 users with connected experience enabled in WW commercial and GCC/GCC-H/DoD clouds:
    - production version 2303 & Build 16.0.16216.10000 or higher
    - semi-annual channel version 2302 & Build 16.0.16130.20478 or higher

These conditions apply:

  • Content contains built-in/custom sensitive information types (works for email and unencrypted Microsoft 365 and PDF files)
  • Message (includes email subject) contains built-in/custom sensitive information types
  • Attachment contains built-in/custom sensitive information types
  • Content contains sensitivity labels (works for email and Office & PDF file types)
  • Content is shared
  • Sender is
  • Sender is member of (Only Distribution lists, Azure-based Dynamic Distribution groups, and email-enabled Security groups are supported.)
  • Sender domain is
  • Recipient is
  • Recipient is a member of (Only Distribution lists, Azure-based Dynamic Distribution groups, and email-enabled Security groups are supported.)
  • Recipient domain is
  • Subject contains words
  • Content is not labeled
  • Message is not labeled
  • Attachment is not labeled
  • File extension is

Actions that support policy tips

All Exchange actions support policy tips

  • Restrict access or encrypt the content in Microsoft 365 locations
  • Set headers
  • Remove header
  • Redirect the message to specific users
  • Forward the message for approval to sender's manager
  • Forward the message for approval to specific approvers
  • Add recipient to the To box
  • Add recipient to the Cc box
  • Add recipient to the Bcc box
  • Add the sender's manager as recipient
  • Remove O365 Message Encryption and rights protection
  • Prepend Email Subject
  • Add HTML Disclaimer
  • Modify Email Subject
  • Deliver the message to the hosted quarantine

Sensitive information types that support policy tips for Outlook perpetual users

For Outlook perpetual version E3 and E5 users these built-in sensitive information types and custom sensitive information types support policy tips:

Sensitive information types that support policy tips for Outlook for Microsoft 365 users

For these Outlook versions and users

  • All Microsoft 365 for Enterprise E3 users
  • All Microsoft 365 for Enterprise offline E5 users
  • All Microsoft 365 for Enterprise E5 users with connected experience disabled
  • All Microsoft 365 for Enterprise online E5 users with production version lower than 2303 (Build 16.0.16216.10000)
  • All Microsoft 365 for Enterprise online E5 users with semi-annual channel version lower than 2302 (Build 16.0.16130.20478)

These OOB sensitive information types support policy tips along with any custom and advanced sensitive information types

For these Outlook versions and users:

  • Online E5 users with connected experience enabled.
  • Production version 2303 (Build 16.0.16216.10000) or higher.
  • Semi-annual channel version 2302 (Build 16.0.16130.20478) or higher.

These sensitive information types support policy tips:

Exact Data Match sensitive information types that support policy tips for Outlook for Microsoft 365

Yes.

Applies to:

  • Online E5 users with connected experience enabled
  • Production version 2303 (Build 16.0.16216.10000) or higher.
  • Semi-annual channel version 2302 (Build 16.0.16130.20478) or higher.

For more information on exact data match based SITs, see Learn about exact data match based sensitive information types.

Trainable classifiers support for Outlook for Microsoft 365

Yes.

Important

Trainable classifiers are not supported for the following conditions:

  • For new conditions:
    - Message contains
    - Attachment contains
  • For the existing Content contains condition when used in combination with Evaluate rule per component condition. (Preview limitation)

Applies to:

For these Outlook versions and users:

  • Online E5 users with connected experience enabled
  • Production version 2303 (Build 16.0.16216.10000) or higher.
  • Semi-annual channel version 2302 (Build 16.0.16130.20478) or higher.

These trainable classifiers are supported:

For more information on trainable classifiers, see Learn about trainable classifiers.

Sensitivity label support for Outlook for Microsoft 365

Applies to:

  • Online E5 users with connected experience enabled
  • Production version 2303 (Build 16.0.16216.10000) or higher.
  • Semi-annual channel version 2302 (Build 16.0.16130.20478) or higher.

For more information on sensitivity labels, see Learn about sensitivity labels.

Oversharing dialog for Outlook for Microsoft 365

The oversharing dialog is available in DLP for Outlook desktop for E5 users. It isn't supported in other Outlook clients. When enabled in a DLP rule, this feature displays popups for warning, override, or block actions to end users who are sharing labeled or sensitive emails in Outlook desktop. For more information about the legacy AIP add-in, see the admin guide for the AIP client.

There are multiple types of oversharing dialogs that can be presented to your users.

Default Oversharing Dialog

Applies to:

  • Online E5 users with connected experience enabled
  • Production version 2303 (Build 16.0.16216.10000) or higher.
  • Semi-annual channel version 2308 (Build 16.0.16731.20716) or higher.

This dialog uses the exact same text as the policy tip (default or custom) and when applicable, a noncustomizable set of justification options to override the policy.

Customized Oversharing Dialog

Applies to:

  • Online E5 users with connected experience enabled
  • Production version 2404 (Build 16.0.17531.20000) or higher.
  • Semi-annual channel version 2408 (Build TBD) or higher.

You can choose to tailor your oversharing dialog with a customized title, body, and dynamic variables like %%MatchedRecipientsList%%, and justification options.

For a customized dialog, create a JSON file like the one below and ensure the following:

  • The file is UTF-8 encoded.
  • The content is plain text.
  • No comments are included.

{
    "LocalizationData": [
        {
            "Language": "en-us",
            "Title": "WARNING: A Sensitivity Label Not for External Use was Detected.",
            "Body": "The following classification(s) have been detected on this email or its attachments. <LineBreak /><LineBreak /><Bold>%%MatchedLabelName%%</Bold><LineBreak /><LineBreak />The email cannot be sent until either the following issues are corrected or a justification is provided. <LineBreak /><LineBreak />Attachment(s) needing attention (if applicable): <LineBreak />%%MatchedAttachmentName%% <LineBreak /><LineBreak />List of external recipients: <LineBreak />%%MatchedRecipientsList%% <LineBreak /><LineBreak />",
            "Options": [
                "The recipients have signed an NDA",
                "Manager has approved this email",
                "Organization required this content to be shared"
            ]
        },
        {
            "Language": "es-es",
            "Title": "ADVERTENCIA: Etiqueta de sensibilidad no para uso externo detectada.",
            "Body": "Se ha detectado la(s) siguiente(s) clasificación(es) en este correo electrónico o sus archivos adjuntos. <LineBreak /><LineBreak /><Bold>%%MatchedLabelName%%</Bold><LineBreak /><LineBreak />El correo electrónico no se puede enviar hasta que se corrijan los siguientes problemas o se proporcione una justificación. <LineBreak /><LineBreak />Archivos adjuntos que necesitan atención (si corresponde): <LineBreak />%%MatchedAttachmentName%% <LineBreak /><LineBreak />Lista de destinatarios externos: <LineBreak />%%MatchedRecipientsList%% <LineBreak /><LineBreak />",
            "Options": [
                "Los destinatarios han firmado un NDA",
                "El gerente ha aprobado este correo electrónico",
                "La organización requirió que se compartiera este contenido"
            ]
        }
    ],
    "DefaultLanguage": "en-us"
}

The above JSON content can be uploaded to a DLP rule using either of the following options:

UX instructions

Screenshot of where in the user interface to select the option for uploading a custom JSON file.

PowerShell
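# Read the UTF-8 JSON file as a single string.
$content = Get-Content "path to the JSON file" -Encoding utf8 | Out-String
# New-DlpComplianceRule creates the rule; to update an existing rule, use Set-DlpComplianceRule -Identity <Rule_name> with the same two Notify parameters.
New-DlpComplianceRule -Name <Rule_name> -Policy <Policy_name> -NotifyPolicyTipCustomDialog $content -NotifyPolicyTipDisplayOption Dialog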

When you run the cmdlet, validation checks are run on the content. The validation checks cover the JSON character limit, formatting, and the mandatory presence of one default language. The administrator is notified of any errors so that they can be corrected.

Features and limitations of the dialog

The dialog title, body, and override justification options can be customized using the JSON file. You can apply bold, underline, italic formatting, and line breaks. There can be up to three justification options plus an option for free-text input.

The text for Acknowledgement and False positive overrides isn't customizable.

Here's the required structure of the JSON files. You use this to customize the dialog for matched rules. The keys are all case sensitive. Formatting and dynamic tokens for matched conditions can only be used in the Body key.

| Keys | Mandatory? | Rules/Notes |
| --- | --- | --- |
| {} | Y | Container |
| LocalizationData | Y | Array that contains all the language options. |
| Language | Y | Specify language code, limited to 10 languages. |
| Title | Y | Specify the title for the dialog. Limited to 75 characters. |
| Body | Y | Specify the body for the dialog. Limited to 800 characters. Dynamic tokens for matched conditions can be added in the body. |
| Options | N | Up to three options can be included (Limited to 100 characters each). One more can be added by setting HasFreeTextOption = true. |
| HasFreeTextOption | N | This can be set to true or false. True will display a text box as a last option in the dialog. |
| DefaultLanguage | Y | One of the languages must be defined as DefaultLanguage within the LocalizationData key. |

Dynamic tokens and text formatting in custom Oversharing dialog

| Placeholder | Explanation |
| --- | --- |
| %%MatchedRecipientsList%% | Display the matched recipients for a given DLP rule for these conditions: Recipient is; Recipient domain is; Recipient is a member of; Content is shared from Microsoft 365 |
| %%MatchedLabelName%% | Display the matched labels for a given DLP rule for this condition: Content contains sensitivity label |
| %%MatchedAttachmentName%% | Display the matched attachments for a given DLP rule for these conditions: Content contains sensitive information; Content contains sensitivity label; Attachment is not labeled; File extension is |
| <Bold>lorem ipsum</Bold> | Bold format |
| <Italic>lorem ipsum</Italic> | Italic format |
| <Underline>lorem ipsum</Underline> | Underline |
| <Linebreak /> or <br> | Introduce a line break |
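
The limits and token rules in the two tables above can be checked locally before the JSON is passed to -NotifyPolicyTipCustomDialog. This is an added example, not Microsoft's own validation logic: the function name Test-OversharingDialogJson and the sample JSON are constructed here, and it assumes the character limits are counted on the raw string, markup and tokens included.

```powershell
# Added example, not Microsoft's validator: local pre-check against the table limits.
# Assumption: limits are counted on the raw string, markup and tokens included.
function Test-OversharingDialogJson {   # hypothetical name
    param([Parameter(Mandatory)][string]$Json)
    $errs = [System.Collections.Generic.List[string]]::new()
    try { $doc = $Json | ConvertFrom-Json -ErrorAction Stop }
    catch { $errs.Add("Not valid JSON: $($_.Exception.Message)"); return $errs }

    # Keys are case sensitive, so compare property names with -cnotcontains.
    foreach ($k in 'LocalizationData', 'DefaultLanguage') {
        if (@($doc.PSObject.Properties.Name) -cnotcontains $k) { $errs.Add("Missing key '$k'") }
    }
    $entries = @($doc.LocalizationData | Where-Object { $_ })
    if ($entries.Count -lt 1 -or $entries.Count -gt 10) { $errs.Add('Need 1 to 10 languages') }
    if (@($entries.Language) -notcontains $doc.DefaultLanguage) { $errs.Add('DefaultLanguage is not one of the defined languages') }

    $known  = '%%MatchedRecipientsList%%', '%%MatchedLabelName%%', '%%MatchedAttachmentName%%'
    $markup = '%%\w+%%|</?(Bold|Italic|Underline)>|<LineBreak\s*/>|<br>'   # -match ignores case
    foreach ($e in $entries) {
        $id = "[$($e.Language)]"
        foreach ($k in 'Language', 'Title', 'Body') {
            if (@($e.PSObject.Properties.Name) -cnotcontains $k) { $errs.Add("$id missing key '$k'") }
        }
        $title = "$($e.Title)"; $body = "$($e.Body)"
        $opts  = @($e.Options | Where-Object { $null -ne $_ })
        if ($title.Length -gt 75) { $errs.Add("$id Title is $($title.Length) chars (max 75)") }
        if ($body.Length -gt 800) { $errs.Add("$id Body is $($body.Length) chars (max 800)") }
        if ($opts.Count -gt 3)    { $errs.Add("$id has $($opts.Count) Options (max 3)") }
        # Formatting and dynamic tokens are only allowed in Body.
        foreach ($o in $opts) {
            if ("$o".Length -gt 100) { $errs.Add("$id option over 100 chars: '$o'") }
            if ("$o" -match $markup) { $errs.Add("$id markup or token in an option: '$o'") }
        }
        if ($title -match $markup) { $errs.Add("$id markup or token in Title") }
        foreach ($m in [regex]::Matches($body, '%%\w+%%')) {
            if ($m.Value -cnotin $known) { $errs.Add("$id unknown token $($m.Value) in Body") }
        }
    }
    return $errs
}
# Constructed sample with deliberate defects: token in Title, four Options, misspelled token, undefined default.
$sample = @'
{ "LocalizationData": [ { "Language": "en-us",
    "Title": "Blocked for %%MatchedRecipientsList%%",
    "Body": "<Bold>%%MatchedLabelNames%%</Bold> was detected.",
    "Options": ["NDA signed", "Manager approved", "Required by org", "Other"] } ],
  "DefaultLanguage": "fr-fr" }
'@
Test-OversharingDialogJson -Json $sample | ForEach-Object { Write-Warning $_ }
```

Wrap the call in @() when testing for an empty result, because PowerShell unrolls the returned list.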

Wait on Send dialog support for Oversharing for Outlook for Microsoft 365

After you've configured the Oversharing dialog, you can optionally enable the Wait on send dialog feature using the dlpwaitonsendtimeout Registry key (DWORD value). Do this on all devices where you want to ensure sensitive emails are evaluated according to your DLP policies before they're sent. This registry key defines the maximum amount of time to hold an email when the user selects Send. It allows DLP policy evaluation to complete for labeled or sensitive content. The Wait on send dialog is noncustomizable.

Screenshot of the Wait on send dialog box.

Applies to:

  • Online E5 users with connected experience enabled
  • Production version 2303 (Build 16.0.16216.10000) or higher.
  • Semi-annual channel version 2302 (Build 16.0.16130.20478) or higher.

Configure Wait on send

To configure Wait on send, see Steps to configure Wait on send.