Configuring Exchange Online mail flow rules for Azure Information Protection labels
Applies to: Azure Information Protection, Office 365
Relevant for: Azure Information Protection classic client for Windows. For the unified labeling client, see Learn about sensitivity labels and DLP labels from the Microsoft 365 documentation.
Note
To provide a unified and streamlined customer experience, we are sunsetting the Azure Information Protection classic client and Label Management in the Azure Portal as of March 31, 2021. No further support is provided for the classic client, and maintenance versions will no longer be released.
- The classic client will be fully retired, and will stop functioning, on March 31, 2022.
- As of March 18, 2022, we are also sunsetting the AIP audit log and analytics, with a full retirement date of September 31, 2022.
The content in this article is provided to support customers with extended support only. For more information, see Removed and retired services.
Use the following information to help you configure mail flow rules in Exchange Online to use Azure Information Protection labels, and to apply additional protection for specific scenarios. For example:
- Your default label is General, which does not apply protection. For emails with this label that are sent externally, apply the additional Do Not Forward protection action.
- If an attachment with a Confidential \ Partners label is emailed to people outside the organization and the email is not protected, apply the additional encrypt-only protection action.
Mail flow rules that apply protection as an action are ignored if the email is already protected. For example, an email message that has been protected by Do Not Forward cannot be changed by an Exchange mail flow rule to use the encrypt-only option.
You can extend these examples as well as modify them. For example, add more conditions. For more information about configuring mail flow rules, see Mail flow rules (transport rules) in Exchange Online from the Exchange Online documentation.
For more information about configuring mail flow rules to encrypt email messages, see Define mail flow rules to encrypt email messages in Microsoft 365 from the Office documentation.
Prerequisite: Know your label GUID
Because an Azure Information Protection label is stored in metadata, mail flow rules in Exchange Online can read this information for messages and Office document attachments. Mail flow rules do not support inspecting the metadata for PDF documents.
Before you configure mail flow rules to identify messages and documents that are labeled, make sure that you know the GUID of the Azure Information Protection label that you want to use.
For more information about the metadata stored by a label and how to identify label GUIDs, see Label information stored in emails and documents.
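The condition word used in the examples below is built from the label GUID, so it helps to read that GUID straight off a test message before writing a rule. The following PowerShell is an added example and not part of the original article: it parses the value of the msip_labels header that a labeled email carries and returns every label GUID whose _Enabled flag is True. The sample header is constructed for illustration (its property names and values are placeholders, and the GUID is the one the article uses).

```powershell
# Added example (not from the article): extract label GUIDs from an msip_labels
# header value so the matching mail flow rule condition can be built from them.
function Get-MsipLabelGuid {
    param([Parameter(Mandatory)][string]$HeaderValue)

    $result = @()
    # The header value is a ';'-separated list of MSIP_Label_<GUID>_<Property>=<value> pairs.
    foreach ($pair in ($HeaderValue -split ';')) {
        $pair = $pair.Trim()
        # -match is case-insensitive in PowerShell, so 'true' and 'True' both match.
        if ($pair -match '^MSIP_Label_([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})_Enabled=True$') {
            $guid = $Matches[1]
            $result += [pscustomobject]@{
                Guid          = $guid
                # The exact text to enter as the "includes any of these words" condition.
                ConditionWord = "MSIP_Label_${guid}_Enabled=True"
            }
        }
    }
    return $result
}

# Constructed sample header (placeholder values, not real tenant data).
$sampleHeader = 'MSIP_Label_0e421e6d-ea17-4fdb-8f01-93a3e71333b8_Enabled=True; ' +
                'MSIP_Label_0e421e6d-ea17-4fdb-8f01-93a3e71333b8_Name=General; ' +
                'MSIP_Label_0e421e6d-ea17-4fdb-8f01-93a3e71333b8_Method=Standard'

Get-MsipLabelGuid -HeaderValue $sampleHeader | Format-Table -AutoSize
```

To use it on a real message, send yourself a labeled test email, open its Internet headers (for example from the message properties in Outlook), copy the msip_labels value, and pass it to the function; the ConditionWord column is the string to enter in the mail flow rule. Remember that this header is only present on emails and Office attachments, not PDFs, which mail flow rules cannot inspect.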
Example configurations
For the following examples, create a new mail flow rule by using the following steps:
1. In a web browser, using a work or school account that has been granted global administrator permissions, sign in to Microsoft 365.
2. Choose the Admin tile.
3. In the Microsoft 365 admin center, choose Admin centers > Exchange.
4. In the Exchange admin center: mail flow > rules > + > Create a new rule.
Tip
If you have problems with the user interface when you configure your rules, try a different browser, such as Internet Explorer.
The examples have a single condition that applies protection when an email is sent outside the organization. For more information about other conditions that you can select, see Mail flow rule conditions and exceptions (predicates) in Exchange Online.
Example 1: Rule that applies the Do Not Forward option to emails that are labeled General when they are sent outside the organization
In this example, the General label has a GUID of 0e421e6d-ea17-4fdb-8f01-93a3e71333b8. Substitute your own label or sublabel GUID that you want to use with this rule.
In the Azure Information Protection policy, this label has been configured as the default label to classify emails as General and the label does not apply protection.
1. In Name, type a name for the rule, such as Apply Do Not Forward for General emails sent externally.
2. For Apply this rule if: Select The recipient is located, select Outside the organization, and then select OK.
3. Select More options, and then select add condition.
4. For and: Select A message header, and then select includes any of these words:
   a. Select Enter text, and enter msip_labels
   b. Select Enter words, and enter MSIP_Label_0e421e6d-ea17-4fdb-8f01-93a3e71333b8_Enabled=True
   c. Select +, and then select OK.
5. For Do the following: Select Modify the message security > Apply Office 365 Message Encryption and rights protection > Do Not Forward, and then select OK.
   Your rule configuration should now look similar to the following:
6. Select Save.
For more information about the Do Not Forward option, see Do Not Forward option for emails.
Example 2: Rule that applies the encrypt-only option to emails when they have attachments that are labeled Confidential \ Partners and these emails are sent outside the organization
In this example, the Confidential \ Partners sublabel has a GUID of 0e421e6d-ea17-4fdb-8f01-93a3e71333b8. Substitute your own label or sublabel GUID that you want to use with this rule.
This label is used to classify and protect documents that you use for partner collaboration.
1. In Name, type a name for the rule, such as Apply Encrypt to emails sent externally if protected attachments.
2. For Apply this rule if: Select The recipient is located, select Outside the organization, and then select OK.
3. Select More options, and then select add condition.
4. For and: Select Any attachment, and then select has these properties, including any of these words:
   a. Select + > Specify a custom attachment property.
   b. For Property, enter MSIP_Label_0e421e6d-ea17-4fdb-8f01-93a3e71333b8_Enabled
   c. For Value, enter True
   d. Select Save, and then select OK.
5. For Do the following: Select Modify the message security > Apply Office 365 Message Encryption and rights protection > Encrypt, and then select OK.
   Your rule configuration should now look similar to the following:
6. Select Save.
For more information about the Encrypt option, see encrypt-only option for emails.
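Both examples above can also be created from Exchange Online PowerShell, which is easier to review and to reproduce across tenants than the admin center UI. The following script is an added example and not code from the article or from Microsoft: it creates the Example 1 rule (message header condition, Do Not Forward action) and the Example 2 rule (attachment custom property condition, Encrypt action) with New-TransportRule, then reads the rules back. It assumes the ExchangeOnlineManagement module is installed and the signed-in account holds an Exchange administrator role; the GUID is the placeholder from the article and must be replaced with your own label GUID. The rules are created in audit mode, which is an assumption about how you want to roll them out, so that you can confirm matches in message trace before switching them to Enforce.

```powershell
# Added example (not from the article): Example 1 and Example 2 as Exchange Online
# PowerShell. Replace the GUID with your own label or sublabel GUID.
$LabelGuid = '0e421e6d-ea17-4fdb-8f01-93a3e71333b8'

# Requires the ExchangeOnlineManagement module (Install-Module ExchangeOnlineManagement).
Connect-ExchangeOnline

# Confirm the rights-protection templates the rules reference exist in this tenant;
# the template names must match what Get-RMSTemplate returns.
Get-RMSTemplate | Where-Object { $_.Name -in @('Do Not Forward', 'Encrypt') } | Select-Object Name

# Example 1: emails labeled General (msip_labels header) sent outside the organization
# get Do Not Forward. Already-protected messages are left unchanged by this action.
New-TransportRule -Name 'Apply Do Not Forward for General emails sent externally' `
    -SentToScope NotInOrganization `
    -HeaderContainsMessageHeader 'msip_labels' `
    -HeaderContainsWords "MSIP_Label_${LabelGuid}_Enabled=True" `
    -ApplyRightsProtectionTemplate 'Do Not Forward' `
    -Mode Audit

# Example 2: emails sent outside the organization whose Office attachment carries the
# Confidential \ Partners label property get the encrypt-only option.
# AttachmentPropertyContainsWords takes "Property:Value" pairs.
New-TransportRule -Name 'Apply Encrypt to emails sent externally if protected attachments' `
    -SentToScope NotInOrganization `
    -AttachmentPropertyContainsWords "MSIP_Label_${LabelGuid}_Enabled:True" `
    -ApplyRightsProtectionTemplate 'Encrypt' `
    -Mode Audit

# Read the rules back and check that conditions and actions were stored as intended.
Get-TransportRule -Identity 'Apply Do Not Forward for General emails sent externally' |
    Format-List Name, State, Mode, SentToScope, HeaderContainsMessageHeader, HeaderContainsWords, ApplyRightsProtectionTemplate

Get-TransportRule -Identity 'Apply Encrypt to emails sent externally if protected attachments' |
    Format-List Name, State, Mode, SentToScope, AttachmentPropertyContainsWords, ApplyRightsProtectionTemplate
```

After confirming in message trace that the audited rules match the intended messages (and only those), change them to enforcement with Set-TransportRule -Identity '<rule name>' -Mode Enforce. Keep in mind the caveat from earlier in the article: a message that is already protected, for example by Do Not Forward applied by the sender, is not changed by either rule's action.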
Next steps
For information about creating and configuring the labels to use with Exchange Online mail flow rules, see Configuring Azure Information Protection policy.
In addition, to help classify email messages that contain attachments, consider using the following Azure Information Protection policy setting: For email messages with attachments, apply a label that matches the highest classification of those attachments.