Define Default Label for Outlook and Remove Need for Mandatory Labeling
Those reading message center notification MC249779 (April 9) might wonder what Outlook support for the DisableMandatoryInOutlook and OutlookDefaultLabel settings means and whether the change is important. What's happening is a gradual transfer of functionality from the Azure Information Protection (AIP) unified labeling client to native support in the Office applications. The change is important if you want to apply mandatory labeling for documents and messages.
Sensitivity Labels and Policy Settings
In the past, organizations using AIP labels to protect sensitive documents needed to deploy the AIP client to make the functionality to encrypt and decrypt files available to Office apps. Over time, AIP became Microsoft Information Protection, AIP labels are sensitivity labels, and the AIP client is the unified labeling client. You still need the unified labeling client to apply labels to files stored outside SharePoint Online and OneDrive for Business, and the client also controls some advanced functionality like revocation and tracking of protected documents.
Over the past two years, the Office apps (on all platforms) have incorporated native support for information protection, removing the need to install an extra client. This is an important step because the AIP client supports only Windows. Office supports the basics of information protection, like assigning sensitivity labels with encryption to documents and interpreting the permissions assigned to users through labels. Figure 1 shows how Outlook for Windows applies a sensitivity label before sending a message.
The latest update marks the transition of some of the advanced functionality from the unified labeling client to Office, starting with two Outlook settings.
- DisableMandatoryInOutlook: If the sensitivity label policy dictates that applying a label is mandatory, this setting allows Outlook to avoid the need to assign labels to new messages. Set to False if Outlook should apply mandatory labeling, or True to disable mandatory labeling.
- OutlookDefaultLabel: If the sensitivity policy dictates mandatory labeling, this setting allows Outlook clients to use a different default label to the one applied to documents (as defined in the DefaultLabelId policy setting). The setting contains the GUID (label identifier) for the default label used by Outlook. Note that if a default label is defined for Outlook and mandatory labeling is required (even if disabled for Outlook), Outlook applies its label to all new messages.
MC249779 says that roll-out begins in mid-April, and while OWA and Outlook for iOS have worked for a while, I didn’t see the new policy settings work with Outlook for Windows until the arrival of version 2105 (build 14206.20052) on May 4. Apparently, the new policy settings work with Outlook for Windows (build 14008.10000 and later), OWA, iOS (4.2111+), Android (4.2111+), and Mac (16.43.1108+).
These settings are part of the sensitivity label policy assigned to user accounts. You do not need to define values for the settings. Outlook uses the default document settings in the policy if specific settings for Outlook are not present.
Licensing
Microsoft considers the default application of a sensitivity label to a message or document to be an automatic operation. As such, it is covered by the licensing requirement for automatic labeling.
Updating Sensitivity Label Policies with PowerShell
To access the cmdlets to work with sensitivity labels, connect to the compliance endpoint. This is done by connecting to the Exchange Online management module and then running the Connect-IPPSSession cmdlet to connect to the compliance endpoint. For example:
Connect-ExchangeOnline
Connect-IPPSSession
Once connected to the compliance endpoint, you can use the Get-LabelPolicy cmdlet to examine the settings in a compliance policy. For instance, here are the settings for a policy in my tenant:
Get-LabelPolicy -Identity "General Sensitivity Policy" | Select -ExpandProperty Settings

[requiredowngradejustification, true]
[mandatory, true]
[outlookdefaultlabel, 2fe7f66d-096a-469e-835f-595532b63560]
[siteandgroupmandatory, false]
[enablecontainersupport, True]
[disablemandatoryinoutlook, True]
[defaultlabelid, 27451a5b-5823-4853-bcd4-2204d03ab477]
You can see that mandatory labeling for Outlook is disabled (disablemandatoryinoutlook = True), but a default label is defined for Outlook (outlookdefaultlabel). We can also see that this policy makes labeling mandatory for documents (mandatory = true) and the GUID for the default document label (defaultlabelid). Running the Get-Label cmdlet against the Outlook default label GUID reveals the label name:
(Get-Label -Identity 2fe7f66d-096a-469e-835f-595532b63560).DisplayName

Public
Mandatory labeling for documents is already configurable in the Compliance Center GUI. The changes forecast by Microsoft will introduce the ability to configure a different mandatory label for Outlook and to disable mandatory labeling for Outlook if it is configured for documents. For now, you need to update the Outlook settings in label policies with PowerShell because Microsoft has not yet updated the Compliance Center GUI.
To make labeling mandatory for Outlook, we run the Set-LabelPolicy cmdlet to update the settings.
Set-LabelPolicy -Identity "General Sensitivity Policy" -AdvancedSettings @{DisableMandatoryInOutlook="False"}
To set a default label for Outlook, use the Get-Label cmdlet to find the GUID for the label you’d like to use:
Get-Label | Format-Table DisplayName, ImmutableId
Then write the GUID for the chosen label into the policy:
Set-LabelPolicy -Identity "General Sensitivity Policy" -AdvancedSettings @{OutlookDefaultLabel="2fe7f66d-096a-469e-835f-595532b63560"}
Neither PowerShell nor the compliance endpoint validates the name of the advanced setting you update. If you misspell a setting name, it will be written into the label policy. If you pass an incorrect value, it will end up in the policy too. Always double-check values before updating a policy.
It can take several hours before clients pick up a policy update and the chosen values are effective.
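A pre-flight check for the point above about unvalidated settings, as an added example that is not code from the original article. Test-OutlookLabelSetting is a hypothetical helper name, the sample input is constructed, and the check covers only the two Outlook settings this article describes:

```powershell
# Added example: validate Outlook advanced settings before writing them to a label policy.
function Test-OutlookLabelSetting {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][hashtable]$AdvancedSettings,
        # GUIDs of existing labels, e.g. (Get-Label).ImmutableId
        [Parameter(Mandatory)][string[]]$KnownLabelIds
    )
    $problems = @()
    foreach ($key in $AdvancedSettings.Keys) {
        $value = [string]$AdvancedSettings[$key]
        # Stray whitespace is stored as-is because nothing validates the value
        if ($value -ne $value.Trim()) {
            $problems += "${key}: value has leading or trailing whitespace"
        }
        switch ($key) {
            'DisableMandatoryInOutlook' {
                if ($value.Trim() -notin 'True', 'False') {
                    $problems += "${key}: expected True or False, got '$value'"
                }
            }
            'OutlookDefaultLabel' {
                $guid = [guid]::Empty
                if (-not [guid]::TryParse($value.Trim(), [ref]$guid)) {
                    $problems += "${key}: '$value' is not a GUID"
                } elseif ($guid.ToString() -notin $KnownLabelIds) {
                    $problems += "${key}: no label found with id $guid"
                }
            }
            default { $problems += "${key}: not one of the two Outlook settings (misspelled?)" }
        }
    }
    return , $problems
}

# Constructed sample: a misspelled setting name and a GUID with a stray leading space.
$labels   = '2fe7f66d-096a-469e-835f-595532b63560', '27451a5b-5823-4853-bcd4-2204d03ab477'
$settings = @{ DisableMandatoryOutlook = 'False'
               OutlookDefaultLabel     = ' 2fe7f66d-096a-469e-835f-595532b63560' }

$problems = Test-OutlookLabelSetting -AdvancedSettings $settings -KnownLabelIds $labels
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }   # nothing is written
else { Set-LabelPolicy -Identity 'General Sensitivity Policy' -AdvancedSettings $settings }
```

In a tenant session, pass (Get-Label).ImmutableId as -KnownLabelIds so the default label is checked against the labels that actually exist.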
When Multiple Policies are Assigned to an Account
You can assign multiple sensitivity label policies to an account. If you do, the account has access to the combined set of sensitivity labels from all assigned policies. The policy settings which apply are determined by the order the policies are listed in the compliance center, with the lowest priority policy shown at the top and the highest at the bottom. In the set of policies shown in Figure 2, the General sensitivity policy has the highest priority.
It’s an odd priority order, but it’s consistent with the way that priority order for sensitivity labels works.
Knowing What Labels are Used
If your tenant has the appropriate licenses (think Office 365 E5), you can see details of the labels applied by user activity, including automatic application, using the Activity Explorer in the Compliance Center (Figure 3).
Office 365 E3 tenants can check the audit log for events such as MipLabel (logged when Outlook applies a sensitivity label) and SensitivityLabelApplied (an Office app like Word labels a document). An interesting edge case is when someone sends a message using one of the two Office 365 message encryption (OME) templates (Encrypt Only and Do Not Forward). In these instances, Outlook applies the label defined for documents rather than messages, probably because the message is already protected.
Analyzing audit records is not as convenient as viewing the information through the Activity Explorer, but the presence of audit events makes it feasible to understand who applies sensitivity labels and where they apply the labels. If you’ve gone to the trouble of creating a label policy which requires mandatory labeling, it’s nice to know that it’s being used.
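One way to turn those audit events into a per-user view, as an added example that is not code from the original article. Get-LabelUsageSummary is a hypothetical helper, the sample records are constructed, and it relies only on the CreationDate, UserIds and Operations properties that Search-UnifiedAuditLog returns:

```powershell
# Added example: summarize who applies sensitivity labels, per user and per event type.
function Get-LabelUsageSummary {
    param([Parameter(Mandatory)][object[]]$Records)
    $Records |
        Where-Object { $_.Operations -in 'MipLabel', 'SensitivityLabelApplied' } |
        Group-Object -Property UserIds |
        ForEach-Object {
            $latest = $_.Group | Sort-Object CreationDate | Select-Object -Last 1
            [pscustomobject]@{
                User      = $_.Name
                # MipLabel: Outlook labeled a message
                Messages  = @($_.Group | Where-Object Operations -eq 'MipLabel').Count
                # SensitivityLabelApplied: an Office app labeled a document
                Documents = @($_.Group | Where-Object Operations -eq 'SensitivityLabelApplied').Count
                LastSeen  = $latest.CreationDate
            }
        } |
        Sort-Object User
}

# Constructed sample records shaped like Search-UnifiedAuditLog output.
$sample = @(
    [pscustomobject]@{ CreationDate = [datetime]'2021-05-04T09:10:00'; UserIds = 'user1@contoso.example'; Operations = 'MipLabel' }
    [pscustomobject]@{ CreationDate = [datetime]'2021-05-04T11:42:00'; UserIds = 'user1@contoso.example'; Operations = 'SensitivityLabelApplied' }
    [pscustomobject]@{ CreationDate = [datetime]'2021-05-05T08:03:00'; UserIds = 'user1@contoso.example'; Operations = 'MipLabel' }
    [pscustomobject]@{ CreationDate = [datetime]'2021-05-05T14:27:00'; UserIds = 'user2@contoso.example'; Operations = 'SensitivityLabelApplied' }
    [pscustomobject]@{ CreationDate = [datetime]'2021-05-05T15:00:00'; UserIds = 'user2@contoso.example'; Operations = 'FileAccessed' }
)
Get-LabelUsageSummary -Records $sample | Format-Table -AutoSize

# Against a tenant (Exchange Online session, audit log search permission assumed):
# $records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
#     -Operations MipLabel, SensitivityLabelApplied -ResultSize 5000
# Get-LabelUsageSummary -Records $records
```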
Hi,
I have been facing an issue. I have a CRM environment where I create tasks that I am tracking to Outlook, but I am seeing the HTML tags with the actual text in Outlook as well as in the Task application.
I have checked the settings in Outlook and it's as per the MS documentation. Is there any advanced setting that will help me on this RTE? Checked the CRM environment for the RTE but it's not working. Could you please help me on this?
thanks,
Sorry. I don’t have access to your tenant and therefore cannot assist.
Hi,
Testing the possibility to do exceptions for groups of users, I found out if the policy scope is set to “All” the “set-labelpolicy -removeexchangelocation ” command doesn't remove the desired users or groups. Do you know of a way to do exceptions?
I have users with too many labels showing in Outlook. I want to reduce the number of labels based on groups and policies. Any suggestion?
Set-LabelPolicy -AddExchangeLocationException is the way to add exceptions for Exchange mailboxes (with PowerShell). See https://learn.microsoft.com/en-us/powershell/module/exchange/set-labelpolicy?view=exchange-ps
Maybe using administrative units to control who gets certain labels would work better for you?
We are running Outlook 365 on desktops. Sensitivity button is greyed out in Outlook no matter what we do but works fine in the web version and mobile.
Very helpful to understand. Is there a way to control when the pop-up for required sensitivity labels pops up (other than setting a default)? At the moment, the pop-up appears when you first create the document. We would like the pop-up to check/display upon saving. Note: We require labels for all documents and have E5 AIP automatic search conditions and trainable classifiers enabled for some of our labels, but not all.
fyi, I am referring to the online experience vs desktop.
I don’t believe that you can affect the way the online apps run in respect of the label pop-up. But you could ask the Microsoft Information Protection team on their Yammer network: https://www.yammer.com/askipteam#/home
Hi Tony,
Can we apply a specific (mandatory) sensitivity label in Outlook for internal users which should not change due to keywords, and for external users the mandatory label should change automatically as per the identified keywords?
Please let me know if it's achievable.
Thanks
Pawan
The way to do this is with an Exchange transport (mail flow) rule. The default setting in a policy is a one-size fits-all solution.
I’m looking to disable these timewasting popups as they’re only causing daily frustration. None of these commands seem to work in my PowerShell. Any suggestions?
Any insight into troubleshooting sensitivity label issues?
Specifically having to constantly reset labels on docs that had labels already set.
For some users, not all? Wasn't sure if a way to reset or repair (Office or other) to get labels working properly (set once per doc, not over and over).
I’d file a support incident with Microsoft to have them check this out. Sensitivity labels assigned to items are stored in their metadata and shouldn’t need to be reset.
Hi,
My organization has Office 365 and client desktops have Office 2016 version enabled with AIP. We were drafting and sending emails, say 4000 – 6000 emails, and it is hard to set sensitivity labels for all emails. We are creating all the emails using VBA and sending using VBA. We are getting a popup to set the sensitivity label for each email, and it is hard to do this for bulk emails. Is there a solution for this? We are using a mouse clicker to click allow when it prompts to send bulk emails, but for the AIP sensitivity label, after the email goes to the outbox, it prompts for a sensitivity label to set with a popup, and it is hard to select using any clicker. Also, I have tried using a VBA program to select the label but it does not work. Any workaround for this case?
Is this for Exchange Online? If so, Microsoft doesn’t support using Exchange Online to send bulk email. Also, the feature I reported is for sensitivity labels, not the older AIP labels, and it depends on Outlook detecting the default, not VBA.
In your PowerShell sample in the article you have DisableMandatoryOutlook as the setting name rather than DisableMandatoryInOutlook. Anyone who does a copy/edit/paste from the article like I did will use the wrong value.
Thanks Alan… Looks like a cut and paste error on my part that shouldn’t have made its way through. Fixed now.
This is really interesting and helpful. Wondering if you have any guidance on creating separate rules for Outlook compared to for Word? Only wanting labels to physically show in the body of Outlook and not within Word. Thanks
My Outlook client sensitivity does not appear, but on the web version the sensitivity is working fine.
The Outlook client is running Office 365, newly installed. What should I do?
It takes a little time for Outlook to download the sensitivity labels and make them available in the UI. If this process is lasting more than a few days, I would ask Microsoft support for some help as they can check your environment (I obviously cannot).
Dear Tony,
Please, do you have a guide to do this on Outlook for Desktop? I have been able to do it on Office365 but need to do the same on the Desktop client.
Outlook (click to run – the Microsoft 365 apps for enterprise version) supports sensitivity labels. What version are you trying to use?
Hi Tony,
Thank you for your article.
I’d like to ask if you have any Microsoft official document (or what is your source of this point) where they confirm that the default application of a sensitivity label should be considered as an automatic operation and therefore it needs higher license plan? I found similar for the Retention labels in the MS documentation but not for the Sensitivity labels.
Best Regards.
Martin Trneny
https://docs.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#information-protection
Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance, Microsoft 365 E5/A5/G5 Information Protection and Governance, Office 365 E5, Enterprise Mobility + Security E5/A5/G5, and AIP Plan 2 provide the rights for a user to benefit from automatic sensitivity labeling.
Any automatic (non user) application requires a higher license.