Define Default Label for Outlook and Remove Need for Mandatory Labeling

Those reading message center notification MC249779 (April 9) might wonder what Outlook support for the DisableMandatoryInOutlook and OutlookDefaultLabel settings means and whether the change is important. What's happening is a gradual transfer of functionality from the Azure Information Protection (AIP) unified labeling client to native support in the Office applications. The change is important if you want to apply mandatory labeling for documents and messages.

Sensitivity Labels and Policy Settings

In the past, organizations using AIP labels to protect sensitive documents needed to deploy the AIP client to make the functionality to encrypt and decrypt files available to Office apps. Over time, AIP became Microsoft Information Protection, AIP labels are sensitivity labels, and the AIP client is the unified labeling client. You still need the unified labeling client to apply labels to files stored outside SharePoint Online and OneDrive for Business, and the client also controls some advanced functionality like revocation and tracking of protected documents.

Over the past two years, the Office apps (on all platforms) have incorporated native support for information protection, removing the need to install an extra client. This is an important step because the AIP client supports only Windows. Office supports the basics of information protection, like assigning sensitivity labels with encryption to documents and interpreting the permissions assigned to users through labels. Figure 1 shows how Outlook for Windows applies a sensitivity label before sending a message.

Figure 1: Outlook requires a message have a sensitivity label before it can be sent

The latest update marks the transition of some of the advanced functionality from the unified labeling client to Office, starting with two Outlook settings.

  • DisableMandatoryInOutlook: If the sensitivity label policy dictates that applying a label is mandatory, this setting allows Outlook to avoid the need to assign labels to new messages. Set to False if Outlook should apply mandatory labeling, or True to disable mandatory labeling.
  • OutlookDefaultLabel: If the sensitivity policy dictates mandatory labeling, this setting allows Outlook clients to use a different default label to the one applied to documents (as defined in the DefaultLabelId policy setting). The setting contains the GUID (label identifier) for the default label used by Outlook. Note that if a default label is defined for Outlook and mandatory labeling is required (even if disabled for Outlook), Outlook applies its label to all new messages.

MC249779 says that roll-out begins in mid-April, and while OWA and Outlook for iOS have worked for a while, I didn’t see the new policy settings work with Outlook for Windows until the arrival of version 2105 (build 14206.20052) on May 4. Apparently, the new policy settings work with Outlook for Windows (build 14008.10000 and later), OWA, iOS (4.2111+), Android (4.2111+), and Mac (16.43.1108+).

These settings are part of the sensitivity label policy assigned to user accounts. You do not need to define values for the settings. Outlook uses the default document settings in the policy if specific settings for Outlook are not present.

Licensing

Microsoft considers the default application of a sensitivity label to a message or document to be an automatic operation. As such, it is covered by the licensing requirement for automatic labeling.

Updating Sensitivity Label Policies with PowerShell

To access the cmdlets to work with sensitivity labels, connect to the compliance endpoint. This is done by connecting to the Exchange Online management module and then running the Connect-IPPSSession cmdlet to connect to the compliance endpoint. For example:

Connect-ExchangeOnline
Connect-IPPSSession

Once connected to the compliance endpoint, you can use the Get-LabelPolicy cmdlet to examine the settings in a compliance policy. For instance, here are the settings for a policy in my tenant:

Get-LabelPolicy -Identity "General Sensitivity Policy" | Select -ExpandProperty Settings

[requiredowngradejustification, true]
[mandatory, true]
[outlookdefaultlabel, 2fe7f66d-096a-469e-835f-595532b63560]
[siteandgroupmandatory, false]
[enablecontainersupport, True]
[disablemandatoryinoutlook, True]
[defaultlabelid, 27451a5b-5823-4853-bcd4-2204d03ab477]

You can see that mandatory labeling for Outlook is disabled (disablemandatoryinoutlook = True), but a default label for Outlook is defined (outlookdefaultlabel). We can also see that this policy makes labeling mandatory for documents (mandatory = true) and the GUID for the default document label (defaultlabelid). Running the Get-Label cmdlet against the Outlook default label GUID reveals the label name:

(Get-Label -Identity 2fe7f66d-096a-469e-835f-595532b63560).DisplayName

Public

Mandatory labeling for documents is already configurable in the Compliance Center GUI. The changes forecast by Microsoft will introduce the ability to configure a different mandatory label for Outlook and to disable mandatory labeling for Outlook if it is configured for documents. For now, you need to update the Outlook settings in label policies with PowerShell because Microsoft has not yet updated the Compliance Center GUI.

To make labeling mandatory for Outlook, we run the Set-LabelPolicy cmdlet to update the settings.

Set-LabelPolicy -Identity "General Sensitivity Policy" -AdvancedSettings @{DisableMandatoryInOutlook="False"}

To set a default label for Outlook, use the Get-Label cmdlet to find the GUID for the label you’d like to use:

Get-Label | Format-Table DisplayName, ImmutableId

Then write the GUID for the chosen label into the policy:

Set-LabelPolicy -Identity "General Sensitivity Policy" -AdvancedSettings @{OutlookDefaultLabel="2fe7f66d-096a-469e-835f-595532b63560"}

Neither PowerShell nor the compliance endpoint validates the name of the advanced setting you update. If you misspell a setting name, it will be written into the label policy. If you pass an incorrect value, it will end up in the policy too. Always double-check values before updating a policy.
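Because nothing rejects a bad name or value, one way to guard the update is to validate locally first. The following is an added example, not code from the original article or from Microsoft; the function name Set-OutlookLabelSetting and the $KnownSettings list are hypothetical, and the list covers only the two settings discussed here.

```powershell
# Added example (hypothetical helper): validate an Outlook advanced setting before writing it.
# Assumes an active Connect-IPPSSession session.
$KnownSettings = 'DisableMandatoryInOutlook', 'OutlookDefaultLabel'   # only the two settings discussed here

function Set-OutlookLabelSetting {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$PolicyName,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Value
    )

    # Reject misspelled setting names; they would otherwise be written into the policy.
    if ($Name -notin $KnownSettings) {
        throw "Unknown setting '$Name'. Expected one of: $($KnownSettings -join ', ')"
    }
    $Name  = $KnownSettings | Where-Object { $_ -eq $Name }   # normalize casing
    $Value = $Value.Trim()                                     # stray spaces would be stored as-is

    switch ($Name) {
        'DisableMandatoryInOutlook' {
            if ($Value -notin 'True', 'False') { throw "Value must be True or False, got '$Value'" }
        }
        'OutlookDefaultLabel' {
            $Parsed = [guid]::Empty
            if (-not [guid]::TryParse($Value, [ref]$Parsed)) { throw "'$Value' is not a GUID" }
            # The GUID must belong to a label that exists in the tenant.
            $Label = Get-Label | Where-Object { "$($_.ImmutableId)" -eq $Parsed.ToString() }
            if (-not $Label) { throw "No sensitivity label has ImmutableId $Parsed" }
            Write-Verbose "Default label for Outlook will be '$($Label.DisplayName)'"
            $Value = $Parsed.ToString()
        }
    }

    if ($PSCmdlet.ShouldProcess($PolicyName, "Set $Name = $Value")) {
        Set-LabelPolicy -Identity $PolicyName -AdvancedSettings @{ $Name = $Value }
    }
    # Read the setting back so the stored name and value can be checked by eye.
    (Get-LabelPolicy -Identity $PolicyName).Settings | Where-Object { "$_" -match "^\[$Name," }
}

# Usage with the policy name and GUID shown in the article; -WhatIf previews without writing.
# Note the stray leading space in the value, which Trim() removes.
Set-OutlookLabelSetting -PolicyName 'General Sensitivity Policy' -Name 'OutlookDefaultLabel' `
    -Value ' 2fe7f66d-096a-469e-835f-595532b63560' -WhatIf
```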

It can take several hours before clients pick up a policy update and the chosen values are effective.

When Multiple Policies are Assigned to an Account

You can assign multiple sensitivity label policies to an account. If you do, the account has access to the combined set of sensitivity labels from all assigned policies. The policy settings which apply are determined by the order in which the policies are listed in the compliance center, with the lowest priority policy shown at the top and the highest at the bottom. In the set of policies shown in Figure 2, the General sensitivity policy has the highest priority.

Figure 2: Sensitivity label policies listed in the compliance center

It’s an odd priority order, but it’s consistent with the way that priority order for sensitivity labels works.

Knowing What Labels are Used

If your tenant has the appropriate licenses (think Office 365 E5), you can see details of the labels applied by user activity, including automatic application, using the Activity Explorer in the Compliance Center (Figure 3).

Figure 3: Using the Activity Explorer to track label usage

Office 365 E3 tenants can check the audit log for events such as MipLabel (logged when Outlook applies a sensitivity label) and SensitivityLabelApplied (an Office app like Word labels a document). An interesting edge case is when someone sends a message using one of the two Office 365 message encryption (OME) templates (Encrypt Only and Do Not Forward). In these instances, Outlook applies the label defined for documents rather than messages, probably because the message is already protected.

Analyzing audit records is not as convenient as viewing the information through the Activity Explorer, but the presence of audit events makes it feasible to understand who applies sensitivity labels and where they apply the labels. If you’ve gone to the trouble of creating a label policy which requires mandatory labeling, it’s nice to know that it’s being used.
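A sketch of the audit log check described above, as an added example that is not part of the original article. It assumes Connect-ExchangeOnline has been run and that audit logging is enabled; passing the two event names from the article to -Operations is an assumption, as is the seven-day window.

```powershell
# Added example: summarize who applied sensitivity labels, and in which workload.
$End   = Get-Date
$Start = $End.AddDays(-7)     # constructed window; adjust as needed

# Event names are taken from the article; using both as -Operations values is an assumption.
$Records = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
    -Operations 'MipLabel', 'SensitivityLabelApplied' -ResultSize 5000

if (-not $Records) {
    Write-Warning 'No labeling events found in the selected window.'
    return
}
if (@($Records).Count -eq 5000) {
    Write-Warning 'Result cap reached; narrow the date range to avoid missing events.'
}

# Flatten each record; Workload comes from the common schema inside the AuditData JSON.
$Events = foreach ($Record in $Records) {
    $Data = $Record.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When      = $Record.CreationDate
        User      = $Record.UserIds
        Operation = $Record.Operations
        Workload  = $Data.Workload
    }
}

# One row per user, operation and workload, with a count and the most recent event.
$Events | Group-Object User, Operation, Workload |
    Sort-Object Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            Count     = $_.Count
            User      = $_.Group[0].User
            Operation = $_.Group[0].Operation
            Workload  = $_.Group[0].Workload
            LastSeen  = ($_.Group | Measure-Object When -Maximum).Maximum
        }
    } | Format-Table -AutoSize
```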

About the Author

Tony Redmond

Tony Redmond has written thousands of articles about Microsoft technology since 1996. He is the lead author for the Office 365 for IT Pros eBook, the only book covering Office 365 that is updated monthly to keep pace with change in the cloud. Apart from contributing to Practical365.com, Tony also writes at Office365itpros.com to support the development of the eBook. He has been a Microsoft MVP since 2004.

Comments

  1. Jochem

    I’m looking to disable these timewasting popups as they’re only causing daily frustration, none of these commands seem to work in my PowerShell, any suggestions?

  2. Billbo Baggins

    Any insight into troubleshooting sensitivity label issues?
    Specifically having to constantly reset labels on docs that had labels already set.
    For some users, not all? Wasn’t sure if there’s a way to reset or repair (Office or other) to get labels working properly (set once per doc, not over and over)

    1. Tony Redmond

      I’d file a support incident with Microsoft to have them check this out. Sensitivity labels assigned to items are stored in their metadata and shouldn’t need to be reset.

  3. Jayakumar Krishnamoorthy

    Hi,

    My organization has Office 365, and the client desktops have the Office 2016 version enabled with AIP. We are drafting and sending, say, 4000 – 6000 emails, and it is hard to set sensitivity labels for all emails. We create and send all the emails using VBA, and we get a popup to set the sensitivity label for each email; it is hard to do this for bulk emails. Is there a solution for this? We are using a mouse clicker to click Allow when it prompts to send bulk emails, but for the AIP sensitivity label, after the email goes to the outbox, it prompts for a sensitivity label with a popup, and it is hard to select using any clicker. Also, I have tried using a VBA program to select the label but it does not work. Is there any workaround for this case?

    1. Tony Redmond

      Is this for Exchange Online? If so, Microsoft doesn’t support using Exchange Online to send bulk email. Also, the feature I reported is for sensitivity labels, not the older AIP labels, and it depends on Outlook detecting the default, not VBA.

  4. Alan

    In your PowerShell sample in the article you have DisableMandatoryOutlook as the setting name rather than DisableMandatoryInOutlook. Anyone who does a copy/edit/paste from the article like I did will use the wrong value.

    1. Tony Redmond

      Thanks Alan… Looks like a cut and paste error on my part that shouldn’t have made its way through. Fixed now.

  5. A.H

    This is really interesting and helpful. Wondering if you have any guidance on creating separate rules for Outlook compared to for Word? Only wanting labels to physically show in the body of Outlook and not within Word. Thanks

  6. Azlin Shah bin Mohd Isa

    My Outlook client sensitivity does not appear, but on the web version, the sensitivity is working fine.

    The Outlook client is running Office 365, newly installed. What should I do?

    1. Tony Redmond

      It takes a little time for Outlook to download the sensitivity labels and make them available in the UI. If this process is lasting more than a few days, I would ask Microsoft support for some help as they can check your environment (I obviously cannot).

  7. NDUBUISI OFOEGBU

    Dear Tony,

    Please do you have a guide to do this on Outlook for Desktop? Have been able to do it on Office365 but need to do same on Desktop client

    1. Tony Redmond

      Outlook (click to run – the Microsoft 365 apps for enterprise version) supports sensitivity labels. What version are you trying to use?

  8. Martin Trněný

    Hi Tony,

    Thank you for your article.

    I’d like to ask if you have any Microsoft official document (or what is your source of this point) where they confirm that the default application of a sensitivity label should be considered as an automatic operation and therefore it needs higher license plan? I found similar for the Retention labels in the MS documentation but not for the Sensitivity labels.

    Best Regards.
    Martin Trneny

    1. Tony Redmond

      https://docs.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#information-protection

      Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance, Microsoft 365 E5/A5/G5 Information Protection and Governance, Office 365 E5, Enterprise Mobility + Security E5/A5/G5, and AIP Plan 2 provide the rights for a user to benefit from automatic sensitivity labeling.

      Any automatic (non user) application requires a higher license.
