In the ever-evolving landscape of cybersecurity, protecting sensitive information is paramount. Microsoft has introduced a proactive feature in Outlook for Microsoft 365 that holds emails for Data Loss Prevention (DLP) scanning and alerts users with a pop-up if sensitive content is detected. This innovative approach ensures that potential data breaches are intercepted before emails enter the outbox, enhancing compliance and security. It is time to elevate email security with Intune and DLP!
Table Of Content
- The New DLP Email Scanning Feature
- Implementing With Microsoft Intune
- End User Experience
- Concluding Elevate Email Security With Intune And DLP
The New DLP Email Scanning Feature
I am not usually deep into Data Loss Prevention (DLP), but my colleague MVP Nikki Chapple constantly shares valuable insights regarding DLP in Microsoft 365 through her blog, https://nikkichapple.com/.
If you are interested in the governance and compliance space, it’s highly recommended to explore Nikki’s content as it inspires and guides establishing a comprehensive data loss prevention configuration for your tenant.
Recently, Nikki asked me if the new DLP email scanning feature could be configured on the endpoints using Intune. After checking around, I realized this was not documented for Microsoft Intune!
Nikki described how the new DLP feature integrates seamlessly with Microsoft Outlook, enhancing DLP by checking emails for sensitive information policies before sending the mail. A policy tip notification is displayed if a match is found, prompting the user to take action.
This setting is based on the new policy tip option in DLP. By configuring the Windows endpoints using Microsoft Intune, we can give the users a new oversharing popup in Outlook. This enhances the policy tip and is a significant improvement over the traditional method, where users would receive a bounce-back message after the email has already been attempted to be sent.
Implementing With Microsoft Intune
Microsoft Intune provides a robust configuration and policy enforcement platform to deploy features across managed endpoints. Since this configuration is not detailed as a Microsoft Intune option in the official Microsoft documentation (and I can’t contribute to this particular page at Microsoft Learn🥲), I will run you through setting up the Microsoft Outlook oversharing popup for Windows using Microsoft Intune in this blog post.
Oversharing popup is an E5 feature.
AIP P2 license is supported.
Intune Device Configuration Profile
In Microsoft Intune, you should create a new device configuration profile for “Windows 10 and later” and use the “Settings catalog” profile type.
Give the new configuration profile an appropriate name and description.
Add the setting “Specify wait time to evaluate sensitive content (User)” found under Microsoft Outlook 2016 and enable it.
When enabled, email messages undergo a pre-send check upon clicking Send. You can specify a time limit for the Data Loss Prevention (DLP) policy evaluation. If the evaluation doesn’t finish within this time, a Send Anyway button appears for user bypass.
The seconds values range from 0 to 9999 seconds. Values above 9999 get set to 10000, disabling the Send Anyway button. In this case, the message is held until the policy evaluation is completed, without user override. The evaluation duration depends on internet speed, content length, and defined policies. Users may experience varying frequencies of policy evaluation messages based on deployed mailbox policies.
MVP Moe Kinani has proposed a 30-second value in his blog post covering the setup of a DLP policy to support the oversharing pop-up in Outlook.
Assign the policy to a group of pilot users before extending it to all users after the initial pilot period.
End User Experience
Without The Oversharing Config
The default experience for DLP is without the use of the oversharing popup. In this situation, the e-mail would leave the user’s mailbox and then bounce back a while later if the e-mail breaks DLP policies. This might look like this:
This initial implementation of the DLP policy with e-mail bouncing may confuse end users. A more user-friendly approach is to display the oversharing popup while users compose the original email. This allows them to address any oversharing issues seamlessly within the initial email creation process flow.
An Email With A Sensitivity Label
After the sensitivity label with the new policy tip is distributed to the device, the user will see information like the following when creating an email conflicting with the implemented DLP policies:
If the oversharing popup is configured through Microsoft Intune, and the end user tries to click the Send button when the policy tip is present, the e-mail will be halted, and the user will receive the following notification saying it is not allowed to send this information to this recipient.
The user is now informed while in the creative flow and may take the corresponding action without trying to send an e-mail that will get blocked and bounced.
An Email With A Sensitivity Labeled Document
Sharing From Office Applications
Trying to share a document with a restrictive sensitivity label directly from Word will give the following message to the end user:
This is not related to the oversharing configuration, but the DLP policy will block the user.
Sharing From Outlook
If trying to add the same document as an attachment to an e-mail, the DLP policy will kick in and change or suggest changing the sensitivity label. Eventually, the policy tip will apply, saying external sharing is not allowed. The oversharing popup will now appear if the end-user tries to send the e-mail with the labeled attachment:
This is the configured oversharing popup informing the user that this sharing through e-mail is not allowed.
Sharing From New Outlook
Testing the same routine from the New Outlook client gives the same result:
The email received the policy tip as soon as the labeled document was attached, and the New Outlook clients display an oversharing popup if the email is attempted to be sent to an external recipient, breaking with the DLP policy.
Concluding Elevate Email Security With Intune And DLP
Checking emails for sensitive information against DLP policies before they are sent is a significant improvement over the traditional method, where users would receive a bounce-back message after the email had already been sent. The policy tip notification will allow the end user to take action on any DLP mismatches while they are still in the flow of composing their e-mail.
With Microsoft Intune, the deployment of the new DLP email scanning feature can be streamlined to all your managed Windows endpoints. By leveraging Microsoft Intune’s endpoint management capabilities, organizations can ensure end users get the support they need to comply with the company’s DLP policies most effectively.
One year ago, Nikke and I collaborated on another cross-posting where we complemented each other’s knowledge to provide a comprehensive solution. Have you seen it?
– How to use sensitivity labels with your PDF files (nikkichapple.com)
– Simon does How to use Intune to enable sensitivity labels on PDF files (skotheimsvik.no)