This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 83%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EP%3C/text%3E%3C/svg%3E)
Hi
We have several mailboxes, where assistants have fullaccess permission to the mailboxes.
The owners would like to prevent the delegated users, from reading private emails.
How can this be achieved?
Regards
Peter
@Alex Zhang-MSFT
Any news, if it will be possible in the future, to add sensitivity labels to existing emails within the inbox in Outlook Web or new Outlook client?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(316.8, 90%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAZ%3C/text%3E%3C/svg%3E)
Hello, @Peter,
Currently, in Microsoft Outlook and Outlook Web Access (OWA), sensitivity labels can be applied when composing new emails. However, applying sensitivity labels to existing emails directly in your inbox is not a feature that's universally available at this time.
For the most accurate and up-to-date information about if it will be possible in the future, to add sensitivity labels to existing emails within the inbox in Outlook Web or new Outlook client, you can check the Microsoft 365 roadmap or contact Microsoft support. To stay informed about new features, you can also keep an eye on the updates released in the Office 365 Admin Center or subscribe to Microsoft 365 blog updates.
Best Wishes,
Alex Zhang
Protect the items with a sensitivity label, and make sure that the delegates have not been granted access to the label and to IRM protected messages in the user's mailbox. The latter is done via the set of *-MailboxIRMAccess cmdlets, if you need additional details check this article: https://office365itpros.com/2022/06/09/delegate-access-encrypted-email/
Do not rely on the "private" flag, as certain clients can actually access such items (see https://ingogegenwarth.wordpress.com/2022/02/15/outlook-and-private-items/).
Hello, @Peter,
Welcome to the Microsoft Q&A platform!
Based on your description, I understand that some owners of mailboxes in your organization want to prevent delegate users from reading private emails and you wonder how to achieve this.
Vasil Michev have provided an efficient and safe method, I am just going to make some additions and provide some official documentation for your reference.
You can create sensitivity labels as shown in the diagram below in Microsoft Purview. For information on how administrators can configure encryption., please refer to Apply encryption using sensitivity labels | Microsoft Learn. About how senders can apply sensitivity labels, please click on Apply encryption using sensitivity labels | Microsoft Learn for reference.
For information about running the Set-MailboxIRMAccess cmdlet in Exchange Online PowerShell to ensure that access to labeled and IRM-protected messages in a user's mailbox is not granted to an agent, please see Consistently block delegates or shared mailbox members from accessing protected messages in Outlook - Microsoft Community Hub. You can directly copy the command below for your convenience.
1.Check who is blocked from accessing mailbox owner’s encrypted messages:
Get-MailboxIRMAccess -Identity <MailboxIdParameter> -User <SecurityPrincipalIdParameter>
2.Block a user from reading encrypted messages in a shared or delegated mailbox:
Set-MailboxIRMAccess -Identity <MalboxIdParameter> -User <SecurityPrincipalIdParameter> -AccessLevel <Block>
3.Remove a user from the block list and allowing them to read encrypted mail:
Remove-MailboxIRMAccess -Identity <MalboxIdParameter> -User <SecurityPrincipalIdParameter>
(Note: After any of the above mailbox settings are changed, the Outlook client must be restarted.)
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Thank you for your support and understanding.
Best Wishes,
Alex Zhang
Hello, @Peter,
Is there any update on this thread? If the issue has been resolved, please mark the helpful replies as answers, this will make answer searching in the forum easier and be beneficial to other community members as well. Thanks for your understanding.
Best Wishes,
Alex Zhang
Thanks for your answer, and sorry, too busy at the moment. I am going to test it.
Regards
Peter
Hello, @Peter,
Is there any update on this thread? If the issue has been resolved, please mark the helpful replies as answers, this will make answer searching in the forum easier and be beneficial to other community members as well. Thanks for your understanding.
Best Wishes,
Alex Zhang
Hello, @Peter,
If you need further help, please feel free to reply this post directly so we will be notified to follow it up. If the issue has been resolved, please mark the helpful replies as answers, this will make answer searching in the forum easier and be beneficial to other community members as well. Thanks for your understanding.
Best Wishes,
Alex Zhang
Hi
I am able to create labels, but can only assign them to new emails I write.
The goal should be, to assign labels to any email in my mailbox, to prevent that delegates can read them.
Regards
Peter
You can assign labels/RMS templates to existing items by double-clicking an item > File > Encrypt > selecting the label/template > Save the message
@Vasil Michev
Great, works in my classic outlook client, but couldn't find a possibility to do the same in outlook web or using the new outlook client.
Not possible in either of those, afaik
@Alex Zhang-MSFT do you know if this will be possible in the future, and if yes, when this will be launched?