Office 365 DLP/Sensitivity Labels with Exchange Hybrid

Marcus Wong Theen Nam 1,111 Reputation points
2021-09-13T07:01:27.06+00:00

I have Exchange hybrid environment with Exchange 2016 on-premise server and some users are in O365 and some are on-premise. I do have E3 license and would like to implement office 365 DLP such as sensitivity labeling or blocking sending email with confidential information/apply watermark.

I know that office 365 users will not have any issue with the DLP since both are in cloud, but how about on-premise Exchange server? Do we need to do anything in on-premises Exchange server? What I can see from Microsoft article is only the on-premise user sending emails to on-premise user will not have DLP apply.

So in this case, what we need to do is assign a license to the on-premise user and straight away create the DLP policy in office 365 and they should take effect from there? On-premise users sending out email externally the DLP policy will apply?

Azure Information Protection
Azure Information Protection
An Azure service that is used to control and help secure email, documents, and sensitive data that are shared outside the company.
525 questions
Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
7,436 questions
Microsoft Exchange Hybrid Management
Microsoft Exchange Hybrid Management
Microsoft Exchange: Microsoft messaging and collaboration software.Hybrid Management: Organizing, handling, directing or controlling hybrid deployments.
1,959 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. KyleXu-MSFT 26,226 Reputation points
    2021-09-14T01:49:21.1+00:00

    @Marcus Wong Theen Nam

    The DLP is used to protect the emails that send to external organization. In a hybrid mode, Exchange on-premise and Exchange online are in the same organization, so the email that sent from Exchange on-premises to Exchange online will not be applied DLP.

    If you want to protect emails that sent from Exchange on-premises to external recipients, you also need to enable DLP on your Exchange on-premises(Due to Exchange on-premises mailboxes will send email to the Internet directly, email cannot through Exchange online to the Internet in a hybrid mode).


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.

  2. Sarat Chandra 581 Reputation points
    2021-09-14T04:54:35.387+00:00

    Hi, @Marcus Wong Theen Nam ,

    The On-Premises DLP 131720-webinar-faq-microsoft-on-premises-dlp.pdfprovided an overview of a MIP solution for on-premises data at rest, understanding on-prem specific challenges, implementing the methodology, and concluded with a demonstration of the most useful scenarios that can be addressed by the on-premises scanner.​

    131719-on-prem-dlp-thumbnail-blog.png

    If you have Exchange Server, SharePoint Server, and Windows file servers, you can deploy the Rights Management connector so that these on-premises servers can use the Azure Rights Management service to protect your emails and documents. You can also synchronize and federate your Active Directory domain controllers with Azure AD for a more seamless authentication experience for users, for example, by using Azure AD Connect.

    The Azure Rights Management service automatically generates and manages XrML certificates as required, so it doesn’t use an on-premises PKI. For more information about how Azure Rights Management uses certificates, see the Walkthrough of how Azure RMS works: First use, content protection, content consumption section in the How does Azure RMS work? article.

    Sourced from FAQ

    Reference:

    Sign up for the MIPC Preview Program: https://aka.ms/MIPC/JoinPreviews
    ➢ Follow us on twitter: twitter.com/MIPnews
    ➢ View the On-Premises DLP documentation for additional information:
    https://techcommunity.microsoft.com/t5/microsoft-security-and/find-your-unscanned-and-overexposed-shares-on-premises-with-an/ba-p/1744783
    https://techcommunity.microsoft.com/t5/microsoft-security-and/migrating-from-exchange-transport-rules-to-unified-dlp-the/ba-p/1749723
    https://learn.microsoft.com/en-us/exchange/security-and-compliance/data-loss-prevention/data-loss-prevention
    https://techcommunity.microsoft.com/t5/microsoft-security-and/microsoft-endpoint-dlp-webinar/ba-p/1799875
    ➢ Submit through UserVoice for Records management and share your feature asks here to help us prioritize and shape the solution: https://office365.uservoice.com/forums/289138-office-365-security-compliance/category/379531-information-governance-and-records-management
    ➢ Watch previous webinars: http://aka.ms/MIPC/webinars

    Source:https://techcommunity.microsoft.com/t5/security-compliance-and-identity/microsoft-on-premises-dlp-webinar/ba-p/1878047

    *******If the response is helpful, please click "Accept Answer" and upvote it***********