Get started with oversharing pop ups

When you configure appropriate Microsoft Purview Data Loss Prevention (DLP) policy, DLP will check email messages before they are sent for any labeled or sensitive information and apply the actions defined in the DLP policy.

Oversharing popup is an E5 feature.

Important

This is a hypothetical scenario with hypothetical values. It's only for illustrative purposes. You should substitute your own sensitive information types, sensitivity labels, distribution groups and users.

Important

To identify the minimum version of Outlook that supports this feature, use the capabilities table for Outlook, and the row Preventing oversharing as DLP policy tip.

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Before you begin

SKU/subscriptions licensing

Before you start using DLP policies, confirm your Microsoft 365 subscription and any add-ons.

For information on licensing, see Microsoft 365, Office 365, Enterprise Mobility + Security, and Windows 11 Subscriptions for Enterprises.

AIP P2 license is supported

Permissions

The account you use to create and deploy policies must be a member of one of these role groups

• Compliance administrator
• Compliance data administrator
• Information Protection
• Information Protection Admin
• Security administrator

Important

Be sure you understand the difference between an unrestricted administrator and an administrative unit restricted administrator by reading Administrative units before you start.

Granular Roles and Role Groups

There are roles and role groups that you can use to fine tune your access controls.

Here's a list of applicable roles. To learn more, see Permissions in the Microsoft Purview compliance portal.

• DLP Compliance Management
• Information Protection Admin
• Information Protection Analyst
• Information Protection Investigator
• Information Protection Reader

Here's a list of applicable role groups. To learn more, see To learn more about them, see Permissions in the Microsoft Purview compliance portal.

• Information Protection
• Information Protection Admins
• Information Protection Analysts
• Information Protection Investigators
• Information Protection Readers

Prerequisites and assumptions

In Outlook for Microsoft 365 an oversharing popup displays a popup before a message is sent. Select Show policy tip as a dialog for the user before send in policy tip when creating a DLP rule for the Exchange location. This scenario uses the Highly confidential sensitivity label, so it requires that you have created and published sensitivity labels. To learn more, see:

• Learn about sensitivity labels
• Get started with sensitivity labels
• Create and configure sensitivity labels and their policies

This procedure uses a hypothetical company domain at Contoso.com.

Policy intent and mapping

We need to block emails to all recipients that have the 'highly confidential' sensitivity label applied except if the recipient domain is contoso.com. We want to notify the user on send with a popup dialogue and no one can be allowed to override the block.

Statement	Configuration question answered and configuration mapping
"We need to block emails to all recipients..."	- Where to monitor: Exchange - Administrative scope: Full directory - Action: Restrict access or encrypt the content in Microsoft 365 locations > Block users from receiving email or accessing shared SharePoint, OneDrive, and Teams files > Block everyone
"...that have the 'highly confidential' sensitivity label applied..."	- What to monitor: use the Custom template - Conditions for a match: edit it to add the highly confidential sensitivity label
"...except if..."	Condition group configuration - Create a nested boolean NOT condition group joined to the first conditions using a boolean AND
"...the recipient domain is contoso.com."	Condition for match: Recipient domain is
"...Notify..."	User notifications: enabled
"...the user on send with a popup dialogue..."	Policy tips: selected - Show policy tip as a dialog for the end user before send: selected
"...and no one can be allowed to override the block...	Allow overrides from M365 Services: not selected

To configure oversharing popups with default text, the DLP rule must include these conditions:

• Content contains > Sensitivity labels > choose your sensitivity label(s)

and a recipient-based condition

• Recipient is
• Recipient is a member of
• Recipient domain is

When these conditions are met, the policy tip displays untrusted recipients while the user is writing the mail in Outlook, before it's sent.

Steps to configure "wait on send"

Optionally, you can set the dlpwaitonsendtimeout Regkey (Value in dword) on all the devices you want to implement "wait on send" for oversharing popups. This registry key defines the maximum amount of time to hold the email when user selects Send. This allows DLP policy evaluation to complete for labeled or sensitive content. It is under:

*Software\Policies\Microsoft\office\16.0\Outlook\options\Mail*

You can set this RegKey via group policy (Specify wait time to evaluate sensitive content), script or other mechanism for configuring registry keys.

If you're using Group Policy, make sure you've downloaded the most recent version of Group Policy Administrative Template files for Microsoft 365 Apps for enterprise and navigate to this setting from User Configuration >> Administrative Templates >> Microsoft Office 2016 >> Security Settings. If you're using the Cloud Policy service for Microsoft 365, search for the setting by name to configure it.

When this value is set and the DLP policy are configured, email messages are checked for sensitive information before they are sent. If the message contains a match to the conditions defined in the policy, a policy tip notification appears before the user clicks Send..

This RegKey allows you to specify the "wait on send" behavior on your Outlook clients. Here's what each of the settings means.

Not configured or Disabled: This is the default. When dlpwaitonsendtimeout is not configured the message is not checked before the user sends it. The email message will be sent with no pause when Send is clicked. The DLP data classification service will evaluate the message and apply the actions defined in the DLP policy.

Enabled: The email message is checked when the Send is clicked but before the message is actually sent. You can set a time limit on how long to wait for DLP policy evaluation to complete (T value in seconds). If the policy evaluation doesn't complete in the specified time a Send anyway button appears allowing the user to bypass the presend check. The T value range is 0 to 9999 seconds.

Important

If the T value is greater than 9999, it will be replaced with 10000 and the Send Anyway button will not appear. This holds the message until the policy evalution completes with no option for user override. The duration to complete the evaluation can vary depending on factors such as internet speed, content length, and the number of defined policies. Some users may encounter policy evaluation messages more frequently than others depending on what policies are deployed on their mailbox.

To learn more about configuring and using GPO see, Administer Group Policy in a Microsoft Entra Domain Services managed domain.

Steps to create a DLP policy for an oversharing pop up

Important

For the purposes of this policy creation procedure, you'll accept the default include/exclude values and leave the policy turned off. You'll be changing these when you deploy the policy.

Select the appropriate tab for the portal you're using. To learn more about the Microsoft Purview portal, see Microsoft Purview portal. To learn more about the Compliance portal, see Microsoft Purview compliance portal.

Microsoft Purview portal

1. Sign in to the Microsoft Purview portal > Data loss prevention > Policies

2. Choose + Create policy.

3. Select Custom from the Categories list.

4. Select Custom from the Templates list.

5. Give the policy a name.

   Important

   Policies cannot be renamed.

6. Fill in a description. You can use the policy intent statement here.

7. Select Next.

8. Select Full directory under Admin units.

9. Set the Exchange email location status to On. Set all the other location status to Off.

10. Select Next.

11. Accept the default values for Include = All and Exclude = None.

12. The Create or customize advanced DLP rules option should already be selected.

13. Select Next.

14. Select Create rule. Name the rule and provide a description.

15. Select Add condition > Content contains > Add > Sensitivity labels > Highly confidential. Choose Add.

16. Select Add group > AND > NOT > Add condition.

17. Select Recipient domain is > contoso.com. Choose Add.

    Tip

    You can also use Recipient is or Recipient is a member of instead of Recipient domain is to trigger an oversharing popup.

18. Select Add an action > Restrict access or encrypt the content in Microsoft 365 locations.

19. Select Block users from receiving email or accessing shared SharePoint, OneDrive, and Teams files, and Power BI items.

20. Select Block everyone.

21. Set the User notifications toggle to On.

22. Select Policy tips > Show the policy tip as a dialog for the end user before send (available for Exchange workload only).

23. If selected, uncheck the Allow override from M365 services option.

24. Choose *Save.

25. Change the Status toggle to On and then choose Next.

26. On the Policy mode page, select Run the policy in test mode and check the box for the Show policy tips while in simulation mode option.

27. Choose Next and then choose Submit.

Compliance portal

1. Sign in to the Microsoft Purview compliance portal > Solutions > Data loss prevention > Policies > + Create policy.

2. Select Custom from the Categories list.

3. Select Custom from the Templates list.

4. Give the policy a name.

   Important

   Policies cannot be renamed.

5. Fill in a description. You can use the policy intent statement here.

6. Select Next.

7. Select Full directory under Admin units.

8. Set the Exchange email location status to On. Set all the other location status to Off.

9. Select Next.

10. Accept the default values for Include = All and Exclude = None.

11. The Create or customize advanced DLP rules option should already be selected.

12. Select Next.

13. Select Create rule. Name the rule and provide a description.

14. Select Add condition > Content contains > Add > Sensitivity labels > Highly confidential. Choose Add.

15. Select Add group > AND > NOT > Add condition.

16. Select Recipient domain is > contoso.com. Choose Add.

    Tip

    Recipient is and Recipient is a member of can also be used in the previous step and will trigger an oversharing popup.

17. Select Add an action > Restrict access or encrypt the content in Microsoft 365 locations > Restrict access or encrypt the content in Microsoft 365 locations > Block users from receiving email or accessing shared SharePoint, OneDrive, and Teams file. > Block everyone.

18. Set User notifications to On.

19. Select Policy tips > Show the policy tip as a dialog for the end user before send.

20. Make sure that Allow override from M365 services isn't selected.

21. Choose Save.

22. Choose Next > Keep it off > Next > Submit.

PowerShell steps to create policy

DLP policies and rules can also be configured in PowerShell. To configure oversharing popups using PowerShell, first you create a DLP policy (using PowerShell) and add DLP rules for each warn, justify or block popup type.

You'll configure and scope your DLP Policy using New-DlpCompliancePolicy. Then, you'll configure each oversharing rule using New-DlpComplianceRule

To configure a new DLP policy for the oversharing popup scenario use this code snippet:

PS C:\> New-DlpCompliancePolicy -Name <DLP Policy Name> -ExchangeLocation All

This sample DLP policy is scoped to all users in your organization. Scope your DLP Policies using -ExchangeSenderMemberOf and -ExchangeSenderMemberOfException.

Parameter	Configuration
-ContentContainsSensitiveInformation	Configures one or more sensitivity label conditions. This sample includes one. At least one label is mandatory.
-ExceptIfRecipientDomainIs	List of trusted domains.
-NotifyAllowOverride	"WithJustification" enables justification radio buttons, "WithoutJustification" disables them.
-NotifyOverrideRequirements	"WithAcknowledgement" enables the new acknowledgment option. This is optional.

To configure a new DLP rule to generate a warn popup using trusted domains run this PowerShell code.

PS C:\> New-DlpComplianceRule -Name <DLP Rule Name> -Policy <DLP Policy Name> -NotifyUser Owner -NotifyPolicyTipDisplayOption "Dialog" -ContentContainsSensitiveInformation @(@{operator = "And"; groups = @(@{operator="Or";name="Default";labels=@(@{name=<Label GUID>;type="Sensitivity"})})}) -ExceptIfRecipientDomainIs @("contoso.com","microsoft.com")

To configure a new DLP rule to generate a justify popup using trusted domains run this PowerShell code.

PS C:\> New-DlpComplianceRule -Name <DLP Rule Name> -Policy <DLP Policy Name> -NotifyUser Owner -NotifyPolicyTipDisplayOption "Dialog" -BlockAccess $true -ContentContainsSensitiveInformation @(@{operator = "And"; groups = @(@{operator = "Or"; name = "Default"; labels = @(@{name=<Label GUID 1>;type="Sensitivity"},@{name=<Label GUID 2>;type="Sensitivity"})})}) -ExceptIfRecipientDomainIs @("contoso.com","microsoft.com") -NotifyAllowOverride "WithJustification"

To configure a new DLP rule to generate a block popup using trusted domains run this PowerShell code.

PS C:\> New-DlpComplianceRule -Name <DLP Rule Name> -Policy <DLP Policy Name> -NotifyUser Owner -NotifyPolicyTipDisplayOption "Dialog" -BlockAccess $true -ContentContainsSensitiveInformation @(@{operator = "And"; groups = @(@{operator = "Or"; name = "Default"; labels = @(@{name=<Label GUID 1>;type="Sensitivity"},@{name=<Label GUID 2>;type="Sensitivity"})})}) -ExceptIfRecipientDomainIs @("contoso.com","microsoft.com")

Use these procedures to access the Business justification X-Header.

See also

• Get started with the data loss prevention Alerts dashboard
• Create and Deploy data loss prevention policies