Dela via


Get started with oversharing pop ups

When you configure appropriate Microsoft Purview Data Loss Prevention (DLP) policy, DLP will check email messages before they are sent for any labeled or sensitive information and apply the actions defined in the DLP policy. This feature requires a Microsoft 365 E5 subscription, along with a version of Outlook that supports it. To identify the minimum version of Outlook required, use the capabilities table for Outlook, and look in the Preventing oversharing as DLP policy tip row.

Important

The following is a hypothetical scenario with hypothetical values. It's only for illustrative purposes. You should substitute your own sensitive information types, sensitivity labels, distribution groups and users when implementing this feature.

Tip

Get started with Microsoft Copilot for Security to explore new ways to work smarter and faster using the power of AI. Learn more about Microsoft Copilot for Security in Microsoft Purview.

Before you begin

SKU/subscriptions licensing

Before you start using DLP policies, confirm your Microsoft 365 subscription and any add-ons.

For information on licensing, see Microsoft 365, Office 365, Enterprise Mobility + Security, and Windows 11 Subscriptions for Enterprises.

Permissions

The account you use to create and deploy policies must be a member of one of the following role groups

  • Compliance administrator
  • Compliance data administrator
  • Information Protection
  • Information Protection Admin
  • Security administrator

Important

Read Administrative units before you start to make sure you understand the difference between an unrestricted administrator and an administrative unit restricted administrator.

Granular roles and role groups

There are several roles and role groups that you can use to fine tune your access controls.

Here's a list of applicable roles. To learn more, see Permissions in the Microsoft Purview compliance portal.

  • DLP Compliance Management
  • Information Protection Admin
  • Information Protection Analyst
  • Information Protection Investigator
  • Information Protection Reader

Here's a list of applicable role groups. To learn more about them, see Permissions in the Microsoft Purview compliance portal.

  • Information Protection
  • Information Protection Admins
  • Information Protection Analysts
  • Information Protection Investigators
  • Information Protection Readers

Prerequisites and assumptions

In Outlook for Microsoft 365, an oversharing pop-up displays a pop-up before a message is sent. To enable these pop-ups, first scope your policy to the Exchange location and then select the Show policy tip as a dialog for the user before send option in the policy tip when you create a DLP rule for that policy.

Our example scenario uses the Highly confidential sensitivity label, so it requires that you have created and published sensitivity labels. To learn more, see:

This procedure uses contoso.com. a hypothetical company domain.

Policy intent and mapping

For this example, our policy intent statement is:

We need to block emails to all recipients that have the 'highly confidential' sensitivity label applied, unless the recipient domain is contoso.com. We want to notify the user with a pop-up dialogue when they send the email. No users can be allowed to override the block.

Statement Configuration question answered and configuration mapping
"We need to block emails to all recipients..." - Where to monitor: Exchange
- Administrative scope: Full directory
- Action: Restrict access or encrypt the content in Microsoft 365 locations > Block users from receiving email or accessing shared SharePoint, OneDrive, and Teams files > Block everyone
"...that have the 'highly confidential' sensitivity label applied..." - What to monitor: use the Custom template
- Conditions for a match: edit it to add the highly confidential sensitivity label
"...unless..." Condition group configuration - Create a nested boolean NOT condition group joined to the first conditions using a boolean AND
"...the recipient domain is contoso.com." Condition for match: Recipient domain is
"...Notify..." User notifications: enabled
"...the user with a pop-up dialogue when they send..." Policy tips: selected
- Show policy tip as a dialog for the end user before send: selected
"...No users can be allowed to override the block... Allow overrides from M365 Services: not selected

To configure oversharing pop-ups with default text, the DLP rule must include these conditions:

  • Content contains > Sensitivity labels > choose your sensitivity label(s)

and one or more of the following recipient-based conditions

  • Recipient is
  • Recipient is a member of
  • Recipient domain is

When these conditions are met, the policy tip displays untrusted recipients while the user is writing the mail in Outlook, before they send it.

Steps to configure "wait on send"

Optionally, you can set the dlpwaitonsendtimeout Regkey (Value in dword) on all the devices where you want to implement "wait on send" for oversharing pop-ups. This registry key (RegKey) defines the maximum amount of time to hold the email when a user selects Send. This allows the system to complete the DLP policy evaluation for labeled or sensitive content. You can find this RegKey under:

*Software\Policies\Microsoft\office\16.0\Outlook\options\Mail*

You can set this RegKey via group policy (Specify wait time to evaluate sensitive content), script, or other mechanism for configuring registry keys.

If you're using Group Policy, make sure you've downloaded the most recent version of the Group Policy Administrative Template files for Microsoft 365 Apps for enterprise and then navigate to this setting from User Configuration >> Administrative Templates >> Microsoft Office 2016 >> Security Settings. If you're using the Cloud Policy service for Microsoft 365, search for the setting by name to configure it.

When this value is set and the DLP policy is configured, email messages are checked for sensitive information before they are sent. If a message contains a match to the conditions defined in the policy, a policy tip notification appears before the user clicks Send..

This RegKey allows you to specify the wait on send behavior for your Outlook clients.

Here is what each of the settings mean:

Not configured or Disabled: This is the default. When dlpwaitonsendtimeout is not configured, the message is not checked before the user sends it. The email message will be sent immediately once Send is clicked. The DLP data classification service will evaluate the message and apply the actions defined in the DLP policy.

Enabled: The email message is checked when the Send is clicked but before the message is actually sent. You can set a time limit on how long to wait for DLP policy evaluation to complete (T value, in seconds). If the policy evaluation doesn't complete in the specified time a Send anyway button appears allowing the user to bypass the pre-send check. The T value range is 0 to 9999 seconds.

Important

If the T value is greater than 9999, it is replaced with 10000 and the Send Anyway button does not appear. This holds the message until the policy evaluation completes and does not provide the user with an override option. The duration for completing the evaluation can vary depending on factors such as internet speed, content length, and the number of policies defined. Some users may encounter policy evaluation messages more frequently than others, depending on the policies that are deployed on their mailbox.

To learn more about configuring and using GPO see, Administer Group Policy in a Microsoft Entra Domain Services managed domain.

Steps to create a DLP policy for an oversharing pop up

Select the appropriate tab for the portal you're using. To learn more about the Microsoft Purview portal, see Microsoft Purview portal. To learn more about the Compliance portal, see Microsoft Purview compliance portal.

  1. Sign in to the Microsoft Purview portal > Data loss prevention > Policies

  2. Choose + Create policy.

  3. Select Custom from the Categories list.

  4. Select Custom from the Regulations list.

  5. Give the policy a name.

    Important

    Policies cannot be renamed.

  6. Fill in a description. You can use the policy intent statement here.

  7. Select Next.

  8. Select Full directory under Admin units.

  9. Select only the Exchange email location.

  10. Select Next.

  11. On the Define policy settings page, select Create or customize advanced DLP rules.

  12. The Create or customize advanced DLP rules option should already be selected.

  13. Select Next.

  14. Select Create rule. Name the rule and provide a description.

  15. Select Add condition > Content contains > Add > Sensitivity labels > Highly confidential. Choose Add.

  16. Select Add group > AND > NOT > Add condition.

  17. Select Recipient domain is > contoso.com. Choose Add.

    Tip

    You can also use Recipient is or Recipient is a member of instead of Recipient domain is to trigger an oversharing pop-up.

  18. Select Add an action > Restrict access or encrypt the content in Microsoft 365 locations.

  19. Select Block users from receiving email or accessing shared SharePoint, OneDrive, and Teams files, and Power BI items.

  20. Select Block everyone.

  21. Set the User notifications toggle to On.

  22. Select Policy tips > Show the policy tip as a dialog for the end user before send (available for Exchange workload only).

  23. If already selected, uncheck the Allow override from M365 services option.

  24. Choose Save.

  25. Change the Status toggle to On and then choose Next.

  26. On the Policy mode page, select Run the policy in test mode and check the box for the Show policy tips while in simulation mode option.

  27. Choose Next and then choose Submit.

  28. Choose Done.

PowerShell steps to create policy

DLP policies and rules can also be configured in PowerShell. To configure oversharing pop-ups using PowerShell, first you create a DLP policy (using PowerShell) and add DLP rules for each warn, justify or block pop-up type.

You'll configure and scope your DLP Policy using New-DlpCompliancePolicy. Then, you'll configure each oversharing rule using New-DlpComplianceRule

To configure a new DLP policy for the oversharing pop-up scenario use this code snippet:

PS C:\> New-DlpCompliancePolicy -Name <DLP Policy Name> -ExchangeLocation All

This sample DLP policy is scoped to all users in your organization. Scope your DLP Policies using -ExchangeSenderMemberOf and -ExchangeSenderMemberOfException.

Parameter Configuration
-ContentContainsSensitiveInformation Configures one or more sensitivity label conditions. This sample includes one. At least one label is mandatory.
-ExceptIfRecipientDomainIs List of trusted domains.
-NotifyAllowOverride "WithJustification" enables justification radio buttons, "WithoutJustification" disables them.
-NotifyOverrideRequirements "WithAcknowledgement" enables the new acknowledgment option. This is optional.

To configure a new DLP rule to generate a warn pop-up using trusted domains, run the following PowerShell code:

PS C:\> New-DlpComplianceRule -Name <DLP Rule Name> -Policy <DLP Policy Name> -NotifyUser Owner -NotifyPolicyTipDisplayOption "Dialog" -ContentContainsSensitiveInformation @(@{operator = "And"; groups = @(@{operator="Or";name="Default";labels=@(@{name=<Label GUID>;type="Sensitivity"})})}) -ExceptIfRecipientDomainIs @("contoso.com","microsoft.com")

To configure a new DLP rule to generate a justify pop-up using trusted domains, run this PowerShell code:

PS C:\> New-DlpComplianceRule -Name <DLP Rule Name> -Policy <DLP Policy Name> -NotifyUser Owner -NotifyPolicyTipDisplayOption "Dialog" -BlockAccess $true -ContentContainsSensitiveInformation @(@{operator = "And"; groups = @(@{operator = "Or"; name = "Default"; labels = @(@{name=<Label GUID 1>;type="Sensitivity"},@{name=<Label GUID 2>;type="Sensitivity"})})}) -ExceptIfRecipientDomainIs @("contoso.com","microsoft.com") -NotifyAllowOverride "WithJustification"

To configure a new DLP rule to generate a block pop-up using trusted domains, run this PowerShell code:

PS C:\> New-DlpComplianceRule -Name <DLP Rule Name> -Policy <DLP Policy Name> -NotifyUser Owner -NotifyPolicyTipDisplayOption "Dialog" -BlockAccess $true -ContentContainsSensitiveInformation @(@{operator = "And"; groups = @(@{operator = "Or"; name = "Default"; labels = @(@{name=<Label GUID 1>;type="Sensitivity"},@{name=<Label GUID 2>;type="Sensitivity"})})}) -ExceptIfRecipientDomainIs @("contoso.com","microsoft.com")

Use these procedures to access the Business justification X-Header.

See also