Custom configurations unified labeling

Posted by

Microsoft Information Protection uses policies to publish sensitivity labels and configure specific settings. These include a mandatory label or asking the user to justify when a lower label is selected. These policies were also used when we were still talking about Azure Information Protection.

One of the more advanced functions within these Azure Information Protection policies was to add so-called advanced settings. These settings were not available in the admin console but could be added to the policy by using the attributes and their values.

When using Microsoft Information Protection, you will not see these attributes when using the compliance center. They are not visible when you create or modify a policy. Nor are these attributes visible in any other part of the compliance center. The solution: use PowerShell.

You can still configure these advanced settings – although Microsoft now calls them the “Custom configurations”. The settings apply to the unified labeling client, so you will need that (installable) client for the settings below. Let’s take a look.

Connect to the environment by using the Connect-IPPSSession cmdlet. Now you can access the settings for the labels and policies. To start with, let’s take a look at the specific settings for a label policy. Use this cmdlet: (Get-LabelPolicy -Identity <Policyname>).settings

All settings for the policy are there, including the custom ones (at the bottom). Another cmdlet that you might want to use is this one: Get-label -Identity <label> | Format-list ImmutableId. This cmdlet returns the label-id. This label-id is required for some of the other cmdlets.

The other cmdlets used are Set-Label and Set-LabelPolicy

Specify a color for a label. Set-Label -Identity <policyname> -AdvancedSettings @{color=”#40e0d0″}
Exempt Outlook messages from mandatory labeling.Set-LabelPolicy -Identity <policyname> -AdvancedSettings @{DisableMandatoryInOutlook=”True”} 
Disable custom permissions from the Windows File ExplorerSet-LabelPolicy -Identity <policyname> -AdvancedSettings @{EnableCustomPermissions=”False”}
Trust specific domains when emails are sent. These interact with the setting below.Set-LabelPolicy -Identity <policyname> -AdvancedSettings @{OutlookBlockTrustedDomains=”<domain>”}
Warn, justify or block emails with a specific label being sent. Set-LabelPolicy -Identity <policyname> -AdvancedSettings @{OutlookJustifyUntrustedCollaborationLabel=<“labelid”>}

The warning for Outlook is a specific function. It scans either email and/or attachments for labeled content and either blocks the message or warns the users. This function is a great addition to any data loss prevention rules you may have set up. The default message contains the name of the labeled document and the intended recipients.

Customizing Outlook pop-up messages for the AIP UL client - Microsoft Tech  Community

In the table above we work with default settings for Outlook. But all of these settings and messages can be made to measure. And for this, we will need JSON.

A specific JSON script is used to create your own rules and messages when using Outlook. It will replace the other settings as displayed in the table above. Here’s a sample JSON that only scans emails that are not sent to “”. It also looks for Office and PDFs labeled with a specific label. And when found, it will warn the user not to send this type of information.

Add this configuration to Microsoft Information Protection by using this PowerShell cmdlet:

$filedata = Get-Content <json-file-location>
Set-LabelPolicy -Identity <policy> -AdvancedSettings @{OutlookCollaborationRule_1 =”$filedata”}

You can set multiple rules. These are numbered and this is crucial. You will need to add OutlookCollaborationRule_<number> to the cmdlet. Always starting from 1 upwards. This is mandatory, so don’t choose your own names! 🙂

This works great. But please be aware. When the JSON contains errors, these are not displayed when using the PowerShell cmdlet. But the unified labeling client will display an error message: the collaboration rules cannot be run. The same goes for specific versions for the client. These cannot handle email messages being added as attachments. See below. This has been solved with the new (preview) client.

I hope this gives you some insights into the possibilities for the custom configurations. A complete list of all possible configurations can be found here: 

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s