Posted by Microsoft Information Protection uses policies to publish sensitivity labels and configure specific settings. These include a mandatory label or asking the user to justify when a lower label is selected. These policies were also used when we were still talking about Azure Information Protection.
One of the more advanced functions within these Azure Information Protection policies was to add so-called advanced settings. These settings were not available in the admin console but could be added to the policy by using the attributes and their values.
When using Microsoft Information Protection, you will not see these attributes when using the compliance center. They are not visible when you create or modify a policy. Nor are these attributes visible in any other part of the compliance center. The solution: use PowerShell.
You can still configure these advanced settings – although Microsoft now calls them the “Custom configurations”. The settings apply to the unified labeling client, so you will need that (installable) client for the settings below. Let’s take a look.
Connect to the environment by using the Connect-IPPSSession cmdlet. Now you can access the settings for the labels and policies. To start with, let’s take a look at the specific settings for a label policy. Use this cmdlet: (Get-LabelPolicy -Identity <Policyname>).settings
All settings for the policy are there, including the custom ones (at the bottom). Another cmdlet that you might want to use is this one: Get-label -Identity <label> | Format-list ImmutableId. This cmdlet returns the label-id. This label-id is required for some of the other cmdlets.
The other cmdlets used are Set-Label and Set-LabelPolicy
| Specify a color for a label. | Set-Label -Identity <policyname> -AdvancedSettings @{color=”#40e0d0″} |
| Exempt Outlook messages from mandatory labeling. | Set-LabelPolicy -Identity <policyname> -AdvancedSettings @{DisableMandatoryInOutlook=”True”} |
| Disable custom permissions from the Windows File Explorer | Set-LabelPolicy -Identity <policyname> -AdvancedSettings @{EnableCustomPermissions=”False”} |
| Trust specific domains when emails are sent. These interact with the setting below. | Set-LabelPolicy -Identity <policyname> -AdvancedSettings @{OutlookBlockTrustedDomains=”<domain>”} |
| Warn, justify or block emails with a specific label being sent. | Set-LabelPolicy -Identity <policyname> -AdvancedSettings @{OutlookJustifyUntrustedCollaborationLabel=<“labelid”>} |
The warning for Outlook is a specific function. It scans either email and/or attachments for labeled content and either blocks the message or warns the users. This function is a great addition to any data loss prevention rules you may have set up. The default message contains the name of the labeled document and the intended recipients.
In the table above we work with default settings for Outlook. But all of these settings and messages can be made to measure. And for this, we will need JSON.
A specific JSON script is used to create your own rules and messages when using Outlook. It will replace the other settings as displayed in the table above. Here’s a sample JSON that only scans emails that are not sent to “Domain.com”. It also looks for Office and PDFs labeled with a specific label. And when found, it will warn the user not to send this type of information.
Add this configuration to Microsoft Information Protection by using this PowerShell cmdlet:
$filedata = Get-Content <json-file-location>
Set-LabelPolicy -Identity <policy> -AdvancedSettings @{OutlookCollaborationRule_1 =”$filedata”}
You can set multiple rules. These are numbered and this is crucial. You will need to add OutlookCollaborationRule_<number> to the cmdlet. Always starting from 1 upwards. This is mandatory, so don’t choose your own names! 🙂
This works great. But please be aware. When the JSON contains errors, these are not displayed when using the PowerShell cmdlet. But the unified labeling client will display an error message: the collaboration rules cannot be run. The same goes for specific versions for the client. These cannot handle email messages being added as attachments. See below. This has been solved with the new (preview) client.
I hope this gives you some insights into the possibilities for the custom configurations. A complete list of all possible configurations can be found here: https://docs.microsoft.com/en-us/azure/information-protection/rms-client/clientv2-admin-guide-customizations?WT.mc_id=EM-MVP-5003084
Governance, Risk, Security and Compliance 