When creating a policy for a sensitivity label, you have the option to set a default label for the users the policy targets. You can get more information on this process under the “Apply a default label” item on Microsoft’s Learn About Sensitivity Labels page. This method, however, has a limitation: it only works within a mail client that can connect to the Microsoft 365 Security/Compliance endpoints. Doesn’t seem like a huge issue, right? Well, what about automated notifications that are sent via Power Automate or another custom solution that doesn’t use the Outlook (or another) client? I’ve tested this. It doesn’t work. If I send from Outlook or OWA I get the default label. If I have an automated process within Power Automate, I don’t. In this post, I will show you how you can apply sensitivity labels for automated processes so that all of your emails carry a sensitivity label.
Apply Sensitivity Labels for Automated Processes
Microsoft recently announced the public preview of what they are calling “Auto-labeling” of sensitivity labels within Microsoft 365. They state this uses “Service-Side labeling”, meaning the labeling is handled by the service the content is located in. For those of you looking for labeling of your data at rest, this is it! Note, however, that it still doesn’t label Exchange content at rest.
To accomplish this, we first need to create a sensitive information type. This is one of the requirements of an auto-apply rule. There are actually three possible conditions:
- Content contains sensitive info types
- Any email attachment’s content could not be scanned
- Any email attachment’s content didn’t complete scanning
“Content contains sensitive info types” fits best for what we are trying to do.
Since the intention of this process is to label emails sent via an automated process, create a sensitive info type that looks for a unique phrase that exists within all of the automated notifications.
Next up is creating the auto-label:
- Log in to the Microsoft 365 security console (https://security.microsoft.com/)
- Click on Classification -> Sensitivity labels -> Auto-labeling (preview) -> “+ Create policy”
- The first screen displayed is the sensitivity template selection. Select Custom in the category column and then “Custom policy”. Click Next
- Provide a meaningful name and description for the policy.
- Because this is being used for automated notification emails only and not for other sources, enable only the Exchange location
- Click on Choose users or groups
- Click Add
- Select the user(s) that will be sending out the notifications
- Click Add -> Done -> Next
- Select Advanced Settings and click Next
- A screen for Exchange mail rules is displayed. Click “+ Create rule”
- Provide the rule a name and description.
- Click on “+ Add condition”
- Select “Content contains sensitive info types”
- Click Add and select Sensitive info types
- Find the sensitive type previously created for this task and click Add
- Modify the Accuracy and instance count as required.
The next three steps (18-20) are optional but recommended, as they provide more fine-tuning of the auto-label detection. They require that the notification process also sends a BCC (blind carbon copy) of the notification to the account sending the notification.
- Click “+ Add Condition”
- Select the “Recipient is” option
- Type in the email address of the account sending the notifications and click add
- Click Save
- Click Next
- Click “+ Choose a label” and select the label that should be applied to the automatic notifications.
- Click Next
- The next screen lets you run the policy in simulation mode (required before it can be turned on) or leave it disabled. Select “Run policy in simulation mode” and click Next
- Review the settings and click Submit
- Click Done.
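The same configuration can be scripted from Security & Compliance PowerShell. The block below is an added example and not part of the original post: it creates the keyword-based sensitive info type as a classic rule package, then the Exchange-only auto-labeling policy in simulation mode, with a rule that requires both the phrase and the BCC to the sending account. It assumes the ExchangeOnlineManagement module and the cmdlet parameters as documented for it; the phrase, label name, sender address, publisher and display names are placeholders.

```powershell
# Added example (not the post's own code). Placeholders below must be replaced.
$Phrase  = 'AUTOMATED NOTIFICATION - DO NOT REPLY'   # unique text present in every automated mail
$Label   = 'Internal'                                # sensitivity label to apply (placeholder)
$Sender  = 'noreply@contoso.example'                 # account sending (and BCC'd on) the notifications
$SitName = 'Automated Notification Phrase'           # display name of the sensitive info type

Connect-IPPSSession   # Security & Compliance PowerShell (ExchangeOnlineManagement module)

# Keyword-based custom sensitive info type, defined as a classic XML rule package.
# GUIDs are generated here rather than hard-coded.
$RulePackId = [guid]::NewGuid(); $EntityId = [guid]::NewGuid()
$Xml = @"
<?xml version="1.0" encoding="utf-8"?>
<RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
  <RulePack id="$RulePackId">
    <Version major="1" minor="0" build="0" revision="0" />
    <Publisher id="$([guid]::NewGuid())" />
    <Details defaultLangCode="en-us">
      <LocalizedDetails langcode="en-us">
        <PublisherName>Contoso (placeholder)</PublisherName>
        <Name>Automated Notification Rule Pack</Name>
        <Description>Matches the fixed phrase used by automated notifications</Description>
      </LocalizedDetails>
    </Details>
  </RulePack>
  <Rules>
    <Entity id="$EntityId" patternsProximity="300" recommendedConfidence="85">
      <Pattern confidenceLevel="85">
        <IdMatch idRef="Keyword_AutoNotify" />
      </Pattern>
    </Entity>
    <Keyword id="Keyword_AutoNotify">
      <Group matchStyle="string">
        <Term caseSensitive="true">$Phrase</Term>
      </Group>
    </Keyword>
    <LocalizedStrings>
      <Resource idRef="$EntityId">
        <Name default="true" langcode="en-us">$SitName</Name>
        <Description default="true" langcode="en-us">Fixed phrase found in automated notifications</Description>
      </Resource>
    </LocalizedStrings>
  </Rules>
</RulePackage>
"@
New-DlpSensitiveInformationTypeRulePackage -FileData ([System.Text.Encoding]::UTF8.GetBytes($Xml))

# Auto-labeling policy scoped to the sending mailbox only, created in simulation mode first.
New-AutoSensitivityLabelPolicy -Name 'Label automated notifications' -ExchangeLocation $Sender `
    -ApplySensitivityLabel $Label -Mode TestWithoutNotifications

# Rule: the phrase is present AND the mail is addressed (via BCC) to the sending account.
New-AutoSensitivityLabelRule -Name 'Automated notification phrase' -Policy 'Label automated notifications' `
    -Workload Exchange -ContentContainsSensitiveInformation @(@{Name = $SitName; minCount = '1'}) -SentTo $Sender
```

After the simulation period, switching the policy on is `Set-AutoSensitivityLabelPolicy -Identity 'Label automated notifications' -Mode Enable`, the equivalent of the “Turn on policy” option in the console.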
Microsoft requires that the policy run in simulation mode for a 24-hour period to ensure the correct information is being labeled. You can view the auto-apply label policies on the “Auto-labeling” tab.
Clicking on a file/email will bring up the simulation report.
Once the simulation has run for at least 24 hours (there isn’t a limit to how long a simulation can run), review the results to ensure all expected items have been labeled and nothing has been flagged that should not have been. Then, from within the label policy, click the “Turn on policy” option to enable the policy to automatically label the items.
So while there isn’t a method currently to assign a default label to all emails for an automated process, the steps outlined in this post should provide a usable workaround.
Thanks for reading!