Allow DLP rule exception for encrypted outbounds
DLP rules do not allow an exception of the predicate "MessageTypeMatches" with the notify sender action. Doing so results in the error:
One of the conditions you specified can't be used for rules where you want to notify the sender. Error details: The NotifySender action isn't compatible with 'MessageTypeMatches' predicate.
I would like to trigger a rule on outbound matches unless the message is encrypted in order to enforce our internal policy compliance.
This has been here for over two years. There is a DLP / encrypted exception available for mail flow rules (but mail flow rules can't check attachments), so this is extremely important.
WHY?!? Why does Microsoft continue to ***** sys admins like this? This needs to be fixed! 4 calls and 16 hours later, support led me here. WHAT A CROCK! How do we get users to pay attention to DLP alerts when they are trying to make their best effort to protect data (like encrypting email before sending) and they still get these notifications stating they did something wrong! Microsoft MUST BE REPLACED WITH A SERVICE PROVIDER THAT ACTUALLY PROVIDES SOLUTIONS THAT WORK!
This is stupid. MS, you are failing.
Josh - can you achieve your stated outcome by just auto-encrypting the outbound message if it matches your conditions? Above you want to block the message and advise the sender unless it is encrypted.
Microsoft, "hello...hello"...could you resolve this issue please?
November 4, 2018 - Still a problem. It's pretty obvious Transport Rules are not applied before DLP rules like the documentation says here - https://docs.microsoft.com/en-us/office365/securitycompliance/how-dlp-works-between-admin-centers#how-dlp-in-the-security--compliance-center-works-with-dlp-and-transport-rules-in-the-exchange-admin-center.
Considering this has been a problem for at least over a year... I wonder if Microsoft reads this stuff.
I guess I'll save my typing. What a cluster-fsck.
Agreed. Where a sender is inside the organization and has already encrypted an outgoing email, it does not make sense that the default HIPAA compliance DLP policy would then inspect the email, as the encryption process has already deemed the email compliant.
We have been struggling with this also. If you create a Mail flow rule to try to do this, it does not work. I really wish MS would not push things out like this so untested! MS please fix DLP or Mailflow rules!
Anthony J Vlachos commented
This is still an issue, just spent almost 2 hours on the phone with support to find out we could not override the DLP rule and prevent users from being falsely notified after they sent a secure email.
Time to get this updated.
Any update on if this is going to be possible in the near future? My clients are also requesting this feature. Until it's in place, they only consider this a partial solution, or will not use it at all to help ensure financial data is secured.
Got very surprised when I discovered this could not be achieved. Now the function is quite confusing for our users who receive an email alert even if they encrypt the mail.
+The Swedish report button text is wrongly translated and has the opposite meaning. Totally misleading.
A major dropped ball in my opinion. Should be very simple - set up a rule to check for sensitive data. If the rule is triggered, stop the e-mail UNLESS the message is already encrypted, then let the message go free. Please get this changed right away MS!!
Zeff Wheelock commented
I have an email transport rule. Apply This Rule If... The Recipient is located outside of the organization AND The message contains any of these sensitive information types... U.S. Social Security Number (SSN). Do the following: Encrypt the messages with the previous version of OME AND Notify the Sender with a policy tip: Notify the sender, but allow them to send. I am trying to add an exception Except If The Subject includes encrypt (or even message header Subjects includes encrypt). I get an error One of the conditions you specified can't be used for rules where you want to notify the sender. Error Details: The NotifySender action isn't compatible with 'Subject Contains' predicate. We want to notify our users when they do not secure an email correctly.
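The two rule shapes discussed in this thread, written out as an added Exchange Online PowerShell example (this is not code from the original post or from Microsoft): the first is the configuration Zeff describes, with the "notify sender" action plus an "already encrypted" exception, which the thread reports is rejected; the second is the workaround suggested earlier in the thread, dropping the sender notification and just encrypting matching outbound mail unless it already carries the Encrypted message type. It assumes an Exchange Online PowerShell session is already open, and the rule names are hypothetical. Whether a given encryption method actually sets the Encrypted message type on a message is something to confirm in your own tenant with a test send before relying on the exception.

```powershell
# Added example for this thread, not code from the original post.
# Run inside an Exchange Online PowerShell session (Connect-ExchangeOnline).
# Rule names below are hypothetical.

# Rule shape 1: what the comment above describes. Encrypt external mail that
# contains a U.S. SSN, notify the sender with a policy tip, and try to add an
# exception for mail that is already encrypted. The thread reports that the
# NotifySender action is rejected together with the MessageTypeMatches (or
# Subject Contains) predicate, so this is left commented out; it is the shape
# that produces the error quoted at the top of the page.
#
# New-TransportRule -Name "External SSN - notify sender" `
#     -SentToScope NotInOrganization `
#     -MessageContainsDataClassifications @{Name = "U.S. Social Security Number (SSN)"} `
#     -ApplyOME $true `
#     -NotifySender NotifyOnly `
#     -ExceptIfMessageTypeMatches Encrypted
#     # or, as in the comment above:  -ExceptIfSubjectContainsWords "encrypt"

# Rule shape 2: the workaround proposed earlier in the thread. No sender
# notification, so the "already encrypted" exception is accepted; matching
# external mail that is not already encrypted is simply encrypted in transit.
# -ApplyOME is the "previous version of OME" action the comment mentions; the
# template-based equivalent is -ApplyRightsProtectionTemplate "Encrypt".
New-TransportRule -Name "External SSN - encrypt unless already encrypted" `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @{Name = "U.S. Social Security Number (SSN)"} `
    -ExceptIfMessageTypeMatches Encrypted `
    -ApplyOME $true `
    -Mode Enforce `
    -Priority 0

# Check that the stored rule carries the exception you intended, then send one
# test message that is already encrypted and one that is not, and confirm in
# the message trace which of them the rule acted on.
Get-TransportRule -Identity "External SSN - encrypt unless already encrypted" |
    Format-List Name, Priority, Mode, SentToScope, MessageContainsDataClassifications,
                ExceptIfMessageTypeMatches, ApplyOME
```

If the goal is also to tell users they sent something unprotected, that is the part the thread says cannot be combined with the exception: the second rule silently protects the message, it does not educate the sender.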
YES this is a huge need!
Yes, I agree. I would like to send an educational email back to the user (and not deliver the message) if there is a DLP match EXCEPT if they encrypted the message.
Yes this enhancement is crucial for the business process. Has there been any advancement in this area?
Yes, I agree. The emails from the DLP rules under Security and Compliance are much better than the email bounces you receive when you set up DLP policies in Exchange. However, since you cannot set up keyword exceptions in the Security and Compliance section of Office 365, I agree this would be a great feature update.