Hello,

we have two options to set the 'offline access' time:
- in the protection template of a label
- via PowerShell

The more restrictive option is always prioritized.

I would like to have an Advanced Setting which lets me choose which one to enforce per label.

For example:
- Label: Confidential \ All Employees (7 days offline access)
- Label: Strictly Confidential \ Custom Permissions (0 days offline access)

When I want to enforce the 0 days offline for custom permissions I need to set them via PowerShell.
But then these 0 days are also enforced for the 'Confidential \ All Employees' label.
But here I want to have the 7 days offline access.

So I would like to configure an Advanced Setting to enforce that for this label the offline access from the protection template is used and not the more restrictive one.

Best regards

On a tenant with DKIM configured and enabled, using a domain with a configured DMARC policy, Microsoft does not DKIM sign the message.

This might seem fine to Microsoft, the message originates and terminates within their system, and to Microsoft there's no reason to enable features that allow other systems to verify the authenticity of those e-mails.

This ignores third party e-mail filters that hook in to O365 to catch phishing attempts. Phishing of internal e-mail domains would be the most difficult to catch for average users.

Another scenario not involving third party tech solutions is this that DMARC alignment with forwarded e-mails from within a Tenant is not performed. The lack of signing internal e-mails means that if those e-mails are altered and forwarded outside of the organization DMARC alignment cannot be performed to catch unauthorized alteration of a person's correspondence.

Such correspondence altering could include banking details, or their views on a topic that would benefit a rogue actor to simulate.

That could be avoided if Microsoft just indiscriminately signed messages originating in O365 regardless of where they terminate. The e-mail correspondence would be much safer.

This should at the very least be an option to enable within the DKIM configuration.

Refer https://support.microsoft.com/en-us/help/4459264/cannot-view-office-365-irm-encrypted-message-for-ddg, "Assume that you send an email to an Exchange Online Dynamic Distribution group (DDG) that has an Azure Information Protection Information Rights Management (IRM)-protected template applied, such as "Do Not Forward." When the recipient tries to open the email, they are redirected to Outlook on the web (OWA). OWA displays a button to read the message, but selecting the button does not work, and the recipient gets caught in an infinite loop without being able to view the message."

Apparently "This behavior is by design." as "IRM encryption does not support DDGs"

Please make these options work for DDGs

Some things work better on the command line. This is not one of those things. Being able to update text, and graphics with a live example of how the message will look is critical to success here. The support article doesn't talk about verification. What's the workflow here? Run some PowerShell commands, send an e-mail, wait, look at the formatting, and then try again? That's not an efficient way to edit a visual style. The editor should be like a WYSIWYG editor. As you change the elements on the right sidebar the content in the middle changes, showing what the e-mail will look like. Then you only need to send one test e-mail at the end to verify that the actual e-mail matches what was shown in the editor.

SOURCE:
https://docs.microsoft.com/en-us/microsoft-365/compliance/add-your-organization-brand-to-encrypted-messages

MIP currently grants access to content based on a fixed Access Control List defined in the policy.
Granting access based on a series of arbitrarily complex rules that use attributes from different sources (Attribute Based Access Control or ABAC) would enable more flexible document protection scenarios such as limiting access to people based on the project they work in, their role in the organizational structure, their training status and more, and including in the decision different aspects of the document including whether the document is tagged as final, if it is flagged for external use or if it is related to a specific account, among many other factors.

While document creators have by definition unrestricted access to the data they add to the document, having owner rights would allow them to later extract data others have added to the documents they created. Owner rights also allow creators to downgrade classification on documents that have already been classified.
The suggestion is to have a setting on each policy that when enabled does not automatically grant the creator of a document full control rights or the ability to reclassify once the document is closed. This should enable revocation of access for content creators and would also prevent such users from removing protection.