DLP rules do not allow an exception of the predicate "MessageTypeMatches" with the notify sender action. Doing so results in the error:
One of the conditions you specified can't be used for rules where you want to notify the sender. Error details: The NotifySender action isn't compatible with 'MessageTypeMatches' predicate.
I would like to trigger a rule on outbound matches unless the message is encrypted in order to enforce our internal policy compliance.

At the present time DLP is not able to read OCR documents, namely documents scanned to PDF. This is a GIANT, GAPING hole in terms of security. I have clients who have 100's of thousands of documents that contain sensitive information saved in OneDrive but no DLP policies can be applied to these documents, since DLP is not OCR aware. Please correct ASAP! Thanks!

Currently, documents that are labelled can be co-authored in Office, but any document that is encrypted can only be opened by one person at a time. This prevents most of the business scenarios folks use today with two three or more folks editing a document at the same time. Instead - it forces businesses to email copies of a document around after setting AIP policies to allow folks to all edit it. A huge blocker for most of our customers.

Provide in explorer visual indicators that easily shows the classification and protection status of the document, both in the icon views and in the list views showing document properties.

Enable AIP labelling of OneNote notebooks and protecting of OneNote notebooks, ideally with protection options at the page, section or notebook scopes

Surface label policies in the Office 365 DLP engines to allow consistent classification, labeling and protection

Provide a Mac AIP client that is consistent with the current Windows AIP client, and is able to classify and protect documents from the desktop. For the AIP toolbar in Mac Office, use https://msip.uservoice.com/forums/600097-azure-information-protection/suggestions/19602337-integrate-aip-natively-into-office-for-mac.

Add the ability to perform CLP on calendar items and other items like tasks and notes

Provide a central logging service for all sensitivity labeling logs

Allow AutoSave to work when a document is protected. Currently, it becomes disabled when you protect the document which then causes inconsistent behavior across documents and interferes with coauthoring.

Add new policy options to integrate and enforce Conditional Access policies (such as user, device, location etc) when accessing sensitive information depending on the label, including MFA

Expand the visual marking dynamic options to include additional user and device attributes (including from AD, AAD and devices). In particular, add support for the name or email address of the user viewing the document so visible markings can be used to dissuade some vectors for data leakage such as screen pictures.

Create a DLP Policy where you can add the Sensitive Label on it because currently, only Sensitive info type and Retention Label can be added

The ability to add a company logo or image to a signature as an admin globally for all users would be nice. Currently the suggested solution to append a disclaimer isn't ideal as it always posts the image to the very bottom of the email, not the signature. This doesn't work for a back and forth conversation thread since it starts stacking the image at the bottom.

It could be great knowing who changes a label to correct this or who violates the internal classification policy.

Right now you cannot search for administrative Event regarding Unified Labeling in Office 365 Admn portal Audit Log Search.

Office 365 Message Encryption can be leveraged in case of a delegated inbox scenario. If an encrypted message is sent to a person who's inbox is delegated e.g. to a secretary the delegated has the ability to request a one-time passcode to the delegated inbox and so full access on the OME protected message can be gained.

This scenario could be avoided by sending the one-time passcode using SMS because then the delegated has no access to the one-time passcode.

If a user is a designated delegate of a mailbox of another user, allow them to access content protected to that user

Adding encryption ome v2 (encrypt-only) to outbound emails with sensitive data detection is easy enough. However when that email is opened by the recipient and replied to, the email comes in encrypted to the sender, who has to go thru the process to decrypt. There is an option in the EOP rule to "Remove Office 365 Message Encryption and right protection" however fails since the predicate must match "The sender is located?" "Inside the organization". This is no problem with ome v1 but is not working with ome v2. Need to add the capability to decrypt those messages automatically.