Exchange Transport Rules (ETRs) stopping support for DLP scenarios

Last year, the Exchange Online data loss prevention (DLP) experience was retired from the classic Exchange admin center (EAC) (MC278896, August ’21 & MC400953, July ’22). We recommend customers use Microsoft Purview Unified DLP, which extends DLP protection to SharePoint Online, OneDrive for Business, Teams chats, devices, and more. The Microsoft Purview compliance portal provides access to advanced classification capabilities like EDM, ML, etc., along with rich alerts, incident management features, and more.

We are notifying you now that we are removing support for Exchange Online DLP in mail flow rules.

[When this will happen:]

mid-November 2023

[How this will affect your organization:]

Beginning mid-November, the ability to use the following Exchange DLP-related actions and conditions/exceptions (predicates) will be removed from mail flow rules:

  • Actions: NotifySender
  • Conditions/Predicates: MessageContainsDataClassifications (message contains sensitive information), ExceptIfMessageContainsDataClassifications, HasSenderOverride (sender has overridden the Policy Tip), ExceptIfHasSenderOverride

You will no longer be able to create new mail flow rules with these actions/predicates and any existing rules that use them will no longer be evaluated or run. If you’ve already migrated to Unified DLP, we recommend that you delete any affected mail flow rules. Otherwise, migrate and then delete any existing, affected mail flow rules before mid-November .

When the rollout reaches your tenant, you’ll see additional mail flow rule properties in the EAC and in Exchange Online PowerShell to show you which rules are no longer supported (Configuration Support and Unsupported Reason).

[What you need to do to prepare:]

Use the Get-TransportRule cmdlet to see if your organization has any existing mail flow rules that use these DLP actions or predicates. If you’ve already migrated to Unified DLP, verify that any mail flow rules that use the Exchange DLP conditions/predicates have been removed from the EAC or Exchange Online PowerShell. If you haven’t migrated to Unified DLP, migrate before mid-November, and then delete the Exchange DLP mail flow rules.

To learn more about creating rules in DLP, see Create and deploy a data loss prevention policy.

Comments

No comments yet. Why don’t you start the discussion?

Leave a Reply

Your email address will not be published. Required fields are marked *