Create Outlook Protection Rules
Applies to: Office 365 for enterprises, Live@edu
Outlook protection rules automatically apply Information Rights Management (IRM) protection to messages in Microsoft Outlook 2010, based on message conditions that include the sender's department, who the message is sent to, and whether recipients are inside or outside of your organization. When an Outlook protection rule is enabled, Outlook 2010 inspects messages before they are sent and applies a rights management services (RMS) template if a message meets the conditions of the rule.
Note Outlook protection rules aren't applied to messages sent using Outlook Web App.
You have to use the New-OutlookProtectionRule cmdlet in Windows PowerShell to create Outlook protection rules.
- Outlook protection rules or transport rules?
- Before you begin
- Conditions for Outlook protection rules
- Create Outlook protection rules
- Prevent users from overriding an Outlook protection rule
- Disable and enable an Outlook protection rule
- Remove an Outlook protection rule
Outlook protection rules or transport rules?
As explained in Set Up and Manage Information Rights Management in Exchange Online, you can also use transport rules to IRM-protect messages.
So what's the difference between transport rules and Outlook protection rules? Let's take a look.
Feature | Outlook protection rules | Transport rules |
---|---|---|
Run on Exchange Online servers. |
No |
Yes |
Run on Outlook 2010 client. |
Yes |
No |
The user can override. |
Yes, if configured by administrator |
No |
Can be applied to Outlook Web App users |
No |
Yes |
Can be applied to e-mail clients running on mobile devices |
No |
Yes |
Encrypts messages before they're sent |
Yes |
No (Messages are in clear text in sender's Sent Items folder.) |
Top of page
Before you begin
You have to enable IRM in your cloud-based e-mail organization and distribute Active Directory Rights Management Services (AD RMS) rights policy templates before you can apply Outlook protection rules. For instructions about how to do this, see Set Up and Manage Information Rights Management in Exchange Online.
To learn how to install and configure Windows PowerShell and connect to the service, see Use Windows PowerShell in Exchange Online.
Conditions for Outlook protection rules
Use the conditions described in the following table to configure Outlook protection rules. When a message meets one of these conditions, which are parameters of the New-OutlookProtectionRule cmdlet, Outlook 2010 applies the AD RMS rights policy template that is specified by the rule.
You can use more than one condition in an Outlook protection rule.
Condition (parameter) | Description |
---|---|
FromDepartment |
Outlook looks up the sender's department attribute and applies an AD RMS rights policy template to the message if the sender's department matches the department specified in the rule. For example, you can create a rule to apply an AD RMS rights policy template to all messages sent by users in the Human Resources department. |
SentTo |
Use this condition to apply an AD RMS rights policy template to messages sent to specific users or groups. For internal users, specify the recipient's identity in the parameter value. For internal recipients, specify their SMTP address. Note The SentTo parameter doesn't accept wildcard characters. When multiple recipients are specified, messages sent to any of the specified recipients are considered a match. |
SentToScope |
Use this condition to apply an AD RMS rights policy template to messages sent inside or outside of your organization. Use one of the following values:
|
Important If you don't include a condition in an Outlook protection rule, the rule will be applied to all messages.
Create Outlook protection rules
Use the New-OutlookProtectionRule cmdlet to create Outlook protection rules.
Tip Before you create an Outlook protection rule, run the Get-RMSTemplate | fl Name
command to display the names of the AD RMS rights policy templates available in your Exchange Online organization.
Create a rule to apply an AD RMS rights policy template depending on the following | Command |
---|---|
Who sends the message. |
Example This command applies the Do Not Forward AD RMS rights policy template to any message sent by a member of the Legal department:
|
Who the message is sent to. |
Example This command applies the Company Confidential AD RMS rights policy template to any message sent to the ExternalContractors distribution group:
|
Whether recipients are inside or outside your organization. |
Example This command applies the Do Not Forward AD RMS rights policy template to any message sent a recipient in your organization:
|
Who sends the message and whether the recipient is inside or outside your organization. |
This example combines two conditions in an Outlook protection rule. Example This command applies the Do Not Reply All AD RMS rights policy template to any message sent by a person in the HR department to anyone in your organization:
|
Top of page
Prevent users from overriding an Outlook protection rule
When you create an Outlook protection rule, users can override the action taken by the rule by applying a different AD RMS rights policy template or by removing any rights protection when they compose an e-mail message.
To prevent users from overriding a rule, set the UserCanOverride parameter to $false.
To prevent users from overriding an existing Outlook protection rule, run the following command:
Set-OutlookProtectionRule -Identity <name of rule> -UserCanOverride $false
Disable and enable an Outlook protection rule
You can disable an Outlook protection rule so that it isn't applied to message. When you disable the rule, it's not deleted and it can be re-enabled.
To disable an Outlook protection rule, run the following command:
Disable-OutlookProtectionRule -Identity <name of rule>
To enable an Outlook protection rule, run the following command:
Enable-OutlookProtectionRule -Identity <name of rule>
Remove an Outlook protection rule
To permanently delete an Outlook protection rule, run the following command:
Remove-OutlookProtectionRule -Identity <name of rule>
Top of page