Message Classifications, Exchange Server, Exchange Online and Outlook


Message Classifications are a way to tag email with a property that describes the purpose of the email, for example “Internal Use Only” might be a classification to tell the recipient of the email that the message should not be forwarded. Classifications are configured by administrators and appear shortly after creation in Outlook Web App, but need further work for them to appear in Outlook. Once you have a classification system in place, you can use Transport Rules in Exchange to read the classification and act on the message, for example if the message is classified “Internal Use Only” and the recipient is in an external domain then an NDR could be returned and the message dropped.

This blog post will cover the following:

  1. Creating a message classification
  2. Localising message classifications for different geographies and language groups
  3. Classification considerations when you have multiple Exchange organizations
  4. Creating a transport rule to act on a classified message
  5. Sending messages with classification via OWA
  6. Setting up Outlook to use message classifications
  7. Sending messages with classification via Outlook

Creating a Message Classification

This needs to be done in the Exchange Management Shell. It is a single cmdlet per classification. A simple example being:

New-MessageClassification -Name "CorporateConfidential" -DisplayName "Corporate Confidential" -SenderDescription "This email is confidential for the entire company and not to be distributed outside the company"

This creates a classification called Default\Name; in the above example this would be Default\CorporateConfidential. This value is not seen by anyone other than the administrators of Exchange; users see the DisplayName value. The SenderDescription appears at the top of the message as it is being written in Outlook or OWA, and you can have a different RecipientDescription for display in the recipient’s email. In the above example the SenderDescription (which is required) will also be the RecipientDescription, as that was not specifically set.

Note that you can only have 15 message classifications per Exchange Online tenant (M365/Entra ID tenant). If you try to create more than 15 you will get the error “New-MessageClassification: |System.InvalidOperationException|A new message classification can’t be created. You have reached the limit of 15 message classifications. Remove one or more existing message classifications or locales by using the Remove-MessageClassification command.”

Localising Message Classifications

If you want to localise the classification continue with something similar to this (translations from Bing!) by changing the display and description text and setting the locale to match:

New-MessageClassification -Name "CorporateConfidential" -DisplayName "Société Confidentielle" -SenderDescription "Cet email est confidentiel pour l’ensemble de l’entreprise et de ne pas être distribués à l’extérieur de l’entreprise" -Locale FR-FR

Once you have the correct translation, which you need for the DisplayName and SenderDescription, you run the cmdlet which sets the language against the previously created classification. Note that at the time of writing this cmdlet does not work in Exchange Online (see reported issue for more).

Classifications and Hybrid Mode (or multiple Exchange organizations)

If you have both an Office 365 tenant and an on-premises organization (i.e. Hybrid Mode) then you should create the classifications in one organization (recommend the on-premises org) and export them for use in Outlook (see later in the blog). For the other organization (recommend Exchange Online) you should use the same cmdlets to create the classifications again, but specify the ClassificationID that was automatically set when the classification was made on-premises. The same classification in both organizations should have a matching ClassificationID. To get the ClassificationID from Exchange on-premises before running the cmdlets again in remote PowerShell use:

Get-MessageClassification | FT Name,ClassificationID
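The hybrid procedure above can be scripted so the IDs are carried across rather than retyped. This is an added example, not code from the original post; the CSV file name and variable names are assumptions, and the limit of 15 is the figure quoted earlier on this page.

```powershell
# Added example: copy classifications on-premises -> Exchange Online, keeping ClassificationID.
# The file name classifications.csv is an assumption.

# --- Step 1: run in the on-premises Exchange Management Shell ---
Get-MessageClassification |
    Select-Object Name, DisplayName, SenderDescription, RecipientDescription, ClassificationID |
    Export-Csv -Path .\classifications.csv -NoTypeInformation -Encoding UTF8

# --- Step 2: run in a remote PowerShell session connected to Exchange Online ---
$limit    = 15                                   # per-tenant limit stated on this page
$source   = @(Import-Csv -Path .\classifications.csv)
$existing = @(Get-MessageClassification)
$toCreate = @()

foreach ($c in $source) {
    $online = $existing | Where-Object { $_.Name -eq $c.Name } | Select-Object -First 1
    if (-not $online) {
        $toCreate += $c                          # not present online yet
    }
    elseif ("$($online.ClassificationID)" -ne $c.ClassificationID) {
        # Same name, different ID: the two organizations would not agree on this classification.
        Write-Warning "$($c.Name): online ID $($online.ClassificationID) differs from on-premises ID $($c.ClassificationID)"
    }
}

if (($existing.Count + $toCreate.Count) -gt $limit) {
    Write-Warning "Creating $($toCreate.Count) classification(s) may exceed the limit of $limit."
}

foreach ($c in $toCreate) {
    $params = @{
        Name              = $c.Name
        DisplayName       = $c.DisplayName
        SenderDescription = $c.SenderDescription
        ClassificationID  = $c.ClassificationID  # reuse the on-premises ID
    }
    # RecipientDescription is optional; only pass it when the export contained one.
    if ($c.RecipientDescription) { $params.RecipientDescription = $c.RecipientDescription }
    New-MessageClassification @params
}

# Confirm both organizations now list the same IDs.
Get-MessageClassification | Format-Table Name, ClassificationID
```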

Creating a Transport Rule That Uses Message Classifications

Create a new transport rule that implements RMS protection with the “CompanyName – Confidential” template if the message is flagged with the previously created classification. The following screenshot shows the required properties, or you could use PowerShell:

New-TransportRule -Name "Rights Protect Company Confidential Emails PS" -HasClassification CorporateConfidential -ApplyRightsProtectionTemplate "CompanyName – Confidential"

Remember to change the name of the classification and the RMS template name to suit. Also remember that if you have Hybrid Exchange mode enabled, you need to create the transport rule in both locations, therefore you need RMS enabled in both locations (though if you are not using RMS as this example does, you do not need it enabled to do message classifications).

[Screenshot: RMS012]

Classifications and OWA

Once the rule and the classification are created, send an email using OWA, setting the classification while composing the email. Note that during testing I found it could take up to 24 hours for Exchange Online to show both the RMS templates in OWA and the message classifications.

[Screenshot: RMS013]

Note that at the time of writing there is a bug in OWA in Exchange 2013 that causes transport rules to not see the classification correctly. Tests using Outlook (see the next few steps) will work fine.

Classifications and Outlook

It is more complex to do message classifications for Outlook as you need to export the classifications from Exchange Server as an XML file, place the XML file in a location the Outlook client computer can get to and set some registry keys. The steps are as follows:

  1. To send the email using Outlook you need to first export the message classifications using the Export-OutlookClassification.ps1 script from Exchange on-premises (in the Exchange/v15/scripts folder of your installation). To export from Exchange Online you need to copy this script from an on-premises installation and run it in your remote PowerShell window connected to Exchange Online.
  2. Once you have the Classifications XML you need to copy this to each Outlook computer and run Regedit on these computers to enable classifications and to point to the classification file. The regedit settings are:
    1. [HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Policy]
    2. "AdminClassificationPath"="c:\\temp\\temp\\classifications.xml"
    3. "EnableClassifications"=dword:00000001
    4. "TrustClassifications"=dword:00000001
  3. The AdminClassificationPath value must point to the location (on the local computer or an always-available network drive) where the classifications XML file is stored. Note the use of \\ in the AdminClassificationPath, as you cannot use \ because that is a special character in this file. These registry settings are for Outlook 2016; change the version number from 16.0 to suit earlier versions of Outlook (2013 = 15.0, 2010 = 14.0).
  4. Once the registry is set and the classifications XML file is in the location the registry points to, restart Outlook and compose a test message, setting the classification you are looking for in transport rules.
    [Screenshot: RMS014]
  5. When the message arrives at the destination inbox, if it was sent with the classification then it should have the RMS template applied (the action of the transport rule). In the following screenshot you can see two emails in Outlook. The lower email was sent with OWA and due to an OWA bug the classification is set incorrectly and so it is not RMS protected as the transport rule does not fire. The upper email can be seen to have RMS protection, though I cannot screenshot it as it has RMS protection and that stops me using PrintScreen or OneNote screen clipping tools whilst that message is open!
    [Screenshots: RMS015, RMS016]
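The client-side steps above can be applied per user with a script that first confirms the exported file parses as XML and then creates the Policy key if it is missing. This is an added example, not code from the original post; the parameter names are assumptions and the default path is the one used in the registry settings above.

```powershell
# Added example: enable Outlook message classifications for the current user.
# Parameter names are assumptions; defaults match the values shown on this page.
param(
    [string]$XmlPath       = 'C:\temp\temp\classifications.xml',
    [string]$OfficeVersion = '16.0'   # 16.0 = Outlook 2016, 15.0 = 2013, 14.0 = 2010
)

# 1. Refuse to configure Outlook against a missing file.
if (-not (Test-Path -LiteralPath $XmlPath -PathType Leaf)) {
    throw "Classification file not found: $XmlPath"
}

# 2. Refuse to configure Outlook against a file that is not well-formed XML.
$doc = New-Object System.Xml.XmlDocument
try {
    $doc.Load((Resolve-Path -LiteralPath $XmlPath).ProviderPath)
}
catch {
    throw "Classification file is not well-formed XML: $($_.Exception.Message)"
}
Write-Host "XML parsed, root element: $($doc.DocumentElement.Name)"

# 3. Create the Policy key when it does not exist yet.
$key = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Common\Policy"
if (-not (Test-Path -Path $key)) {
    New-Item -Path $key -Force | Out-Null
}

# 4. Write the three values. The doubled backslash is only needed inside a .reg file;
#    here the path is written as-is and stored with single backslashes.
New-ItemProperty -Path $key -Name 'AdminClassificationPath' -Value $XmlPath `
    -PropertyType String -Force | Out-Null
New-ItemProperty -Path $key -Name 'EnableClassifications' -Value 1 `
    -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $key -Name 'TrustClassifications' -Value 1 `
    -PropertyType DWord -Force | Out-Null

# 5. Show what Outlook will read on its next start.
Get-ItemProperty -Path $key |
    Select-Object AdminClassificationPath, EnableClassifications, TrustClassifications
```

Restart Outlook after running it, as in step 4 of the list above.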

Comments

15 responses to “Message Classifications, Exchange Server, Exchange Online and Outlook”

  2. Steve C.

    In my Exchange 2013 environment, the XML file and the reg entry “AdminClassificationPath” are completely unnecessary for Outlook 2010, 2013 and 2016 clients to view the message classifications that are applied to emails. In fact, when that key and file are present, it actually causes Outlook 2013 and 2016 to crash when you click the message.
    Unfortunately, the proper setup for MessageClassifications and Outlook seems to be very poorly documented by Microsoft.

    1. Brian Reid

      As far as I have tested you still need the regkey and the XML file. Have you checked that the XML file is not corrupt? That would crash Outlook. Open the XML file in Internet Explorer or Edge to prove it is a valid XML file.

  3. TroubledAdmin

    Our organization has the classification banners installed on computers. Some of our users have issues with their profiles that cause the classification banner not to be enabled during Outlook startup. This isn’t due to Outlook disabling it because it took too long to load, because even with the add-in force enabled it will still be disabled the next time Outlook is closed. Right now the user can go in and manually enable it but it’s only while Outlook 2013 is open; if it’s shut then reopened it’s disabled again and the classification banner doesn’t populate when you press send. We can’t leave this up to the user to enable. Any thoughts?

    1. Brian Reid

      Not sure what you mean by “classification banners”. The classification XML file is loaded without recourse to add-ins.

  4. Andrea Gasparetto

    HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Policy
    is missing in outlook 2016.
    Does it need be created before adding the other dwords?

  5. Riham

    Dear Mr. Brian Reid, this article really helped me and I have set the message classification in Exchange and now I have found my classification on OWA.
    I have a valid XML file and I have set the registry key. But the Permission button is still in hide mode (I can’t click on it). My user computers are in a domain environment; do I need to do any other settings? Please kindly advise. Thank you.

    1. Brian Reid

      What version of Outlook are you using please, and if Office ProPlus have you enabled the preview option to change the UX to the new layout?

  6. Nina

    Hi there,

    Is there any way at all to make this work with Office 365 cloud?

    Thanks,

    Nina

    1. Brian Reid

      This works exactly the same way with Exchange Online. There is nothing different that you need to do.

  7. TMK

    Hi all, very helpful KB, but may I know if it’s applicable to set a default classification for all users to be, for example, Company Internal (OWA, Outlook and ActiveSync)?

    1. Brian Reid

      So a default classification for all users automatically – I am not aware that you can. A transport rule can do this, but Outlook cannot. So it won’t show the classification to the user before the mail is sent.

  8. Gil

    Is the message classification placed into a header? If so, what is that header called?

    1. Brian Reid

      Not that I have ever looked. It might be an extended Outlook property that is sent to the server, but not as an SMTP header.
