Marcus-9726 avatar image
0 Votes"
Marcus-9726 asked KyleXu-MSFT edited

Office 365 DLP/Sensitivity Labels with Exchange Hybrid

I have Exchange hybrid environment with Exchange 2016 on-premise server and some users are in O365 and some are on-premise. I do have E3 license and would like to implement office 365 DLP such as sensitivity labeling or blocking sending email with confidential information/apply watermark.

I know that office 365 users will not have any issue with the DLP since both are in cloud, but how about on-premise Exchange server? Do we need to do anything in on-premises Exchange server? What I can see from Microsoft article is only the on-premise user sending emails to on-premise user will not have DLP apply.

So in this case, what we need to do is assign a license to the on-premise user and straight away create the DLP policy in office 365 and they should take effect from there? On-premise users sending out email externally the DLP policy will apply?

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

KyleXu-MSFT avatar image
0 Votes"
KyleXu-MSFT answered KyleXu-MSFT edited


The DLP is used to protect the emails that send to external organization. In a hybrid mode, Exchange on-premise and Exchange online are in the same organization, so the email that sent from Exchange on-premises to Exchange online will not be applied DLP.

If you want to protect emails that sent from Exchange on-premises to external recipients, you also need to enable DLP on your Exchange on-premises(Due to Exchange on-premises mailboxes will send email to the Internet directly, email cannot through Exchange online to the Internet in a hybrid mode).

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

· 5
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi @KyleXu-MSFT

"you also need to enable DLP on your Exchange on-premises"

Meaning the policy that we configured in Exchange online will not take effect in Exchange on-premise? We have to configure a separate DLP policy for on-prem Exchange users?

And may I know how should we enable DLP as well in Exchange on-premise, I can see there's something call RMS connector but that's for Azure Information Protection. If I want to have sensitivity label as well this connector will achieve for hybrid deployment?

0 Votes 0 ·

Any update about this thread now?
If the above suggestion helps, please be free to mark it as an answer for helping more people.

0 Votes 0 ·

Hi @KyleXu-MSFT

Just one last question, If I only need to deploy sensitivity label with Exchange hybrid environment. What I need to do is just configuring sensitivity label in O365 and install the RMS connector and configure in my Exchange on-prem servers will do?

Does my on-prem users need to have a O365 license in order to use the labels?

0 Votes 0 ·
Show more comments
sbairu avatar image
0 Votes"
sbairu answered KyleXu-MSFT commented

Hi, @Marcus-9726,

The On-Premises DLP 131720-webinar-faq-microsoft-on-premises-dlp.pdfprovided an overview of a MIP solution for on-premises data at rest, understanding on-prem specific challenges, implementing the methodology, and concluded with a demonstration of the most useful scenarios that can be addressed by the on-premises scanner.​


If you have Exchange Server, SharePoint Server, and Windows file servers, you can deploy the Rights Management connector so that these on-premises servers can use the Azure Rights Management service to protect your emails and documents. You can also synchronize and federate your Active Directory domain controllers with Azure AD for a more seamless authentication experience for users, for example, by using Azure AD Connect.

The Azure Rights Management service automatically generates and manages XrML certificates as required, so it doesn’t use an on-premises PKI. For more information about how Azure Rights Management uses certificates, see the Walkthrough of how Azure RMS works: First use, content protection, content consumption section in the How does Azure RMS work? article.

Sourced from FAQ


Sign up for the MIPC Preview Program:
➢ Follow us on twitter:
➢ View the On-Premises DLP documentation for additional information:
➢ Submit through UserVoice for Records management and share your feature asks here to help us prioritize and shape the solution:
➢ Watch previous webinars:


If the response is helpful, please click "Accept Answer" and upvote it

· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi @sbairu ,

It means if I want to have DLP apply to both Exchange online & Exchange on-premise, then I would need to have DLP enabled in Office 365 and at the same time DLP is enabled in Exchange on-premises? About the Azure Rights Managements, it is the same effect/function as DLP whereby it could protects the emails sending out to internal/external recipients which contains sensitive information like IC number/Credit card number then apply certain actions such as Watermarks, block sending, policy tips?

0 Votes 0 ·

Here are information about Exchange on-premises DLP, it is used to prevent data loss from your organization:

0 Votes 0 ·