How to Search for Email Protected by Sensitivity Labels
Use Microsoft Search to Find Emails with Sensitivity Labels
In June 2023, I wrote about how to search SharePoint Online for files with sensitivity labels. The key point is to use the InformationProtectionLabelId property in the KeyQL query in a search, passing the label identifier to search for. As described in the article, the label identifier for a sensitivity label is found by running the Get-Label cmdlet and it’s possible to search for items with several different sensitivity labels at one time.
Unfortunately, I might have inadvertently created the impression that only SharePoint Online supports searches against InformationProtectionLabelId. That’s not true because Exchange Online supports searches against the same property. It’s just not a well-known fact.
Viewing Sensitivity Label Data with MFCMAPI
When I was asked recently whether it was possible to search for email with a specific sensitivity label (for instance, all messages sent by a user labeled as Confidential), my initial action was to fire up the MFCMAPI utility to see what properties Exchange Online stores for labeled email. A bunch of properties are found, including the person who labeled the email (Drmowner) and the organization that “owns” the item from a rights management perspective. The most relevant is the MSIPLabelGuid property (Figure 1), which holds the identifier of the label.
It’s quite likely that a schema normalization process will transform the property in different ways, such as giving it a different name. That’s exactly what happens here because the MSIP (Microsoft Information Protection) Guid ends up in the item’s InformationProtectionLabelId property.
Use Microsoft Search to Find Emails with Sensitivity Labels
To test the theory, you can search for labeled emails using the search box available in the Microsoft 365 browser app. Type in InformationProtectionLabelId: followed by the identifier for the label to search for. The emails found by the search are listed under the Messages tab (Figure 2). Only labeled emails received by the signed-in account are found by this search.
Even better, because Outlook clients use the Microsoft Search index, you can find email with sensitivity labels by using the same syntax with Outlook search (Figure 3).
Use Purview Content Search to Find Emails with Sensitivity Labels
Searching from a browser only finds messages in the signed-in user’s mailbox. To find labeled emails in other mailboxes, you must use a Purview content search. Microsoft is currently in the middle of “modernizing” Purview eDiscovery, but the basic idea of creating a search with a KeyQL query to find items still holds true. In this case, I used the very simple search
informationprotectionlabelid:2fe7f66d-096a-469e-835f-595532b63560 (c:c) (Kind=email)
to look for items. Content searches find all emails, received and sent. Figure 4 shows the result.
Figure 4: Viewing labeled emails found by a Purview content search
Obviously, the query could be more complex to focus on certain mailboxes, which is where the query builder comes in useful. In fact, the query builder in the modern eDiscovery UI supports sensitivity labels as a condition, and you can add a condition to search for one or more labels very easily (Figure 5).
Interestingly, when you use the modernized query builder to add sensitivity labels as a condition for a search, the query uses MipSensitiveLabel instead of InformationProtectionLabelId, and you can end up mixing and matching the two properties in a query like this:
informationprotectionlabelid:2fe7f66d-096a-469e-835f-595532b63560 (c:c) ((Kind=email) AND ((Date=2024-01-01..2024-10-01)) AND (((SubjectTitle:Project) OR (SubjectTitle:Important) OR (SubjectTitle:Critical))) AND (((MipSensitiveLabel=2fe7f66d-096a-469e-835f-595532b63560) OR (MipSensitiveLabel=8b652c9a-a8b7-40ec-bb1a-c5334b1b7fef) OR (MipSensitiveLabel=27451a5b-5823-4853-bcd4-2204d03ab477) OR (MipSensitiveLabel=810b94b5-8ff8-4670-ab07-3e2daeda47d2))))
Searching against the MIPSensitiveLabel property works, but the older query builder doesn’t like using an equals sign between the property and value. A semi-colon works just fine.
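The same kind of content search can be created from Security & Compliance PowerShell instead of the Purview UI. The script below is an added example, not code from the original article: it resolves label names to identifiers with Get-Label, builds a query on InformationProtectionLabelId for several labels, and runs the search across all mailboxes. The label display names and search name are hypothetical, and it assumes the ImmutableId property returned by Get-Label holds the label identifier.

```powershell
# Added example. Label display names and the search name are hypothetical.
# Requires the ExchangeOnlineManagement module and an eDiscovery role.
Connect-IPPSSession

$LabelNames = @('Confidential', 'Secret')   # hypothetical label display names
$SearchName = 'Labeled email example'       # hypothetical search name

# Resolve display names to label identifiers with Get-Label.
# Assumption: ImmutableId holds the GUID used as the label identifier.
$Labels  = @(Get-Label | Where-Object { $_.DisplayName -in $LabelNames })
$Missing = $LabelNames | Where-Object { $_ -notin $Labels.DisplayName }
if ($Missing) { throw "No sensitivity label found for: $($Missing -join ', ')" }

# Build one KeyQL clause per label and reject anything that is not a GUID,
# so a malformed value never ends up inside the query text.
$Clauses = foreach ($Label in $Labels) {
    $Id = [guid]::Empty
    if (-not [guid]::TryParse([string]$Label.ImmutableId, [ref]$Id)) {
        throw "Label '$($Label.DisplayName)' has no valid identifier"
    }
    "InformationProtectionLabelId:$Id"
}
$Query = '({0}) AND kind:email' -f ($Clauses -join ' OR ')

# Search every mailbox; pass specific addresses to -ExchangeLocation to narrow the scope.
New-ComplianceSearch -Name $SearchName -ExchangeLocation All -ContentMatchQuery $Query | Out-Null
Start-ComplianceSearch -Identity $SearchName

# Poll until the search finishes (give up after about ten minutes), then report.
$Tries = 0
do {
    Start-Sleep -Seconds 15
    $Search = Get-ComplianceSearch -Identity $SearchName
    $Tries++
} while ($Search.Status -ne 'Completed' -and $Tries -lt 40)

if ($Search.Status -ne 'Completed') { Write-Warning "Search still $($Search.Status)" }
$Search | Format-List Name, Status, Items, Size, ContentMatchQuery
```

The Items count covers sent and received messages in every searched mailbox, so review who can run and export the search before using it against sensitive labels.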
Several Ways to Find Emails with Sensitivity Labels
The bottom line is that you can search for emails protected by sensitivity labels (with or without encryption). eDiscovery searches are the most powerful and flexible when the need arises to find a very specific item, but Microsoft 365 search in the browser can find items too.