Create a Microsoft Exchange Manager Approval Transport Rule
Focus
Focus
Enterprise DLP

Create a Microsoft Exchange Manager Approval Transport Rule

Table of Contents


Create a Microsoft Exchange Manager Approval Transport Rule

Create a Microsoft Exchange email transport rule to forward an email to the sender's manager for approval after inspection by Enterprise Data Loss Prevention (E-DLP).
Microsoft Exchange Active Directory is required to assign a manager to a user. To successfully send an email for manager approval if sensitive data is detected by Enterprise DLP, the sender must have a manager assigned.
If no manager is assigned to the sender, then the email is sent to the recipient because no manager is assigned to approve or reject the email.
Additionally, Microsoft supports email approvals on the web browser-based Microsoft Exchange only. Approving or rejecting emails on the Microsoft Exchange mobile application or desktop client is not supported.
  1. Create the outbound and inbound connectors.
    Skip this step if you have already created both the outbound and inbound connectors.
  2. Select Mail flowRulesAdd a ruleCreate a new rule to create a new email transport rule.
  3. Configure the transport rule conditions.
    1. Enter a Name for the transport rule.
    2. Add the email message header.
      The fw_to_manager header is added by the DLP cloud service when an email contains sensitive information requiring manager approval.
      1. For Apply this rule if, select The message headers....
      2. Select match these text patterns.
      3. Click Enter Text. When promoted, enter the following.
        x-panw-action
        Click Save to continue.
      4. Click Enter words. When prompted, enter the following and Add:
        fwd_to_manager
        Select the word you added. Click Save to continue.
    3. Specify the action Microsoft Exchange takes when an email header includes the header added by Enterprise DLP.
      Microsoft Exchange Active Directory is required to assign a manager to a user. To successfully forward a sender's email if sensitive data is detected by Enterprise DLP, a user must have a manager assigned.
      If no manager is assigned to a user, then the email is sent to the recipient because no manager is assigned to approve or reject the email.
      1. For Do the following, select Forward the message for approval.
      2. Select to the sender's manager.
    4. Click Next to continue.
  4. Configure the transport rule settings.
    1. For the Rule mode, ensure Enforce is selected.
      This setting is enabled by default when a new transport rule is created.
    2. (Optional) Configure the rest of the transport rule settings as needed.
    3. Click Next to continue.
  5. Review the transport rule configuration and click Finish.
    Click Done when prompted that the transport rule was successfully created. You are redirected back to the Microsoft Exchange Rules page.
  6. Modify the email transport rule priority as needed.
    To change the priority of a transport rule, select the transport rule and Move Up or Move Down as needed.
    A proper rule hierarchy is recommended to ensure emails successfully forward to Enterprise DLP.
    • The email transport rule should always be the highest priority rule relative to the other transport rules required for Email DLP.
    • Any email encryption rules not created as part of the Email DLP configuration must be ordered below the transport rules created for Email DLP. Enterprise DLP cannot inspect encrypted emails.
    • There is no impact in regards to priority between the quarantine transport rules, block transport rule, encrypt transport rule, or any other transport rules that exist.
      After Enterprise DLP inspects and returns the email back to Microsoft Exchange, the appropriate transport rule action will occur based on the email header.