Your protected emails could still be exposed!
Did you know? By default, delegates with Full Access to a mailbox can read IRM-protected emails. That’s right, even emails you thought were “for your eyes only” could be visible to others!
The good thing is that there are ways to prevent this and take back control of your sensitive emails. Depending on your setup, whether it’s a user mailbox or a shared mailbox, and whether you’re on Outlook for Windows, Mac, or mobile, you can choose the method that works best:
- Method 1: Use built-in protection like Encrypt-Only or Do Not Forward. Only the recipients in the To/Cc/Bcc fields can read the email.
- Method 2: Apply a sensitivity label that enforces Encrypt-Only or Do Not Forward. This works similarly to Method A, but utilizes labels for easier management.
- Method 3: Run the Set-MailboxIRMAccess cmdlet in Exchange Online PowerShell to block delegate access—perfect for shared mailboxes or specific scenarios.
💡Tip: If your sensitivity label assigns access to predetermined users or groups, anyone in that list can still read your message, even if they weren’t in To/Cc/Bcc. So pick the right method carefully!
Keeping control of your sensitive emails is possible; it just takes a few smart settings.