Office 365 DLP Policy Trouble

I am working on creating a DLP policy that does the following:

1) Provides a Policy Tip when Outlook detects that an email has an SSN in it.
2) Allows the user to send the message, but sends them an email advising them that they violated a policy.
3) Allows an automatic override if the user supplies a subject-line based encryption trigger (encryption provided by our email security provider, which sits in front of O365).
4) Allows an automatic override if the user requests encryption using an Outlook plugin (the plugin adds a header to the message and the email security provider detects that and encrypts the message).

The problem I am having is that Office 365 Security and Compliance DLP Policies are rudimentary and don't appear to allow requirements 3 and 4. Exchange Online's DLP Policies allow everything but requirement 2.

Does anyone have any ideas around this? Do the newer Security and Compliance policies allow refining with PowerShell? Thinking that maybe the GUI is rudimentary, and maybe I can get them to do what I want if I set them up with PS.

I've been beating my head against the wall on this. It doesn't help that MS's replication schedule is an unknown. I have no idea when the changes I make get applied.

Thanks in advance.
ddotson asked:
yo_bee (Director of Information Technology) commented:
I do not know anything about the setting or applying this, but I did read this from https://support.office.com/en-us/article/Overview-of-data-loss-prevention-policies-1966b2a7-d1e2-4d92-ab61-42efbb137f5e

Help users learn how to stay compliant without interrupting their workflow.
You can educate your users about DLP policies and help them remain compliant without blocking their work. For example, if a user tries to share a document containing sensitive information, a DLP policy can both send them an email notification and show them a policy tip in the context of the document library that allows them to override the policy if they have a business justification. The same policy tips also appear in Outlook on the web, Outlook 2013 and later, Excel 2016, PowerPoint 2016, and Word 2016.

In addition to the link above, there looks to be an Override option within the template that you create. In this link https://practical365.com/compliance/getting-comfortable-data-loss-prevention-policies-office-365/ scroll down midway and you will see a screenshot that shows an override and what it will look like.

Hope this helps
btan (Exec Consultant) commented:
1) and 2) should be possible and you can customise the mail text and tips, but with caveats:
Email notifications can be sent only to individual recipients, not groups or distribution lists.

Only new content will trigger an email notification. Editing existing content will trigger policy tips but not an email notification.
https://support.office.com/en-us/article/send-email-notifications-and-show-policy-tips-for-dlp-policies-87496bc5-9601-4473-8021-cb05c71369c1
(sensitive types to look for) https://support.office.com/en-us/article/what-the-sensitive-information-types-look-for-fd505979-76be-4d9f-b459-abef3fc9e86b

For 3) it can allow modifying the mail content via use of rights protection (needs the RMS component), or apply its Office 365 message encryption, or require channel TLS encryption. Not so sure if I get it that you wanted another entity to do this encryption. And if so, then minimally you should ensure the channel is encrypted to that entity.
http://ehloexchange.com/office-365-message-encryption-policies/
(more on the 365 encryption built on top of Azure Information Protection) https://products.office.com/en-sg/exchange/office-365-message-encryption

For 4) it will not be an out-of-box capability and is currently not available. There is actually a UserVoice request to MS for an Outlook plugin for users to initiate an encrypted email. But there is a similar sharing in one blog which aims to have a single click to apply encryption to any outgoing email message. A brief step-through is e.g.: create a new message classification for encrypted emails, tag this id to a rule that encrypts any outgoing message, export the classification id as XML and push it out to all clients so that they can click to state the email is classified under "encrypted emails".
https://office365.uservoice.com/forums/289138-office-365-security-compliance/suggestions/16906315-office-365-message-encryption-user-driven-outlook
https://www.skylinetechnologies.com/Blog/Skyline-Blog/August-2015/EmailMessageEncryption?saveda=1
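To answer the PowerShell question in the thread, here is a Security & Compliance PowerShell sketch of the four requirements; it is an added example, not code from the thread or from Microsoft's documentation. It assumes an existing Connect-IPPSSession, that the -ExceptIf* rule parameters are available in your tenant's cmdlet version, that LastModifier resolves to the sender for mail, and that "[encrypt]" and "X-Encrypt-Me" are placeholders for your provider's real subject trigger and plugin header.

```powershell
# Added example (not from the thread). Assumptions: already connected via
# Connect-IPPSSession; -ExceptIf* parameters exist in your cmdlet version;
# "[encrypt]" and "X-Encrypt-Me" are placeholders for the real trigger/header.

$policyName = "SSN - notify sender, allow encryption override"

# Container policy scoped to Exchange. Start in test mode so tips and mails
# can be reviewed before they reach users; switch to -Mode Enable afterwards.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All `
    -Mode TestWithNotifications `
    -Comment "Policy tip + sender notification for SSNs; encryption requests bypass"

# Req 1 + 2: built-in SSN sensitive type, policy tip in Outlook, mail to sender.
# BlockAccess stays $false so the message is still delivered (notify only).
# Req 3 + 4: exceptions so the subject trigger or the plugin header skips the rule
# entirely, letting the upstream email security provider encrypt the message.
New-DlpComplianceRule -Name "SSN detected - notify, do not block" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" } `
    -BlockAccess $false `
    -NotifyUser LastModifier `
    -NotifyPolicyTipCustomText "This message appears to contain a Social Security Number. Add [encrypt] to the subject or use the Encrypt button to send it securely." `
    -ExceptIfSubjectMatchesPatterns '^\[encrypt\]' `
    -ExceptIfHeaderMatchesPatterns @{ "X-Encrypt-Me" = "true" }

# Changes replicate asynchronously; check this until it no longer reports Pending
# before testing with a real message.
Get-DlpCompliancePolicy -Identity $policyName | Format-List Name, Mode, DistributionStatus
```

Verify the parameter names against Get-Help New-DlpComplianceRule in your tenant before relying on the exceptions, since older cmdlet builds lack the subject and header conditions.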
ddotson (Author) commented:
Yeah, it seems that I'm going to struggle to get all 4 needs in one policy.
btan (Exec Consultant) commented:
Let the experts in EE know where they can help. It is just a kick start.
Ask a new question where possible for a larger pool of domain experts to chip in.
ddotson (Author) commented:
Thanks for the help. This is a tough nut to crack.
yo_bee (Director of Information Technology) commented:
But they do say a blind squirrel finds a nut once in awhile.