Outlook
Storage monitoring Outlook integration
The Glasswall Halo Storage Monitoring service integrates with Microsoft Outlook mailboxes, automatically sanitizing supported file types attached to inbound emails.
Prerequisites
Before configuring Outlook monitoring, ensure the following:
- The Storage monitoring service is deployed and running.
- An application is registered in Microsoft Entra ID with the appropriate permissions. If you already have an app registration for SharePoint or OneDrive monitoring, you can reuse it — just add the Outlook permissions (
User.ReadBasic.AllandMail.ReadWrite). - The application's Client ID, Tenant ID and Client Secret are stored in Azure key vault.
- You have access to the Halo Storage Monitoring API.
For guidance, refer to the Halo Storage Monitoring Setup Guide.
Important: if you are adding Outlook permissions to an existing app registration that is already in use for SharePoint or OneDrive, you must restart the Storage Monitor service after granting the new permissions. The service caches its permissions on startup, so a restart is required for the new permissions to take effect.
Monitoring a user's mailbox
To set up monitoring, you'll need:
- User ID of the mailbox owner
You can retrieve the user ID using an endpoint provided by the Halo Storage Monitoring API. See the Storage Monitoring API documentation for details.
Optional configuration
You can optionally customize each monitor with:
- A custom policy
If no custom settings are applied, the default policy is used.
Monitors can be updated or removed at any time to change policies.
[!NOTE]: policies linked to active monitors are locked and cannot be deleted. To remove a policy, first stop or delete any associated monitors.
How monitoring works
Once activated, the monitor automatically performs the following for each supported file attached to an inbound email:
- Detects the new email via a webhook notification
- Downloads each attachment
- Applies sanitization
- Re-uploads the cleaned attachment, prefixed with
GW- - Removes the original unsanitized attachment
If the filetype of the attachment is unsupported, the original file remains unchanged without the GW- prefix.
[!NOTE] Files embedded directly in the HTML body of an email (such as inline images and email signatures) are not processed by Halo. Only discrete file attachments are sanitized.
Identifying processed and unprocessed attachments
After Halo processes an email, you can determine the status of each attachment by its filename:
- Processed (safe): attachments prefixed with
GW-(e.g.GW-report.docx) have been successfully sanitized by Glasswall. - Unprocessed: attachments without the
GW-prefix remain in their original, unsanitized state. This may occur if the file type is unsupported or if processing failed. Exercise caution when opening these files.
Blocking unprocessed attachments
By default, Halo will remove supported attachments that fail processing from the email rather than leaving the original unsanitized file. This ensures that for supported file types only successfully sanitized files remain in the user's inbox.
This behavior is controlled by the MONITORING__BlockUnprocessedAttachments configuration setting, which defaults to true.
When disabled (false), attachments that Halo cannot process are left in the email in their original state without the GW- prefix.
Email disclaimer banner (optional)
Outlook monitoring works without the email banner — it is an optional feature that can be enabled separately. Halo will still sanitize attachments regardless of whether the banner is configured.
The banner is a notice prepended to the top of inbound emails that contain attachments, informing the recipient that Glasswall is processing their attachments. It helps users identify which emails have attachments that are being or have been processed by Halo.
There are two options for setting up the banner:
Option 1 — Halo manages the banner automatically
When Exchange Online certificate authentication is configured, Halo manages the banner lifecycle automatically — creating the distribution group and transport rule on startup and keeping membership in sync with active monitors.
See Enabling the Outlook email banner via Helm for deployment instructions.
Option 2 — Manual setup with PowerShell scripts
If you prefer to manage the banner externally without granting Halo access to Exchange Online, you can run the PowerShell scripts standalone. A certificate is not required for standalone use — you can authenticate interactively via a browser login prompt.
See Enabling the Outlook email banner via PowerShell for step-by-step instructions.
Known limitations
- Distribution group caching: when removing the banner from a user by updating the distribution group, changes can take several hours to take effect. Exchange Online caches the distribution group membership used by transport rules, so the banner may continue to appear for users who have been removed until the cache refreshes.
- Mobile and web clients may require a manual refresh: users on the Outlook mobile app or Outlook on the web may need to manually refresh their inbox to see rebuilt attachments. The desktop client typically reflects changes automatically.