All about sensitivity labels in Exchange Online

Microsoft 365 admins have many tools they can use to secure documents and emails. One of those tools is a sensitivity label. I’ll explain in detail what a sensitivity label is, how to set it up and test if it works well.

Table of contents:

• What is a sensitivity label?
• Dark side of sensitivity labels
• Labels’ requirements
• Creating labels
  • Assigning permissions
  • Content marking
• Publishing sensitivity labels
• Testing
  • Emails
  • Documents
• Removing a sensitivity label

What is a sensitivity label?

A sensitivity label is a kind of digital stamp added to your business document (like DOCX or XLSX) or email in order to secure it. You can set up many labels, depending on your company needs, for example:

• Create labels for the whole company, or for specific groups or users.
• Specify different levels of access for different groups.
• Allow or deny specific actions on emails or documents (for example, you could prevent users from copying, downloading or printing a document).

You could say that you don’t need labels because you’ve already introduced role-based access control to your SharePoint content and nobody should have access to documents restricted for, say, another department. That’s where the unique sensitivity label features come into play. With a sensitivity label, you can prevent users from downloading certain documents. And even if they do download them, a sensitivity label continues to limit the access.

For most organizations, it makes sense to create multiple labels depending on the sensitivity of data. It also makes sense to grant ‘top secret’ sensitivity settings to your critical business assets, for example to make them read only and accessible only to select people. However, adding sensitivity labels to documents which you intent to share with others or those with publicly accessible data might be a bad idea.

Before I jump into setting up sensitivity labels, a few words about their ‘dark side.’

Dark side of sensitivity labels

Although extremely useful, this security-focused feature can make your life a bit harder. It all depends on how you configure the labels, of course.

First, since every time you open a labeled document or email, your Outlook/Word/Excel, etc. needs to communicate with Azure Information Protection (AIP), so it will take longer to access your resources.

Sensitivity labels are smart. It means that, for example, when they prevent copying content, it’s not only your Ctrl+C key combination that’s blocked. You won’t be able to use the Print Screen option as well. It also blocks OCR software and doesn’t allow sharing screen via Teams (the document will be blacked out). In other words, it handles almost every scenario apart from taking a picture with an external device. From security perspective, that’s a great feature until you need to discuss a labeled document during an online meeting, and it turns out nobody can see it.

Finally, I’ve seen situations in which labeled documents cause extremely bizarre issues. For example:

• Microsoft Word informs you that you can’t access the document because it’s checked out to someone else, even though it’s checked out to you.
• Microsoft Word or Outlook crashes on saving or opening a labeled document or an email.

Are the labels worth the trouble, then? Definitely! Just remember it’s not a good idea to over-protect documents if you value productivity, that is.

Sensitivity labels requirements

If your organization uses Azure Information Protection labels which are configured via the Azure Portal, you should migrate to the unified labeling platform.

To see if AIP is enabled in your tenant, go to https://portal.azure.com and then to Azure Information Protection. You should see a notification that Azure Information Protection labelling reached end of life on April 1, 2021.

If you click the notification shown above, you will be redirected to the new home of sensitivity labels:

Tenants created after April 1, 2021 have unified labeling enabled by default. Tenants created before this date require you to activate the Unified labeling feature.

Creating sensitivity labels

To manage your labels’ settings, go to Microsoft 365 compliance center > Information protection:

In most cases, you’d like to turn on the ability to process Office 365 label-protected content stored in OneDrive for Business or SharePoint. Thanks to that, you will be able to utilize features like co-authoring, eDiscovery, DLP or search:

The first step to using sensitivity labels is to create a label:

Next, specify the following:

1. Label’s name – visible in the Microsoft 365 compliance center,
2. Display name – visible to users in e.g. Microsoft Word,
3. Description for users – the tooltip that appears when users hover over the sensitivity label,
4. Description for admins – the description available from the Microsoft 365 compliance center.

Now you can define the scope for the label. I’ll apply the label to files & emails only.

Next, you can use two options. The first lets you control who can access the content with your label applied. The second can add the label’s name to headers, footers and a watermark in your documents.

In the Encryption step, you can set permissions to content with the label applied. Since the primary reason for this procedure is to secure the files, you’ll want to configure encryption settings.

In most cases, you will use the Never expires option, since it will let users access files without any time limit.

You can also allow or deny offline access to a file. Without the offline access, a user will need to be reauthenticated each time they want to open a document or email.

Finally, choose which users or groups should be able to access documents with the label set. Clicking Assign permissions opens a wizard on the right side.

Assigning permissions

You have multiple options to choose the right audience. Let’s click Add users or groups to choose a single Microsoft 365 group. Next, click Choose permissions to define access level for the group. You can choose from 4 pre-defined levels: Co-Owner, Co-Author, Reviewer, Viewer, or set a non-standard level with the Custom option.

In this example, I will choose the Co-Author permissions set. Remember to click Save to apply your settings.

Click Next when you’ve finished.

Content marking

Content marking lets you add clear information about the applied labels directly to a document. You can choose if you want to add a watermark, a header and a footer, and what it should say.

In the next step, you can turn on auto-labeling. That way certain groups or documents created in certain sites can be automatically marked with your label. This may be useful if you want to make sure nobody forgets about securing documents. On the other hand, auto-labeling can create problems if you intend to share some documents outside your organization.

Next, you can define protection settings for groups and sites. Those settings, unlike the previous ones, apply to teams, groups or sites and not the documents stored in them.

In the penultimate step, you can automatically apply labels to columns in your database. This option requires some prior setup and is in preview, so I’ll pretend it’s not here.

The last step is about revising the configuration. Revise your settings, click Create label and then Done.

Users won’t be able to use the label just yet, you’ll need to publish it first.

Publishing the sensitivity label

To publish the label, go to Label policies and click Publish label.

Next, click Choose sensitivity labels to publish and pick the label you’ve created earlier. Click Add and Next.

Choose which groups or users should have the label available. Again, click Done and Next.

Next, you can choose to use various policy settings:

• Users must provide a justification to remove the label or lower its classification.
• Require users to apply the label to their emails and documents.
• Require users to apply the label to their Power BI content.
• Provide users with a link to a custom help page.

The next step allows you to apply the default label to documents. If you leave the default None option, users will have the choice to apply the label or use the document without enhanced protection. Two next steps of the wizard let you configure the default labels for emails and Power BI.

Now you can name your label policy and provide a description.

Finally, review your policy. Click Done when everything is set.

It might take up to 24 hours for the label policy to be effectively published. I’ve seen a label published in 50 minutes and 14 hours as well, so any value in between is also possible. You can check if they started working by using Outlook on the web or Word Online.

Testing

After creating the Confidential sensitivity label, publishing it for the Sales and Marketing team and waiting for its provisioning, I’ve tested if it works correctly.

Emails

When Lynne (a user with no labels assigned) launches Outlook on the web and creates a new test message, there’s no option to apply any sensitivity labels:

On the other hand, Megan (a member of Sales and Marketing) can see the Sensitivity button. When clicked, it shows all sensitivity labels available to this particular user. As you can see, I’ve published a few additional ones, so that the Confidential label isn’t lonely. Let’s apply the Confidential label to encrypt the email and send it to Lynne (the user without permissions) and John who has permissions to pretty much anything.

All that Lynne can see is a notification she doesn’t have the permissions. That’s the expected behavior. If you look right above the email, Outlook shows that the label has been applied, just like specified in the Content marking step. By the way, this information was also visible to the sender before the email went out.

Sending the labeled email to any other mailbox without permissions might result in another protected message notification. Clicking Read the message doesn’t allow a user to access the original message’s body. Thanks to this, even if an email is sent to a wrong recipient, it won’t result in a security incident, since only permitted users are able to open it.

Now, another recipient, John, will have no problems opening the message like any ‘standard,’ unlabeled email. The only visible difference for those emails is the header and footer you’ve set up in the Content marking step. The user can’t delete the label but can reply to the message without any problems.

Documents

All the tests in this part of the article have been conducted using Word Online (https://www.office.com). Files have been saved to OneDrive for Business. Mind that it will work the same in SharePoint Online or when trying to open a file locally (sent as an attachment, for example).

To encrypt a document, use the Sensitivity button and pick a label.

After applying the sensitivity label (provided you set it up in the Content marking step), you will see appropriate information in the document’s header and footer. You will also see a watermark on each page, provided you’ve set it up as well. If you don’t see the header or footer, go to View > Header & Footer or turn on Reading View to display those elements.

Now, when you send the document to a user who doesn’t have permissions to this label (or when they try to open such a file on SharePoint Online), they will get the following notification:

Removing a label

Since I’ve set the label policy settings to ‘Users must provide a justification to remove a label or lower its classification,’ each time someone wants to change or remove a label, they need to specify why they’re doing it.

To remove a label, open a document, go to Sensitivity and click the name of the currently applied label. The Justification Required popup will show up. Pick an appropriate option and click Change. The label should be removed at this point.

The label change and justification are logged and stored in activity explorer.