[Update]: This blog post was first published on December 13, 2021. It was updated to reflect UI changes in the Microsoft Purview compliance portal (Microsoft 365 compliance center) and show new features, like inheriting a higher priority sensitivity label from email attachments.
Microsoft 365 admins have many tools they can use to secure documents and emails. One of those tools is the sensitivity label. I’ll explain in detail what a sensitivity label is, how to set it up and how to test that it works.
Table of contents:
- What is a sensitivity label?
- Dark side of sensitivity labels
- Sensitivity label requirements
- Creating sensitivity labels
- Publishing the sensitivity label
- Removing a label
What is a sensitivity label?
A sensitivity label is a kind of digital stamp added to your business document (like DOCX or XLSX) or email in order to classify and, optionally, protect it. The stamp alone only marks the content; when the label also applies encryption, the usage rights travel with the file and are enforced by Azure Rights Management every time it is opened. You can set up many labels, depending on your company needs, for example:
- Create labels for the whole company, or for specific groups or users.
- Specify different levels of access for different groups.
- Allow or deny specific actions on emails or documents (for example, you could prevent users from copying, downloading or printing a document).
You could say that you don’t need labels because you’ve already introduced role-based access control to your SharePoint content and nobody should have access to documents restricted for, say, another department. That’s where the unique sensitivity label features come into play. Library permissions stop at the library boundary: once a document is downloaded, forwarded or copied to a USB stick, they no longer apply. An encrypting label goes with the file, so even a downloaded copy stays encrypted and Office checks the user’s rights against Azure Rights Management before opening it.
For most organizations, it makes sense to create multiple labels depending on the sensitivity of data. It also makes sense to grant ‘top secret’ sensitivity settings to your critical business assets, for example to make them read-only and accessible only to select people. However, adding encrypting labels to documents which you intend to share with external parties, or to publicly accessible data, is usually a bad idea, because anyone outside the rights list simply cannot open the content.
Before I jump into setting up sensitivity labels, a few words about their ‘dark side.’
Dark side of sensitivity labels
Although extremely useful, this security-focused feature can make your life a bit harder. It all depends on how you configure the labels, of course.
First, every time you open a labeled document or email, Outlook, Word, Excel and so on must fetch a use license from Azure Information Protection (AIP) before showing the content, so opening protected resources takes longer, and a lost connection can mean no access at all (the offline access setting covered later controls how long a cached license stays valid).
Sensitivity labels are smart. When a label denies copying, it is not only your Ctrl+C key combination that’s blocked. You won’t be able to use Print Screen either, OCR software gets nothing to read, and sharing the document via Teams shows a blacked-out window to the other participants. In other words, it handles almost every scenario apart from taking a picture with an external device. From a security perspective that’s a great feature, until you need to discuss a labeled document during an online meeting and it turns out nobody can see it.
Finally, I’ve seen situations in which labeled documents cause extremely bizarre issues. For example:
- Microsoft Word informs you that you can’t access the document because it’s checked out to someone else, even though it’s checked out to you.
- Microsoft Word or Outlook crashes on saving or opening a labeled document or an email.
Are the labels worth the trouble, then? Definitely! Just remember that over-protecting documents costs productivity, so match the restrictions to the actual sensitivity of the data.
Sensitivity label requirements
To see if AIP is enabled in your tenant, go to https://portal.azure.com and then to Azure Information Protection. You should see a notification that Azure Information Protection labeling reached end of life on April 1, 2021.
If you click the notification shown above, you will be redirected to the new home of sensitivity labels:
Tenants created after April 1, 2021 have unified labeling enabled by default. Tenants created before this date require you to activate the Unified labeling feature.
Creating sensitivity labels
To manage your labels’ settings, go to the Microsoft Purview compliance portal > Information protection > Labels:
In most cases, you’ll want to turn on the setting that lets SharePoint Online and OneDrive for Business process Office files (Word, Excel, etc.) that have an encrypting label applied. Without it, those services only see an opaque encrypted blob; with it, you can use features like co-authoring, eDiscovery, DLP and search on protected content:
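The two prerequisites from this section and the previous one (Rights Management activated, SharePoint/OneDrive allowed to process encrypted files) can also be checked and fixed from PowerShell, which is handy when you manage more than one tenant. The script below is an added example and not part of the original post; it assumes the AIPService and Microsoft.Online.SharePoint.PowerShell modules are installed, that you hold a Global or Compliance administrator role, and it uses "contoso" as a placeholder tenant name.

```powershell
# Added example (not from the original post): check the tenant-side prerequisites
# for encrypting sensitivity labels from PowerShell instead of the portal.
# Assumes the AIPService and Microsoft.Online.SharePoint.PowerShell modules are
# installed and an admin account; the tenant name "contoso" is a placeholder.

Import-Module AIPService
Import-Module Microsoft.Online.SharePoint.PowerShell

# 1. Is the Azure Rights Management service (the encryption backend behind
#    labels that apply encryption) activated for the tenant?
Connect-AipService
$rms = Get-AipService            # returns 'Enabled' or 'Disabled'
if ($rms -ne 'Enabled') {
    Write-Warning "Rights Management is $rms - labels with encryption will not work until it is enabled."
    # Enable-AipService           # uncomment to activate the service
}

# Service details, including the licensing endpoint Office apps contact every
# time a protected file is opened (the latency mentioned in the 'dark side' section).
Get-AipServiceConfiguration | Select-Object LicensingIntranetDistributionPointUrl, FunctionalState

# 2. Let SharePoint Online and OneDrive process files carrying an encrypting label
#    (co-authoring, search, DLP and eDiscovery on protected content).
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'
$tenant = Get-SPOTenant
if (-not $tenant.EnableAIPIntegration) {
    Set-SPOTenant -EnableAIPIntegration $true
}
Get-SPOTenant | Select-Object EnableAIPIntegration
```

Run it once after tenant creation and again whenever protected files stop showing up in search or co-authoring breaks; both symptoms usually trace back to the second setting being off.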
The first step to using sensitivity labels is to create a label:
Next, specify the following:
- Label’s name – visible in the Microsoft Purview compliance portal,
- Display name – visible to users in e.g. Microsoft Word,
- Description for users – the tooltip that appears when users hover over the sensitivity label,
- (Optional) Description for admins – the description available from the Microsoft Purview compliance portal.
- (Optional) Label color – a color marking for an easy identification of the label.
Now you can define the scope for the label. I’ll apply the label to files & emails only.
Next, you can choose two kinds of protection. The first (encryption) controls who can access the content with your label applied and what they can do with it. The second (content marking) adds the label’s name to headers, footers and a watermark in your documents; it is visible classification only and enforces nothing.
In the Encryption step, you set the usage rights for content with the label applied. Since the primary reason for this procedure is to secure the files, you’ll want to configure encryption settings.
Just below the radio button that enables encryption settings, you’ll find the option to enable co-authoring for the documents protected with sensitivity labels in Office desktop apps (unless you’ve already enabled this feature). Co-authoring allows your users to work with the same files at the same time. Super helpful in some scenarios.
In most cases, you will use the Never option for the User access to content expires setting, since it lets users access files without any time limit. A fixed date or a number of days makes sense for short-lived material, such as bid documents that should become unreadable after the deadline.
You can also allow or deny offline access to a file, expressed as the number of days a cached use license stays valid. Without offline access, a user needs to reach Azure Rights Management each time they open a document or email. The trade-off is revocation speed: if you remove a user from the permitted group, their cached license keeps working until it expires, so a long offline window delays revocation by that many days.
Finally, choose which users or groups should be able to access documents with the label set. Clicking Assign permissions opens a wizard on the right side.
You have multiple options to choose the right audience. Let’s click Add users or groups to choose a single Microsoft 365 group. Next, click Choose permissions to define the access level for the group. You can choose from 4 pre-defined levels: Co-Owner, Co-Author, Reviewer, Viewer, or set a non-standard level with the Custom option. The levels map to Rights Management usage rights, and the difference that matters most is that Co-Owner and Co-Author include the PRINT and EXTRACT (copy) rights while Reviewer and Viewer do not, so if the point of the label is to block copying and printing, pick Reviewer, Viewer or a Custom set without those rights.
In this example, I will choose the Co-Author permission set. Remember to click Save to apply your settings.
Click Next when you’ve finished.
Content marking lets you add clear information about the applied labels directly to a document. You can choose if you want to add a watermark, a header and a footer, and what it should say.
In the next step, you can turn on auto-labeling. That way certain groups or documents created in certain sites can be automatically marked with your label. This may be useful if you want to make sure nobody forgets about securing documents. On the other hand, auto-labeling can create problems if you intend to share some documents outside your organization.
Next, you can define protection settings for groups and sites. Those settings, unlike the previous ones, apply to teams, groups or sites and not the documents stored in them.
In the penultimate step, you can automatically apply labels to schematized data assets, for example database columns scanned by Microsoft Purview. This option requires some prior setup and is in preview, so I’ll pretend it’s not here.
The last step is about revising the configuration. Revise your settings and click Create label.
Users won’t be able to use the label just yet, you’ll need to publish it first.
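The wizard steps above (name, scope, encryption with a Never expiry and offline access, Co-Author rights for one group, header/footer/watermark) translate one-to-one to the New-Label cmdlet in Security & Compliance PowerShell. The script below is an added example, not the post’s own configuration; it assumes the ExchangeOnlineManagement module is installed and that sales-marketing@contoso.com is the placeholder address of the Microsoft 365 group that should receive rights. Building the label this way also makes the usage rights explicit, which the portal hides behind the level names.

```powershell
# Added example (not from the original post): create the 'Confidential' label the
# wizard builds, but from Security & Compliance PowerShell so the settings are
# reviewable and repeatable. Assumes the ExchangeOnlineManagement module; the group
# address sales-marketing@contoso.com is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# Usage rights behind the wizard's pre-defined levels:
#   Viewer    = VIEW,VIEWRIGHTSDATA,OBJMODEL                     (no copy, no print)
#   Reviewer  = Viewer + DOCEDIT,EDIT,REPLY,REPLYALL,FORWARD      (no copy, no print)
#   Co-Author = Reviewer + PRINT,EXTRACT                          (EXTRACT = copy allowed)
#   Co-Owner  = Co-Author + OWNER,EXPORT,EDITRIGHTSDATA
$coAuthor = 'VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL'

New-Label -Name 'Confidential' `
    -DisplayName 'Confidential' `
    -Tooltip 'Internal data that must stay within Sales and Marketing.' `
    -Comment 'Created for the Sales and Marketing team' `
    -ContentType 'File, Email' `
    -EncryptionEnabled $true `
    -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "sales-marketing@contoso.com:$coAuthor" `
    -EncryptionContentExpiredOnDateInDaysOrNever Never `
    -EncryptionOfflineAccessDays 30 `
    -ApplyContentMarkingHeaderEnabled $true -ApplyContentMarkingHeaderText 'Confidential' `
    -ApplyContentMarkingFooterEnabled $true -ApplyContentMarkingFooterText 'Confidential' `
    -ApplyWaterMarkingEnabled $true         -ApplyWaterMarkingText 'Confidential'

# Verify what was stored. EncryptionRightsDefinitions is where a wrong audience
# or an over-broad rights set would show up, so read it back before publishing.
Get-Label -Identity 'Confidential' |
    Format-List DisplayName, ContentType, EncryptionEnabled, EncryptionRightsDefinitions, EncryptionOfflineAccessDays
```

Multiple audiences are separated by semicolons in EncryptionRightsDefinitions, so a second entry such as a Viewer-only group for auditors can be appended without touching the first.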
Publishing the sensitivity label
You can move on to publishing your label right away by selecting the Publish label to users’ apps option and clicking Done in the last step of the New sensitivity label wizard – another wizard will open.
If you choose not to start the policy creation wizard for now by choosing Don’t create a policy yet and Done, you can later access it by going to Information protection > Label policies and clicking Publish label. Next, skip directly to this step.
In this guide, I’m going to create a new label policy from scratch to show you all the configuration steps. To do this, click Create new label policy. You can also publish your newly created label to an existing policy, if you have one.
Next, click Choose sensitivity labels to publish and pick the label you’ve created earlier. Click Add and Next.
In the next step, you can assign the policy to admin unit(s). For now, let’s skip this step, as it requires a lot of additional pre-configuration and is still in preview. If you’re interested in this concept, have a look at Microsoft’s documentation.
Next, choose which groups or users should have the label available. Again, click Done and Next.
Next, you can choose to use various policy settings:
- Users must provide a justification to remove the label or lower its classification.
- Require users to apply the label to their emails and documents.
- Require users to apply the label to their Power BI content.
- Provide users with a link to a custom help page.
The next step allows you to apply the default label to documents. If you leave the default None option, users will have the choice to apply the label or use the document without enhanced protection.
In the Emails step, you can also choose which label should be applied to email messages by default.
The second option (Email inherits highest priority label from attachments) enables auto-inheriting labels from attachments. For example, if your user attaches a labeled file to an email, the email gets that label, but only if the attachment’s label has a higher priority than the label the email already carries; a lower-priority attachment leaves the email label unchanged. With multiple labeled attachments, the email inherits the label with the highest priority. Label priority is the order of labels in Information protection > Labels, with the label at the bottom having the highest priority, so keep the most restrictive labels at the bottom of the list.
To make the inheriting mechanism less strict, you can choose to display a recommendation to change the label instead of applying it automatically.
Two next steps of the wizard let you configure the default labels for meetings & calendar events and Power BI.
Now you can name your label policy and provide a description.
Finally, review your policy. Click Submit and Done when everything is set.
It might take up to 24 hours for the label policy to be effectively published. I’ve seen a label published in 50 minutes and 14 hours as well, so any value in between is also possible. You can check if they started working by using Outlook on the web or Word Online.
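The policy wizard above can be reproduced with New-LabelPolicy, and the 24-hour wait can be replaced by polling the policy’s distribution status instead of opening Outlook on the web every hour. The script below is an added example, not the post’s own configuration. It assumes a Security & Compliance PowerShell session (ExchangeOnlineManagement module), that sales-marketing@contoso.com is the placeholder Microsoft 365 group to publish to, and that the Settings hashtable keys are the ones the cmdlet accepts; compare them with what Get-LabelPolicy returns for a portal-created policy before relying on them. The AttachmentAction advanced setting is the PowerShell form of the attachment-inheritance option described above.

```powershell
# Added example (not from the original post): publish the 'Confidential' label with
# a policy carrying the wizard's settings, then poll the distribution status.
# Assumes Connect-IPPSSession; sales-marketing@contoso.com is a placeholder group.
# The Settings keys are an assumption to verify against a portal-created policy.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$policyName = 'Confidential - Sales and Marketing'

New-LabelPolicy -Name $policyName `
    -Comment 'Publishes the Confidential label to Sales and Marketing' `
    -Labels 'Confidential' `
    -ModernGroupLocation 'sales-marketing@contoso.com' `
    -Settings @{
        requiredowngradejustification = 'true'   # justification when lowering or removing
        mandatory                     = 'false'  # users may still send unlabeled content
    }

# 'Email inherits highest priority label from attachments':
# 'Automatic' applies the inherited label, 'Recommended' only suggests it.
Set-LabelPolicy -Identity $policyName -AdvancedSettings @{ AttachmentAction = 'Automatic' }

# Poll until the policy has been pushed out. While the status is 'Pending',
# Office apps will not show the label no matter how often users restart them.
do {
    $status = (Get-LabelPolicy -Identity $policyName).DistributionStatus
    Write-Host "$(Get-Date -Format t) $policyName : $status"
    if ($status -ne 'Success') { Start-Sleep -Seconds 300 }
} while ($status -ne 'Success')
```

Once the status reads Success, the remaining delay is client-side caching, which is when the Outlook on the web or Word Online check suggested above becomes meaningful.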
After creating the Confidential sensitivity label, publishing it for the Sales and Marketing team and waiting for its provisioning, I’ve tested if it works correctly.
When Lynne (a user with no labels assigned) launches Outlook on the web and creates a new test message, there’s no option to apply any sensitivity labels:
On the other hand, Megan (a member of Sales and Marketing) can see the Sensitivity button. When clicked, it shows all sensitivity labels available to this particular user. As you can see, I’ve published a few additional ones, so that the Confidential label isn’t lonely. Let’s apply the Confidential label to encrypt the email and send it to Lynne (the user without permissions) and John who has permissions to pretty much anything.
All that Lynne can see is a notification she doesn’t have the permissions. That’s the expected behavior. If you look right above the email, Outlook shows that the label has been applied, just like specified in the Content marking step. By the way, this information was also visible to the sender before the email went out.
Sending the labeled email to any other mailbox without permissions results in the same protected message notification. Clicking Read the message doesn’t let such a user access the original message body or attachments. This limits the blast radius of an email sent to the wrong recipient: the body stays unreadable, although the subject line and the recipient list are not encrypted, so the mistake should still be reported and reviewed rather than treated as a non-event.
Now, another recipient, John, will have no problems opening the message like any ‘standard,’ unlabeled email. The only visible difference for those emails is the header and footer you’ve set up in the Content marking step. The user can’t delete the label but can reply to the message without any problems.
All the tests in this part of the article have been conducted using Word Online (https://www.office.com). Files have been saved to OneDrive for Business. Mind that it will work the same in SharePoint Online or when trying to open a file locally (sent as an attachment, for example).
To encrypt a document, use the Sensitivity button and pick a label.
After applying the sensitivity label (provided you set it up in the Content marking step), you will see appropriate information in the document’s header and footer. You will also see a watermark on each page, provided you’ve set it up as well. If you don’t see the header or footer, go to View > Header & Footer or turn on Reading View to display those elements.
Now, when you send the document to a user who doesn’t have permissions to this label (or when they try to open such a file on SharePoint Online), they will get the following notification:
Removing a label
Since I’ve set the label policy settings to ‘Users must provide a justification to remove a label or lower its classification,’ each time someone wants to change or remove a label, they need to specify why they’re doing it.
To remove a label, open a document, go to Sensitivity and click the name of the currently applied label. The Justification Required popup will show up. Pick an appropriate option and click Change. The label should be removed at this point.
The label change and the justification are written to the unified audit log and surfaced in Activity explorer in the Microsoft Purview compliance portal.
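Activity explorer is a view over the unified audit log, so the same label removals and downgrades can be pulled with Search-UnifiedAuditLog for export or for feeding a SIEM. The script below is an added example and not part of the original post; it assumes the ExchangeOnlineManagement module, an account holding the Audit Logs role, and that the listed operation names are the ones your tenant emits for Office and SharePoint label events. The property names inside AuditData differ between Office desktop, web and SharePoint events, so the example keeps the raw JSON alongside the parsed fields rather than assuming a justification property name.

```powershell
# Added example (not from the original post): list sensitivity label removals and
# changes from the unified audit log for the last 7 days. Assumes
# Connect-ExchangeOnline and the Audit Logs role; the operation names below are
# the Office (SensitivityLabel*) and SharePoint (FileSensitivityLabel*) events.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$ops = 'SensitivityLabelRemoved', 'SensitivityLabelUpdated',
       'FileSensitivityLabelRemoved', 'FileSensitivityLabelChanged'

$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
                                 -Operations $ops -ResultSize 5000

$report = foreach ($e in $events) {
    $data = $e.AuditData | ConvertFrom-Json        # per-event JSON payload
    [pscustomobject]@{
        When      = $e.CreationDate
        User      = $e.UserIds
        Operation = $e.Operations
        Item      = $data.ObjectId                 # file URL or message identifier
        Raw       = $e.AuditData                   # keep the JSON: justification text lives here
    }
}

$report | Sort-Object When -Descending | Format-Table When, User, Operation, Item -AutoSize

# Inspect one raw payload to learn the field names your tenant returns before
# filtering on them, e.g. ($report[0].Raw | ConvertFrom-Json) | Format-List
```

A removal without a matching justification entry, or a burst of removals by one account, is the pattern worth alerting on; the Raw column is what you would parse once you have confirmed the field names.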