New Option to Deter Sharing of Confidential Documents

We like to keep an eye on the development of sensitivity labels. Understanding features like blocking access to content services, which restricts access to labeled files by Copilot for Microsoft 365, helps to solve problems that arise from other Microsoft 365 technologies. The latest innovation is a feature called dynamic watermarking, which is designed to deter people from taking screenshots of sensitive documents, much like watermarking in Teams meetings is a deterrent against data leakage such as taking and sharing screenshots of information displayed on-screen during calls.

Office Apps Required for Dynamic Watermarking

Dynamic watermarking works for Office files on desktop, browser, and mobile applications. It is currently in preview, with Microsoft 365 roadmap item 400717 predicting general availability in November 2024, when the feature should be available in the Current Channel for Microsoft 365 enterprise applications. See Microsoft’s documentation for information about the required software versions to support different sensitivity label features.

If you decide to deploy sensitivity labels with dynamic watermarking, it’s important that everyone who might receive a document protected by such a label uses a version of Office that supports dynamic watermarking. If someone who uses an old version of the Office applications receives a protected document, they won’t be able to open the file even if their account possesses the right to access the content. Obviously, sensitivity labels with dynamic watermarking are likely only to be used to protect highly confidential documents, so the number of users affected by the deployment is probably limited.

Static and Dynamic Watermarks

Sensitivity labels have long supported content marking for Office documents. The watermarks inserted by content marking are static in that they are persistent and remain in the document unless the value of the watermark is changed by a user or following an update to label settings. Dynamic watermarking adds a visual indicator to documents during file opening and removes the watermark when the file is closed. Both static and dynamic watermarking can be specified for a sensitivity label.

Microsoft says that dynamic watermarking is more secure than its static counterpart because a user cannot remove or change the watermark. However, if the access rights granted to a user allow the action, they can print the file or export it to a format that doesn’t support dynamic watermarking (like PDF), and the watermark won’t be visible in the result. One way to stop people from exporting to a format like PDF is to remove the EXPORT usage right from the permissions assigned to users in the label. If you don’t want people to print confidential documents, remove the PRINT usage right.

Adding Dynamic Watermarks to a Sensitivity Label

Dynamic watermarking only works with administrator-defined permissions. This is the configuration created when administrators specify the rights-based permissions for a label. Labels with user-defined permissions, where users have the opportunity to assign permissions for individual documents, don’t support dynamic watermarking. Once again, this shouldn’t be an issue because sensitivity labels with administrator-defined permissions are more likely to be used to limit access to confidential material.

You can create a new sensitivity label with dynamic watermarking or add the feature to an existing label. Adding a new label might be the better approach if you think users will react badly to the sudden appearance of watermarks when they edit or view an Office document. I chose to edit an existing label called Ultra Confidential. To add the feature, go to the access control section for a sensitivity label and select the ‘Use dynamic watermarking’ option (Figure 1).

Figure 1: Configuring a sensitivity label for dynamic watermarking

After saving the label, allow a little time for the update to permeate throughout the tenant and be picked up by client applications. The Office Online applications are the fastest to pick up changes while the Office desktop applications require several hours to refresh their cache.

The ideal time to make changes to sensitivity labels is at the weekend or during a holiday period when an update can be tested in the production environment without causing any disruption to users. This tactic also allows label updates to be ready for users when they come back to work.

Dynamic Watermarking in Action

Users see dynamic watermarking when they read or edit an Office file protected by a sensitivity label that enables watermarking. Figure 2 shows a document being edited with Word Online (see this article about using colors to highlight sensitivity labels). The email address for the account is clearly visible.

Figure 2: Editing a Word document with dynamic watermarking

The same effect happens when another user opens the file as a result of sharing or by receiving a copy of the document as an email attachment (Figure 3). In this case, the watermark is different because the value used is the user’s email address (hence the ‘dynamic’ nature of the watermark).

Figure 3: Dynamic watermarking works when reading Office documents too

Dynamic watermarking has no effect on email assigned the sensitivity label (Figure 4). Given the profusion of email clients used with Microsoft 365, it would be unreasonable to prevent clients opening messages if they didn’t support sensitivity labels with dynamic watermarking, so the setting is ignored.

Figure 4: No trace of dynamic watermarking in email

Dynamic Watermarking Setting in Label Properties

The LabelActions properties for a sensitivity label store the details for dynamic watermarking. For instance, the label used to illustrate examples in this article has the following setting:

applydynamicwatermarking         {@{Key=disabled; Value=false}, @{Key=dynamicwatermarkdisplay; Value=${Consumer.PrincipalName}}}

We can see that dynamic watermarking is enabled (disabled = false) and that the display value is the user’s principal name. This runs slightly contrary to the Microsoft documentation for the feature, which discusses customization of the displayed value by running the Set-Label cmdlet to set the DynamicWatermarkDisplay parameter using strings or variables. The documentation says that the variable used is the user’s email address rather than their user principal name. Given that it is best practice to match an account’s primary SMTP address with their user principal name, this shouldn’t be an issue.

This article describes how to report the settings of sensitivity labels using the properties defined for labels.
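As an added example (not code from the article), the script below reports which sensitivity labels in a tenant enable dynamic watermarking and what display value they use, by parsing the LabelActions property shown above. It assumes a Security & Compliance PowerShell session and that each LabelActions entry is a JSON string with Type and Settings (Key/Value) members, which is how the property renders in the article’s output.

```powershell
# Added example: inventory sensitivity labels for dynamic watermarking.
# Assumption: Connect-IPPSSession is available and each LabelActions entry is a JSON
# string of the form {"Type":"applydynamicwatermarking","Settings":[{Key,Value},...]}.
Connect-IPPSSession

$Report = [System.Collections.Generic.List[Object]]::new()
[array]$Labels = Get-Label

ForEach ($Label in $Labels) {
    # Default: the label does not configure dynamic watermarking at all
    $Enabled = $false
    $Display = $null
    ForEach ($Action in $Label.LabelActions) {
        $ActionObject = $Action | ConvertFrom-Json
        If ($ActionObject.Type -eq 'applydynamicwatermarking') {
            # Flatten the Key/Value array so the settings can be read by name
            $Settings = @{}
            ForEach ($Setting in $ActionObject.Settings) {
                $Settings[$Setting.Key] = $Setting.Value
            }
            # The feature is on when the 'disabled' key holds 'false'
            $Enabled = ($Settings['disabled'] -eq 'false')
            $Display = $Settings['dynamicwatermarkdisplay']
        }
    }
    $Report.Add([PSCustomObject]@{
        Label       = $Label.DisplayName
        Watermark   = $Enabled
        DisplayText = $Display
    })
}

# Labels with dynamic watermarking should be the exception, so list them first
$Report | Sort-Object Watermark -Descending | Format-Table -AutoSize
```

Any label that reports Watermark = True but is not intended for highly confidential content is a candidate for review, given the client version requirements described earlier.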

A Label Setting to Use Sparingly

I like the idea of dynamic watermarking, and the implementation seems solid. The sole caveat I have is that this setting is not one to use with every sensitivity label, or even many labels. Dynamic watermarking is a setting best reserved for sensitivity labels intended to protect your most sensitive and confidential Office documents.

When you consider the sensitivity labels and scenarios where dynamic watermarking might help, make sure to brief users who’ll see the watermarks. Apart from not wanting to surprise people, it’s important that users don’t see dynamic watermarks as evidence that the organization doesn’t trust their ability to manage confidential information.

About the Author

Tony Redmond

Tony Redmond has written thousands of articles about Microsoft technology since 1996. He is the lead author for the Office 365 for IT Pros eBook, the only book covering Office 365 that is updated monthly to keep pace with change in the cloud. Apart from contributing to Practical365.com, Tony also writes at Office365itpros.com to support the development of the eBook. He has been a Microsoft MVP since 2004.

Comments

  1. Michael


    I’m currently trying to implement sensitivity labels at my organisation, however I’m struggling to work out how to send encrypted files to external parties. I’ve tried adding domains such as ‘Hotmail.co.uk’ to the permission section but files still won’t open. Any help would be much appreciated!

    1. Author reply

      It’s difficult to know what’s going on without being able to see what’s configured in your tenant. Have you asked Microsoft Support to review your settings? Essentially, the label must grant the right for users in a remote domain to access the content. Domains like hotmail should work.

      1. Michael


        I’ve added ‘Hotmail.co.uk’ in the Specific users section and the encrypted files still don’t open when I send them to my personal Hotmail account…

        1. Author reply

          Did you add your specific account or anyone in Hotmail.co.uk? And I presume you’re using assign permissions https://learn.microsoft.com/en-us/purview/encryption-sensitivity-labels#assign-permissions-now now rather than user defined permissions?

          In either case, if you can’t read the files, you should ask Microsoft support to check the settings in your tenant. It’s entirely possible that something is not set correctly. I can’t see the data in your tenant, so I can’t tell you where the error might be.
