New Option to Deter Sharing of Confidential Documents
We like to keep an eye on the development of sensitivity labels. Understanding features like blocking access to content services, which stops Copilot for Microsoft 365 from using labeled files, helps to solve problems that arise from other Microsoft 365 technologies. The latest innovation is a feature called dynamic watermarking, which is designed to deter people from taking and sharing screenshots of sensitive documents, much like watermarking in Teams meetings deters the leakage of information displayed on-screen during calls.
Office Apps Required for Dynamic Watermarking
Dynamic watermarking works for Office files on desktop, browser, and mobile applications. It is currently in preview, with Microsoft 365 roadmap item 400717 predicting general availability in November 2024, when the feature should be available in the Current Channel for Microsoft 365 enterprise applications. See Microsoft’s documentation for information about the required software versions to support different sensitivity label features.
If you decide to deploy sensitivity labels with dynamic watermarking, it’s important that everyone who might receive a document protected by a label uses a version of Office which supports dynamic watermarking. If someone who uses an old version of the Office applications receives a protected document, they won’t be able to open the file even if their account possesses the right to access the content. Obviously, sensitivity labels with dynamic watermarking are likely only to be used to protect highly confidential documents, so the number of users affected by the deployment is probably limited.
Static and Dynamic Watermarks
Sensitivity labels have long supported content marking for Office documents. The watermarks inserted by content marking are static in that they are persistent and remain in the document unless the value of the watermark is changed by a user or following an update to label settings. Dynamic watermarking adds a visual indicator to documents during file opening and removes the watermark when the file is closed. Both static and dynamic watermarking can be specified for a sensitivity label.
Microsoft says that dynamic watermarking is more secure than its static counterpart because a user cannot remove or change the watermark. However, if the usage rights granted to a user allow it, they can print the file or export it to a format that doesn’t support dynamic watermarking (such as PDF), and the printed or exported copy carries no watermark. One way to stop people exporting to a format like PDF is to remove the EXPORT usage right from the permissions assigned to users in the label. If you don’t want people to print confidential documents, remove the PRINT usage right. Removing these rights closes the export and print paths; it does nothing to stop someone photographing the screen, which is exactly the case the visible, user-specific watermark is meant to deter.
Adding Dynamic Watermarks to a Sensitivity Label
Dynamic watermarking only works with administrator-defined permissions. This is the configuration created when administrators specify the rights-based permissions for a label. Labels with user-defined permissions, where users have the opportunity to assign permissions for individual documents, don’t support dynamic watermarking. Once again, this shouldn’t be an issue because sensitivity labels with administrator-defined permissions are more likely to be used to limit access to confidential material.
You can create a new sensitivity label with dynamic watermarking or add the feature to an existing label. Adding a new label might be the better approach if you think users will react badly to the sudden appearance of watermarks when they edit or view an Office document. I chose to edit an existing label called Ultra Confidential. To add the feature, go to the access control section for a sensitivity label and select the ‘Use dynamic watermarking’ option (Figure 1).
After saving the label, allow a little time for the update to permeate throughout the tenant and be picked up by client applications. The Office Online applications are the fastest to pick up changes while the Office desktop applications require several hours to refresh their cache.
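The same change made with PowerShell instead of the Purview portal, as an added example that is not from the article. It assumes the Exchange Online Management module (Connect-IPPSSession) and the Set-Label parameters ApplyDynamicWatermarkingEnabled and DynamicWatermarkDisplay; the admin account, the ExecTeam group, and the watermark text are placeholders, and the label name is the article’s ‘Ultra Confidential’. Because the label uses administrator-defined permissions, the usage rights are set in the same call, and PRINT, EXPORT, and EXTRACT are deliberately left out of the rights string so the content cannot be printed, exported to PDF, or copied out of the watermarked application.

```powershell
# Added example (not from the article): enable dynamic watermarking on an
# existing label that uses administrator-defined permissions, and grant a
# rights set that omits PRINT, EXPORT and EXTRACT.
# Assumes: Exchange Online Management module installed; a label named
# 'Ultra Confidential'; the admin UPN and the ExecTeam group are placeholders.

Connect-IPPSSession -UserPrincipalName admin@office365itpros.com

# Rights granted to the group. PRINT, EXPORT and EXTRACT are intentionally
# absent, so users cannot print, save as PDF, or copy content out of Office.
# Format: principal:RIGHT,RIGHT;principal:RIGHT (semicolon separates principals)
$Rights = 'ExecTeam@office365itpros.com:VIEW,VIEWRIGHTSDATA,EDIT,DOCEDIT,REPLY,REPLYALL,FORWARD,OBJMODEL'

# Single quotes matter for the display string: ${Consumer.PrincipalName} must
# reach the service literally instead of being expanded as a PowerShell variable.
Set-Label -Identity 'Ultra Confidential' `
    -EncryptionEnabled $true `
    -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions $Rights `
    -ApplyDynamicWatermarkingEnabled $true `
    -DynamicWatermarkDisplay 'Ultra Confidential - ${Consumer.PrincipalName}'

# Read back what the tenant stored; LabelActions holds the JSON for each action
Get-Label -Identity 'Ultra Confidential' | Select-Object -ExpandProperty LabelActions
```

EncryptionRightsDefinitions sets the complete rights list for the label, so every user or group that should keep access must appear in the string, not only the group whose rights you are trimming. As the article notes, allow time after the change for desktop Office applications to refresh their label cache before testing.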
The ideal time to make changes to sensitivity labels is at the weekend or during a holiday period when an update can be tested in the production environment without causing any disruption to users. This tactic also allows label updates to be ready for users when they come back to work.
Dynamic Watermarking in Action
Users see dynamic watermarking when they read or edit an Office file protected by a sensitivity label that enables watermarking. Figure 2 shows a document being edited with Word Online (see this article about using colors to highlight sensitivity labels). The email address for the account is clearly visible.
The same effect happens when another user opens the file as a result of sharing or by receiving a copy of the document as an email attachment (Figure 3). In this case, the watermark is different because the value used is the user’s email address (hence the ‘dynamic’ nature of the watermark).
Dynamic watermarking has no effect on email assigned the sensitivity label (Figure 4). Given the profusion of email clients used with Microsoft 365, it would be unreasonable to prevent clients opening messages if they didn’t support sensitivity labels with dynamic watermarking, so the setting is ignored.
Dynamic Watermarking Setting in Label Properties
The LabelActions properties for a sensitivity label store the details for dynamic watermarking. For instance, the label used to illustrate examples in this article has the following setting:
applydynamicwatermarking {@{Key=disabled; Value=false}, @{Key=dynamicwatermarkdisplay; Value=${Consumer.PrincipalName}}}
We can see that dynamic watermarking is enabled (disabled = false) and that the display value is the user’s principal name. This runs slightly contrary to the Microsoft documentation for the feature, which discusses customization of the displayed value by running the Set-Label cmdlet to set the DynamicWatermarkDisplay parameter using strings or variables. The documentation says that the variable used is the user’s email address rather than their user principal name. Given that it is best practice to match an account’s primary SMTP address with their user principal name, this shouldn’t be an issue.
This article describes how to report the settings of sensitivity labels using the properties defined for labels.
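An added example (not from the article) that turns the LabelActions property into a per-label report of the dynamic watermarking settings. Get-Label returns LabelActions as an array of JSON strings, each with a Type (such as applydynamicwatermarking) and a Settings array of Key/Value pairs, which is what the flattened PowerShell display above shows. The sample labels are constructed to match that shape so the function can be tried without a tenant connection; the two label names are made up.

```powershell
# Added example (not from the article): report dynamic watermarking settings
# from the LabelActions property of sensitivity labels.
# Assumes LabelActions is an array of JSON strings shaped like
# {"Type":"...","SubType":...,"Settings":[{"Key":"...","Value":"..."}]}.

function Get-DynamicWatermarkSetting {
    [CmdletBinding()]
    param(
        # Objects with DisplayName and LabelActions, for example from Get-Label
        [Parameter(Mandatory, ValueFromPipeline)] $Label
    )
    process {
        $Enabled = $false   # no applydynamicwatermarking action means disabled
        $Display = $null
        foreach ($ActionJson in @($Label.LabelActions)) {
            if (-not $ActionJson) { continue }
            $Action = $ActionJson | ConvertFrom-Json
            if ($Action.Type -ne 'applydynamicwatermarking') { continue }
            foreach ($Setting in $Action.Settings) {
                switch ($Setting.Key) {
                    # The stored value is the string 'false' when the feature is on
                    'disabled'                { $Enabled = ([string]$Setting.Value -eq 'false') }
                    'dynamicwatermarkdisplay' { $Display = $Setting.Value }
                }
            }
        }
        [PSCustomObject]@{
            Label            = $Label.DisplayName
            DynamicWatermark = $Enabled
            DisplayValue     = $Display
        }
    }
}

# Constructed sample input mirroring the shape Get-Label returns.
# Both labels are invented for this example.
$SampleLabels = @(
    [PSCustomObject]@{
        DisplayName  = 'Ultra Confidential'
        LabelActions = @(
            '{"Type":"encrypt","SubType":null,"Settings":[{"Key":"disabled","Value":"false"}]}',
            '{"Type":"applydynamicwatermarking","SubType":null,"Settings":[{"Key":"disabled","Value":"false"},{"Key":"dynamicwatermarkdisplay","Value":"${Consumer.PrincipalName}"}]}'
        )
    },
    [PSCustomObject]@{
        DisplayName  = 'Internal'
        LabelActions = @(
            '{"Type":"applycontentmarking","SubType":"footer","Settings":[{"Key":"disabled","Value":"false"},{"Key":"text","Value":"Internal use only"}]}'
        )
    }
)

$SampleLabels | Get-DynamicWatermarkSetting | Format-Table -AutoSize

# Against a real tenant, after Connect-IPPSSession:
#   Get-Label | Get-DynamicWatermarkSetting | Where-Object DynamicWatermark
```

The report is a quick way to confirm that dynamic watermarking is switched on only for the small set of labels meant for highly confidential content, and to see the display value (the ${Consumer.PrincipalName} variable by default) that each label will render.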
A Label Setting to Use Sparingly
I like the idea of dynamic watermarking, and the implementation seems solid. The sole caveat I have is that this setting is not one to use with every sensitivity label, or even many labels. Dynamic watermarking is a setting best reserved for sensitivity labels intended to protect your most sensitive and confidential Office documents.
When you consider the sensitivity labels and scenarios where dynamic watermarking might help, make sure to brief users who’ll see the watermarks. Apart from not wanting to surprise people, it’s important that users don’t see dynamic watermarks as evidence that the organization doesn’t trust their ability to manage confidential information.
Tony, here is one we need help with. How do you customize the watermark? Where to put it on the page? Font? Size? We are running into a problem where the options Microsoft gives are basic options. The business case is customization of the watermark to land on the page exactly where we want it. I was hoping for a field, but there doesn’t appear to be one, especially for dynamic watermarking.
Microsoft support points us to knowledge articles, which are of no help. Ever run into this use case?
You can customize the static watermarking, which is what I think Microsoft support is pointing to. For now, dynamic watermarking doesn’t support customization. It is what it is… but it’s a preview feature and you can influence its final form by lobbying Microsoft through your account team.
I’m currently trying to implement sensitivity labels at my organisation; however, I’m struggling to work out how to send encrypted files to external parties. I’ve tried adding domains such as ‘Hotmail.co.uk’ to the permission section, but files still won’t open. Any help would be much appreciated!
It’s difficult to know what’s going on without being able to see what’s configured in your tenant. Have you asked Microsoft Support to review your settings? Essentially, the label must grant the right for users in a remote domain to access the content. Domains like hotmail should work.
I’ve added ‘Hotmail.co.uk’ in the Specific users section and the encrypted files still don’t open when I send them to my personal Hotmail account…
Did you add your specific account or anyone in Hotmail.co.uk? And I presume you’re using ‘Assign permissions now’ (https://learn.microsoft.com/en-us/purview/encryption-sensitivity-labels#assign-permissions-now) rather than user-defined permissions?
In either case, if you can’t read the files, you should ask Microsoft support to check the settings in your tenant. It’s entirely possible that something is not set correctly. I can’t see the data in your tenant, so I can’t tell you where the error might be.