New Option to Deter Sharing of Confidential Documents

We like to keep an eye on the development of sensitivity labels. Understanding features like blocking access to content services to restrict access to labeled files by Copilot for Microsoft 365 help to solve problems that arise from other Microsoft 365 technologies. The latest innovation is a feature called dynamic watermarking, which is designed to prevent people from taking screenshots of sensitive documents, much like watermarking in Teams meetings is a deterrent against data leakage such as taking and sharing screenshots of information displayed on-screen during calls.

Office Apps Required for Dynamic Watermarking

Dynamic watermarking works for Office files on desktop, browser, and mobile applications. It is currently in preview, with Microsoft 365 roadmap item 400717 predicting general availability in November 2024, when the feature should be available in the Current Channel for Microsoft 365 enterprise applications. See Microsoft’s documentation for information about the required software versions to support different sensitivity label features.

If you decide to deploy sensitivity labels with dynamic watermarking, it’s important that everyone who might receive a document protected by a label uses a version of Office which supports dynamic watermarking. If someone who uses an old version of the Office applications receives a protected document, they won’t be able to open the file even if their account possesses the right to access the content. Obviously, sensitivity labels with dynamic watermarking are likely only to be used to protect highly confidential documents, so the number of users affected by the deployment is probably limited.

Static and Dynamic Watermarks

Sensitivity labels have long supported content marking for Office documents. The watermarks inserted by content marking are static in that they are persistent and remain in the document unless the value of the watermark is changed by a user or following an update to label settings. Dynamic watermarking adds a visual indicator to documents during file opening and removes the watermark when the file is closed. Both static and dynamic watermarking can be specified for a sensitivity label.

Microsoft says that dynamic watermarking is more secure than its static counterpart because a user cannot remove or change the watermark. However, if the access rights granted to a user allow the action, they can print the file or export it to a format that doesn’t support dynamic watermarking (like PDF) and the watermark won’t be visible. One way to stop people exporting to a format like PDF is to remove the EXPORT usage right from the permissions assigned to users in the label. If you don’t want people to print confidential documents, remove the PRINT usage right.

Adding Dynamic Watermarks to a Sensitivity Label

Dynamic watermarking only works with administrator-defined permissions. This is the configuration created when administrators specify the rights-based permissions for a label. Labels with user-defined permissions, where users have the opportunity to assign permissions for individual documents, don’t support dynamic watermarking. Once again, this shouldn’t be an issue because sensitivity labels with administrator-defined permissions are more likely to be used to limit access to confidential material.

You can create a new sensitivity label with dynamic watermarking or add the feature to an existing label. Adding a new label might be the better approach if you think users will react badly to the sudden appearance of watermarks when they edit or view an Office document. I chose to edit an existing label called Ultra Confidential. To add the feature, go to the access control section for a sensitivity label and select the ‘Use dynamic watermarking’ option (Figure 1).

Configuring a sensitivity label for dynamic watermarking.
Figure 1: Configuring a sensitivity label for dynamic watermarking

After saving the label, allow a little time for the update to permeate throughout the tenant and be picked up by client applications. The Office Online applications are the fastest to pick up changes while the Office desktop applications require several hours to refresh their cache.

The ideal time to make changes to sensitivity labels is at the weekend or during a holiday period when an update can be tested in the production environment without causing any disruption to users. This tactic also allows label updates to be ready for users when they come back to work.

Dynamic Watermarking in Action

Users see dynamic watermarking when they read or edit an Office file protected by a sensitivity label that enables watermarking. Figure 2 shows a document being edited with Word Online (see this article about using colors to highlight sensitivity labels). The email address for the account is clearly visible.

Editing a Word document with dynamic watermarking
Figure 2: Editing a Word document with dynamic watermarking

The same effect happens when another user opens the file as a result of sharing or by receiving a copy of the document as an email attachment (Figure 3). In this case, the watermark is different because the value used is the user’s email address (hence the ‘dynamic’ nature of the watermark).

Dynamic watermarking works when reading Office documents too
Figure 3: Dynamic watermarking works when reading Office documents too

Dynamic watermarking has no effect on email assigned the sensitivity label (Figure 4). Given the profusion of email clients used with Microsoft 365, it would be unreasonable to prevent clients opening messages if they didn’t support sensitivity labels with dynamic watermarking, so the setting is ignored.

No trace of dynamic watermarking in email
Figure 4: No trace of dynamic watermarking in email

Dynamic Watermarking Setting in Label Properties

The LabelActions properties for a sensitivity label store the details for dynamic watermarking. For instance, the label used to illustrate examples in this article has the following setting:

applydynamicwatermarking         {@{Key=disabled; Value=false}, @{Key=dynamicwatermarkdisplay; Value=${Consumer.PrincipalName}}}

We can see that dynamic watermarking is enabled (disabled = false) and that the display value is the user’s principal name. This runs slightly contrary to the Microsoft documentation for the feature, which discusses customization of the displayed value by running the Set-Label cmdlet to set the DynamicWatermarkDisplay parameter using strings or variables. The documentation says that the variable used is the user’s email address rather than their user principal name. Given that it is best practice to match an account’s primary SMTP address with their user principal name, this shouldn’t be an issue.

This article describes how to report the settings of sensitivity labels using the properties defined for labels.

A Label Setting to Use Sparingly

I like the idea of dynamic watermarking, and the implementation seems solid. The sole caveat I have is that this setting is not one to use with every sensitivity label, or even many labels. Dynamic watermarking is a setting best reserved for sensitivity labels intended to protect your most sensitive and confidential Office documents.

When you consider the sensitivity labels and scenarios where dynamic watermarking might help, make sure to brief users who’ll see the watermarks. Apart from not wanting to surprise people, it’s important that users don’t see dynamic watermarks as evidence that the organization doesn’t trust their ability to manage confidential information.

About the Author

Tony Redmond

Tony Redmond has written thousands of articles about Microsoft technology since 1996. He is the lead author for the Office 365 for IT Pros eBook, the only book covering Office 365 that is updated monthly to keep pace with change in the cloud. Apart from contributing to Practical365.com, Tony also writes at Office365itpros.com to support the development of the eBook. He has been a Microsoft MVP since 2004.

Comments

  1. Jonathan Merrill

    Tony, here is one we need help with. How do you customize the Watermark? Where to put it on the page? Font? Size? We are running into a problem where the options Microsoft gives are basic options. The business case is customization of the watermark to land on the page exactly where we want it. I was hoping for a field, but doesn’t appear to be. Especially if dynamic watermarking.

    Microsoft support points us to knowledge articles, which are of no help. Ever run into this use case?

    1. Avatar photo
      Tony Redmond

      You can customize the static watermarking, which is what I think Microsoft support is pointing to. For now, dynamic watermarking doesn’t support customization. It is what it is… but it’s a preview feature and you can influence its final form by lobbying Microsoft through your account team.

  2. Michael

    I’m currently trying to implement sensitivity labels at my organisation, however I’m struggling to work out how to send encrypted files to external parties. I’ve tried adding domains such as ‘Hotmail.co.uk’ to the permission section but files still won’t open. Any help would be much appreciated!

    1. Avatar photo
      Tony Redmond

      It’s difficult to know what’s going on without being able to see what’s configured in your tenant. Have you asked Microsoft Support to review your settings? Essentially, the label must grant the right for users in a remote domain to access the content. Domains like hotmail should work.

      1. Michael

        I’ve added ‘Hotmail.co.uk’ in the Specific users section and the encrypted files still don’t open when I send them to my personal Hotmail account…

        1. Avatar photo
          Tony Redmond

          Did you add your specific account or anyone in Hotmail.co.uk? And I presume you’re using assign permissions https://learn.microsoft.com/en-us/purview/encryption-sensitivity-labels#assign-permissions-now now rather than user defined permissions?

          In either case, if you can’t read the files, you should ask Microsoft support to check the settings in your tenant. It’s entirely possible that something is not set correctly. I can’t see the data in your tenant, so I can’t tell you where the error might be.

Leave a Reply