Constant and Evolving Change to Improve Sensitivity Label Functionality

Microsoft released sensitivity labels for Office 365 in September 2018 to replace Azure Information Protection (AIP) labels. At the time, sensitivity labels offered limited functionality and required users to install a separate client before they could apply labels to Office documents. Since then, Microsoft has steadily pushed out new features and capabilities. Perhaps 2023 will be the year when your organization deploys sensitivity labels to protect and classify information stored in Exchange Online and SharePoint Online.

Licensing Sensitivity Labels

Sensitivity labels are part of the Microsoft Purview Information Protection product. Anyone with an Office 365 license can read documents or emails protected by labels. Users require Office 365 E3 or above to apply a label manually, while automatic policy-driven application of labels requires Office 365 E5, Microsoft 365 E5, or Microsoft 365 E5 compliance licenses. Automatic is a broad term and includes assigning a default sensitivity label for a SharePoint document library (the same requirement exists to apply a default retention label for a document library).

Users who don’t belong to a Microsoft 365 tenant can still receive and access protected content. In these scenarios, attempts to access the content will redirect to the Office 365 Message Encryption (OME) portal. Once authenticated, the user can read the content.

Managing Sensitivity Labels

Sensitivity label management is through the Information Protection section of the Microsoft Purview Compliance portal (Figure 1). Note that each label has a priority number, starting at 0 (zero, the lowest priority). SharePoint Online uses the priority order to decide whether users have stored confidential information on sites intended for more general access (a label mismatch).

Figure 1: Microsoft Purview compliance portal displays a set of sensitivity labels

The tasks involved in managing sensitivity labels are:

  • Defining the usage of the labels.
  • Defining settings for individual labels.
  • Publishing labels through label policies to target audiences (user accounts). A label policy (Figure 2) consists of one or more specified labels and a target audience (user accounts). Publication must make labels available to users before they can apply the labels to documents and emails.

Figure 2: Details of a sensitivity label publishing policy

Two Broad Categories of Functionality

Sensitivity label functionality divides into two broad categories.

Protection: This was the original focus for sensitivity labels, where protection came from Azure Information Protection rights management. Essentially, users can only access protected content if the creator grants them the right to do so. The rights granted define the actions a user can take. For instance, they might be able to read a document but not print it. To help users understand that they’re dealing with confidential information, sensitivity labels can apply visual markers to documents and messages. For example, a label might insert text like “Confidential – Do Not Release Outside the Company” in a footer in Office documents.

Sensitivity labels also support the use of color as a visual indicator for the relative importance of labeled content. Labels applied to the most confidential material might be red, while those applied to less sensitive information might be yellow, green, or whatever other color hex code you think appropriate.

Either Microsoft (the default) or the tenant (BYOK or bring your own key) manages the encryption keys used for protection. Double-key encryption (DKE) is also available where both Microsoft and the tenant have separate keys, both of which must be available before a user can access the content. Finally, Outlook supports sensitivity labels that use S/MIME to encrypt and apply digital signatures to email. BYOK, DKE, and S/MIME show how Microsoft has expanded sensitivity labels to accommodate different forms of protection used by customers. However, the most common form of protection continues to be where Microsoft manages the encryption keys in its Rights Management service.

Container Management: Originally, a container is a team, group, or site. Recently, Microsoft has added OWA meetings and Teams meetings to the set (the latter requires Teams Premium licenses). Container management is a way for an organization to apply policy through labels. For instance, an organization probably doesn’t want guest users to be members of teams where people review highly sensitive information. By applying a label to the team that has the Guest Access setting disabled, no one except an administrator can add an external user to the team’s membership. Another example is the setting to control the sharing capability for a SharePoint site. In our example, it’s unlikely that the organization wants people to share documents from the site owned by the team with external users. The same sensitivity label that stops guest user access can also limit the external sharing capability for the site to be “Only people in your organization” (Figure 3).

Figure 3: Sensitivity label settings to control sharing and conditional access

Separate Sets of Sensitivity Labels

It’s possible to use sensitivity labels for both protection and container management. However, I prefer to create separate sets of labels to handle the two functions. I think this approach makes label management easier to understand. The scope of the labels shown in Figure 1 tells you the use of each label. “Site, UnifiedGroup” means that a label is for container management, while “File, Email” means that the label is for protection. “Meetings” is the latest scope used to protect meetings.
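As an added example (not code from the article), the following Security & Compliance PowerShell script inventories a tenant's labels by scope and priority, warns about labels scoped for both uses, and creates and publishes a container-management label with the guest-access and external-sharing settings shown in Figure 3. The label and policy names are placeholders; the ExchangeOnlineManagement module is assumed.

```powershell
# Added example: inventory sensitivity labels by scope, then create a container label
# that blocks guest members and limits sharing to "Only people in your organization".
# Assumes the ExchangeOnlineManagement module; label/policy names are placeholders.
Connect-IPPSSession   # Security & Compliance PowerShell

# 1. List labels in priority order. ContentType is the scope shown in Figure 1:
#    "Site, UnifiedGroup" = container management, "File, Email" = protection.
$labels = Get-Label | Sort-Object Priority
$labels | Select-Object Priority, DisplayName, ContentType, Guid | Format-Table -AutoSize

$containerLabels  = $labels | Where-Object { $_.ContentType -like '*UnifiedGroup*' }
$protectionLabels = $labels | Where-Object { $_.ContentType -like '*File*' }
"Container labels: $($containerLabels.Count); protection labels: $($protectionLabels.Count)"

# Flag labels whose scope mixes both uses; the article recommends separate sets.
$labels |
    Where-Object { $_.ContentType -like '*File*' -and $_.ContentType -like '*Site*' } |
    ForEach-Object { Write-Warning "Label '$($_.DisplayName)' is scoped for both protection and containers" }

# 2. Create a container label (placeholder name) for groups/teams/sites that must not have guests.
#    SiteExternalSharingControlType Disabled = "Only people in your organization" (Figure 3).
$name = 'Internal Only - Container'   # placeholder
if (-not (Get-Label -Identity $name -ErrorAction SilentlyContinue)) {
    New-Label -Name $name -DisplayName $name `
        -Tooltip 'Private group/team/site: no guest members, no external sharing' `
        -ContentType 'Site, UnifiedGroup' `
        -SiteAndGroupProtectionEnabled $true `
        -SiteAndGroupProtectionPrivacy Private `
        -SiteAndGroupProtectionAllowAccessToGuestUsers $false `
        -SiteAndGroupProtectionAllowEmailFromGuestUsers $false `
        -SiteExternalSharingControlType Disabled
}

# 3. Publish it: nobody can apply a label until a label policy makes it available to them.
#    Publishing to all mailboxes here; narrow the audience (e.g. administrators) to restrict who
#    can apply a more permissive label, as the comments on this article discuss.
$policy = 'Container labels'          # placeholder
if (-not (Get-LabelPolicy -Identity $policy -ErrorAction SilentlyContinue)) {
    New-LabelPolicy -Name $policy -Labels $name -ExchangeLocation All
}
```

Label policy changes can take some time to reach clients, so check the result in the Purview portal before testing with a user account.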

It’s important to emphasize that any implementation of sensitivity labels involves a considerable effort to plan and deploy labels. Even items that appear simple, like label naming, require care. Users will do the right thing to protect sensitive information if they are guided by good names, descriptions, and limited choices. By that, I mean that it’s hard for users to decide between three or four labels that might be very similar. A label naming scheme that is clear, precise, and easy to follow is always better than giving too many choices. Take the example shown in Figure 4. Eighteen labels is too many, and the names of some do not clearly indicate the intended usage.

Figure 4: Too many sensitivity labels to choose from?

The screenshot comes from my tenant, and I know the reason why so many labels are present. But think of the average user who’s asked to choose from the array of available labels and then reflect on how many errors might happen.

Sensitivity Label Clients

The biggest change for sensitivity labels over the past few years is native mode support for labels within applications. Native mode means that an application includes code built using the Microsoft Information Protection SDK to apply, read, and respect sensitivity labels. As noted above, originally, labeling depended on a separate client (the AIP client and later the unified labeling client). Now, the Microsoft 365 enterprise desktop apps (Word, Excel, and PowerPoint), their online equivalents, and the paid-for version of Adobe Acrobat can interact with sensitivity labels directly. Support extends to protecting PDFs generated by Office applications.

The unified labeling client is now in maintenance mode. However, it’s still needed to apply sensitivity labels to files stored outside Microsoft 365 or files belonging to applications that don’t support information protection. This article discusses how to use the client to apply sensitivity labels to the MP4 files generated for Teams meeting recordings.

SharePoint Online and Sensitivity Labels

Another area of major improvement over the last few years has been the support of sensitivity labels within SharePoint Online. Initially, although it was possible to store protected content in a document library, SharePoint Online couldn’t do anything with the encrypted file. SharePoint Online stores item metadata in Azure SQL, separately from the blobs that hold the documents themselves, so the metadata (like document names and authors) was always available. However, services like Microsoft Search couldn’t index the encrypted content, which meant that other Microsoft 365 services like Data Loss Prevention (DLP) policies couldn’t work.

The solution is for SharePoint Online to decrypt protected files before storing them and to re-encrypt them when users access the content. This makes it possible for other services to access and use protected content stored in both SharePoint Online and OneDrive for Business. The mechanism sounds simple, but a lot of engineering effort went into making it possible.

Before an organization can use sensitivity labels with SharePoint Online in an integrated manner, it must opt in to support for sensitivity labels. This simple step tells SharePoint Online that it should decrypt protected content before storage.

Sensitivity Label Challenges

Microsoft has made great progress to improve and refine how sensitivity labels work across Microsoft 365. Some challenges still exist, including the lack of APIs to allow organizations to apply sensitivity labels to content (this is coming), but overall, the picture is very positive.

That is until you venture outside the boundaries of day-to-day work with Office/PDF files. Management of protected files can be difficult, especially for third-party applications. Take backup products for example. They request data from SharePoint and download protected files, which the backup product then copies to its repository. But recovery and access to the backup files by end users is less certain. Conceptually, the challenge is easier for the forthcoming Microsoft Syntex backup service because all data remains within Microsoft, but it’s still something to test.

The same question of how to deal with protected content exists for tenant-to-tenant migrations when millions of emails and documents might move from one tenant to another. User accounts created in the target tenant can open unprotected files, but it’s likely that rights assigned to protected files won’t include their email address and block access. Removing encryption from documents before the transfer can be done (the same process is used to recover protected documents left behind by ex-employees), but it’s painful and slow.

No doubt improvements will happen in these areas in the future. I can’t say when, so my anticipation is more in hope than with certitude.

About the Author

Tony Redmond

Tony Redmond has written thousands of articles about Microsoft technology since 1996. He is the lead author for the Office 365 for IT Pros eBook, the only book covering Office 365 that is updated monthly to keep pace with change in the cloud. Apart from contributing to Practical365.com, Tony also writes at Office365itpros.com to support the development of the eBook. He has been a Microsoft MVP since 2004.

Comments

  1. Mike

    Hi Tony,
    Thanks for this article and all the materials here! Great stuff!

    I have a question for you about using sensitivity labels to limit users from creating public SPO groups/sites.
    I’ve created 2 labels and published them via a single label policy, however I haven’t figured out how to prevent users from using one of the labels (for public sites), while the other (default, for private sites) would be the only one they could use.
    The goal is to make the users have to ask for admin approval to create public sites (which should be as few as possible).

    I tried to do it in Entra ID conditional access policies + groups, but they don’t seem to be the right tool to me… is MS Defender -> Policies (which I’ve only started exploring) the right answer?

    Any advice would be highly appreciated 🙂

    Many thanks!
    Mike

    1. Tony Redmond

      If you want that kind of control over public groups, I would only publish container management labels that allow users to create private groups/sites/team and implement a process to allow them request that a group/site/team be changed to public through application of a label that is only published to administrators.

      1. Mike

        Thanks Tony, that makes sense!

  2. John T

    Do you have a recommended best practices for testing labels, label policies, and DLP policies?

    1. Tony Redmond

      Get a free development tenant.
      Set it up as closely as possible to the environment of the production tenant.
      Test policies thoroughly in the development tenant before bringing them to production.

  3. Rafael de Miguel

    Hello good afternoon.
    Excellent article, very useful for today..

    We are experiencing the same scenario described in the paragraph:

    “The same issue of how to handle protected content exists for tenant-to-tenant migrations when millions of emails and documents can move from one tenant to another. User accounts created in the destination tenant can open unprotected files, but it is likely that rights assigned to protected files do not include your email address and block access. Remove encryption from documents before the transfer can be made (the same process is used to recover protected documents left behind by former employees), but it is painful is slow.”

    Do you have any strategy recommendations for “reclassifying” protected files en masse?

    We thought about MCAS, but it seems that it has limitations for changing encrypted files through governance actions.

    1. Tony Redmond

      I do have ideas, but I suggest that you engage the help of someone experienced who has been through a T2T migration involving encrypted content. There is no substitute for experience.

  4. Josh

    Hi Tony –
    Great info, thanks. Question: I have an auto-labeling policy applying a label to all files in a teams site. If I change the label in the auto-labeling policy, will it override and change the label that was previously applied by the policy? Do you know if the auto-labeling policy will apply to files in private channels created later too? I can’t find anything definitive about this.

      1. Josh

        Thanks. And so far in my testing, an auto-label policy will not place labels on files in a private channel unless you add the private channel SharePoint site to the scope of the policy.

        1. Tony Redmond

          Yes, that’s right. The site belonging to a private channel is a separate site and therefore needs to be specified in the scope for an auto-label policy.

  5. Krishna

    Hello, I need to disable external access to some of my SharePoint sites connected to the same hub site called “Finance”. Based on the hub site, I need to restrict external user access to all these sites. So can you guide me to apply a sensitivity label for this scenario? Thanks!

    1. Tony Redmond

      What kind of sites are you using? Team sites are the only type that support sensitivity labels.

      1. Krishna

        Hello Tony, thanks for the response. We are using Team sites connected with M365 groups. I could see that we can use ‘External sharing and conditional access’ but how can I set the adaptive scope as all my team sites connected to the Hub Site? I could see only the Users and Groups option under Information Protection –> Label Policy. Thanks for the help.

          1. Krishna

            Thanks. You put me in the correct direction. Your response was really helpful for me. I do have one more requirement. I have another batch of sites with the same List (Category) as a common list for every site. I need to apply a sensitivity label and restrict external access for these sites. Do you think, here also, I should go with a PowerShell script to apply the label for each site? Please confirm

          2. Tony Redmond

            I really can’t say because I don’t know the full circumstances of your environment. The decision about how to apply a sensitivity label (manually or via PowerShell) is one that you’ll have to make.
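As an added example (not from the article or its comments), this PowerShell script applies an existing container label to every team site associated with a hub site, the scenario raised in this thread; it goes slightly beyond the question by skipping sites whose template does not take a container label and by reporting before it changes anything. It assumes the SharePoint Online Management Shell and the ExchangeOnlineManagement module; the admin URL, hub URL and label name are placeholders.

```powershell
# Added example: apply a container sensitivity label to all sites associated with a hub site.
# Assumes Microsoft.Online.SharePoint.PowerShell and ExchangeOnlineManagement are installed.
param(
    [string]$AdminUrl  = 'https://contoso-admin.sharepoint.com',          # placeholder
    [string]$HubUrl    = 'https://contoso.sharepoint.com/sites/Finance',  # placeholder
    [string]$LabelName = 'Internal Only - Container',                     # placeholder
    [switch]$Apply     # without -Apply the script only reports what it would change
)
Connect-SPOService -Url $AdminUrl
Connect-IPPSSession

# Resolve the label to its GUID; Set-SPOSite takes the GUID, not the display name.
$label = Get-Label -Identity $LabelName -ErrorAction Stop
if ($label.ContentType -notlike '*Site*') {
    throw "'$LabelName' is not scoped to sites and groups (ContentType: $($label.ContentType))"
}
$labelId = $label.Guid.ToString()

# Enumerate the hub's associated sites. Only team sites support container labels,
# so skip communication sites and other templates instead of failing on them.
foreach ($childUrl in Get-SPOHubSiteChild -Identity $HubUrl) {
    $site = Get-SPOSite -Identity $childUrl
    if ($site.Template -notlike 'GROUP#0*') {
        Write-Warning "Skipping $($site.Url): template $($site.Template) does not take a container label"
        continue
    }
    if ($site.SensitivityLabel -eq $labelId) {
        "Already labeled: $($site.Url)"
        continue
    }
    if ($Apply) {
        Set-SPOSite -Identity $site.Url -SensitivityLabel $labelId
        "Applied '$LabelName' to $($site.Url)"
    } else {
        "Would apply '$LabelName' to $($site.Url) (run with -Apply)"
    }
}
```

Sites added to the hub later are not covered; rerun the script (or schedule it) to catch them.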

  6. Anne

    Hi Tony, this is very useful information, thank you.

    I do have a question, I’m hoping you can help me with. If the company shareholders all have E5 licensing and apply a confidential label to a folder (in SharePoint or Teams) so that only the shareholders can view documents within that folder, what happens if a staff member with an E3 license tries to access that folder?

    1. Tony Redmond

      You apply sensitivity labels to documents, not folders (you can apply a retention label to folders). If the label settings do not permit users to access content, they won’t be able to open the files.

  7. Travis

    Great article! Thanks

    I’m still a bit confused by the split between E3 and E5 capabilities. I’m hoping you can help me out.

    If I only have E3 licences and apply a sensitivity label to a SharePoint site will all the documents in that site inherit that sensitivity label?

    1. Tony Redmond

      If you apply a default sensitivity label to a SharePoint document library, all new documents (but not existing document) will inherit the label. This is deemed to be an automatic function and therefore requires E5.

  8. Alex

    Hi there, solid info.

    One quick question though

    One of my customers is running with Business Premium License + Information Protection & Governance E5 license.

    When deploying a sensitive label linked with an Azure AD authentication context it returns a client error: “Protection Level” not supported because the tenant is not E5 or the flight is off”

    I thought we had the necessary licenses for this already, assume this means we need another license ?

    Thanks

      1. Peter

        I am in the same situation as Alex. However I am not so sure about the Syntex advanced management license requirement. The section https://learn.microsoft.com/en-us/sharepoint/authentication-context-example#set-a-sensitivity-label-to-apply-the-authentication-context-to-labeled-sites you referred to, mentions “Sensitivity labels require Microsoft 365 E5 or Microsoft 365 E3 plus the Advanced Compliance license.” Especially Advanced Compliance license seems odd as this seems to be a discontinued SKU.

        Syntex advanced management license is mentioned in the section before “Apply the authentication context directly to a site”. However this also works with Business Premium and Information Protection & Governance E5.

        Support is still struggling with this. I am already at my third ticket for this with an additional GitHub issue for the docs clarification. Also because https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#microsoft-purview-information-protection-sensitivity-labeling seems to mention other license prerequisites.

        1. Tony Redmond

          One of the Microsoft program managers working on SharePoint Online support for sensitivity labels is here at the TEC 2023 conference in Atlanta so I asked him. The response is that authentication context requires EITHER an E5 (Office 365/Microsoft 365) license OR the Syntex-SharePoint advanced management license. He suggested that if Microsoft support has an issue, they can ask about the topic in the https://www.yammer.com/askipteam#/home Viva Engage community.

          1. Peter

            Thank you for your feedback. Support hasn’t come back to me yet, sort of playing ball with the case between the M365 support team and Azure AD support, which is quite frustrating.

            I already went the road with Syntex-SharePoint advanced management license, at least I guess this is behind “SharePoint advanced management plan 1” which I am on a trial right now. However this didn’t change anything with respect to the error message even after some days of having the trial active in my tenant.

          2. Tony Redmond

            Ask the Microsoft support team to speak to Sanjoyan Mustafi. He’s the PM for the feature.

          3. Peter

            Microsoft support guy just came back to me with the information that this only works with full E5. No E3 + some E5 add-on (like E5 Compliance). Just full-blown E5.

          4. Tony Redmond

            Well that’s a bummer. It quite takes away some of the advantage of having a separate Syntex-SharePoint advanced management license. Who said that Microsoft licensing is easy…

  9. Tomáš Drozd

    Very useful read, thank you for that.
    My question is how are users supposed to deal with a document that carries a sensitivity label of another tenant and they are forced to apply a label from their own tenant when editing it.
    As per my tests the existence of the sensitivity label from another tenant does not stop the user’s home tenant from forcing him to apply another sensitivity label.
    Am I missing something or is there any way how to solve this?
    Thank you!

    1. Tony Redmond

      A document can only have one sensitivity label with encryption (it can have multiple labels that don’t encrypt content). Users won’t be able to remove and replace a label on a document they receive unless they have the right to do so (Co-Owner). In your tests, did the label on the inbound attachment encrypt the content or is it just a visual marker?

  10. Antonio

    That was a great read! Although I have a question, if you may;
    I’ve managed to create labels and a policy to apply them, and they work like a charm on the office online apps,
    but they don’t show up at all on the desktop version. This may be silly, but I can’t quite figure this one out.

  11. Markus

    Is it now possible to force external users to use true MFA when using sensitivity labels on an email? When I’ve been experimenting with this before I could not find a scenario where I could encrypt/label an email to force the user to authenticate with true MFA (Authenticator, SMS etc) before opening the email. Only email OTP was possible, and that was only when the external user was using something other than Microsoft, for example Gmail.

  12. Yves

    It’s sad that you cannot apply labels to OneNote content. Makes me wonder how much development is left for this app. You can apply flip but not sensitivity on OneNote and I haven’t found a third party app yet either.

    1. Tony Redmond

      It’s certainly curious that Microsoft has not yet plunged into labeling OneNote files, but the structure of a OneNote file might mitigate against the kind of protection they have. I don’t know. This is just idle speculation.

  13. Jonas Heller

    Great information, as always from you @tony 🙂
