Constant and Evolving Change to Improve Sensitivity Label Functionality

Microsoft released sensitivity labels for Office 365 in September 2018 to replace Azure Information Protection (AIP) labels. At the time, sensitivity labels offered limited functionality and required users to install a separate client before they could apply labels to Office documents. Since then, Microsoft has steadily pushed out new features and capabilities. Perhaps 2023 will be the year when your organization deploys sensitivity labels to protect and classify information stored in Exchange Online and SharePoint Online.

Licensing Sensitivity Labels

Sensitivity labels are part of the Microsoft Purview Information Protection product. Anyone with an Office 365 license can read documents or emails protected by labels. Users require Office 365 E3 or above to apply a label manually, while automatic policy-driven application of labels requires Office 365 E5, Microsoft 365 E5, or Microsoft 365 E5 compliance licenses. Automatic is a broad term and includes assigning a default sensitivity label for a SharePoint document library (the same requirement exists to apply a default retention label for a document library).

Users who don’t belong to a Microsoft 365 tenant can still receive and access protected content. In these scenarios, attempts to access the content will redirect to the Office 365 Message Encryption (OME) portal. Once authenticated, the user can read the content.

Managing Sensitivity Labels

Sensitivity label management is through the Information Protection section of the Microsoft Purview Compliance portal (Figure 1). Note that each label has a priority number from 0 (zero – the lowest priority). SharePoint Online uses the priority order to decide if users store confidential information on sites intended for more general access (a label mismatch).

Microsoft Purview compliance portal displays a set of sensitivity labels
Figure 1: Microsoft Purview compliance portal displays a set of sensitivity labels

The tasks involved in managing sensitivity labels are:

  • Defining the usage of the labels.
  • Defining settings for individual labels.
  • Publishing labels through label policies to target audiences (user accounts). A label policy (Figure 2) consists of one or more specified labels and a target audience (user accounts). Publication must make labels available to users before they can apply the labels to documents and emails.
Details of a sensitivity label publishing policy
Figure 2: Details of a sensitivity label publishing policy

Two Broad Categories of Functionality

Sensitivity label functionality divides into two broad categories.

Protection: This was the original focus for sensitivity labels, where protection came from Azure Information Protection rights management. Essentially, users can only access protected content if the creator grants them the right to do so. The rights granted define the actions a user can take. For instance, they might be able to read a document but not print it. To help users understand that they’re dealing with confidential information, sensitivity labels can apply visual markers to documents and messages. For example, a label might insert text like “Confidential – Do Not Release Outside the Company” in a footer in Office documents.

Sensitivity labels also support the use of color as a visual indicator for the relative importance of labeled content. Labels applied to the most confidential material might be red, while those applied to less sensitive information might be yellow, green, or whatever other color hex code you think appropriate.

Either Microsoft (the default) or the tenant (BYOK or bring your own key) manages the encryption keys used for protection. Double-key encryption (DKE) is also available where both Microsoft and the tenant have separate keys, both of which must be available before a user can access the content. Finally, Outlook supports sensitivity labels that use S/MIME to encrypt and apply digital signatures to email. BYOK, DKE, and S/MIME show how Microsoft has expanded sensitivity labels to accommodate different forms of protection used by customers. However, the most common form of protection continues to be where Microsoft manages the encryption keys in its Rights Management service.

Container Management: Originally, a container is a team, group, or site. Recently, Microsoft has added OWA meetings and Teams meetings to the set (the latter requires Teams Premium licenses). Container management is a way for an organization to apply policy through labels. For instance, an organization probably doesn’t want guest users to be members of teams where people review highly sensitive information. By applying a label to the team that has the Guest Access setting disabled, no one except an administrator can add an external user to the team’s membership. Another example is the setting to control the sharing capability for a SharePoint site. In our example, it’s unlikely that the organization wants people to share documents from the site owned by the team with external users. The same sensitivity label that stops guest user access can also limit the external sharing capability for the site to be “Only people in your organization” (Figure 3).

Sensitivity label settings to control sharing and conditional access
Figure 3: Sensitivity label settings to control sharing and conditional access

Cybersecurity Risk Management for Active Directory

Discover how to prevent and recover from AD attacks through these Cybersecurity Risk Management Solutions.

Separate Sets of Sensitivity Labels

It’s possible to use sensitivity labels for both protection and container management. However, I prefer to create separate sets of labels to handle the two functions. I think this approach makes label management easier to understand. The scope of the labels shown in Figure 1 tells you the use of each label. “Site, UnifiedGroup” means that a label is for container management, while “File, Email” means that the label is for protection. “Meetings” is the latest scope used to protect meetings.

It’s important to emphasize that any implementation of sensitivity labels involves a considerable effort to plan and deploy labels. Even items that appear simple, like label naming, require care. Users will do the right thing to protect sensitive information if they are guided by good names, descriptions, and limited choices. By that, I mean that it’s hard for users to decide between three or four labels that might be very similar. A label naming scheme that is clear, precise, and easy to follow is always better than giving too many choices. Take the example shown in Figure 4. Eighteen labels is too many, and the names of some do not clearly indicate the intended usage.

Too many sensitivity labels to choose from?
Figure 4: Too many sensitivity labels to choose from?

The screenshot comes from my tenant, and I know the reason why so many labels are present. But think of the average user who’s asked to choose from the array of available labels and then reflect on how many errors might happen.

Sensitivity Label Clients

The biggest change for sensitivity labels over the past few years is native mode support for labels within applications. Native mode means that an application includes code built using the Microsoft Information Protection SDK to apply, read, and respect sensitivity labels. As noted above, originally, labeling depended on a separate client (the AIP client and later the unified labeling client). Now, the Microsoft 365 enterprise desktop apps (Word, Excel, and PowerPoint), their online equivalents, and the paid-for version of Adobe Acrobat can interact with sensitivity labels directly. Support extends to protecting PDFs generated by Office applications.

The unified labeling client is now in maintenance mode. However, it’s still needed to apply sensitivity labels to files stored outside Microsoft 365 or files belonging to applications that don’t support information protection. This article discusses how to use the client to apply sensitivity labels to the MP4 files generated for Teams meeting recordings.

SharePoint Online and Sensitivity Labels

Another area of major improvement over the last few years has been the support of sensitivity labels within SharePoint Online. Initially, although it was possible to store protected content in a document library, SharePoint Online couldn’t do anything with the encrypted file. SharePoint Online stores item metadata separately to the blobs used to hold documents in Azure SQL, so the metadata (like document names and authors) was always available. However, services like Microsoft Search couldn’t index the encrypted content, which meant that other Microsoft 365 services like Data Loss Prevention (DLP) policies couldn’t work.

The solution is for SharePoint Online to decrypt content before storing files and to encrypt files when users access the content. This makes it possible for other services to access and use protected content stored in both SharePoint Online and OneDrive for Business. The mechanism sounds simple, but a lot of engineering effort happened to make it possible.

Before an organization can use sensitivity labels with SharePoint Online in an integrated manner, it must opt-in to support sensitivity labels. This simple step tells SharePoint Online that it should decrypt protected content before storage.

Sensitivity Label Challenges

Microsoft has made great progress to improve and refine how sensitivity labels work across Microsoft 365. Some challenges still exist, including the lack of APIs to allow organizations to apply sensitivity labels to content (this is coming), but overall, the picture is very positive.

That is until you venture outside the boundaries of day-to-day work with Office/PDF files. Management of protected files can be difficult, especially for third-party applications. Take backup products for example. They request data from SharePoint and download protected files, which the backup product then copies to its repository. But recovery and access to the backup files by end users is less certain. Conceptually, the challenge is easier for the forthcoming Microsoft Syntex backup service because all data remains within Microsoft, but it’s still something to test.

The same question of how to deal with protected content exists for tenant-to-tenant migrations when millions of emails and documents might move from one tenant to another. User accounts created in the target tenant can open unprotected files, but it’s likely that rights assigned to protected files won’t include their email address and block access. Removing encryption from documents before the transfer can be done (the same process is used to recover protected documents left behind by ex-employees), but it’s painful and slow.

No doubt improvements will happen in these areas in the future. I can’t say when, so my anticipation is more in hope than with certitude.

About the Author

Tony Redmond

Tony Redmond has written thousands of articles about Microsoft technology since 1996. He is the lead author for the Office 365 for IT Pros eBook, the only book covering Office 365 that is updated monthly to keep pace with change in the cloud. Apart from contributing to Practical365.com, Tony also writes at Office365itpros.com to support the development of the eBook. He has been a Microsoft MVP since 2004.

Comments

  1. Ale

    Hi Tony, what is the best practice to manage digitally signed documents (e.g. Adobe Sign, Docusign, …) with encrypted sensitivity labels? I would like to be able to label those as well but it’s impossible, which make sense because the encryption would modify the document integrity. But we have many contracts etc which we would like to classify as “Employees Only”. Is the solution to store / send those files within an “encrypted envelop” (e.g. an email with encrypted label with the digitally signed doc as attachment)? Or else? Thanks!

  2. Jeneffer

    I am in the testing phase to apply sensitivity labels at the company where I work. But I have faced a series of compatibility issues when opening files protected by labels that apply encryption and that were created before the labels were deployed to users, especially when users try to open these documents in Office Web (F3 Licenses, E1). For example, if I create a new word document (from scratch) and apply a confidential label that applies encryption and send it to a colleague who only has Office Web, he can open the document correctly. But if I take an old document, created last month (before the labels were deployed), for example, and apply this same confidentiality label. When I share it with my colleagues who use Office Web, they are unable to open the document and are presented with the message: “Sorry, this document is protected by Information Rights Management (IRM) and contains special properties that Word does not support in a browser. …..”

    And that’s weird, because it’s the exact same label. However, one is applied to a file created after the deployment of the confidentiality labels and the other is applied to a file that already existed before this deployment.

    1. Avatar photo

      I tried to replicate this by taking some old documents about Exchange 2013 (from 2012-13) and applying a sensitivity label that I updated yesterday to them. All worked as expected and I was able to open the protected documents with Edge. Obviously, I have no access to your tenant, so I think you should report the issue to Microsoft and ask them to check out tenants, labels, policies, access rights, etc. to make sure that everything is configured as it should be.

  3. Mike

    Tony– I’ve used sensitivity labels for about 7 years to protect access with an expiration date. In August, I began having problems that some users who were authorized were denied access. We tried an alternate email address for access, which worked half the time and then stopped working. Microsoft had us rebuild the registry for Office file/credentials. That worked for some for a few weeks. Last week Microsoft had us run a command in Powershell to fix the problem and now I can’t access the labels: I get ‘not able to find IRM template’ error message. Our problem is creating huge problems by users not having access to documents.

    Did this change to Purview cause this? Do you know a fix (Microsoft doesn’t)?

    Many thanks!

    1. Avatar photo

      I don’t have a magic bullet for you to fire. This sounds like something you need to escalate within the Microsoft suppprt organization. You’re paying for support, so they should deliver it. Not being able to find the IRM template is serious because it could mean that the database where the templates are kept is inaccessible. Can you edit labels through the Purview compliance center? Either way, I think I’d be making a big noise with Microsoft Support and asking for escalation for assistance from engineering…

      1. mike

        Thank you. I have been working with Microsoft support for months without resolution. I appreciate you taking time to read and learn that this is tough nut.

  4. Ellya

    A most helpful article, thanks for pulling that together.

    I work in a highly regulated finance firm and we want to encrypt highly sensitive SharePoint docs (inc PDF) from Teams/SharePoint admins (i.e. me!) from accessing those docs once labels are applied.

    The content is unstructured and virtually impossible to create rules for, so container protection I guess is the way to go.
    I’m thinking of creating a parent label called Restricted, with a bunch of sub-labels for each of the types of data being protected, then controlling access to those sublabels through Entra M365 Groups (not the Teams Groups), so only our security team can effectively manage label access. Is this the way to go? Or am I barking up the wrong tree! :o)

    Cheers, Ellya
    SharePoint Dude

    1. Avatar photo

      First, by container protection, do you mean setting a default sensitivity label for document libraries? That will certainly work to assign a label to all new documents created in the library, providing users have Office 365 E5 (or equivalent) licenses.

      Second, why would you have sub-labels for each type of data being protected? The usage rights assigned in labels apply to users and groups, not file types. Do you mean that you will have different labels for different groups within the company?

  5. Mike

    Hi Tony,
    Thanks for this article and all the materials here! Great stuff!

    I have a question for you about using sensitivity labels to limit users from creating public SPO groups/sites.
    I’ve created 2 labels and published them via a single label policy, however I haven’t figured out how to prevent users from using one of the labels (for public sites), while the other (default, for private sites) would be the only one they could use.
    The goal is to make the users have to ask for admin approval to create public sites (which should be as few as possible).

    I tried to do it in Entra ID conditional access policies + groups, but they don’t seem to be the right tool to me…is MS Defeder -> Policies (which I’ve only started exploring) the right answer?

    Any advice would be highly appreciated 🙂

    Many thanks!
    Mike

      1. Mike

        Thanks Tony, that makes sense!

  6. John T

    Do you have a recommended best practices for testing labels, label policies, and DLP policies?

  7. Rafael de Miguel

    Hello good afternoon.
    Excellent article, very useful for today..

    We are experiencing the same scenario described in the paragraph:

    “The same issue of how to handle protected content exists for tenant-to-tenant migrations when millions of emails and documents can move from one tenant to another. User accounts created in the destination tenant can open unprotected files, but it is likely that rights assigned to protected files do not include your email address and block access. Remove encryption from documents before the transfer can be made (the same process is used to recover protected documents left behind by former employees), but it is painful is slow.”

    Do you have any strategy recommendations for “reclassifying” protected files en masse?

    We thought about MCAS, but it seems that it has limitations for changing encrypted files through governance actions.

  8. Josh

    Hi Tony –
    Great info, thanks. Question: I have an auto-labeling policy applying a label to all files in a teams site. If I change the label in the auto-labeling policy, will it override and change the label that was previously applied by the policy? Do you know if the auto-labeling policy will apply to files in private channels created later too? I can’t find anything definitive about this.

      1. Josh

        Thanks. And so far in my testing, an auto-label policy will not place labels on files in a private channel unless you add the private channel SharePoint site to the scope of the policy.

  9. Krishna

    Hello, I need to disable external access to the some of my sharepoint sites connected to the same hub site called “Finance”. Based on the hub site, I need to restrict external user access to all these sites . So can you guide me to apply sensitivity label for this scenario ? Thanks!

      1. Krishna

        Hello Tony, Thanks for the response. We are using Team sites connected with M365 groups. I could see that we can use ‘External sharing and conditional access’ but how can set the adoptive scope as all my team sites connected to the Hub Site ? I could see only the Users and Groups only option under Information Protection –> Label Policy . Thanks for the help.

        1. Avatar photo

          To use an adaptive scope with sites, you set a property on each site: https://practical365.com/using-adaptive-scopes-retention-policies-sharepoint-online/. However, adaptive scopes don’t currently support label application to sites.

          The solution is therefore to go ahead and apply the appropriate sensitivity label to each of the team sites. This can be scripted using PowerShell.

          1. Krishna

            Thanks . You put me in the correct direction . Your response really helpful for me. I do have one more requirement. I have other batch of sites with same List (Category), as a common list for every site. I need to apply sensitivity label and restrict external access for these sites. Do you think , here also I should go with PowerShell Script to apply label for each site ? Please confirm

  10. Anne

    Hi Tony, this is very useful information, thank you.

    I do have a question, I’m hoping you can help me with. If the company shareholders all have E5 licensing and apply a confidential label to a folder (in SharePoint or Teams) so that only the shareholders can view documents within that folder, what happens if a staff member with an E3 license tries to access that folder?

  11. Travis

    Great article! Thanks

    I’m still a bit confused by the split between E3 and E5 capabilities. I’m hoping you can help me out.

    If I only have E3 licences and apply a sensitivity label to a SharePoint site will all the documents in that site inherit that sensitivity label?

  12. Alex

    Hi there, solid info.

    One quick question though

    One of my customers is running with Business Premium License + Information Protection & Governance E5 license.

    When deploying a sensitive label linked with an Azure AD authentication context it returns a client error: “Protection Level” not supported because the tenant is not E5 or the flight is off”

    I thought we had the necessary licenses for this already, assume this means we need another license ?

    Thansk

      1. Peter

        I am in the same situation as Alex. However I am not so sure about the Syntex advanced management license requirement. The section https://learn.microsoft.com/en-us/sharepoint/authentication-context-example#set-a-sensitivity-label-to-apply-the-authentication-context-to-labeled-sites you referred to, mentions “Sensitivity labels require Microsoft 365 E5 or Microsoft 365 E3 plus the Advanced Compliance license.” Especially Advanced Compliance license seems odd as this seems to be a discontinued SKU.

        Syntex advanced management license is mentioned in the section before “Apply the authentication context directly to a site”. However this also works with Business Premium and Information Protection & Governance E5.

        Support is still struggling with this. I am already at my third ticket for this with an additional GitHub issue for the docs clarification. Also because https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#microsoft-purview-information-protection-sensitivity-labeling seems to mention other license prerequisites.

        1. Avatar photo

          One of the Microsoft program managers working on SharePoint Online support for sensitivity labels is here at the TEC 2023 conference in Atlanta so I asked him. The response is that authentication context requires EITHER an E5 (Office 365/Microsoft 365) license OR the Syntex-SharePoint advanced management license. He suggested that if Microsoft support has an issue, they can ask about the topic in the https://www.yammer.com/askipteam#/home Viva Engage community.

          1. Peter

            Thank you for your feedback. Support hasn’t come back to me yet, sort of playing ball with the case between the M365 support team and Azure AD support, which is quite frustrating.

            I already went the road with Syntex-SharePoint advanced management license, at least I guess this is behind “SharePoint advanced management plan 1” which I am on a trial right now. However this didn’t change anything with respect to the error message even after some days of having the trial active in my tenant.

          2. Peter

            Microsoft support guy just came back to me with the information that this only works with full E5. No E3 + some E5 add-on (like E5 Compliance). Just full-blown E5.

  13. Tomáš Drozd

    Very useful read, thank you for that.
    My question is how are users supposed to deal with a document that carries a sensitivity label of another tenant and they are forced to apply a label from their own tenant when editing it.
    As per my tests the existence of the sensitivity label from another tenant does not stop the user’s home tenant from forcing him to apply another sensitivity label.
    Am I missing something or is there any way how to solve this?
    Thank you!

    1. Avatar photo

      A document can only have one sensitivity label with encryption (it can have multiple labels that don’t encrypt content). Users won’t be able to remove and replace a label on a document they receive unless they have the right to do so (Co-Owner). In your tests, did the label on the inbound attachment encrypt the content or is it just a visual marker?

      1. Joe Tenga

        The Real Person!

        Author Joe Tenga acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.

        Tony, all documentation that I can find indicates that a document can NOT have multiple labels applied simultaneously. Can you clarify?

  14. Antonio

    That was a great read! Although I have a question, if you may;
    I’ve managed to create labels and a policy to apply them, and they work like a charm on the office online apps,
    but they don’t show up at all on the desktop version. This may be silly, but I can’t quite figure this one out.

  15. Markus

    Is it now possible to force external users to use true MFA when using Sensitivty labels on an email? When i’ve been experimenting with this before i could not find a scenario where i could encrypt/label an email to force the user to authenticate with true MFA (Authenticator, SMS etc) before opening the email. Only email OTP was possible, and that was only when the external user was using something other than Microsoft, for example gmail.

  16. Yves

    It’s sad that you cannot apply labels to one note content. Makes me wonder how much development is left for this app. You can apply flip but not sensitivity or one note and I haven’t found a third party app yet either.

  17. Jonas Heller

    Great information, as always from you @tony 🙂

Leave a Reply