Sensitivity Labels

Azure Information Protection

Sensitivity labels, often referred to as data classification labels, are a way of categorizing and managing data based on its sensitivity or importance to an organization. These labels are typically applied to digital documents, emails, or other types of data to indicate the level of confidentiality, privacy, or regulatory compliance required for handling that information.


Constant and Evolving Change to Improve Sensitivity Label Functionality

Microsoft introduced sensitivity labels for Office 365 in September 2018 as a replacement for Azure Information Protection (AIP) labels. Initially, these sensitivity labels had limited functionality and required a separate client installation to apply labels to Office documents. Since then, Microsoft has continuously rolled out new features and enhancements. 2023 might be the year your organization implements sensitivity labels to protect and classify information in Exchange Online and SharePoint Online.

Licensing Sensitivity Labels

Sensitivity labels are part of the Microsoft Purview Information Protection product. Anyone with an Office 365 license can read documents or emails protected by these labels. To manually apply a label, users need an Office 365 E3 or higher license. For automatic, policy-driven application of labels, an Office 365 E5, Microsoft 365 E5, or Microsoft 365 E5 Compliance license is required. “Automatic” includes actions like assigning a default sensitivity label to a SharePoint document library, which also applies to default retention labels for document libraries.

Users who are not part of a Microsoft 365 tenant can still receive and access protected content. In these cases, attempts to access the content will redirect them to the Office 365 Message Encryption (OME) portal. After authentication, they can read the content.

Managing Sensitivity Labels

You can manage sensitivity labels through the Information Protection section of the Microsoft Purview Compliance portal (Figure 1). Each label is assigned a priority number, starting from 0 (zero, the lowest priority). SharePoint Online utilizes this priority order to determine if users are storing confidential information on sites intended for more general access, helping to prevent label mismatches.


Managing sensitivity labels involves several tasks:

  1. Defining the usage of the labels.
  2. Setting up individual label configurations.
  3. Publishing labels to target audiences (user accounts) through label policies. A label policy (Figure 2) includes one or more specified labels and a target audience. Labels must be published and made available to users before they can be applied to documents and emails.
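The third step, publishing a set of existing labels to a target audience through a label policy, looks like this in Security & Compliance PowerShell. This is an added example, not code from the page or from Microsoft: it assumes the ExchangeOnlineManagement module, that the five label names already exist in the tenant, that a mail-enabled group address (a placeholder here) is an acceptable ExchangeLocation for a pilot audience, and that the two advanced-setting keys (the documented AIP policy settings for a default label and for downgrade justification) behave the same way for the native Office apps in your tenant.

```powershell
# Added example: not code from the page or from Microsoft. Publishes an
# existing label set to a pilot group with Security & Compliance PowerShell
# (ExchangeOnlineManagement module). The group address is a placeholder.
Connect-IPPSSession

$labelNames = 'Public', 'General', 'External Confidential',
              'Internal Confidential', 'Confidential – View Only'
$policyName = 'Pilot - Information Protection'
$pilotGroup = 'sg-label-pilot@contoso.example'   # placeholder mail-enabled group

# A policy can only reference labels that exist; fail early on a typo rather
# than publishing an incomplete set to users.
$missing = $labelNames | Where-Object {
    -not (Get-Label -Identity $_ -ErrorAction SilentlyContinue) }
if ($missing) { throw "Labels not found: $($missing -join ', ')" }

if (-not (Get-LabelPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-LabelPolicy -Name $policyName -Labels $labelNames `
        -ExchangeLocation $pilotGroup `
        -Comment 'Pilot: widen the audience after user feedback'
}

# Policy behaviour: General is the default label, and moving to a label with
# a lower priority (for example down to Public) prompts for a justification.
# DefaultLabelId / RequireDowngradeJustification are documented AIP policy
# advanced settings; ImmutableId is the label GUID reported by Get-Label.
$general = Get-Label -Identity 'General'
Set-LabelPolicy -Identity $policyName -AdvancedSettings @{
    DefaultLabelId                = $general.ImmutableId.ToString()
    RequireDowngradeJustification = 'true'
}

# Confirm what was published, to whom, and which advanced settings took.
Get-LabelPolicy -Identity $policyName |
    Format-List Name, Labels, ExchangeLocation, Settings
```

Publishing to a small pilot group first keeps a naming mistake or an over-restrictive label from reaching the whole tenant; widen ExchangeLocation to All only after the pilot has exercised each label.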

Two Broad Categories of Functionality

Sensitivity label functionality is divided into two broad categories:

Protection: This was the initial focus of sensitivity labels, utilizing Azure Information Protection rights management. Essentially, users can only access protected content if the creator grants them the right to do so, with the specific rights defining the actions a user can take. For instance, a user might be able to read a document but not print it. To make users aware that they are handling confidential information, sensitivity labels can add visual markers to documents and messages. For example, a label might insert text like “Confidential – Do Not Release Outside the Company” in the footer of Office documents.

Sensitivity labels also support using color as a visual indicator for the relative importance of labeled content. Labels for the most confidential material might be red, while those for less sensitive information might be yellow, green, or any other appropriate color.

The encryption keys used for protection can be managed either by Microsoft (the default) or by the tenant (BYOK, or bring your own key). Double-key encryption (DKE) is also available, where both Microsoft and the tenant manage separate keys, both of which must be available for a user to access the content. Additionally, Outlook supports sensitivity labels that use S/MIME to encrypt and apply digital signatures to emails. BYOK, DKE, and S/MIME demonstrate how Microsoft has expanded sensitivity labels to accommodate different forms of protection used by customers. However, the most common form of protection remains where Microsoft manages the encryption keys through its Rights Management service.

Container Management: Initially, a container referred to a team, group, or site. Recently, Microsoft has added OWA meetings and Teams meetings to this set (the latter requires Teams Premium licenses). Container management allows an organization to apply policies through labels. For instance, an organization might not want guest users to be members of teams handling highly sensitive information. By applying a label that disables the Guest Access setting to such a team, only administrators can add external users to the team’s membership. Another example is controlling the sharing capabilities for a SharePoint site. The same sensitivity label that prevents guest user access can also restrict the site’s external sharing capability to “Only people in your organization” (Figure 3).


Separate Sets of Sensitivity Labels

Sensitivity labels can be used for both protection and container management. However, I prefer to create separate sets of labels for each function, as this approach makes label management easier to understand. The scope of the labels, as shown in Figure 1, indicates their usage: “Site, UnifiedGroup” denotes labels for container management, while “File, Email” denotes labels for protection. “Meetings” is the latest scope used to protect meetings.

Implementing sensitivity labels requires a considerable effort in planning and deployment. Even seemingly simple tasks, like label naming, require careful attention. Users are more likely to protect sensitive information correctly when guided by well-chosen names, descriptions, and limited choices. It’s challenging for users to decide between three or four similar labels. A clear, precise, and easy-to-follow naming scheme is always better than providing too many options. For example, Figure 4 shows eighteen labels, which is excessive, and some label names do not clearly indicate their intended usage.

The screenshot comes from my tenant, so I understand why so many labels are present. However, consider the average user who is asked to choose from this array of labels. The abundance of options can lead to confusion and increase the likelihood of errors.


Sensitivity Label Clients

The biggest change for sensitivity labels over the past few years is the native mode support within applications. Native mode means that an application includes code built using the Microsoft Information Protection SDK to apply, read, and respect sensitivity labels. Initially, labeling depended on a separate client (the AIP client and later the unified labeling client). Now, the Microsoft 365 enterprise desktop apps (Word, Excel, and PowerPoint), their online equivalents, and the paid version of Adobe Acrobat can interact directly with sensitivity labels. This support also extends to protecting PDFs generated by Office applications.

The unified labeling client is now in maintenance mode. However, it is still necessary for applying sensitivity labels to files stored outside Microsoft 365 or to files from applications that don’t support information protection. This article discusses how to use the client to apply sensitivity labels to the MP4 files generated from Teams meeting recordings.

SharePoint Online and Sensitivity Labels

Another major improvement over the last few years has been the support of sensitivity labels within SharePoint Online. Initially, while it was possible to store protected content in a document library, SharePoint Online couldn’t process the encrypted files. SharePoint Online stores item metadata separately from the blobs used to hold documents in Azure SQL, so metadata (like document names and authors) was always accessible. However, services like Microsoft Search couldn’t index the encrypted content, meaning other Microsoft 365 services like Data Loss Prevention (DLP) policies couldn’t function.

The solution is for SharePoint Online to decrypt content before storing files and to encrypt files when users access them. This allows other services to access and use protected content stored in both SharePoint Online and OneDrive for Business. Although the mechanism sounds simple, it required significant engineering effort to implement.

Before an organization can use sensitivity labels with SharePoint Online in an integrated manner, it must opt-in to support sensitivity labels. This step instructs SharePoint Online to decrypt protected content before storage.
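The opt-in described above is a tenant setting in the SharePoint Online Management Shell. The following is an added example, not code from the page or from Microsoft; it assumes the SharePoint Online Management Shell module is installed, that the account is a SharePoint administrator, and that the admin-centre URL is replaced with your tenant's.

```powershell
# Added example: not code from the page or from Microsoft. Opts SharePoint
# Online in to processing protected content and verifies the setting.
# Replace the admin URL placeholder with your tenant's admin centre.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # placeholder

function Enable-SpoLabelIntegration {
    # Instruct SharePoint Online to decrypt protected files before storage so
    # that search, DLP and co-authoring can work on labelled content.
    Set-SPOTenant -EnableAIPIntegration $true

    # Read the value back rather than trusting the call; label publishing
    # should not proceed while this is still false.
    $tenant = Get-SPOTenant
    if (-not $tenant.EnableAIPIntegration) {
        throw 'EnableAIPIntegration is still false; check role assignment and retry'
    }
    return $tenant.EnableAIPIntegration
}

Enable-SpoLabelIntegration
```

The read-back matters because the cmdlet can succeed silently under an account that lacks the SharePoint administrator role; checking Get-SPOTenant is the only confirmation that the integration is actually on.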

Sensitivity Label Challenges

Microsoft has made significant progress in improving and refining how sensitivity labels work across Microsoft 365. While some challenges still exist, such as the lack of APIs to allow organizations to apply sensitivity labels to content (which is coming), the overall outlook is very positive.

However, difficulties arise when dealing with scenarios beyond the day-to-day handling of Office/PDF files. Managing protected files can be especially challenging for third-party applications. For instance, backup products request data from SharePoint and download protected files, which are then copied to the backup repository. However, end-user recovery and access to these backup files are less certain. Conceptually, this challenge is easier for the forthcoming Microsoft Syntex backup service because all data remains within Microsoft, but it still requires thorough testing.

The same issue of dealing with protected content arises during tenant-to-tenant migrations, where millions of emails and documents might move from one tenant to another. User accounts created in the target tenant can open unprotected files, but it’s likely that rights assigned to protected files won’t include their email addresses, blocking access. Removing encryption from documents before the transfer is possible (the same process used to recover protected documents left by ex-employees), but it’s a slow and painful process.

Azure Information Protection (AIP) is a cloud-based service that helps organizations classify, label, and protect sensitive data. It enables users to apply encryption, access controls, and rights management to documents and emails, safeguarding them both within and outside the organization’s boundaries and enhancing data security and compliance.

Sensitivity Label Types

  • Public

    Documents with this label can be viewed by anyone, both inside and outside the organization.


  • General

    Information can be shared internally and with trusted partners but isn’t for general public viewing.


  • External Confidential

    Sensitive information intended for specific people inside or outside of the organisation.


  • Internal Confidential

    Sensitive information intended for people within our organisation.


  • Confidential – View Only

    Use to communicate sensitive information that must not be printed, forwarded, or copied.


Public Label


Documents with this label can be viewed by anyone, both inside and outside the organization.

Anyone can view the document when this label is applied.

Colour: Clear

Scope: Items, Files, Emails, Groups and Sites

Content Marking: None

Auto Labelling: none

Protection Settings:

  • Privacy and external user access: yes
  • External Sharing and Conditional Access: yes

Privacy and external user access settings

  • Privacy: Public
  • External User Access: Yes

External Sharing and Conditional Access:

  • Enabled
  • Anyone

General Label


Description: Information can be shared internally and with trusted partners but isn’t for general public viewing.

Colour: Green

Scope: Items, Files, Emails, Groups and Sites

Protection settings

  • Content Marking: none
  • Apply content marking: none

Auto Labelling: none

Protection Settings:

  • Privacy and external user access: yes
  • External Sharing and Conditional Access: yes

Privacy and external user access settings:

  • Privacy: none
  • External User Access: Yes

External Sharing and Conditional Access:

  • Enabled
  • New and existing guests

External Confidential Label


Description: Sensitive information intended for specific people inside or outside of the organisation.

Colour: Amber

Scope: Items, Files, Emails, Groups and Sites

Protection settings

  • Content Marking: yes
  • Apply content marking: yes

Access Control

  • Configure Access Control settings: yes
  • Assign permissions now: yes
  • Allow Offline Access: 30 Days
  • Assign Permissions: Add any authenticated users

Content Marking

  • Header: Confidential External

Auto Labelling: none

Protection Settings:

  • Privacy and external user access: yes
  • External Sharing and Conditional Access: yes

Privacy and external user access settings:

  • Privacy: Private
  • External User Access: Yes

External Sharing and Conditional Access:

  • Enabled
  • New and existing guests

Internal Confidential Label


Description: Sensitive information intended for people within our organisation.

Colour: Orange

Scope: Items, Files, Emails, Groups and Sites

Protection settings

  • Content Marking: yes
  • Apply content marking: yes

Access Control

  • Configure Access Control settings: yes
  • Assign permissions now: yes
  • Allow Offline Access: 30 Days
  • Assign Permissions: Add all users and groups in your organization

Content Marking

  • Header: Confidential Internal

Auto Labelling: none

Protection Settings:

  • Privacy and external user access: yes
  • External Sharing and Conditional Access: yes

Privacy and external user access settings:

  • Privacy: Private
  • External User Access: no

External Sharing and Conditional Access:

  • Enabled
  • Only People in your organization

Confidential – View Only Label

Description: Use to communicate sensitive information that must not be printed, forwarded, or copied.

Colour: Dark red

Scope: Items, Files, Emails

Protection settings

  • Content Marking: yes
  • Apply content marking: yes

Access Control

  • Configure Access Control settings: yes
  • Assign permissions now: yes
  • Allow Offline Access: 30 Days
  • Assign Permissions: Add any authenticated users

Permissions: custom

  • View rights: yes
  • Reply: yes
  • Reply all: yes
  • Allow macros: yes

Content Marking

  • Header: Confidential – view only

Auto Labelling: none

Protection Settings:

  • Privacy and external user access: no
  • External Sharing and Conditional Access: no

Privacy and external user access settings:

  • Privacy: Private
  • External User Access: no

External Sharing and Conditional Access:

  • Enabled
  • Only People in your organization
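The five label definitions above can be created from the same settings with Security & Compliance PowerShell. This is an added example, not code from the page or from Microsoft. It assumes the ExchangeOnlineManagement module; the tenant domain and the hex colours are placeholders; and because the catalog names the principals for the two Confidential labels but not the rights they receive, the example assumes the portal's Co-Author rights set for them (the View Only label's custom set of view, reply, reply all and allow macros is taken from the catalog as written).

```powershell
# Added example: not code from the page or from Microsoft. Creates the five
# labels described in the catalog above with the settings it lists, using
# Security & Compliance PowerShell (ExchangeOnlineManagement module).
# $orgDomain and the hex colours are placeholders; the Co-Author rights set
# for the two Confidential labels is an assumption (the catalog names the
# principals, not the rights).
Connect-IPPSSession

$orgDomain = 'contoso.example'   # placeholder: a verified domain of your tenant

# Rights strings use the documented form 'Principal:RIGHT,RIGHT;Principal:...'.
# 'AuthenticatedUsers' means any signed-in user; a domain means that tenant.
$coAuthor = 'VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL'
# Custom set from the View Only label: view, reply, reply all, allow macros.
# OBJMODEL is the right the portal labels "Allow Macros".
$viewOnly = 'VIEW,REPLY,REPLYALL,OBJMODEL'

# Protection half of a label: encryption, 30 days offline access, header text.
function Get-ProtectionParams {
    param([string]$Rights, [string]$Header)
    @{
        EncryptionEnabled                = $true
        EncryptionProtectionType         = 'Template'
        EncryptionOfflineAccessDays      = 30
        EncryptionRightsDefinitions      = $Rights
        ApplyContentMarkingHeaderEnabled = $true
        ApplyContentMarkingHeaderText    = $Header
    }
}

# Container half of a label. SiteExternalSharingControlType maps the portal
# wording: Anyone = ExternalUserAndGuestSharing; New and existing guests =
# ExternalUserSharingOnly; Only people in your organization = Disabled.
function Get-ContainerParams {
    param([string]$Privacy, [bool]$AllowGuests, [string]$Sharing)
    $p = @{
        SiteAndGroupProtectionEnabled                 = $true
        SiteAndGroupProtectionAllowAccessToGuestUsers = $AllowGuests
        SiteExternalSharingControlType                = $Sharing
    }
    if ($Privacy) { $p.SiteAndGroupProtectionPrivacy = $Privacy }  # 'none' => unset
    return $p
}

$labels = @(
    @{ Name = 'Public'; Color = ''
       Tooltip = 'Can be viewed by anyone, inside or outside the organisation.'
       Params  = (Get-ContainerParams 'Public' $true 'ExternalUserAndGuestSharing') }
    @{ Name = 'General'; Color = '#107c10'
       Tooltip = 'Shareable internally and with trusted partners; not for public viewing.'
       Params  = (Get-ContainerParams '' $true 'ExternalUserSharingOnly') }
    @{ Name = 'External Confidential'; Color = '#ffb900'
       Tooltip = 'Sensitive information for specific people inside or outside the organisation.'
       Params  = (Get-ContainerParams 'Private' $true 'ExternalUserSharingOnly') +
                 (Get-ProtectionParams "AuthenticatedUsers:$coAuthor" 'Confidential External') }
    @{ Name = 'Internal Confidential'; Color = '#d83b01'
       Tooltip = 'Sensitive information for people within our organisation.'
       Params  = (Get-ContainerParams 'Private' $false 'Disabled') +
                 (Get-ProtectionParams "${orgDomain}:$coAuthor" 'Confidential Internal') }
    @{ Name = 'Confidential – View Only'; Color = '#a4262c'
       Tooltip = 'Sensitive information that must not be printed, forwarded or copied.'
       Params  = (Get-ProtectionParams "AuthenticatedUsers:$viewOnly" 'Confidential – view only') }
)

foreach ($l in $labels) {
    if (Get-Label -Identity $l.Name -ErrorAction SilentlyContinue) {
        Write-Warning "Label '$($l.Name)' already exists; skipping"
        continue
    }
    # View Only is scoped to items only; the others also cover groups and sites.
    $scope = if ($l.Params.ContainsKey('SiteAndGroupProtectionEnabled')) {
        'File, Email, Site, UnifiedGroup' } else { 'File, Email' }
    $p = $l.Params
    New-Label -Name $l.Name -DisplayName $l.Name -Tooltip $l.Tooltip -ContentType $scope @p
    # Label colour is an advanced setting, not a first-class parameter.
    if ($l.Color) { Set-Label -Identity $l.Name -AdvancedSettings @{ color = $l.Color } }
}

# Check the result: priority 0 is the lowest and should be Public.
Get-Label | Sort-Object Priority | Format-Table Priority, DisplayName, ContentType -AutoSize
```

Keeping the protection settings and the container settings in two small functions mirrors the two categories the article describes: a label like Public carries only container settings, a label like View Only carries only protection settings, and the two Confidential labels combine both. The closing Get-Label call is the check worth doing after any change, because SharePoint's label-mismatch detection and the downgrade-justification prompt both depend on the priority order being what you expect.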

End User Experience

Public Label

When an Azure sensitivity label of “Public” is applied to a document or resource, the end user can expect the following:

  1. Accessibility: The content labeled as “Public” is considered non-sensitive and is typically available to anyone, either inside or outside the organization. It may be shared widely without concerns over confidentiality.
  2. Sharing Permissions: End users are usually allowed to share “Public” documents without restriction. Depending on the configuration, this could mean sharing via email, links, or external platforms.
  3. No Special Encryption or Protections: Unlike confidential or highly restricted labels, “Public” does not enforce any special encryption, access restrictions, or tracking. Users can freely view and download the content without needing special permissions.
  4. Label Visibility: In some cases, users may see a visible label or watermark (depending on the organization’s configuration) indicating that the document is classified as “Public,” but this label does not impose any usage restrictions.
  5. Auditing: While the content is freely available, it may still be tracked or logged as part of organizational compliance measures. However, the label itself does not impose strict security controls.

In essence, a “Public” sensitivity label indicates that the content is safe to be openly distributed and accessed by a wide audience without concern for security or privacy issues.

General Label

When using the “General” sensitivity label in Azure, the end user can expect the following:

  1. Moderate Accessibility: The “General” label typically indicates that the content is for internal use but not highly sensitive. It can usually be shared within the organization and sometimes with trusted external partners, depending on the organization’s policies.
  2. Limited Sharing: Content marked as “General” may have some restrictions on sharing outside the organization. Users may need explicit permissions to share such documents externally, and there could be limitations on sharing via external links or non-secure methods.
  3. Light Security Measures: The “General” label may apply some security measures, such as encryption, to protect the content. While it is not highly restricted, certain access controls or warnings might be in place to ensure that the document is handled appropriately.
  4. Label Visibility: Like other sensitivity labels, “General” may appear as a visible tag or watermark on the document, alerting users to handle the content with care but not with the same level of caution as “Confidential” or “Highly Confidential” labels.
  5. Tracking and Auditing: While not heavily restricted, documents labeled as “General” may still be logged and tracked for compliance and governance purposes. This ensures that organizations can audit how the content is used and shared.
  6. No Highly Sensitive Data: This label is typically used for documents that don’t contain sensitive personal information, financial data, or intellectual property. It is often a middle ground for content that doesn’t require strict security but should still be handled responsibly.

In summary, the “General” sensitivity label is intended for internal or semi-public use within an organization, with moderate security controls and limited external sharing.

External Confidential Label

When using the “External Confidential” sensitivity label in Azure, the end user can expect the following:

  1. Controlled Sharing with External Parties: The “External Confidential” label indicates that the content is sensitive but can be shared with trusted external recipients. However, there are typically stricter controls in place compared to less sensitive labels. Users may be required to explicitly grant permission to specific external recipients.
  2. Encryption: Content labeled as “External Confidential” is often encrypted to protect it during storage and transmission. This encryption ensures that only authorized users (inside and outside the organization) can access the content, providing an additional layer of security.
  3. Restricted Access and Permissions: Users can expect to encounter more controls when dealing with content labeled as “External Confidential.” For example, permissions like viewing, editing, copying, and printing may be restricted or tightly controlled. In some cases, external users may need to authenticate themselves (e.g., via a secure link or email verification) before accessing the content.
  4. Visibility of Label: As with other sensitivity labels, the “External Confidential” label may be visibly applied as a tag, header, or watermark, alerting users—both internal and external—that the content should be handled with caution and confidentiality.
  5. Expiration and Access Revocation: In many cases, documents labeled as “External Confidential” might have expiration dates for access, or the organization could revoke external access at any time. This adds another layer of control over the content’s distribution and usage.
  6. Tracking and Auditing: Content marked with the “External Confidential” label is typically logged and tracked for compliance and auditing purposes. Organizations may monitor who accesses the document, when, and how it is used, ensuring that the document is handled appropriately.
  7. Data Protection Policies: Policies governing content with this label may ensure that personal data, financial information, intellectual property, or other sensitive information is shared responsibly with trusted external partners, but only under specific conditions and protections.

In summary, the “External Confidential” label is used to protect sensitive content that is allowed to be shared outside the organization, but only with trusted recipients under strict access controls and security measures.

Internal Confidential Label

When using the “Internal Confidential” sensitivity label in Azure, the end user can expect the following:

  1. Restricted to Internal Use: The “Internal Confidential” label is typically applied to sensitive content that is intended for use only within the organization. It generally prohibits external sharing, ensuring that the information remains confidential to internal employees and authorized personnel.
  2. Enhanced Security and Encryption: Documents or data labeled as “Internal Confidential” are often encrypted to protect them from unauthorized access. This encryption may prevent unauthorized copying, sharing, or editing, and ensures that only designated internal users can access the content.
  3. Limited Sharing Within the Organization: Even internally, access to “Internal Confidential” content may be restricted to specific groups, departments, or individuals. Users may be required to have certain permissions to view or edit the document, and sharing it with others in the organization might require additional steps, such as requesting permission.
  4. Visible Labels and Watermarks: As with other sensitivity labels, content marked as “Internal Confidential” is likely to display a visible label, header, or watermark indicating its classification. This serves as a reminder to users that the content should be handled carefully and not shared outside the organization.
  5. Access and Usage Restrictions: Users can expect controls over what actions they can perform on documents labeled “Internal Confidential”. For example, printing, copying, or forwarding might be disabled or restricted to maintain confidentiality. In some cases, users may only be able to view the document without making edits.
  6. Auditing and Monitoring: Content classified as “Internal Confidential” is typically subject to logging and tracking. Organizations can monitor who accesses the document, when it was accessed, and any actions taken with the content, providing an audit trail for compliance and governance.
  7. Protected Sensitive Data: This label is used for internal content that contains sensitive information, such as proprietary data, internal strategies, personal employee information, or other confidential business-related materials. The label helps ensure that such information is not accidentally or intentionally shared outside the organization.

In summary, the “Internal Confidential” label is designed to protect sensitive information that should remain within the organization, applying stronger security measures to prevent unauthorized access or sharing, even among internal users. It is intended for content that requires confidentiality but does not need to be shared externally.

Confidential View Label

When using the “Confidential – View Only” sensitivity label in Azure, the end user can expect the following:

  1. Restricted to Viewing: The “Confidential – View Only” label strictly limits the user’s actions to viewing the document or content. This means users can see the content but cannot edit, copy, print, or forward it. The goal is to maintain the confidentiality of the information by preventing any changes or unauthorized distribution.
  2. Strong Encryption: Content labeled as “Confidential – View Only” is typically encrypted to protect it from being altered or copied. This encryption ensures that even if the file is accessed, only authorized individuals can view it, and they can’t make any changes or unauthorized distributions.
  3. Limited Internal or External Access: While the content might be shared within the organization or with external trusted partners, access will be tightly controlled. Recipients can only view the document and may need explicit permissions to access it. This label may also prevent the use of features like screenshots or screen capturing, depending on the configuration.
  4. Label Visibility: A visible label or watermark (e.g., “Confidential – View Only”) is likely applied to the document to remind users that they are not allowed to alter or share the content. This serves as a visual cue that the information is sensitive and must be handled appropriately.
  5. Auditing and Monitoring: Content marked as “Confidential – View Only” is often logged and monitored by the organization. Auditing features track who views the document, when, and for how long. This tracking helps ensure that the content is being handled properly and can alert the organization to any suspicious activity.
  6. Revocable Access: Organizations can revoke access to documents labeled “Confidential – View Only” at any time. For example, if the content is shared externally and the organization later decides to restrict it further, they can disable access or enforce expiration dates for the document.
  7. Protected Sensitive Data: This label is applied to highly sensitive information that must remain confidential, such as financial reports, proprietary research, internal business strategies, or sensitive personal data. The “View Only” restriction ensures that the content cannot be accidentally or intentionally altered or distributed beyond the intended audience.

In summary, the “Confidential – View Only” label is used to ensure that sensitive content can be viewed but not edited, copied, printed, or shared, offering maximum protection while still allowing authorized individuals to access the information for reference purposes.
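Each of the label descriptions above points to auditing as the control that remains once a label is applied. The following added example (not code from the page or from Microsoft) shows the defender's side of that: it searches the unified audit log for file label changes and removals on SharePoint and OneDrive content and flags the ones that move to a lower-priority label, which is the case the downgrade-justification prompt is meant to cover. It assumes the ExchangeOnlineManagement module with audit-search rights, that Get-Label's ImmutableId is the GUID the audit records carry, and that the AuditData JSON follows the published Office 365 Management Activity schema (the SensitivityLabelEventData field names used here); verify both against a record from your own tenant before relying on the output.

```powershell
# Added example: not code from the page or from Microsoft. Finds sensitivity
# label downgrades and removals on files in the unified audit log, using label
# priority (0 = lowest) to decide what counts as a downgrade. The AuditData
# field names (SensitivityLabelEventData.*) follow the published audit schema
# and ImmutableId is assumed to be the GUID those records use; verify on your
# tenant.
Connect-ExchangeOnline

# Build a GUID -> (name, priority) map once so each record can be scored.
$labelInfo = @{}
foreach ($lbl in Get-Label) {
    $labelInfo[[string]$lbl.ImmutableId] = @{ Name = $lbl.DisplayName; Priority = $lbl.Priority }
}

function Find-LabelDowngrade {
    param([int]$Days = 7)
    $ops = 'FileSensitivityLabelChanged', 'FileSensitivityLabelRemoved'
    $records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) `
                   -EndDate (Get-Date) -Operations $ops -ResultSize 5000
    if (-not $records) { Write-Warning "No label change records in the last $Days days"; return }

    foreach ($r in $records) {
        $d   = $r.AuditData | ConvertFrom-Json
        $evt = $d.SensitivityLabelEventData
        $old = $labelInfo[[string]$evt.OldSensitivityLabelId]
        $new = $labelInfo[[string]$evt.SensitivityLabelId]

        # A removal, or a new label with a lower priority than the old one,
        # is a downgrade. Unknown GUIDs (deleted labels) are left as unknown.
        $isDowngrade = ($r.Operations -eq 'FileSensitivityLabelRemoved') -or
                       ($old -and $new -and $new.Priority -lt $old.Priority)
        if (-not $isDowngrade) { continue }

        [pscustomobject]@{
            When          = $r.CreationDate
            User          = $r.UserIds
            File          = $d.ObjectId
            OldLabel      = if ($old) { $old.Name } else { '(unknown)' }
            NewLabel      = if ($new) { $new.Name } else { '(removed)' }
            Justification = $evt.JustificationText
        }
    }
}

Find-LabelDowngrade -Days 7 | Sort-Object When | Format-Table -AutoSize
```

A downgrade with an empty Justification column, or a removal by an account that does not own the file, is the row to follow up on; Search-UnifiedAuditLog returns at most 5000 rows per call, so use its SessionId/SessionCommand paging for busy tenants or a longer window.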

Default sensitivity label is set to General.

Sensitivity label selection option in Word.

When the label is changed to Public, the user is prompted to provide a justification.

Sensitivity label settings in Outlook.

Public Sensitivity Label

– Can be opened by anyone.

Confidential Internal – when an end user who is not able to authenticate attempts to open the link.

Confidential – View Only – the end user will not be able to screenshot, print, or forward to other email addresses.