Sensitivity Labels in SharePoint and OneDrive
Protecting corporate data is one of the most important tasks of our time. Microsoft 365 helps you protect your data with the Unified Labeling feature. This feature is the modern successor to Azure Information Protection (AIP) and Rights Management System (RMS).
The configuration of a sensitivity label defines what happens when you assign the label to an Office document. Possible actions of a sensitivity label include encrypting the data, adding a content marker, and automatically applying the label.
If a document is encrypted, some features in SharePoint or OneDrive are no longer available to you. Therefore, you must learn about the implications before configuring document encryption.
You can also use an assigned label to prevent an email message from being forwarded in Outlook. A content marker lets you add content to headers and footers, or an individual watermark.
The following screenshot shows how easily a sensitivity label can be assigned via the Ribbon Bar in Excel.
By assigning the Project - Falcon label, the document is encrypted. As a result, it is no longer possible to use the Office AutoSave feature with SharePoint. The user is informed about this in the Excel message line (violet frame).
Using sensitivity labels requires not only the configuration of the desired labels. To allow users to use these labels, you must configure policies for publishing the labels to users or user groups. In such a policy, you define which sensitivity labels are available to the users and whether, for example, one of the labels should be applied automatically to documents and emails.
In addition, you can specify that the targeted user group of the selected labels is forced to assign a label or must provide a justification if the user selects a label of a lower classification level, e.g., from Confidential to Public. Besides, you can provide users with a link to more information through the policy.
The use of Sensitivity Labels in SharePoint is an opt-in functionality and therefore requires editing of your SharePoint Online tenant configuration. You enable Sensitivity Labels for SharePoint Online using the SharePoint Online PowerShell module. If your company already uses SharePoint Information Rights Management (IRM), read the section on using SharePoint IRM and Sensitivity Labels together in the article mentioned above.
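The opt-in step described above, as an added example that is not part of the original article. It uses the `EnableAIPIntegration` tenant setting of the SharePoint Online Management Shell; the function name `Enable-SpoSensitivityLabels` is hypothetical and the admin URL in the usage comment is a placeholder for your own tenant.

```powershell
# Added example (not from the original article).
# Enables sensitivity labels for Office files in SharePoint Online and OneDrive
# and reports the tenant setting before and after the change.
function Enable-SpoSensitivityLabels {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # SharePoint admin center URL of the tenant (placeholder in the usage line below).
        [Parameter(Mandatory)]
        [ValidatePattern('^https://[a-z0-9-]+-admin\.sharepoint\.com/?$')]
        [string]$AdminUrl
    )

    # Fail early if the SharePoint Online PowerShell module is not installed.
    Import-Module Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop

    # Interactive sign-in; requires a SharePoint administrator account.
    Connect-SPOService -Url $AdminUrl -ErrorAction Stop
    try {
        # Read the current state first so the change is auditable.
        $before = (Get-SPOTenant).EnableAIPIntegration

        # Only write the setting when it is not already enabled.
        # -WhatIf shows the intended change without applying it.
        if (-not $before -and
            $PSCmdlet.ShouldProcess($AdminUrl, 'Set EnableAIPIntegration to $true')) {
            Set-SPOTenant -EnableAIPIntegration $true
        }

        # Read the setting back to confirm what the tenant now reports.
        $after = (Get-SPOTenant).EnableAIPIntegration

        [pscustomobject]@{
            AdminUrl = $AdminUrl
            Before   = $before
            After    = $after
            Changed  = ($before -ne $after)
        }
    }
    finally {
        # Always drop the admin session, even if a cmdlet above failed.
        Disconnect-SPOService
    }
}

# Usage (placeholder tenant name):
# Enable-SpoSensitivityLabels -AdminUrl 'https://contoso-admin.sharepoint.com' -WhatIf
```

Running it with `-WhatIf` first shows the current value without changing the tenant, which is useful if SharePoint IRM is already in use and the interaction still has to be reviewed.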
The Microsoft 365 Compliance Center offers you an option to create automatic assignment policies for Sensitivity Labels. Microsoft 365 identifies data requiring protection automatically using a rule set. You can select rule sets from a predefined list of rule sets that are similar to the DLP rules you might know from Exchange Server or Exchange Online. There are predefined rules for the financial sector, healthcare, and personal information. In addition to the predefined rule sets, you can also configure individual rules for identifying company-specific data.
You can assign such an automatic assignment policy to selected targets in Exchange Online, SharePoint Online, or OneDrive. A beneficial feature is the option to execute the policy for automatically assigning labels in simulation mode. The policy results report provides you with information about the policy matches for each configured target after the simulation run is complete.
The technical implementation of Sensitivity Labels can only be as good as the classification of company data and the definition of the groups of users that will work with Sensitivity Labels. Your organization's IT department is only responsible for the technical implementation, but never for determining the necessary classifications. This task is always the responsibility of the business units of your company. An undefined responsibility for data classification is often the core obstacle to successfully implementing the protection of corporate data.
With Sensitivity Labels, you use consistent data protection across your business data in Microsoft 365. The days of individual configurations per Office 365 workload are over. If you already have experience with RMS and AIP, now is the time to switch to a modern way of protecting company data.
If you want to provide feedback on Sensitivity Labels, you can share your requests and suggestions using the Office 365 UserVoice Forum.
- Sensitivity Label Online Documentation
- Microsoft 365 Security & Compliance Licensing Guidance
- Sensitivity Label in Office Apps
- Considerations for Encrypted Content
- Office 365 UserVoice