This will be a two part section as there is a lot to talk about Sensitivity labels.
Table of Contents
Implement and manage sensitivity labels
In this section we are talking on how to Protect your data scope. There is a clear story line on this journey as we can see.
What are labels?
Sensitivity labels are like customizable tags for your documents. They clearly show how sensitive the information is, with options like Personal, Public, General, Confidential, and Highly Confidential. You can tweak them to match your organization’s needs.
These labels are stored in plain text (Metadata) with your files and emails, so other apps can understand them. This means those apps can add extra security when needed.
In your organization, users see these labels as easy-to-spot tags in their everyday apps. It helps them work smoothly and securely.
Implement roles and permissions for administering sensitivity labels
By default, global administrators of your tenant can access this admin center and grant access to compliance officers and others without assigning them full tenant admin privileges. To provide this restricted administrative access, you can utilize the following role groups:
- Information Protection
- Information Protection Admins
- Information Protection Analysts
- Information Protection Investigators
- Information Protection Readers
You can access the permissions tab from here https://compliance.microsoft.com/permissions
And you can find Compliance portal permissions here https://compliance.microsoft.com/compliancecenterpermissions
Or if you want to use the built-in permission available.
You can find Azure roles here https://compliance.microsoft.com/aadpermissions
Licensing needed for AU.
- Entra ID:
- Microsoft Entra ID P1 or P2 license for each administrative unit administrator
- Microsoft Entra ID Free licenses for administrative unit members
- Privileged Role Administrator role
- Microsoft.Graph module when using Microsoft Graph PowerShell
- Azure AD PowerShell module when using PowerShell
- AzureADPreview module when using PowerShell and restricted management administrative units
- Admin consent when using Graph explorer for Microsoft Graph API
- Microsoft Entra ID P1 or P2 license for each administrative unit administrator
- Microsoft Purview licensing:
- Microsoft 365 E5/A5
- Microsoft 365 E5/A5/F5 Compliance and F5 Security & Compliance
- Microsoft 365 E5/A5/F5 Information Protection & Governance
If you want to use Administrative Units (AU) you can use them in the following.
Read more on the permissions from Learn
Enable Labels for Microsoft 365 groups
When encryption-enabled sensitivity labels are used on Office files in SharePoint and OneDrive, web versions of Word, Excel, and PowerPoint won’t be able to access the content. Consequently, coauthoring, eDiscovery, data loss prevention, search, Delve, and other features won’t function. Enabling this setting allows these features to work even with encrypted labels applied.
And when you start to create an Label, you will see this.
No worries, this is how you can Enable labels for M365 groups.
# First install AzureADPreview module
Close PowerShell and reopen then. Otherwise you won’t find all the commands.
$grpUnifiedSetting = (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ)
$Setting = $grpUnifiedSetting
If the value of EnableMIPLabels is False
Then run this
# Define variable
$Setting["EnableMIPLabels"] = "True"
# And to apply the settings this
Set-AzureADDirectorySetting -Id $grpUnifiedSetting.Id -DirectorySetting $Setting
# To check the settings
And you will see MIPLabels as Enabled.
Then we can see creation of labels.
Define and create sensitivity labels
When you create an label, you can define Client-side processing for it by defining Classifiers or SITs to discover from the content and recommending or requiring a label
When you want to create a label, Information protection tab from Compliance portal and first Define the visuals
Then the scope of the label, which means the service you can use it.
Author note! Did you know that you can use the same labels inside Purview Data Governance portal and with Data maps
Next you can enable Encryption, apply watermark, header and footer if you want, you don’t have to. You can just label files.
But it’s strongly suggested to keep the content you labeled protected. If you do, you will be presented this page.
Assign permissions now or let users decide
If you choose “Let users assign” you will be presented with the following and you have to choose at least Prompt users to specify
User access to content expires
To restrict user access to content labeled, set an expiration date or a duration. Files with this label won’t open after the specified time. Note that email expiration may not always apply due to caching. If you choose a date, it’s effective at midnight in your local time zone. If you opt for days, the countdown starts when the label is applied.
Allow offline access
When you set labeled content to be offline-unavailable or offline-available for a limited time, users must reauthenticate and their access is logged once the time limit is reached. If their credentials aren’t cached, they’ll be prompted to sign into Microsoft 365 before accessing the document or email.
From the permissions you can select the following.
Any authenticated users Includes any user who:
- Has an email account that’s authenticated by Azure AD or a federated social provider.
- Is authenticated by a Microsoft account.
- Uses a one-time passcode for email only.
And with specific email or domain you can add external domain names and email addresses for internal and external users and groups. Be sure to click ‘Add’ after entering the address or domain.
And from the permissions menu you add the following with different predefined sets or with the custom mode
You can define the Auto-labeling options or not, if you choose to do so, you can use SITs and Classifiers to find predefined information from the content and Require or Recommend a label for it.
Client-side auto-labeling occurs directly on the user’s workstation while they are creating or editing a document or email within applications. It assesses the content and, depending on what it detects, automatically assigns a label or suggests one to the user based on label properties. It’s also possible to designate a default label for documents and emails. Unlike service-side auto-labeling, client-side labeling does not assess document content against conditions specified in a global policy; instead, it relies on the properties defined for each individual label.
Note that Automatic and recommended labeling works differently for items in Office 365 vs. files stored on Windows devices.
If you select Groups and Sites to the scope, you will the following properties to configure.
Those Privacy settings that define Groups to be Public, Private or let at the owner decide.
And External sharing settings
And we are done, just click Create
So now we have a label but it’s now visible to anyone and we need to publish it.
Configure and manage sensitivity label policies
In this list, label order matters as it mirrors their priority. Place the most restrictive label, like ‘Highly Confidential,’ at the bottom and the least restrictive, like ‘Public,’ at the top
You can assign the priority by moving the label to the top and just upward. If the the label has a high priority you can lower it by moving it down or to the bottom.
Now you have to publish the label with a Label policy, just choose Publish label.
From here you can specify Admin units
And / or users and groups
And choose settings for the policy.
- Choose which users and groups see the labels: Determine which users and groups can view labels. Labels can be shared with specific users, email-enabled security groups, distribution groups, or Entra ID Microsoft 365 groups, including those with dynamic membership.
- Specify a default label: Set a default label for unlabeled documents, emails, meeting invites, new containers (in cases where sensitivity labels are enabled for Teams, Microsoft 365 groups, and SharePoint sites), and Power BI content. You can use the same label for all these items or choose different ones. Users can change the default sensitivity label to better match their content’s sensitivity.
- Require a justification for changing a label: Implement label change justifications. When users attempt to remove or replace a label with a lower-order number (e.g., changing from Confidential to Public), they must provide a reason, except for teams and groups. Administrators can access this justification along with the label change details.
- Require users to apply a label: Enforce mandatory labeling for various item types and supporting containers. Also known as mandatory labeling, this ensures users apply a label before saving documents, sending emails, creating groups or sites, or using unlabeled Power BI content. Labels for documents and emails can be assigned manually, automatically through configured conditions, or by default, as explained earlier.
- Provide help link to a custom help page: Include a link to a customized help page. If your users have questions about the meaning and usage of sensitivity labels, you can offer a “Learn More” URL. This link will be displayed following the list of available sensitivity labels within Office apps.
And to define a Default label if required
For emails you can specify the inheritance from Attachments.
Once you have create the Label policy it can take up to 24 hours to publish the labels to the selected users’ apps.
Quick recap on what was in this section.
Labels are like customizable tags for your documents. They clearly show how sensitive the information is, with options like Personal, Public, General, Confidential, and Highly Confidential. You can tweak them to match your organization’s needs.
What permissions are available for Compliance https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/scc-permissions
You can use the same labels inside Purview Data Governance portal and with Data maps.
What permissions are available and from where to add them. You can still see more here https://learn.microsoft.com/en-us/purview/microsoft-365-compliance-center-permissions
That you can use Administrative Units in the following:
That Client-side auto-labeling occurs directly on the user’s workstation while they are creating or editing a document or email within applications. It assesses the content and, depending on what it detects, automatically assigns a label or suggests one to the user based on label properties.
That you can use SITs and Classifiers on Client-side Auto-labeling.
How to create policies and their different settings, which include.
- Control Visibility: Choose who can see labels by sharing them with specific users, email-enabled security groups, distribution groups, or Entra ID Microsoft 365 groups.
- Set Default Labels: Specify default labels for documents, emails, meeting invites, containers, and Power BI content. You can use the same label or different ones for each type.
- Justify Label Changes: Require users to provide a reason when changing labels, except for teams and groups. Administrators can review these justifications.
- Mandatory Labeling: Make it mandatory for users to apply labels before saving documents, sending emails, creating groups, sites, or using unlabeled Power BI content. Labels can be assigned manually, automatically, or by default.