This is the second part of Sensitivity labels.
Table of Contents
Sensitivity label content continued
Configure auto-labeling policies for sensitivity labels
Using auto-labeling policies is what is called service-side processing.
Service-side auto-labeling
Auto-labeling on the service side, also known as auto-labeling for data at rest and data in transit, operates differently from client-side auto-labeling. In contrast to client-side auto-labeling, which relies on the client to analyze document content during its creation, service-side auto-labeling focuses on evaluating content that is either stored (at-rest) in SharePoint or OneDrive document libraries or in transit within Exchange, such as when a message is submitted for transport. All policy reviews and enforcement occur within the service itself.
Comparison
Here is a comparison table between service-side and client-side processing:
Capabilities | Service side | Client side |
---|---|---|
Application support | SharePoint, OneDrive and Exchange Online | Word, PowerPoint, Excel or Outlook Microsoft 365 apps, or AIP plugin for Office |
File types supported | .docx, .xlsx, .pptx and related formats | .docx, .xlsx, .pptx and related formats |
Policy scoping | By site, group or user | By label |
Classification options | Standard Sensitive Info Types; Custom Sensitive Info Types (incl. dictionaries); Exact Data Matching; Trainable classifiers (in private preview) | Standard Sensitive Info Types; Custom Sensitive Info Types (incl. dictionaries); Exact Data Matching; Trainable Classifiers |
Labeling conditions | Sensitive content; Content is shared; Recipient properties; Sender properties; Email subject; Document title; Attachment extension; Attachment can’t be scanned; Attachment is encrypted; Email headers | Sensitive content in document or email body; Sensitive content in attachment |
Interaction with users | Label visible after user opens document | Automatic labeling: user can override; Recommended label: user can accept or dismiss |
Applied to | New and existing documents (including simulation mode); New emails | Content that’s created or edited by users |
Behaviors | Label is applied; Outbound email is protected; Outbound attachment is protected (Office and PDF documents); Protection is applied to document; Content markings are applied after user opens document and saves it | Label is applied; Document is protected; Email is protected; Attachment is protected (Office attachment only); Content marking is applied |
Label external incoming emails | Yes | On reply or forward |
Labeling limits | 25k documents labeled per day | None |
How to use?
Open Auto-labeling from https://compliance.microsoft.com/informationprotection/autolabeling
And choose a template or create a custom definition from scratch.
Choose the location(s)
And you can use common or advanced rules
For example, you can label content that is shared outside the organization and contains certain SITs. For this you have to first add the "content is shared" condition and only then the "content contains" condition, otherwise the policy creation will fail.
If you choose custom rules, you have to define separate rules for each of the services that you chose in the beginning.
And you can also set exceptions based on the following
And finally choose the label that you want to attach automatically based on the rules.
Note that if you choose a label that does not apply encryption, you will not be prompted.
And the additional settings for Email (if you choose it)
And you can simulate the policy for 7 days and then either have it turn on automatically afterwards or leave it off; you can also skip the simulation and leave it off entirely.
And then you can see inside Content and Activity explorer how it’s doing.
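The same policy as the portal walkthrough above, built with Security & Compliance PowerShell. This is an added example and not code from the original post; it assumes the ExchangeOnlineManagement module, a label named "Confidential", the policy and rule names shown, and that -AccessScope NotInOrganization is the cmdlet equivalent of the portal's "content is shared outside" condition.

```powershell
# Added example, not from the original post. Requires the ExchangeOnlineManagement
# module; the label "Confidential" and the policy/rule names are placeholders.
Connect-IPPSSession

$policyName = "Auto-label CC shared externally"

# 1. Create the policy in simulation mode (the portal's simulation is
#    -Mode TestWithoutNotifications) covering all three service-side workloads.
New-AutoSensitivityLabelPolicy -Name $policyName `
    -ApplySensitivityLabel "Confidential" `
    -SharePointLocation All -OneDriveLocation All -ExchangeLocation All `
    -Mode TestWithoutNotifications `
    -Comment "Simulation first; review Content explorer before enabling"

# 2. Rules are created per workload, which is what the portal calls custom rules.
#    Condition: content shared outside the org AND containing a credit card number.
$ccSit = @{ Name = "Credit Card Number"; minCount = "1" }

New-AutoSensitivityLabelRule -Policy $policyName -Name "SPO-CC-ExternalShare" `
    -Workload SharePoint `
    -AccessScope NotInOrganization `
    -ContentContainsSensitiveInformation $ccSit

New-AutoSensitivityLabelRule -Policy $policyName -Name "ODB-CC-ExternalShare" `
    -Workload OneDriveForBusiness `
    -AccessScope NotInOrganization `
    -ContentContainsSensitiveInformation $ccSit

#    Exchange rule: same SIT in the message or attachment, external recipients only.
New-AutoSensitivityLabelRule -Policy $policyName -Name "EXO-CC-External" `
    -Workload Exchange `
    -AccessScope NotInOrganization `
    -ContentContainsSensitiveInformation $ccSit

# 3. Review the policy while it simulates, then switch it on explicitly.
Get-AutoSensitivityLabelPolicy -Identity $policyName |
    Format-List Name, Mode, SharePointLocation, OneDriveLocation, ExchangeLocation
# Set-AutoSensitivityLabelPolicy -Identity $policyName -Mode Enable
```

Leave the policy in TestWithoutNotifications until the simulation results in Content explorer look right; the 25k documents per day limit applies once it is enabled.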
Monitor data classification and label usage by using Content explorer, Activity explorer, and audit search
Data Classification Analytics in Microsoft Purview Compliance Portal
- Overview: Shows digital content locations and common sensitive information types and labels.
- Content Explorer: Provides visibility into sensitive data quantity and types, enabling filtering by label or sensitivity type for detailed location insights.
- Activity Explorer: Reveals activities tied to sensitive data and labels, including label changes and potential content exposure.
Content explorer
Content Explorer Features:
- Indexes and identifies sensitive documents in Microsoft 365 workloads.
- Detects sensitivity and retention labels on documents.
Inside Content explorer you will find the SITs and Labels matched in your locations.
And you can drill deeper to see who has matches, but you need specific permissions to view the user-based matches. A Global admin can assign the necessary group membership:
- Content Explorer List viewer: membership in this role group allows you to see each item and its location in list view. The "data classification list viewer" role has been pre-assigned to this role group.
- Content Explorer Content viewer: membership in this role group allows you to view the contents of each item in the list. The "data classification content viewer" role has been pre-assigned to this role group.
Activity Explorer
Activity Explorer Features:
- Centralized view for admins to monitor user-related sensitive data activities.
- Includes label actions, DLP logs, auto-labeling, Endpoint DLP, and more.
Explicit permissions needed:
Microsoft Purview Roles | Microsoft Purview Role Groups | Microsoft 365 Roles | Microsoft 365 Role Groups |
---|---|---|---|
Information Protection Admin | Information Protection | Global Admins | Compliance Administrator |
Information Protection Analyst | Information Protection Admins | Compliance Admins | Security Administrator |
Information Protection Investigator | Information Protection Investigators | Security Admins | Security Reader |
Information Protection Reader | Information Protection Analysts | Compliance Data Admins | |
| Information Protection Readers | | |
And the view from Activity explorer
Read more on Activity explorer from Learn
Audit Log
Your organization needs access to vital audit log events for insights and deeper user activity analysis. In the past, your search capabilities in the Microsoft Purview compliance portal were restricted to concurrent audit searches and reviewing historical search jobs. Additionally, these critical audit searches relied on keeping the browser window open for completion.
For example, you can search for label actions with these filters.
You can also use Audit to search the same content and more. You can even do an unscoped search, but it will return all log types.
If you define a scope, you get far fewer hits from the audit logs. In this example we have a user that lowered a label, and you can see the justification in the logs.
You can also export the logs
And once done, just hit Download
And it will export the results as a CSV file.
See more from Learn on the Audit Logs.
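The scoped search and CSV export described above, done from Exchange Online PowerShell instead of the portal. This is an added example and not code from the original post; it assumes an account with audit read permission, that label downgrades surface as SensitivityLabelAction records, and that the AuditData field names (SensitivityLabelEventData, JustificationText, OldSensitivityLabelId) match the sensitivity label audit schema.

```powershell
# Added example, not from the original post. Assumes audit read permission; the
# record type, operation names and AuditData field names are assumed from the
# sensitivity label audit schema.
Connect-ExchangeOnline

$start = (Get-Date).AddDays(-7)
$end   = Get-Date

# Scoped search: only label actions, only the operations that change or remove a label,
# which keeps the result set small compared with an unscoped search.
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType SensitivityLabelAction `
    -Operations SensitivityLabelUpdated, SensitivityLabelRemoved `
    -ResultSize 5000

# AuditData is a JSON string; pull out the fields an investigator wants to see.
$rows = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time          = $r.CreationDate
        User          = $r.UserIds
        Operation     = $r.Operations
        OldLabelId    = $d.SensitivityLabelEventData.OldSensitivityLabelId
        NewLabelId    = $d.SensitivityLabelEventData.SensitivityLabelId
        Justification = $d.SensitivityLabelEventData.JustificationText
        Item          = $d.ObjectId
    }
}

# A downgrade that required a justification is the event worth reviewing.
$downgrades = $rows | Where-Object { $_.Justification }
$downgrades | Sort-Object Time | Format-Table -AutoSize

# Same CSV export the portal offers, done from the shell.
$downgrades | Export-Csv -Path ".\label-downgrades.csv" -NoTypeInformation
```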
Apply bulk classification to on-premises data by using the Microsoft Purview Information Protection scanner
The information protection scanner can inspect any files that Windows can index. If you’ve configured sensitivity labels to apply automatic classification, the scanner can label discovered files to apply that classification, and optionally apply or remove protection.
You must have at least one sensitivity label configured in the Microsoft Purview compliance portal for the scanner account, to apply classification and, optionally, encryption.
The scanner account is the account that you’ll specify in the DelegatedUser parameter of the Set-AIPAuthentication cmdlet, run when configuring your scanner.
See here for more on how to run the scanner.
Note that for scanner versions 2.7.101.0 and below, consider refreshing the policy more frequently, especially during testing. To do this, manually clear the %LocalAppData%\Microsoft\MSIP\mip<processname>\mip directory and then restart the Azure Information Protection service.
If you’ve adjusted encryption settings for sensitivity labels, wait an additional 15 minutes after saving the changes before restarting the Azure Information Protection service.
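The scanner account authentication and the policy refresh for older scanner versions, scripted as an added example that is not from the original post. It assumes the script runs on the scanner server in the scanner account's context, that the app registration values and the scanner user are placeholders, that the scanner version is supplied by hand, and that the Windows service is named AIPScanner.

```powershell
# Added example, not from the original post. Placeholders: tenant, app registration,
# scanner account and the installed scanner version. Service name AIPScanner is assumed.
$tenantId       = "<tenant-id>"
$appId          = "<app-id>"
$appSecret      = "<app-secret>"
$scannerUser    = "scanner@contoso.com"
$scannerVersion = [version]"2.7.101.0"    # replace with the installed version
$encryptionSettingsChanged = $true        # set when label encryption settings were edited

# Non-interactive token for the scanner service; DelegatedUser is the scanner account.
Set-AIPAuthentication -AppId $appId -AppSecret $appSecret -TenantId $tenantId `
    -DelegatedUser $scannerUser

# Scanner 2.7.101.0 and below: force a policy refresh by clearing the cached policy in
# %LocalAppData%\Microsoft\MSIP\mip<processname>\mip before restarting the service.
if ($scannerVersion -le [version]"2.7.101.0") {
    $cacheDirs = Get-ChildItem "$env:LocalAppData\Microsoft\MSIP" -Directory -Filter "mip*" |
        ForEach-Object { Join-Path $_.FullName "mip" } |
        Where-Object { Test-Path $_ }
    foreach ($dir in $cacheDirs) {
        Write-Host "Clearing cached policy: $dir"
        Remove-Item -Path $dir -Recurse -Force
    }
}

# Encryption changes take up to 15 minutes to publish; restarting earlier picks up stale settings.
if ($encryptionSettingsChanged) {
    Write-Host "Waiting 15 minutes for encryption settings to publish..."
    Start-Sleep -Seconds (15 * 60)
}

Restart-Service -Name AIPScanner
Get-Service -Name AIPScanner | Format-Table Name, Status
```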
Manage protection settings and marking for applied sensitivity labels
If you want to edit an existing label, you can’t change its name, but you can re-order its priority or change other settings.
But if the label in question is assigned in an auto-labeling policy, you cannot change the encryption settings for the label until it is removed from the policy.
If you edit another label, users will notice the differences at their end after you save those settings.
If we change the priority for the label
And the user will see the labels re-ordered
And after a while the change propagates to the end user too.
See more on the different aspects from Learn
Or from this excellent blog by Tony Redmond
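Re-ordering label priority and checking for the auto-labeling policy dependency before touching encryption, as an added example that is not code from the original post or Tony Redmond's blog. It assumes a Connect-IPPSSession session, a label named "Confidential", and that Get-AutoSensitivityLabelPolicy exposes the target label in an ApplySensitivityLabel property (an assumption; inspect the object in your tenant).

```powershell
# Added example, not from the original post. Label names are placeholders; the
# ApplySensitivityLabel property used for the dependency check is assumed.
Connect-IPPSSession

# Priority is what orders labels for users; names are immutable, priority is not.
# A lower priority number means a less sensitive label (0 is the least sensitive).
Get-Label | Sort-Object Priority | Format-Table Priority, Name, DisplayName, EncryptionEnabled

# Re-order: users see the new order once the client policy refreshes.
Set-Label -Identity "Confidential" -Priority 2

function Get-AutoLabelPoliciesUsingLabel {
    # Returns every auto-labeling policy that applies the given label, or nothing.
    param([Parameter(Mandatory)][string]$LabelName)
    $label = Get-Label -Identity $LabelName
    Get-AutoSensitivityLabelPolicy | Where-Object {
        $_.ApplySensitivityLabel -eq $label.Guid -or $_.ApplySensitivityLabel -eq $LabelName
    }
}

$blocking = Get-AutoLabelPoliciesUsingLabel -LabelName "Confidential"
if ($blocking) {
    Write-Warning "Remove 'Confidential' from these auto-labeling policies before changing its encryption:"
    $blocking | Select-Object Name, Mode | Format-Table
} else {
    # Only now will the service accept an encryption change for this label, e.g.:
    # Set-Label -Identity "Confidential" -EncryptionEnabled $true -EncryptionRightsDefinitions "<rights>"
    Write-Host "No auto-labeling policy references 'Confidential'; encryption settings can be edited."
}
```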
What’s in GA for Labels in September 2023
- In SharePoint and Teams, you can see and apply sensitivity labels to documents by using the details pane.
- New conditions are now generally available for auto-labeling policies. Just the final new condition listed requires an advanced rule, and is applicable to OneDrive and SharePoint only. All the other new conditions are available in common rules:
- Attachment or file extension is
- Attachment or document name contains words or phrases
- Attachment or document property is
- Attachment or document size equals or is greater than
- Document created by
Closure
That was labels in all their forms. There could be even more content on them, but I have limited the amount. Let’s see the recap.
Service-side processing is done through auto-labeling policies. It auto-labels data at rest and data in transit and operates differently from client-side auto-labeling. In contrast to client-side auto-labeling, which relies on the client to analyze document content during its creation, service-side auto-labeling focuses on evaluating content that is either stored (at-rest)
- 25k documents labeled per day per tenant
- You can use Common or Advanced rules, common rules are for all selected services and Advanced rules are created per service
Data Classification Analytics in Microsoft Purview Compliance Portal
- Overview: Shows digital content locations and common sensitive information types and labels.
- Content Explorer: Provides visibility into sensitive data quantity and types, enabling filtering by label or sensitivity type for detailed location insights.
- Activity Explorer: Reveals activities tied to sensitive data and labels, including label changes and potential content exposure.
You need specific permissions to view the user-based matches. A Global admin can assign the necessary group membership.
Your organization needs access to vital audit log events for insights and deeper user activity analysis. In the past, your search capabilities in the Microsoft Purview compliance portal were restricted to concurrent audit searches and reviewing historical search jobs. Additionally, these critical audit searches relied on keeping the browser window open for completion.
Audit logs can be exported as CSV
You must have at least one sensitivity label configured in the Microsoft Purview compliance portal for the scanner account, to apply classification and, optionally, encryption.
The scanner account is the account that you’ll specify in the DelegatedUser parameter of the Set-AIPAuthentication cmdlet, run when configuring your scanner.
If you want to edit an existing label, you can’t change its name, but you can re-order its priority or change other settings.
You cannot change the encryption settings for a label until it is removed from any auto-labeling policy that applies it.
Modifying the priority of a label will propagate to the end user after 15 to 30 minutes.