Detailed Information on Sensitivity Labels in Microsoft 365

Read time 10 minutes

To complete their tasks, employees in your organization collaborate with others both inside as well as outside the organization. It means that all sorts of content flow everywhere, across different departments and teams in the organizations, and it no longer stays behind a firewall.Therefore, it becomes important to understand how to do it in a secure and protected way that meets your organization’s compliance policies.

To do that effectively without compromising the user productivity and their ability to collaborate, Microsoft Purview Information Protection introduced Sensitivity Labels which allow you to classify and protect all the data shared within the organization. In this blog, we will discuss sensitivity labels, how to set them up, and how it works.

What are Sensitivity Labels?

Sensitivity labels are like a digital stamp added to your business document or email to secure it. They allow you to protect sensitive data within the file. Applying them enables you to state how sensitive certain data is. A sensitivity label appears to users like a tag applied to a document or email, and it is:

Customizable – Based on your organization or business needs, you can create different level categories of sensitive content such as Personal, Public, General, Confidential, and Highly Confidential.

Clear Text – Labels are stored in the clear text format in the metadata for emails and files. So that third-party applications and services can read them and, if required, apply their protective actions.

Persistent – No matter where the label is saved or stored, it stays with the content because it is stored in the metadata for emails and files. Unique label identification becomes the way to apply and enforce your configured policies.

As we already discussed, sensitivity labels appear like a tag on documents and emails that can be easily integrated into users’ workflows. Moreover, documents and emails can have both sensitivity labels as well as retention labels applied to them.

We can use sensitivity labels to:

• Enforce protection settings such as encryption and content markings. For example, users can apply a Confidential Label to an email or document, and that label encrypts the content and puts on a Confidential Watermark. Headers, footers, and watermarks are included in content markings.
• Protect Office apps on different platforms and devices. It is supported by Excel, PowerPoint, Word, and Outlook on Windows, Mac, iOS, and Android.
• Protect content in third-party apps and services using Microsoft Defender for Cloud Apps. It allows you to detect, classify, and protect content in third-party apps and services like Salesforce, Box, or DropBox. You can apply it on third-party apps or services that don’t read or support sensitivity labels.
• Protect containers that include Microsoft 365 groups, SharePoint sites, and Teams for properties such as privacy settings, unmanaged devices access, and external user access or sharing.
• Extend sensitivity labels to third-party apps. You can read sensitivity labels and apply protection settings using the Microsoft Information Protection SDK.
• Extend sensitivity labels to Power BI. Turn on this capability to apply and view sensitivity labels in Power BI and protect the data saved outside the service.
• Classify content without using any protection settings. You can also assign labels to classify the content and use these labels to generate usage reports and watch activity data for your sensitive content. You can choose to apply protection settings later based on this information.

You must have access to one of the admin centers (Microsoft 365 Security Center, Microsoft 365 Compliance Center, Security & Compliance Center) to create and manage sensitivity labels. The Global Administrator has access to admin centers and can grant non-admin access to compliance officers and other non-users.

To grant this limited admin access, it’s important to go to one of these admin center’s permission page and add new members to the Compliance Administrator, Compliance Data Administrator, or Security Administrator group.

If you prefer granting permissions to groups, you must create a new role group and add either Organization Configuration or Sensitive Administration role to this group. Use the sensitivity Label Reader, which initially supported just the Office 365 PowerShell labeling cmdlets for read-only access.

Once we have enabled unified sensitivity labels and assigned the required roles and permissions, it’s time to create and publish a few sensitivity labels and see them in action. The steps to create a sensitivity level are as follows:

• Step 1 – Login to Microsoft 365 admin center.
• Step 2 – Open Office 365 Security & Compliance and select Sensitivity labels.
• Step 3 – Select Create a label in the Information protection window.
• Step 4 – Fill out all the necessary information about the sensitivity level you are creating, as shown in the below image.
• Step 5 – Now define the label scope, which determines these two things:
  1. The label setting you configure for that label
  2. Where the users will see the label
• Step 6 – Configure encryption and content marking settings to protect files and emails.
• Step 7 – Using encryption, you can set permission to control who can access files and email messages with this label. You can assign permissions only to specific users, domains, and groups or let users apply the policy to select who can have access to labeled content. It’s also possible to control offline access and set content expiration date.
• Step 8 – Click on Assign Permissions, as shown in the above image. Here you will get multiple options to choose the right audience. Choose permissions and then click on save to apply your settings.
• Step 9 – Content marking allows you to add clear information about the applied labels. You can configure whether you want to add a watermark, header, footer, or all of them.
• Step 10 – Next, you have an option to on auto-labeling. This way, certain documents or groups created on certain sites can be automatically marked with a label. It might be helpful to ensure nobody forgets about securing documents.
• Step 11 – In the next step, you can define protection settings for groups and sites. These settings apply to teams, groups, and sites, not directly to the files stored in them.
• Step 12 – The last step is to review your sensitivity label settings and click on create label.
  1. Once the process completed, you will see a confirmation screen like this:
  2. After the sensitivity label has been created, you will need to publish it so that users can use it.
• Step 13 – Publishing the Sensitivity label: To publish the created sensitivity label, go to the Label policies and click on Publish label.Then, click on choose sensitivity labels to publish and select the label you created earlier. Click on Add and then Next.
• Step 14 – Now, select which users or groups should have the label available. Click on Done and then Next.
• Step 15 – Next, you can select to use various policy settings and then click on Next
• Step 16 – In the next step, you have the option to apply a default label to documents. If you leave it at the None option, users will have a choice to use the document or apply the label without enhanced protection.In the next two steps, you can configure the default labels for emails and Power BI.
• Step 17 – Now,name your label policy and provide a description for it.Finally, review the policy and click on Submit to publish it.

To remove a sensitivity label or lower its classification, users must provide a justification. They need to specify why they are changing or removing a label. Follow these steps to remove a label:

1. Open a document and go to the Sensitivity
2. Click on the name of the currently applied label
3. Now, the justification required pop-up will appear, pick an appropriate option, and click on Change.
4. Finally, the label should be removed at this point.

All the created labels will appear in a list on the Sensitivity tab of the Labels page. The order of the label in this list is important because it indicates their priority. You want your least restrictive sensitivity label, such as Public or Personal, to come at the top of the list and the most restrictive label, highly confidential,to appear at the bottom.

Using sub-labels, you can also group multiple labels below a parent label (users see it in an Office app). But sub-labels don’ inherit any features or settings from their parent label. While publishing a sub-label, users can apply the sub label, but they can’t just apply the parent label to the content. If you select a parent label as the default label or configure it to apply automatically or recommended, it won’t apply to the content.

Wrap Up

Undoubtedly, sensitivity label isa powerful Office 365 feature that can help boost Microsoft 365 data security and force your employees to be careful while sharing or accessing the data. Using sensitivity label tags, you can easily protect content in other applications, track content’s activity, encrypt emails, automatically label content, and much more.

Even after all this, there might be a possibility of data loss in Office 365 due to several reasons. In this case, we suggest you use an automated tool named Kernel Export Office 365 to Restore, which allows you to back up the mailbox data of Microsoft 365, hosted Exchange, and on-premises Exchange. To learn more about this automated tool, download its free demo version.