Responsible for securing sensitive data in Microsoft 365? Sensitivity labels let you classify and protect your organization’s data without hindering productivity. Learn what they are and how to use them in this handy how-to guide.
With the large-scale shift to distributed teams and fully remote work, the ability for employees to collaborate with others both inside and outside the organization—and across devices, apps, and services—is crucial for getting their work done. When that data roams, IT admins are responsible for making sure it does so in a secure, protected way that meets their organization’s business and compliance policies.
The thing is, not all data is created equal. You don’t need to apply the same controls to an internally shared lunch menu as you would to a highly confidential spreadsheet with info about quarterly earnings. In fact, applying unnecessary blanket restrictions can actually end up backfiring, negatively impacting user adoption and resulting in people turning to other, un-approved tools.
So, how do you loosen security requirements for some teams while enforcing stricter rules for others? Can you customize each team’s security settings without hindering end user productivity?
Our engineers did a ton of research into container-level data protection while developing our latest ShareGate Apricot release—group sensitivity labels—and part of that process included looking at sensitivity labeling in the Microsoft 365 compliance center. We wanted to share what we learned, so we created this handy guide to using sensitivity labeling to secure sensitive data in Microsoft 365.
What is sensitive data?
In order to protect your sensitive data, you first need to understand:
- What kind of data is considered “sensitive” within your organization?
- Where does that sensitive data live?
Broadly speaking, sensitive data is classified information that needs to be protected from unauthorized access to mitigate business risk. Typically, data that’s sensitive should have policies in place that make it inaccessible to outside parties unless they’ve been granted explicit permission.
Some types of information—such as customer credit card numbers or bank transfer details—are obviously sensitive and should clearly be protected.
But in many other cases, the definition of what constitutes “classified” information varies greatly between organizations depending on business needs. For example, a national pizza chain might consider the ingredient list for their secret sauce to be classified information that should never be shared externally.
Making sure your organization has a clearly defined data classification scheme for Microsoft 365 is a crucial first step; categorizing your data in a way that conveys its level of sensitivity helps you better understand where sensitive data lives, what users are doing with it, and why it could be at risk.
And, according to Microsoft MVP Joanne Klein, one of the best ways to approach data security at scale is from the perspective of container governance: security and compliance policies applied at the level of Microsoft Teams teams and Microsoft 365 groups. Classifying each team at the container level according to its data’s level of sensitivity is a great way to gain a better understanding of where your sensitive data lives.
Once you have your classification scheme in place, there are many things you can implement building on top of it. And one of the most effective is sensitivity labels.
Azure Information Protection vs Microsoft’s unified labeling client: What’s the difference?
Up until 2018, Microsoft 365 only had built-in retention labels that enabled you to classify documents and emails for auditing and retention when that content was stored in Microsoft 365 services.
Alternatively, Azure Information Protection (AIP) labels, configured at the time using the AIP classic client in the Azure portal, were part of a more advanced subscription that let you apply a consistent classification and protection policy to documents and emails whether they were stored on-premises or in the cloud.
Then, at Microsoft Ignite 2018 in Orlando, Microsoft introduced a unified labeling solution for Microsoft 365—Microsoft Information Protection (MIP)—that offered centralized management of labels and protection settings in the Security & Compliance center (the labeling admin center at the time). Microsoft also announced previews of labeling functionality for Office apps—in other words, built-in sensitivity labels in Microsoft 365.
> The unified labeling experience in Microsoft 365 provides organizations with a more integrated and consistent approach to creating, configuring, and automatically applying comprehensive policies to protect and govern your data—across devices, apps, cloud services, and on-premises.

Source: “Microsoft Information Protection and Unified Labeling” blog announcement, November 5th, 2018
This was welcome news for organizations that previously leveraged AIP in their Microsoft 365 (then named Office 365) tenants, since labels defined in Office 365 and in Azure Information Protection were not the same thing. Previously, a data loss prevention (DLP) label policy created in Office 365 meant DLP only applied to data in Office 365, and AIP labels were not visible for use in Office 365 DLP policies.
Microsoft announces timelines for sunsetting label management in the Azure portal and AIP client (classic)
In the wake of strong customer adoption and interest in the MIP unified labeling client, Microsoft introduced multiple new features in response to user feedback, including:
- Support for dynamic content marking and pre-app content marking
- Support for customizable policy tips for automatic and recommended labels
- Support for offline labeling
- Improvement of migration from third-party solutions to sensitivity labeling
- Inclusion of the unified labeling scanner for on-premises data discovery, which provides more accurate and flexible data classification by extending support to custom information types, complex conditions, and dictionaries
With label management in the Microsoft 365 compliance center at parity with the AIP portal experience, it wasn’t exactly surprising that Microsoft announced the deprecation of label management in the Azure portal and AIP client (classic) at the start of last year. Both label management and the classic client will be sunsetting on March 31, 2021.
This time frame allows all current Azure Information Protection customers to transition to the unified labeling solution using the Microsoft Information Protection unified labeling platform. Head over to Microsoft’s official documentation for more details on how to migrate AIP labels to unified sensitivity labels.
It’s important to understand that Azure Information Protection itself isn’t going anywhere; it remains a cloud-based solution that enables organizations to discover, classify, and protect documents and emails by applying labels to content. AIP is part of the Microsoft Information Protection (MIP) solution and extends the labeling and classification functionality provided by Microsoft 365 to additional file types, as well as to the File Explorer and PowerShell.
Essentially, AIP is a more advanced subscription with additional capabilities that make it better suited for hybrid environments.
FAQs for labeling in Azure Information Protection and Microsoft Information Protection
Still have questions about labeling in Azure Information Protection and Microsoft Information Protection? See if it’s answered here.
The main difference between Azure Information Protection and Microsoft Information Protection is that AIP is a more advanced subscription with additional capabilities that make it better suited to hybrid environments. For example, you can use the AIP client to encrypt documents on a traditional file server, right in Windows Explorer. This means that AIP works regardless of whether you have Microsoft 365—it could even be purchased as a standalone subscription and used to classify content on any server, or in any cloud.
Microsoft Information Protection, on the other hand, isn’t a subscription or product that you can buy. Instead, MIP is a framework for products and integrated capabilities that help you protect your organization’s sensitive information.
When Microsoft 365 only had built-in retention labels, Azure Information Protection labels—configured at the time using the AIP classic client in the Azure portal—filled the gap by enabling you to apply a consistent classification and protection policy for documents and emails, whether they were stored on-premises or in the cloud.
Now, Microsoft 365 supports sensitivity labels and retention labels. However, in contrast to AIP labels, Microsoft 365 sensitivity labels are specifically available within Microsoft 365 apps.
If you have legacy AIP labels configured in your Azure portal, Microsoft recommends migrating them to the unified labeling platform so that clients and services that support unified labeling can use them as sensitivity labels.
If you obtained your subscription for Azure Information Protection in June 2019 or later, then your tenant is automatically on the unified labeling platform and no further action is needed. Alternatively, your tenant might already be on this platform because somebody migrated your Azure Information Protection labels.
Head over to the official Microsoft documentation for further instructions on how to tell whether or not your tenant is on the unified labeling platform.
Securing data with sensitivity labels through Microsoft Information Protection (MIP)
Built-in sensitivity labels from the Microsoft Information Protection (MIP) framework are managed through a single portal—the Microsoft 365 compliance center—which unifies labeling and protection policy management across AIP, Microsoft 365, and Windows.
Like AIP labels, sensitivity labels from the MIP solution let you classify and protect your organization’s data while making sure that user productivity and their ability to collaborate isn’t hindered.
Sensitivity labels in Microsoft 365 can help you take the right actions on the right content. With sensitivity labels, you can classify data across your organization, and enforce protection settings based on that classification.
You can use sensitivity labels from the MIP framework to:
- Enforce protection settings like encryption or watermarks on labeled content
- Protect Office 365 content across platforms and devices
- Extend sensitivity labels to protect content in third-party apps and services
- Protect containers that include Teams, Microsoft 365 groups, and SharePoint sites (requires an Azure AD Premium P1 license)
Once a sensitivity label has been applied to a piece of content, such as a document or an email, the label is stored in the metadata of that email or document. This means the label roams with the content and becomes the basis for applying and enforcing policies.
When viewed by users, a sensitivity label appears like a tag on apps that they use and can be easily integrated into their existing workflows.
Defining the scope: How to configure different sensitivity label settings in the Microsoft 365 compliance center
When you create a sensitivity label, you’re asked to configure the label’s scope.
The label scope determines two things:
- Which label settings you can configure for that label
- Where the label will be visible to users
This configuration allows you to create sensitivity labels that are just for documents and emails and can’t be selected for containers. Alternatively, you can create sensitivity labels that are just for containers and can’t be selected for documents and emails.
Depending on how you want to use sensitivity labels in your tenant, the different scopes can be configured to accomplish different things:
- Files & emails: Enables you to configure a sensitivity label to encrypt, mark, and protect labeled emails and Office files. This scope is always selected by default.
- Groups & sites: Lets you configure a sensitivity label to protect content in containers when you enable the capability to use sensitivity labels with Microsoft Teams, Microsoft 365 groups, and SharePoint sites. You can’t configure protection settings for groups and sites until you enable this capability, but once enabled this scope is also selected by default.
- Azure Purview assets (preview): Allows you to apply a sensitivity label to assets in Azure Purview, including SQL columns, files in Azure Blob Storage, and more. This scope is also selected by default once this feature is enabled for your tenant.
“Files & emails” scope
Labels that can be configured to apply encryption and content marking to files and emails have been around longer and are what most people think of when they hear the term “sensitivity label”.
Protection settings that can be applied to an email or document, including encryption and content marking, are configured by selecting the Files & emails scope.
Depending on the type of license your organization has in place (you can read more about the licensing requirements for Microsoft Information Protection here), sensitivity labels with “Files & emails” scope settings configured can be applied automatically or applied to documents and emails manually by the end user.
The ability to configure settings at the “Files & emails” scope does not require any additional licensing and is enabled by default.
“Groups & sites” scope
Now, in addition to using sensitivity labels to classify and protect documents and emails, you can also use sensitivity labeling to protect content in the following containers:
- Microsoft Teams sites
- Microsoft 365 groups
- SharePoint Online sites
Protection settings that can be applied at the level of these containers are configured by selecting the Groups & sites scope.
Sensitivity labels applied at the container-level serve a different purpose than sensitivity labeling for documents and emails—despite sharing a name and the ability to include settings for both scopes in the same sensitivity label.
For this container-level classification and protection, you can use the following label settings:
- Privacy (public or private) of team sites and Microsoft 365 groups
- External user access
- Access from unmanaged devices
- External sharing from SharePoint sites (in preview)
Unlike sensitivity label settings for the “Files & emails” scope, you can’t configure protection settings for groups and sites until you enable this capability. Until you enable this support, the settings are visible in the wizard, but you can’t configure them.
We should also point out that to configure this feature, you need to possess at least one active Azure Active Directory Premium P1 license in your Azure AD organization.
Once enabled, you can configure protection settings for “Groups & sites” and “Files & emails” within a single sensitivity label.
For example, if you want to have one label called “Confidential”, you can configure the “Files & emails” settings to apply content marking to any documents with that label and you can also configure the “Groups & sites” settings to restrict external access when that label is applied to a container.
You can also separate your labels by scope if you choose to. When only the “Groups & sites” scope is selected for a label, the label won’t be displayed in Office apps that support sensitivity labels and can’t be applied to files and emails. According to Microsoft, the separation of labels can be helpful for both users and administrators but can also add to the complexity of your label deployment. It really depends what will work best for you!
Essentially, all sensitivity labels are called sensitivity labels in the world of Microsoft—what differs is the level at which you apply them (defining the scope) and the licensing requirements to enable labeling at the group and site level. The fact is, the two scopes of sensitivity labeling are complementary; to really ensure your organizational data stays secure, it’s a good idea to use a combination of tactics.
Using sensitivity labels with Microsoft Teams
Microsoft Teams is closely tied to Microsoft 365 Groups and SharePoint Online team sites. So, if you’ve published sensitivity labels that have site and group settings enabled, those labels can also be applied to a team in Microsoft Teams.
Sensitivity labels allow Teams admins to protect and regulate access to sensitive organizational content created during collaboration within teams.
For example, you can use sensitivity labels configured in the Microsoft 365 compliance center to:
- Set the privacy level (public or private) for teams
- Control guest access to teams
Take guest access: teams created with a label that doesn’t allow guest access will only be available to users in your organization—people outside your organization cannot be added to the team.
This is an especially useful safeguard in light of the recent change to the default configuration for guest access in Teams: as of February 8th, 2021, Microsoft is turning on guest access capabilities in Microsoft Teams by default for any customers who have not configured this setting.
Check out the official Microsoft documentation for more details and step-by-step instructions for how to turn on or turn off guest access to Microsoft Teams.
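Putting the “Confidential” example from the previous section together with the Teams guest-access control described here, the following is an added PowerShell example (not code from the original post, ShareGate, or Microsoft documentation) that creates one label carrying both scopes, publishes it, and applies it to an existing team’s Microsoft 365 group. It assumes the ExchangeOnlineManagement module is installed, the account holds a compliance-admin role, “Groups & sites” labeling has already been enabled in Azure AD (with the Azure AD Premium P1 license noted above), and that the UPN and group address shown are placeholders.

```powershell
# Added example: one "Confidential" label with both "Files & emails" and "Groups & sites"
# settings, published and then applied to a team's underlying Microsoft 365 group.
# Assumptions: ExchangeOnlineManagement module, compliance-admin account, container
# labeling already enabled in the tenant; admin@contoso.example and the group address
# below are placeholders.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.example    # Security & Compliance PowerShell

# 1. Create the label. ContentType lists the scopes it can be applied at:
#    "File, Email" = Files & emails scope, "Site, UnifiedGroup" = Groups & sites scope.
#    Files & emails settings: a content-marking header on labeled documents and emails.
#    Groups & sites settings: private team, no guest users, web-only access from unmanaged devices.
New-Label -Name "Confidential" -DisplayName "Confidential" `
    -Tooltip "Internal business data that must not be shared outside the organization" `
    -ContentType "File, Email, Site, UnifiedGroup" `
    -ApplyContentMarkingHeaderEnabled $true `
    -ApplyContentMarkingHeaderText "CONFIDENTIAL" `
    -ApplyContentMarkingHeaderFontSize 10 `
    -ApplyContentMarkingHeaderFontColor "#FF0000" `
    -SiteAndGroupProtectionEnabled $true `
    -SiteAndGroupProtectionPrivacy Private `
    -SiteAndGroupProtectionAllowAccessToGuestUsers $false `
    -SiteAndGroupProtectionAllowLimitedAccess $true

# 2. Publish the label with a label policy so it becomes visible to users and admins.
New-LabelPolicy -Name "Confidential label policy" -Labels "Confidential" -ExchangeLocation All

# 3. Apply the label to the Microsoft 365 group behind an existing team.
#    Set-UnifiedGroup lives in Exchange Online PowerShell, so a second session is needed.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example
$label = Get-Label -Identity "Confidential"
Set-UnifiedGroup -Identity "finance-quarterly@contoso.example" -SensitivityLabelId $label.Guid

# 4. Verify which groups now carry the label (and therefore block guest access).
Get-UnifiedGroup -ResultSize Unlimited |
    Where-Object { $_.SensitivityLabel -eq $label.Guid } |
    Select-Object DisplayName, SensitivityLabel
```

Newly created labels can take a little while to appear in Teams and SharePoint after publishing, so the verification step may need to be repeated.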
Sensitivity labels: Use case comparison table
To help highlight some popular use cases for sensitivity labels, we created this handy table based on common scenarios put forth by Microsoft in their official documentation.
| If you want to… | Then… | For more details, check out… |
| --- | --- | --- |
| *Enable users to label and protect files from Windows computers using Office apps, File Explorer, and PowerShell | Deploy the Azure Information Protection unified labeling client | Azure Information Protection unified labeling client for Windows |
| Encrypt documents and emails with sensitivity labels and restrict who can access that content and how it can be used | Configure Microsoft 365 sensitivity labels at the Files & emails scope | Restrict access to content by using sensitivity labels to apply encryption |
| Manage sensitivity labels for Office apps so that content is labeled as it’s created | Configure Microsoft 365 sensitivity labels at the Files & emails scope | Use sensitivity labels in Office apps |
| Let users apply sensitivity labels in Office on the web | Configure Microsoft 365 sensitivity labels at the Files & emails scope | Enable sensitivity labels for Office files in SharePoint and OneDrive |
| *Automatically apply sensitivity labels to documents and emails | Configure Microsoft 365 sensitivity labels at the Files & emails scope | Apply a sensitivity label to content automatically |
| *Use sensitivity labels to protect content in Microsoft Teams and SharePoint | Configure Microsoft 365 sensitivity labels at the Groups & sites scope | Use sensitivity labels with Microsoft Teams, Microsoft 365 groups, and SharePoint sites |