Deploying Sensitivity Labels in 3 Steps

What are sensitivity labels?

A sensitivity label is a little like an envelope into which you can put a document.

An envelope typically has a name and address on it and might have other things like a stamp or a message about how important it is. An envelope is designed to protect the contents and because of this is not generally see-through but opaque.

If you wanted to go one step further you could seal the envelope using wax and a stamp in an attempt to ensure that no one had tampered with the contents in transit. You could even send it via a trusted courier to ensure it reached its destination rapidly without being intercepted.

A sensitivity label is a feature of Microsoft 365 that allows you to effectively do the same thing. It can visually mark a document, apply controls around who can access the document in order to read it, and when combined with Data Loss Prevention in Microsoft 365, can provide controls around the distribution of the document.

However, while sensitivity labels sound pretty straightforward, they can be awfully complex in implementation and usage.

This guide attempts to explain some of the features and provide some basics around implementing sensitivity labels in a manner that won’t break your day to day operations.

What’s required to get started with sensitivity labels?

To enable users to apply a sensitivity label to a document you essentially do three things:

  1. Create some sensitivity labels in Microsoft 365
  2. Publish the sensitivity labels for users to use
  3. Provide users a means with which to use the labels

1. Creating Labels

Sensitivity Labels are pretty easy to create – you log into Microsoft 365, go to Admin Center, then Compliance Center, select Information Protection from the left navigation, then click the “+Create a label” button and follow the menu driven dialogues.

The bigger question is what settings you want to configure for your labels. There are lots of configuration options and how you combine these will affect how many labels you create and what you use those labels to achieve.

Our recommendation is that you plan your labels based on what you intend to achieve with them. Fundamentally sensitivity labels are about classifying documents and then controlling what can be done with those documents based on the classification. If you create too many different labels then users will end up confused about which label should be applied under what circumstances. If you create too few labels then it’s possible users will not see an option that matches the classification or controls they are looking to apply.

If two different labels apply different visual markings but the same controls, are they really serving different purposes? We recommend creating the minimum number of sensitivity labels you can to meet the requirement you’re looking to satisfy.

What decisions do you need to make about sensitivity labels?

  • Name: Each label needs a unique name (unique within your environment)
  • Display Name: A label has both an actual name and a display name – this allows you to have multiple versions of the same label appear essentially identical to the user
  • Scope: Where should the label be used – on files, email, SharePoint/OneDrive sites
  • Do you want to encrypt / protect the data?
  • Do you want to visually mark documents and emails?
  • Do you want to allocate the application of the label to a site or team to control who can access the site?
  • Do you want to allocate the application of the label to a site or team to control who can add external users?
  • Do you want to allocate the application of the label to a site or team to control how the site or team is shared externally?

Sensitivity labels have an order that’s important when the label is changed – so it’s important to ensure that the label you want to attach to the most important information has the highest number in the list.

2. Publishing Labels to users

Much as for the creation of sensitivity labels, the creation of a sensitivity label publishing policy is pretty straightforward. You log into Microsoft 365, go to Admin Center, then Compliance Center, select Information Protection from the left navigation, then select the “Label policies” tab, and select “Publish label” and follow the menu driven dialogues.

But what do these dialogues require you to define? You must choose which labels to publish, who you want to publish them to, then you configure some settings for how the users will use the labels, then you give the policy a name and you’re finished. The users will be able to see the labels you have published within a few hours.

I’d suggest here that there are a few things to think about before you go through this process:

  • First, who will you publish the labels to? There are three options: all users, specific selected users, or specific selected groups. The groups have to be Microsoft 365 groups – security groups do not show up in the selection options. Nor can you include some groups and exclude specific users. So our recommendation here is to create some Microsoft 365 groups for pilot users, and if there are groups of users that should never have the labels, do not use the “all users” option but rather cover in-scope users by including them in a dedicated M365 group.
  • Second, do you want users to have to justify in writing when they downgrade the sensitivity label attached to a document? If so, you must select the “Users must provide a justification to remove a label or lower its classification” option in the settings. I’d suggest that there are two possible reasons to do this – firstly to make users think before they downgrade a label, secondly if you are going to review user behaviours. This will put an obstacle in front of users though and could make user experience poorer.
  • Third, do you want to force users to apply a label to their documents and emails – if you do then you need to choose the “Require users to apply a label to their emails and documents” option. If you don’t have automated labelling capability (which isn’t a feature of M365 E3 or M365 Business Premium) and you are using label encryption to secure access to your documents then you really want this turned on.
  • Fourth, if you use Power BI you can require users to choose a label for content held in Power BI using the “Require users to apply a label to their Power BI Content” option. My suspicion is that not many SMBs use Power BI so I’m not going to spend much time on this.
  • Fifth, do you want to specify a default label for documents, and a (different) default label for emails, and a (different) default label for Power BI? I’d suggest that applying a default label makes things easier for users and is worth doing if you are using mandatory labelling and can choose a suitable default label.
  • Sixth, provide users with a link to a custom help page – within Apps for Enterprise in the sensitivity label drop down there is a “Learn More” button, similarly in AIP Unified Labelling Client there is a “Tell Me More” link. These by default point to a Microsoft page about Sensitivity Labels but can be redirected to a page of your own choice. To my mind this is a good idea – the page can explain what sensitivity labels are and how to use them along with detail on which labels to use when.
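The planning points from step 1 (unique names, labels that differ only in visual marking, label order) and the downgrade-justification setting above can be checked against a draft label plan before anything is created in the portal. The following is an added example, not part of the original post and not a Microsoft tool; the `Label` fields, the sample plan, the function names and the encryption-ordering heuristic are assumptions made for illustration, and it models flat labels only.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Label:                      # hypothetical planning record, not an M365 object
    name: str                     # unique internal name
    display_name: str             # what users see; may repeat across labels
    order: int                    # position in the list; highest = most sensitive
    encrypt: bool                 # control: encrypt / protect content
    external_sharing: bool        # control: site or team may be shared externally
    marking: str = ""             # visual marking only, not a control

def lint_plan(labels):
    """Return findings for a draft label plan (empty list = nothing flagged)."""
    findings, names, orders, by_controls = [], set(), set(), {}
    for lb in sorted(labels, key=lambda l: l.order):
        if lb.name.lower() in names:
            findings.append(f"duplicate name: {lb.name}")
        names.add(lb.name.lower())
        if lb.order in orders:
            findings.append(f"duplicate order {lb.order}: {lb.name}")
        orders.add(lb.order)
        # Labels that differ only in name or marking apply identical controls.
        twin = by_controls.setdefault((lb.encrypt, lb.external_sharing), lb)
        if twin is not lb:
            findings.append(f"same controls: {twin.name} / {lb.name}")
    # Assumed heuristic: encrypting labels should sit above unencrypted ones.
    enc = [l.order for l in labels if l.encrypt]
    plain = [l.order for l in labels if not l.encrypt]
    if enc and plain and min(enc) < max(plain):
        findings.append("encrypted label ordered below an unencrypted one")
    return findings

def needs_justification(old: Optional[Label], new: Optional[Label]) -> bool:
    """True when a change removes a label or moves to a lower-ordered one."""
    if old is None:
        return False              # first label applied
    if new is None:
        return True               # label removed
    return new.order < old.order

# Constructed sample plan.
PLAN = [
    Label("Public", "Public", 0, False, True, "PUBLIC"),
    Label("Internal", "Internal", 1, False, False, "INTERNAL"),
    Label("Internal-Draft", "Internal", 2, False, False, "DRAFT"),
    Label("Confidential", "Confidential", 3, True, False, "CONFIDENTIAL"),
]
print(lint_plan(PLAN))            # findings for the sample plan
```

In the sample plan, "Internal" and "Internal-Draft" are flagged because they apply the same controls and differ only in marking, which is the case the planning advice says to question.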

3. Enabling Users to use sensitivity labels

Users need to be able to create documents and emails to which they can apply sensitivity labels, and they need to be able to open documents and emails that have already had a sensitivity label applied to them. This section outlines the options in this area – there are some choices to be made depending on which features you want to take advantage of and what version of the Microsoft Office suite you are using.

Sensitivity Labels in Windows 10

To provide users a means by which to apply labels to files in Windows you have two options – you can use the built-in functionality within Microsoft Apps for Enterprise/Apps for Business or you can install the Azure Information Protection Unified Labeling Client, AIP UL client for short.

You might be wondering what these two options are and what the difference between them is.

Fundamentally Apps for Enterprise is the Office suite that comes with Microsoft 365 E3 and E5, while Apps for Business is the Office suite that comes with Microsoft 365 Business Premium. For the purposes of this blog post there is no difference between the two products – they both contain Outlook, Word, Excel, PowerPoint and a few other desktop products and they both support native application of sensitivity labels from within the four listed products. You open one of these applications and create a new document or email and select the sensitivity button in the ribbon menu which drops down and allows you to apply a sensitivity label.

AIP UL Client is an installable extension to Windows 10 that integrates into the Office suite and File Manager to allow users to apply labels to documents. It supplements the sensitivity button in Apps for Enterprise or adds a button in earlier versions of Office. It also provides an option of a more visible AIP bar that appears below the ribbon displaying the label options or selected label for the user. It also supports applying sensitivity labels through the Windows File Manager by providing a “Classify and Protect” menu. Broadly AIP UL client is more feature rich than the native built-in client.

How should you choose between the two clients? Really you ought to look through the detailed feature list for the two options and identify which features you need and therefore which solution is most suitable. For me though it really comes down to three things:

  • If you have an earlier version of Office installed and do not want to upgrade to Apps for Enterprise / Business then you need to use AIP UL Client
  • If you want to allow users to apply labels in the Windows File Manager you need to use AIP UL Client
  • If you want to make the experience more obvious to the user then you need to use AIP UL Client.

Sensitivity Labels on Apple Macs

Anyone who knows me will know that I have no Apple devices and no experience using Apple devices (except a very short period of a few months when I had an iPhone for work) and thus I have no experience using sensitivity labels with an Apple Mac desktop or laptop device.

My understanding is that there is a version of Apps for Enterprise / Apps for Business for the Apple ecosystem that includes the same functionality as exists in the Apps for Enterprise Office suite that runs under Windows. But beyond that I can offer no help.

Sensitivity Labels on Android and iOS

Confusingly there is an AIP app for iOS and Android that can be downloaded from iTunes or Google Play and can be published through the company portal. This, however, only allows you to view protected files, so in my view it ought to be avoided unless for some reason you can’t use the mobile Office apps.

Really the best approach is to use the Microsoft Office apps for iOS or Android, i.e. “Microsoft Office: Word, Excel, PowerPoint & More”, “Microsoft Outlook” etc. These all support applying sensitivity labels to documents. Again these can be accessed through iTunes or Google Play and can be published through the company portal.

What next?

As we have outlined above, our approach to enabling sensitivity labels for users would be to start out by identifying the risks you are trying to mitigate using sensitivity labels and prioritising them. This process should draw out the number of different labels you require and the configuration of those labels.

From this you can move on to make decisions about the publishing policy – primarily to whom you will initially publish the sensitivity labels, whether you will use mandatory labelling and/or default labelling, and how you will roll out to the broader organisation.

The last step discussed above is concerned with how users will actually apply the labels to documents – what tools they will use to do this.

Our next few blogs will talk through some example organisations and what their sensitivity labels and publishing policy might look like.

Sensitivity labels can be a real benefit to an organisation’s information governance and information security posture. But equally they are complex to implement and there are a lot of design choices to make before you move to a pilot. If you have found this blog useful but feel you need some help with sensitivity labels or more generally the security and compliance of your Microsoft 365 environment please get in touch by emailing us at info@amdhservicesltd.com or give us a call on 01332 322 588.

 
