Licensing for Sensitivity Labels

Sensitivity Labels are a part of the Microsoft 365 product set that allows users and organisations to classify and protect their data. But which features you are allowed to use varies depending on which licenses you have allocated to any particular user. This blog post helps you navigate and understand the features available and what licenses are required to use them in a compliant manner.

Licensed Features of Sensitivity Labels

Sensitivity labels can be used in environments that are licensed with the Microsoft 365 Enterprise E3 or E5 SKUs, or Microsoft 365 Business Premium SKU. The features available differ depending on which license you are using – and even if you are licensed for some features, you might not use them all.

  • Manual Sensitivity Labels – these are labels applied by the user through manually selecting a label in AIP Unified Labelling Client, Apps for Enterprise, Office Online, or one of the mobile apps. Included in M365 E3, E5 and Business Premium.
  • Client-Side Automatic Sensitivity Labels – this is used when something you add to a document or email matches a detection condition configured in the label definition in the “Auto-labelling for files and emails” section. The label is applied automatically by either Office Online (e.g. Word Online) or the desktop client (e.g. Apps for Enterprise Word). This is enabled within the label configuration and there is a range of match conditions, including sensitive information types and other parameters of the document or email. You will see this whether or not you are licensed to use it. Included in M365 E5 and M365 E5 Compliance.
  • Service-Side Automatic Sensitivity Labels – this is used for data at rest and data that already exists within M365 prior to the auto-apply policy being applied. It is enabled in the “Auto-labelling” section of the Information protection tab in Compliance Center and supports the same match conditions as the client-side automatic sensitivity labels. If you aren’t licensed for it you probably won’t see it – however just because you do see it, doesn’t mean you’re licensed to use it. Included in M365 E5 and M365 E5 Compliance.
  • Apply Sensitivity Labels in Power BI – to apply, view and protect data in Power BI and when the data in Power BI is exported to Excel, PowerPoint or PDF. Included in M365 E5 and M365 E5 Compliance.
  • Trainable Classifiers – these make use of machine learning to characterise a particular type of document or email in order that a sensitivity label can be applied automatically to other similar documents or emails. Included in M365 E5 and M365 E5 Compliance.
  • AIP UL Client – AIP Unified Labelling Client is an “add-on” to Windows 10 / Office that allows users to apply labels to documents and emails from Word, Excel, PowerPoint and Outlook, along with applying labels to items through File Explorer. Included in M365 E3, E5 and Business Premium. Requires the AIP Plan 1 or AIP Plan 2 which is included in M365 E3, E5 and Business Premium.
  • AIP UL Scanner – this is a tool that can scan an on-premises file server infrastructure and apply labels to the files stored by that infrastructure. What it can do and what it can report is license specific but not hard enforced. Requires AIP Plan 1 or AIP Plan 2, which is included in M365 E3, E5 and Business Premium.

From a licensing perspective, these features are largely split into “manual” and “automatic”, where manual features require the M365 E3 license or M365 Business Premium, and automatic features require the M365 E5 license or Microsoft 365 E3 / Business Premium plus the Microsoft 365 E5 Compliance Add-on.

Scoping features to only be available for licensed users

To use a feature you must ensure that all users who may utilise that feature are licensed – this means that either the use of the feature must be scoped to only licensed users, all users must be licensed, or you must not use that feature.

So, if you had 1,000 users in your environment, 500 licensed with M365 E3 licenses, 500 licensed with M365 E5 licenses, then you would need to ensure that only those with the M365 E5 licenses were benefiting from your client-side automatic sensitivity label configuration.

This could be achieved using a group in which all staff with the M365 E5 license are included and then using that group to scope the M365 Sensitivity Label Publishing Policy such that the labels containing client side auto labelling features were only published to licensed users.

You might think ‘I already have such a group because I’m using group-based licensing’ but group-based licensing requires the group to be a “Security Group” whilst the M365 Sensitivity Label Publishing Policy will only accept a group of the “Microsoft 365 Group” type.

Let’s say you wanted to apply service-side automatic sensitivity labelling to SharePoint – to be compliant with the licensing you would need to be sure that no user only licensed with M365 E3 had access to a site that was in scope of this policy.

Worse, however, is the fact that some items cannot be scoped – AIP UL Scanner, for example, has no means by which it can understand whether a file to which it will apply a label automatically (if this is configured) is “owned” by a user who has an appropriate license to use the feature.

For this reason my recommendation is to only use features that all users are licensed to use.

How to control the scope of a feature's usage

When working out the scope in which to use different features in order to ensure you are compliant it’s important to understand how the different elements are scoped:

  • Label – scope here is document and / or email
  • Label Auto-Apply – client-side auto-apply is configured within the label, so it can only be scoped to specific users or groups indirectly, through the Publishing Policy that publishes the label
  • Label Publishing Policy – scope here is users and groups, but only up to 100 users or groups can be specified, or everyone.
  • Auto-Apply Policy – scope is locations including Exchange (choose users / groups), SharePoint sites (choose which sites), OneDrive (choose which accounts), further if you choose to specify which users / sites / accounts then each policy can only scope up to 100 of these or all.

Consider, for example, the organisation we mentioned earlier with its thousand staff. This organisation wants to create a label called “Confidential” to be applied to staff monthly One to One meeting records and Annual Performance Reviews stored in the user's OneDrive. It wants the label to be applied automatically at the service side for users with E5, and for users without E5 to apply the label manually to relevant content.

To do this it would have to create a label called “Confidential”, and then publish that label to users who have E3 for them to use. For the users with E5 it would create an auto-labelling policy. This cannot be done using a group to control scope, however, as Auto-Apply policies that target OneDrive are scoped using the relevant accounts, up to 100 at a time. So the organisation has to create five auto-apply policies and manually place 100 user accounts into each policy. Now imagine that a user gets uplifted from M365 E3 to M365 E5 – you need to remove that user from one policy, and add them to another… finding them will be a nightmare.

In practice an organisation is unlikely to use service-side auto-labelling in this scenario because of the challenges outlined above and the difficulty of telling different users to behave in different ways. Instead, it will publish the label to all users and ask all users to manually apply the label.

A similar scenario exists when attempting to scope auto-apply policies in relation to SharePoint sites.

The above has the effect that while it appears scoping to appropriately licensed users is possible, in practice it is not.
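The scoping problem described above can at least be made visible with an offline check. The following is an added example, not code from the original post or from Microsoft: it works over a constructed license export (the user names and SKU strings "M365_E3", "M365_E5" and "M365_E5_COMPLIANCE" are assumptions, not real SKU identifiers), flags accounts an auto-apply policy targets that have no automatic-labelling entitlement, splits eligible OneDrive accounts into policies of at most 100 accounts, and finds which policy currently lists a given user when their license changes.

```python
"""Offline audit of auto-apply policy scope against license assignments.

Constructed data only: the users, SKU strings and policy names below are
invented for this example and do not come from any real tenant.
"""
from itertools import islice

# Licenses the post names as covering automatic (client/service-side) labelling.
AUTO_LABEL_SKUS = {"M365_E5", "M365_E5_COMPLIANCE"}   # assumed SKU strings
MAX_SCOPE_PER_POLICY = 100  # per-policy cap on explicitly listed accounts

# Constructed license export: user principal name -> set of assigned SKUs.
USERS = {f"user{i:04d}@example.com": {"M365_E3"} for i in range(1000)}
for i in range(500, 1000):                      # 500 users on E5
    USERS[f"user{i:04d}@example.com"] = {"M365_E5"}
USERS["user0007@example.com"] = {"M365_E3", "M365_E5_COMPLIANCE"}  # add-on case


def licensed_for_auto_labelling(skus):
    """True when any assigned SKU carries the automatic-labelling entitlement."""
    return bool(skus & AUTO_LABEL_SKUS)


def unlicensed_in_scope(scoped_accounts, users=USERS):
    """Accounts an auto-apply policy targets that lack an auto-labelling SKU."""
    return sorted(u for u in scoped_accounts
                  if not licensed_for_auto_labelling(users.get(u, set())))


def plan_auto_apply_policies(users=USERS, cap=MAX_SCOPE_PER_POLICY):
    """Split eligible accounts into OneDrive auto-apply policies of at most `cap`."""
    eligible = sorted(u for u, s in users.items() if licensed_for_auto_labelling(s))
    it, policies = iter(eligible), {}
    while batch := list(islice(it, cap)):
        policies[f"Confidential-OneDrive-{len(policies) + 1:02d}"] = batch
    return policies


def find_policy_for(upn, policies):
    """Which policy currently lists this account (needed when a license changes)."""
    return next((name for name, accts in policies.items() if upn in accts), None)


if __name__ == "__main__":
    plan = plan_auto_apply_policies()
    print(len(plan), "policies needed for", sum(map(len, plan.values())), "accounts")
    print(find_policy_for("user0750@example.com", plan))
    print(unlicensed_in_scope(["user0001@example.com", "user0750@example.com"]))
```

With 501 eligible accounts the planner needs six policies rather than five, which is exactly the kind of drift (one add-on user, one uplift) that makes manually maintained scopes hard to keep compliant.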

There is a minimum requirement for use of manual sensitivity labels – you must have a business or enterprise version of Microsoft 365. So, for example, your users might be licensed with Microsoft 365 E3 or Microsoft 365 Business Premium – but there are other licenses that qualify you to use manual sensitivity labels too – I strongly recommend checking in the “Microsoft 365 licensing guidance for security & compliance” in the “Information Protection” section or looking in the “Microsoft 365 Comparison table” at the top of this article on the Microsoft website.


What to do with what licensing

In this section I want to summarise my thoughts on which features to use when you have what licenses.

  • If you have M365 Business Premium or M365 E3 for all your users:
    • Use manual labelling with mandatory and default labelling configured.
    • You’re not licensed for client-side or service-side auto labelling so don’t configure it.
    • You’re licensed for AIP UL Scanner but only to apply a single label across all your on-premises data.
  • If you have M365 Business Premium or M365 E3 for all your users and want to use automatic labelling:
    • Either move fully to M365 E5 or buy the M365 E5 Compliance Add-on
  • If you have M365 E5 for all your users:
    • You’re licensed to use all features discussed in this document including automatic labelling.
  • If you have a mixed environment with some M365 E5 but not all users licensed with M365 E5:
    • Use manual labelling with mandatory and default labelling configured.
    • You’re not licensed for all users for client-side or service-side auto labelling so don’t configure it.
    • You’re licensed for AIP UL Scanner but only to apply a single label across all your on-premises data.

Key Point

The key point of this whole blog is that you should use auto-labelling features of M365 only if you are licensed to use them. If you’re not, but want to use them, make sure you consider the cost/benefit before you buy the licenses. The license uplift cost is not trivial and implementing the features properly is not straightforward.

Where to find more on licensing

In this blog I have covered licensing for M365 Sensitivity Labels at a high level. Licensing is complicated and I don’t profess to be an expert or to think I’ve got it all 100% right. I strongly recommend checking in the “Microsoft 365 licensing guidance for security & compliance” in the “Information Protection” section or looking in the “Microsoft 365 Comparison table” at the top of this article on the Microsoft website to verify the situation in your environment.

Sensitivity labels can be a real benefit to an organisation’s information governance and information security posture. But equally they are complex to implement and there are a lot of design choices to make before you move to a pilot. If you have found this blog useful but feel you need some help with sensitivity labels or more generally the security and compliance of your Microsoft 365 environment please get in touch by emailing us at info@amdhservicesltd.com or give us a call on 01332 322 588.
