Sensitivity Labels: Default, Mandatory and Recommended Labels

Microsoft 365 Sensitivity labels are a great way to categorise and protect documents.

They allow a business to define different “sensitivity” levels and to associate those levels with visual markings so that others know what type of content a document contains. They can also provide some security around who can actually read and edit a document and, through integration with Microsoft 365 Data Loss Prevention, with whom the document can be shared.

For public sector organisations in the UK, sensitivity labels can be used as a tool to implement the controls required by the UKG Protective Marking Scheme.

This blog post is one of a series around using sensitivity labels. This one focuses in particular on what is meant by default labelling, mandatory labelling and recommended labels.

 

In the example screenshots below I have used the built-in labelling capability of the Office suite rather than the AIP UL Client. The experience is visually slightly different with the AIP UL Client but otherwise identical.

Licensing

Before explaining these features a little more, it’s worth touching on licensing. Which features are available depends on the license allocated to the user and on the maximum (most feature-rich) license available in the tenancy, as detailed below:

User License | Maximum License in Tenancy | Feature Availability
Microsoft 365 Business Premium / Microsoft 365 E3 | Microsoft 365 Business Premium / Microsoft 365 E3 | Default Labels, Mandatory Labels
Microsoft 365 Business Premium / Microsoft 365 E3 | Microsoft 365 E5 | Default Labels, Mandatory Labels, Recommended Labels (but not licensed to use)
Microsoft 365 E5 | Microsoft 365 E5 | Default Labels, Mandatory Labels, Recommended Labels

Mandatory Labelling

Mandatory labelling is configured in the Sensitivity Label publishing policy in Compliance Center. When the administrator has created a policy, chosen the labels to publish and who to publish the labels to, they are presented with a “Policy settings” screen:

[Screenshot: Configuration of a default label in sensitivity label publishing policy]

If the tickbox next to “Require users to apply a label to their emails and documents” is ticked, then when a user attempts to save a document or send an email they will be forced to choose a label before completing the action.

In practice, when sending an email, mandatory labelling looks as below:

[Screenshot: The prompt a user is shown upon trying to send an unlabelled email when mandatory labelling is enabled]

Notice that the label to be applied is not selected – you must select the label and choose apply before you can send the email.

In practice, when saving a Word document, mandatory labelling looks as below:

Again, notice that the label to be applied is not selected – you must select the label and choose apply before you can save the document. You cannot leave the label dialogue until a label has been selected – “None” is not an acceptable option.

Default Labelling

Default labelling is configured in the Sensitivity Label publishing policy in Compliance Center. When the administrator has created a policy, chosen the labels to publish and who to publish the labels to, and configured the “Policy Settings”, they are asked what default label to apply to documents, emails and Power BI, as shown below for documents.

[Screenshot: Configuring a default sensitivity label for documents]

The default setting is “None” but any of the labels included in the policy can be selected. I have selected the label “Internal Only” as the default label for email and documents in order to demonstrate what this looks like when working on email and documents.

In practice, when sending an email, default labelling looks as below:

[Screenshot: What the user sees in Outlook when default labelling for emails is enabled]

In practice, when saving a Word document, default labelling looks as below:

[Screenshot: What the user sees in Word when mandatory labelling is enabled and a default label has been defined for documents]

Note that the label’s application is not obvious to the user unless they click the “Sensitivity” button, and that the label is applied not when they send the email or save the document but from the moment the email or document is first created.

Note that even though a label has been pre-selected as default, you can choose to remove this label and apply another label, or no label at all.

Mandatory and Default Labelling

Default labelling is configured independently of mandatory labelling – so you can have default labels without mandatory labelling, or mandatory labelling without default labelling (in both cases as shown above).

It’s also possible to have mandatory labelling and default labelling both enabled.

This would mean that a label must be applied and that without any user interaction a label would be pre-selected. This has the advantage that a label will always be applied but a user does not need to think particularly about which label. However, because the user doesn’t need to think about which label, there is an increased likelihood of applying the wrong label to an email or document.

To configure this in the Sensitivity Label Publishing Policy, you would simply tick the box for mandatory labelling and choose the default label required for email, documents and/or Power BI.

I have ticked mandatory labelling and set the default label for both email and documents to “Internal Only” in order to demonstrate what this looks like when working on email and documents. The below example is from Word…

[Screenshot: What the user sees in Word when mandatory labelling is enabled and a default label has been defined for documents]

As you can see, in practice, creating and sending an email or creating and saving a document with both mandatory and default labelling enabled looks no different to doing so with just default labelling enabled.

The only time you would notice a difference is if you attempted to remove or “deselect” the default label, at which point you would see the message below:

[Screenshot: The message a user sees if they attempt to remove a sensitivity label when mandatory labelling is enabled]

Recommended Label

To configure Microsoft 365 to recommend a sensitivity label to a user based on the content of the email or document, an auto-labelling policy must be configured within the label definition.

This can be done either while initially creating the label or at a later date by editing the label within Compliance Center.

After the administrator has moved through the “Name & description” tab, the “Scope” tab, and the “Files & emails” tab, there are three sub-tabs – “Encryption”, “Content marking” and “Auto-labelling for files and emails”.

On the latter, there is a radio button to enable auto-labelling, after which you must define the match conditions and what action to take in the event of a match. The choices of action are “Recommend that users apply the label” or “Automatically apply the label”.

The difference between these two options is that one silently applies the label, while the other suggests to the user that the label should be applied but leaves the application of the label down to the user’s choice.

In the below example I have configured the label to be recommended if a document contains both a UK National Health Service Number and a UK National Insurance Number, AND it also contains a credit card number and a US bank account number.

Several things are worth pointing out here to avoid this not working:

  • A recommended label will not be recommended to the user for application to an email or document unless it has a higher priority than any default label configured.
  • Auto-Labelling can be configured (in that the menu options exist in Compliance Center) if you have Microsoft 365 Business Premium, Microsoft 365 E3 or Microsoft 365 E5, but in my testing I found that such a policy only works for the user (only shows the recommendations) if the user is licensed with Microsoft 365 E5.
  • Content matches are configured in groups – in the above example there are two sensitive info types within each group. If you select more than one sensitive information type within the same group then by default a match requires “All of these”; to match any one of them you must change this to “Any of these”.
  • Content matches are configured in groups – in the above example there are two groups – “UK Sensitive Info Types” and “Bank Information”. If you have more than one group then by default a match against each group is required due to the “AND” statement. To match either group change this from “AND” to “OR”.
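
The effect of those two defaults can be modelled in a few lines. This is an added illustration, not Microsoft's implementation or code from the original post: the label name “Confidential”, the numeric priorities (larger number meaning higher priority) and the detection results are assumptions made for the example.

```python
from dataclasses import dataclass

UK = frozenset({"UK National Health Service Number", "UK National Insurance Number"})
BANK = frozenset({"Credit Card Number", "US Bank Account Number"})

@dataclass(frozen=True)
class Group:
    name: str
    info_types: frozenset
    match: str  # "all" = "All of these", "any" = "Any of these"

    def matches(self, detected):
        hits = self.info_types & frozenset(detected)
        return hits == self.info_types if self.match == "all" else bool(hits)

@dataclass(frozen=True)
class Label:
    name: str
    priority: int   # assumption of this model: larger number = higher priority
    groups: tuple = ()
    join: str = "and"  # operator between groups: "and" or "or"

    def condition_met(self, detected):
        results = [g.matches(detected) for g in self.groups]
        if not results:
            return False
        return all(results) if self.join == "and" else any(results)

def recommend(label, default_label, detected):
    """Return the label name that would be recommended, or None."""
    if not label.condition_met(detected):
        return None
    # Pitfall from the first bullet: the label must outrank the default label.
    if default_label is not None and label.priority <= default_label.priority:
        return None
    return label.name

def build(match, join, priority=2):
    groups = (Group("UK Sensitive Info Types", UK, match),
              Group("Bank Information", BANK, match))
    return Label("Confidential", priority, groups, join)  # constructed label name

DEFAULT = Label("Internal Only", 1)
STRICT = build("all", "and")    # defaults: "All of these" + AND
RELAXED = build("any", "or")    # after the change: "Any of these" + OR

if __name__ == "__main__":
    doc = {"UK National Insurance Number"}  # constructed detection result
    print("strict :", recommend(STRICT, DEFAULT, doc))
    print("relaxed:", recommend(RELAXED, DEFAULT, doc))
```

With the defaults, a document must contain all four sensitive info types before anything is recommended; with “Any of these” and “OR”, a single match is enough.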

It’s also worth noting here that if there are DLP policies that also match the document the user is working on, then Office (e.g. Word) can get confused and, instead of displaying the policy tip and a button to apply the recommended label, it may merely show “Policy Tip: Default Text”, which isn’t very helpful. Careful planning is required…

Consequently, a better configuration for my auto-labelling would be as shown below:

[Screenshot: Configuration of auto-labelling in the sensitivity label configuration with OR and "Any of these" configured]

When a user creates or edits a document, Office evaluates the content of the document for matches to the auto-label policy and, if a match is found, the user will see a Policy Tip as shown below:

[Screenshot: User using Word when it detects some sensitive information and recommends the user should apply a label]

As you can see here – two buttons are provided for the user to take action with.

  • The first is “Apply Sensitivity” which simply applies the recommended label to the document.
  • The second is “Show sensitive content”, which highlights where in the document the matched content is found and what the match was, and allows you to delete and replace the matched content with the word “removed”.

Since it is only a recommendation, it is possible to simply ignore it or click the X on the right to get rid of the message.

Best approach – introduce with care

In a future blog I will write more about introducing sensitivity labels as part of an organisation’s information governance and protection policy, but for now I simply want to say that, used appropriately and introduced with care, sensitivity labels can be a real benefit to an organisation. Establishing a common baseline level of protection using Default Labelling combined with Mandatory Labelling is a great solution, and using Recommended Labels through an auto-labelling policy is a great way to increase the protection for specific types of content when required.

Building a workable solution using sensitivity labels, however, is not straightforward and needs to be properly planned before users have to interact with the solution. If you want to talk more about how you might leverage them as part of a broader information governance and protection strategy, please get in touch by emailing us at info@amdhservicesltd.com or give us a call on 01332 322 588.
