According to Microsoft 365 notification MC736438, Microsoft is getting tougher at enforcing the rules for Purview information protection licenses. In a nutshell, if administrators and end users don’t have premium licenses, features like automatic labeling policies or default sensitivity labels for document libraries won’t work. Users can still apply sensitivity labels manually.
The use of Information Protection sublabels is one of the questions for teams implementing sensitivity labels in Microsoft 365 tenants. Some like the granular appearance of sublabels and consider them a valuable guide to assist users to pick the most appropriate label. Others prefer a simple list of sensitivity labels. Both approaches work well. It’s up to you to decide.
If conditional access policies impose MFA for all cloud apps, it gives external users a problem when they use Outlook desktop to read protected email. The issue arises because Outlook can’t satisfy the MFA challenge and therefore can’t obtain a use license to decrypt the content. It’s an example of how two good parts of the Microsoft 365 ecosystem clash.
The need to find SharePoint documents with sensitivity labels might arise during a tenant divestiture to decrypt the documents before the split. As it turns out, searching against the SharePoint InformationProtectionLabelId property is a good way to find the files. After that, the need arises to decrypt the documents, which is where Microsoft Purview eDiscovery (premium) might come in handy.
After discussion in 2022 about potential vulnerabilities in the AES128-ECB cipher used by Microsoft Information Protection (MIP), an August upgrade enables AES256-CBC protection for sensitivity labels and other MIP components. Some care is needed to make sure that Exchange Server and other on-premises solutions work properly with the new cipher, but transition for Microsoft 365 tenants should be seamless.
Planning the introduction of sensitivity labels for meetings means that you pay attention to label scoping and naming. Having too many meeting labels will confuse users and the same will happen if the label display names don’t convey their purpose. This article explains some simple steps to take to make sure that your meeting labels work well.
Outlook users can now apply sensitivity labels for meetings to protect the information contained in the meeting body and attachments. Outlook desktop and OWA clients can apply sensitivity labels to meetings. Outlook Mobile clients can process protected meetings and view the meetings in the calendar, but the protected meeting content (the body) is unavailable because it is encrypted.
Microsoft has announced the retirement of the unified labeling client on April 11, 2024. The client, also known as the AIP add-on for Office, went into maintenance mode on January 1, 2022, so it’s unsurprising that this development should happen. Users get better functionality by using the built-in information protection features in the subscription versions of Office, so there’s no real need to keep the unified labeling client around – apart from migrating users, that is.
The unified audit log contains records generated when users and applications apply sensitivity labels to emails and documents. This article explains how to use PowerShell to retrieve the data and create a report to help tenant administrators understand the usage of sensitivity labels.
Microsoft is rolling out the public preview of the ability to set a default sensitivity label for SharePoint Online document libraries. This is likely to be a premium feature when it is generally available. For now, Office documents are supported, but Microsoft promises to support PDFs in the future.
Some recent announcements will make it much easier to work with PDFs protected with sensitivity labels. Adobe is now bundling the MIP plug-in with the Acrobat installer and has plans to allow users to apply sensitivity labels within Acrobat. But the big news is the change in Office applications to generate protected PDFs when saving, exporting, or sharing protected documents, spreadsheets, and presentations.
Microsoft is introducing new controls for delegate access to encrypted emails accessed via Outlook clients other than Outlook for Windows. The controls are implemented in three new PowerShell cmdlets which can block, validate, and allow delegate access to encrypted messages. It’s nice to see some coherence being introduced for almost all the Outlook clients, even if Outlook for Windows does its own thing.
A new sensitivity label setting is available (in preview) to control site sharing permissions for SharePoint Online sites. The new setting is an advanced setting, meaning that it can only be set using the PowerShell Set-Label cmdlet. It’s a welcome addition to the control sensitivity labels can exert over containers.
Microsoft has a preview of co-authoring support for protected documents edited on iOS and Android devices. It’s possible that you will never need to use the feature, but you’ll be glad that it exists if you do. In other mobile news, the Teams mobile client now includes calendar items in its search results.
Delegates often process Outlook email for others. It’s a feature that works well. That is, until protected email arrives. Delegates shouldn’t be able to read protected email in other people’s mailboxes. But some versions of Outlook allow this to happen. If you want to be sure that delegates can’t access protected email, maybe you should consider using a dual-mailbox approach.
SharePoint Online and OneDrive for Business will soon gain the ability to apply default sensitivity labels to document libraries. The feature is currently in preview and requires some complicated PowerShell to configure, but Microsoft is working on the GUI and expects to make the capability generally available later this year.
Office 365 Message Encryption protection is not available for messages sent to dynamic distribution groups. It’s all to do with rights management licensing. However, if you need to protect messages sent to dynamic distribution groups, for instance to make sure that confidential messages are inaccessible to external recipients, use a sensitivity label instead and assign the special tenant-wide permission to recipients.
Auto-label retention policies find items in Microsoft 365 locations and apply retention labels to those items. In this article, we explain the steps involved in creating an auto-label retention policy to look for items with sensitivity labels and apply retention labels to those items.
In a surprising December 21 announcement, Microsoft put its Information Protection labeling client into maintenance mode effective January 1, 2022. Making an announcement as the IT industry was closing down for the holiday period is no good way to make certain customers learn about a development, and it’s curious that Microsoft left it until nine days before the client entered maintenance mode to let people know.
A change in how Office apps apply mandatory labeling as dictated by sensitivity label policies means that both new and old documents are processed. New documents have always been dealt with; the change being made ensures that Office apps detect the lack of a label when opening an existing document and will apply mandatory labeling at that point. It’s a change to help customers move on from the unified labeling client.
The Office 365 for IT Pros team will be at the European Collaboration Summit (ECS) in Dusseldorf. Come to listen to Tony talk about sensitivity labels on Tuesday or Paul discuss tenant to tenant migration on Wednesday. ECS is a great community-led event that’s well worth attending if you find yourself in Europe and have the ability to travel to Germany. Don’t forget your mask!
A recent conversation in the Microsoft Information Protection (MIP) community on Yammer about deleted templates led to a discussion about how this might affect users, like those who apply sensitivity labels with encryption to protect documents in SharePoint Online or email in Exchange Online. As it turns out, MIP has a backstop or get out of jail free card, but to understand how it works, you need to understand a little bit about publishing licenses and use licenses. We explain what happens in this article.
A preview for sensitivity labels shows how they can use Azure AD authentication contexts and conditional access policies to protect SharePoint Online sites. Although you can link conditional access policies to sites with PowerShell, it’s a lot easier to make the connection through sensitivity labels. Any SharePoint Online site which receives a label configured with an authentication context automatically invokes the associated conditional access policy to protect its contents.
New PowerShell commands for sensitivity labels can configure default sharing link settings for SharePoint Online sites. Any site assigned a label configured for default sharing links inherits those settings within 24 hours. Also available is the ability to apply default sharing link settings on a per-document basis.
Licensing is everyone’s favorite topic. Combine it with information protection and governance and people’s eyes glaze over. Even so, it’s important to know what information protection and compliance features need which licenses as you don’t want to get into a position where something stops working because Microsoft enables some code to enforce licensing requirements. This post covers the basics of licensing and how Microsoft differentiates between manual processing and automated processing when deciding if a feature needs a standard or premium license.
OneDrive for Business now stores Teams meeting recordings. You can protect files with sensitivity labels, but does this have any side effects for Teams? As it turns out, it does because the protective wrapper which encrypts the recording breaks the link to Teams. This might not be important if you need to protect a confidential recording and restrict access to a known set of users, but it’s something to consider before applying any labels.
Audit records are a great way to gain an understanding of what happens inside Office 365. We use PowerShell to report actions taken with sensitivity labels such as protecting files and containers. The latest development is the addition of support in the Microsoft 365 apps for enterprise (Office desktop) to log audit events when users interact with sensitivity labels. Unsurprisingly, more events are often logged by the desktop apps than their online equivalents.
The container management settings of sensitivity labels can now manage the external sharing capability of SharePoint Online team sites. The same settings as available in the SharePoint admin center or PowerShell can be applied through a label. Caching means that new settings in a label might not be picked up by SharePoint Online for up to 24 hours.
The latest version of the Edge Chromium browser can read files protected by Office 365 sensitivity labels stored in SharePoint Online and Exchange Online. This might not be the feature that causes you to dump Chrome, but it’s very useful when your tenant uses sensitivity labels.
Power BI support for Office 365 sensitivity labels is now generally available. Inside Power BI, the labels are visual markers. Encryption is applied when Power BI objects are exported. The interesting thing is that the user who exports content doesn’t have the right to change the label.
A recent Teams Live Event hosted by Microsoft’s Information Protection team discussed the automatic assignment of sensitivity labels to SharePoint Online and OneDrive for Business content. A preview is now available and Microsoft hopes to make this functionality available at the end of March 2020. You’ll need Office 365 E5 or Microsoft 365 E5 licenses.
Microsoft retracted the announcement of the deprecation of the classic Azure Information Protection client and label management in the Azure portal. Office 365 sensitivity labels have taken over from AIP clients in most tenants, so the impact of this change is limited. However, if you still need to use an AIP client, you should move to the unified version.
Outlook for iOS and Android now support marking and encryption of email with Office 365 Sensitivity Labels. Sensitivity labels can now be applied through Office ProPlus, OWA, and Outlook mobile. All that really remains to achieve full coverage for sensitivity labels across Office 365 are the Office Online and SharePoint/OneDrive browser interfaces. In other news, Outlook Mobile also supports S/MIME.
Microsoft Cloud App Security (MCAS) can integrate with Azure Information Protection to allow automated policy-driven application of Office 365 sensitivity labels to Office documents and PDFs. You can depend on users to apply labels manually as they create documents, but it’s easy for humans to forget to add protection where a computer won’t. You’ll pay extra for MCAS, but it could be worthwhile.
The process of introducing Office 365 sensitivity labels to a tenant can be long and complicated because of the need to plan how to manage encrypted content. As you go through the process, don’t delete labels if they’ve already been used to protect content. Instead, remove them from the label policies used to publish information to clients. The labels will then remain intact in documents and other files.
Microsoft released an update for the unified labeling version of the Azure Information Protection client needed for Office 365 sensitivity labels, which now boast auto-label support. Solid progress is being made to move sensitivity labels to the point where they are considered to be generally available, probably later this year. In the meantime, pay attention to the premium features like auto-label which require more expensive licenses.
Microsoft announced that the Office 365 E3 and E5 plans will receive new Information Protection licenses. They’re preparing for the introduction of sensitivity labels and the increased use of encryption to protect access to content in Office 365 apps like SharePoint Online, Exchange Online, OneDrive for Business, and Teams. You don’t have to do anything to prepare for the new licenses, but it’s nice to know what they are and how the licenses are used.
Microsoft has released details of an Exchange Online transport rule to encrypt outbound email containing sensitive data types like credit card numbers. The rule works (after fixing the PowerShell), but needs to be reviewed and possibly adjusted to meet the needs of Office 365 tenants.
The Microsoft-Adobe initiative to support Azure Information Protection for PDF files has reached general availability. Things look good and the issues encountered in the preview are removed. You can store protected PDFs inside Office 365, but be prepared to download the files to be able to view them.
The availability of Azure Information Protection and Office 365 sensitivity labels allows tenants to protect important and confidential files. That’s nice, but it’s even better when you know what files are protected. Here’s how to use PowerShell to create a report about those files.