Preparing for Office 365 Sensitivity Labels
Microsoft’s 15 February announcement (MC173614) that they are updating the Office 365 E3, E5, and Advanced Protection and Compliance SKUs to include new Information Protection service plans might have surprised some. After all, Office 365 E3 and E5 tenants are already automatically enabled for rights management and can use the feature to protect email and documents.
What’s happening is that Microsoft is clearing the decks to prepare for the general availability of Office 365 sensitivity labels and the predictable rise in interest about protecting Office 365 content, especially that stored in Exchange Online, SharePoint Online, and OneDrive for Business. It’s also likely that Microsoft will extend the reach of sensitivity labels to other Office 365 apps, including Teams.
Azure Information Protection Licenses
Today, a lacuna exists in licensing terms. Azure Information Protection (AIP) is the technology built on top of rights management. AIP labels can apply protection (encryption) or just mark content (for instance, with a footer). AIP labels can be used to protect content stored inside Office 365, but no integration exists between these labels and Office 365 apps because the predominant use of AIP labels is to mark content stored outside Office 365.
To use AIP labels to protect content, you need an AIP license. The license comes in two forms – standard and premium. The premium license covers automatic labeling, where applications like Word and Excel can apply labels based on content detected in files. Sensitivity labels support automatic labeling (enabled in the latest preview of the AIP client), and I anticipate that this will be a premium feature.
Clarifying Office 365 Licensing
Up to now, it has been assumed that because Office 365 E3 and E5 tenants are automatically enabled for rights management, their existing licenses cover protection applied by sensitivity labels. The new licenses clarify the matter. Although Microsoft’s announcement isn’t clear on the point, it seems logical that Office 365 E3 will include Information Protection for Office 365 – Standard in its list of service plans and Office 365 E5 will include Information Protection for Office 365 – Premium. This approach clarifies the licensing issue and allows for premium features like automatic labeling to be restricted to the higher Office 365 E5 plan.
Because Information Protection is a separate service plan within a SKU (like Yammer or To-Do), you will be able to selectively enable or disable it for users. For instance, you might not want some people to apply sensitivity labels until they receive training and understand how protection works.
You don’t have to do anything to prepare for the change. The new service plans will turn up in March and once they appear in your tenant, you can enable or disable Information Protection for accounts through the Office 365 Admin Center or PowerShell.
For more information about Information Protection, read Chapter 24 of the Office 365 for IT Pros eBook. There’s lots of stuff there about encryption, rights management, templates, and AIP.