Office 365 Sensitivity Labels: Auto-Label and Updated Client

More Progress towards Enabling Sensitivity Labels

Along with announcing its intention to include licenses for Information Protection in Office 365 E3 and E5 plans, Microsoft made further progress to encourage widespread use of Office 365 sensitivity labels by upgrading policies to include some auto-label capabilities and shipping an update for the “unified labeling” preview for the Azure Information Protection (AIP) client.

The biggest barrier for adoption for sensitivity labels today is lack of support in Office apps (desktop, mobile, and online) for the labels. To bridge the gap until General Availability (expected later this year), Microsoft released a different version of the Azure Information Protection client. The “unified labeling” version reads label and policy information from Office 365 (sensitivity labels and policies are found in the Security and Compliance Center) instead of Azure. The unified labeling client has just been updated and can be downloaded here.

Some Work Still to do for Sensitivity Labels

Unified Labeling client installs a Sensitivity button in the Office desktop apps
Sensitivity button in Word

The preview of the unified labeling client (V2.0.747.0 ) only works for Windows workstations. When installed, the unified labeling client adds a Sensitivity button to the Office desktop apps. By comparison, the regular version of the AIP client adds a Protect button. Both buttons serve the same function. They display a list of all the labels available to the user (from all applicable policies) to allow them to select which label to apply to a message or file.

Long term, the Office apps will have native (in-built) support sensitivity labels and you won’t need to deploy any other software to apply labels and have them mark and protect (encrypt) content. The idea is that you should be able to apply labels to Exchange Online messages (with OWA and Outlook) and files stored in SharePoint Online and OneDrive for Business.

I also expect Microsoft to overhaul the the limited (and old) support for rights management in SharePoint Online to make it easier for site owners to apply default labels. Some work also needs to be done to update the SharePoint Online and OneDrive for Business web apps to allow users to apply sensitivity labels, probably in much the same way as they can apply retention labels today.

Once sensitivity labels are fully deployed inside Exchange Online and SharePoint Online, it is reasonable to anticipate that Microsoft to enable support for sensitivity labels to other Office 365 apps.

Because Office 365 sensitivity labels and Azure Information Protection labels share common underpinnings, sensitivity labels can also be applied to files outside Office 365, in which case they act like AIP labels.

Auto-Label Settings for Sensitivity Labels

Office 365 administrators are used to the concept of using auto-label policies to assign retention labels to content discovered by background processes to match conditions set in a policy. Sensitivity labels have their own take on auto-labeling. Briefly:

  • Auto-label conditions are set for a label instead of by policy.
  • Matching is only possible against Office 365 sensitive data types. Auto-label policies for retention labels can also match against keywords.
  • Applications that support sensitivity labels action the label settings when they detect matches. For instance, if you create a Word document and include a credit card number, the match is detected when the document is saved and the (AIP) client executes the auto-label action. In the example below, the action is to apply the label.
Setting auto-label conditions for an Office 365 sensitivity label
Setting auto-label conditions for an Office 365 sensitivity label

This form of auto-labeling has been supported by AIP labels for a couple of years, so its appearance inside Office 365 is evidence of the work going on to create functional equivalence between AIP and sensitivity labels.

Note that auto-label is a premium feature that requires Azure Information Protection P2 licenses. In the world of Office 365, it’s likely that access to this functionality will be controlled by the new Information Protection for Office 365 -Premium licenses in Office 365 E5 or the Advanced Protection and Compliance SKU.

Need more information about Sensitivity Labels and Encryption through rights management in Office 365? Head over to the Office 365 for IT Pros eBook and read Chapter 24!

2 Replies to “Office 365 Sensitivity Labels: Auto-Label and Updated Client”

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.