Don’t Delete Office 365 Sensitivity Labels

Posted on by Tony Redmond

Gradual Roll-Out of Office 365 Sensitivity Labels

Azure Information Protection (AIP) labels have been available for several years. Office 365 Sensitivity Labels are gradually replacing AIP labels for the protection of Office 365 content. The process takes time because it involves encryption, so careful planning is necessary. I expect that Office 365 sensitivity labels will become a lot more popular when the Office applications support native protection. In other words, you won’t need to deploy the Azure Information Protection client to workstations if all you need to do is protect content stored inside Office 365 locations (SharePoint Online, OneDrive for Business, Teams, and Exchange).

Two versions of the AIP client are currently available. You need to use the unified labeling version with Office 365 sensitivity labels.

Publication Makes Labels Visible

When Sensitivity Labels are defined in a tenant, they are published to clients through label policies. Applications that understand how to apply protection check for and download policy updates regularly (every four hours in the case of the Office applications). Once a label policy is available, clients can unpack it to discover what labels are available to the signed-in user. Those labels can then be applied using the Sensitivity button in the toolbar. The current version of the AIP client also adds a protection infobar. In Figure 1, you can see the Sensitivity button and the infobar, which tell us that the Extraordinary label is applied to the document.

A Sensitivity Label protects content in a Word document Sensitivity labels
Figure 1: An Office 365 Sensitivity Label protects content in a Word document

Removing a Label

Creating and publishing sensitivity labels is easy. But what happens if you make a mistake and want to remove a label? You could delete the label from Office 365. The deletion removes the label from label policies and clients won’t know that the label exists. This is an acceptable action when the label has not been applied to protect documents, but it’s problematic for protected content. The metadata for the label remains in the document. You know this because if you set another label, you might be asked to provide a justification if the new label has a lower priority. However, because the published policies hold no trace of the label, applications don’t know how to handle the label and the protection on the file reverts to “Not Set” (Figure 2).

A deleted Office 365 Sensitivity Label causes the client to report "Not Set" Sensitivity labels
Figure 2: A deleted Office 365 Sensitivity Label causes the client to report “Not Set”

Remove from Publishing Policies

By comparison, if you remove the label from policies, Office 365 still includes the label information in the policies and clients will still be able to resolve the label. However, users won’t see the label in the list of labels they can apply. This is a much better situation to be in because you can always restore the label to full use if you want or keep it in a visible but disabled state through non-publication.

For more information about Office 365 Sensitivity Labels, read Chapter 24 of the Office 365 for IT Pros eBook.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.