OWA Embraces Office 365 Sensitivity Labels

Bit by Bit, Office 365 Sensitivity Labels Reaching Applications

On September 24, I published an article about the support of Office 365 Sensitivity Labels in the Office ProPlus for Windows desktop apps. At the time, I noted that Microsoft still had work to do to add support for sensitivity labels to the Office online apps, including OWA. Microsoft had published Office 365 notification MC191074 to say that Office 365 tenants now with worldwide roll-out complete by the end of October. Well, OWA “manual” support for Office 365 Sensitivity Labels has turned up in my tenant to satisfy roadmap item 44921.

Manual Labeling

Manual support for Office 365 Sensitivity Labels means that OWA users must decide what messages to label and the labels to assign to messages. Automatic labeling is what happens today with Office 365 retention labels when conditions in a policy control what items labels are applied to by a background process. Similar facilities are likely for sensitivity labels in the future.

Apply Sensitivity Labels in the OWA New Message Window

Because OWA runs in online mode, it always uses the current set of sensitivity labels published for a user. This doesn’t mean that a new or updated label is available to OWA immediately a change is made. The Security and Compliance Center must publish the change to all Office 365 workloads and clients. It can therefore take some time before a change is available to OWA.

The Sensitivity button is available as an option in the OWA new message window. After a label is applied to a message, its name is shown in the banner above the message recipients. In Figure 1 we can see that the selected label invokes encryption because of the padlock icon beside the label name. A label that only applies marking or does nothing but act as a visual indicator uses a plain label icon.

OWA applying an Office 365 Sensitivity Label to a new message
Figure 1: Applying an Office 365 Sensitivity Label to a new message

OWA also displays these icons for labelled items in the read message window. Like Outlook, the protection applied to a message also applies to any of its attachments

Labeling Replies

Sensitivity labels can also be applied to replies to messages that aren’t previously labelled. In this case, the Sensitivity option to apply a label is in the […] menu of the reply message window (Figure 2).

OWA applying an Office 365 Sensitivity Label to a reply
Figure 2: Applying an Office 365 Sensitivity Label to a reply

When you assign a sensitivity label to a reply, it does not apply to the previous messages in the thread. However, Exchange automatically assigns the same label to future messages in the thread.

Encrypt-Only and Do Not Forward

The default Office 365 Message Encryption Encrypt-Only and Do Not Forward templates can also be used to protect messages with OWA. Click the […] menu and you’ll find Encrypt in the list of menu choices. Using these templates for protection does not assign a sensitivity label to the protected messages.

Still Work to Do

Now that OWA supports Office 365 Sensitivity Labels, it’s reasonable to expect that the other Office online apps will offer support soon. After that, eyes will turn to the SharePoint Online and OneDrive for Business browser interfaces to see how Microsoft will introduce sensitivity label support there.


For more information about Office 365 Sensitivity Labels and the underlying Azure Information Protection technology, read Chapter 24 of the Office 365 for IT Pros eBook.

10 Replies to “OWA Embraces Office 365 Sensitivity Labels”

  1. It is a very advantageous post for me. I’ve enjoyed reading the post. It is a very supportive and useful post. I would like to visit the post once more of its valuable content. Thanks for sharing this blog.

  2. Anyone have an idea why the Sensitivity labels in OWA are not subject to the AIP settings in the Security & Compliance Center or in the Azure Portal? I have the setting turned on that requires every document and email message to have a default label (we call ours “Business General”), but no default label is being applied to anyone using OWA for users across my organization.

  3. I have come across a strange issue in testing this. I have a default label which is set for internal (tenant) users only. When I send an email with this label applied to another internal user, when that user opens the email in OWA and clicks reply or forward, sometimes they see an option above the reply address to remove encryption. Other times they do not see this. It’s extremely random. I’d like the remove encryption option to be always available, but in my testing so far I’ve been unable to figure out why it sometimes appears and sometimes doesn’t.

    1. This is a custom sensitivity label? Does the same thing happen with one of the two default OME labels (Do Not Forward and Encrypt-Only)? I have never seen this happen and can’t reproduce it, so I would report the problem to Microsoft.

      1. Yes it’s a custom sensitivity label. I can’t recreate the conditions with the Do not Forward label thus far. Will keep playing, and also report to Microsoft as you suggest. Thank you.

  4. Is this now also possible in Word Online & co.? I Cant see it even if im in early update chanel with my tenant.
    Regards

    1. Microsoft has a preview for support of sensitivity labels in the Office Online apps. It works very well. You should see it in general availability soon.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.