Sensitivity Label Support for SharePoint Online and OneDrive for Business
Updated August 15, 2022
Every Microsoft Purview sensitivity label has a priority order to indicate its level of sensitivity. A sensitivity label mismatch occurs when users upload Office documents or PDFs with sensitivity labels to SharePoint Online sites that have lower priority labels. Mismatches also occur when users update Office documents or PDFs stored in SharePoint Online and change the sensitivity label assigned to the files with one that has a higher priority than the label assigned to the site.
Microsoft recently made support for sensitivity labels in SharePoint Online and OneDrive for Business generally available. This is an important step forward because it allows SharePoint to index content protected by encryption applied by sensitivity labels. The indexed content then becomes available to Data Loss Prevention policies, content searches, and so on.
The integration of sensitivity labels with SharePoint Online is optional and must be enabled for a tenant on an opt-in basis. Afterwards, users can apply, remove, or change sensitivity labels on documents using the SharePoint Online and OneDrive for Business browser interface or through the Office Online apps. Sensitivity labels can be applied by users, by default labels set in label publishing policies, or by a default sensitivity label assigned to a document library.
Audit Events Captured
Events for these actions are captured by SharePoint Online and ingested along with other SharePoint events into the Office 365 audit log. These events are:
- SensitivityLabelApplied: A label is applied to a SharePoint site.
- FileSensitivityLabelApplied: An Office Online app applies a label to an Office document.
- FileSensitivityLabelChanged: An Office Online app changes the label on a file (upgrade or downgrade).
- FileSensitivityLabelRemoved: An Office Online app removes a label from a file.
- DocumentSensitivityMismatchDetected: A mismatch is detected because the sensitivity label applied to a document is higher than the level of sensitivity applied to the site where the document is stored. For instance, the site is labeled “Confidential” and a user uploads a document assigned the “Super Confidential” label to the site.
Currently, no events are captured when users apply sensitivity labels through other interfaces like Outlook or OWA.
Sensitivity Label Mismatch Email Notifications
When a mismatch occurs, SharePoint Online captures an audit record and sends an “Incompatible sensitivity label detected” email notification to the person who uploaded the document. The notification contains details of the document which caused the problem and the labels assigned to the document and to the site (Figure 1). It’s up to the person who receives the notification to resolve the issue. Given that they uploaded the document, they should know its true sensitivity. If necessary, they can change the sensitivity label assigned to the document and upload it again.
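The notification goes only to the uploader, so an administrator who wants an overview of the five audit events listed above, and of which sites attract mismatches, has to read the audit log. The script below is an added example written for this article; it is not code from the original post or from Microsoft. It assumes the Exchange Online Management module is installed and that the signed-in account holds an audit-reading role. The cmdlets (Connect-ExchangeOnline, Connect-IPPSSession, Get-Label, Search-UnifiedAuditLog) and the top-level audit record properties are real; the AuditData property names used to pull label identifiers out of the JSON, in particular the ones read for DocumentSensitivityMismatchDetected, are assumptions that should be checked against one raw record from your own tenant before the report is trusted.

```powershell
# Added example, not from the original article: report sensitivity label audit events
# from SharePoint Online and summarise DocumentSensitivityMismatchDetected by site.
# Assumes: Exchange Online Management module installed; account can read audit logs.

Connect-ExchangeOnline -ShowBanner:$false
Connect-IPPSSession -ShowBanner:$false      # Security & Compliance endpoint, needed for Get-Label

$Operations = @(
    "SensitivityLabelApplied",
    "FileSensitivityLabelApplied",
    "FileSensitivityLabelChanged",
    "FileSensitivityLabelRemoved",
    "DocumentSensitivityMismatchDetected"
)

# Map label GUIDs to display names so the report is readable; Get-Label also exposes
# Priority, which is the order the article describes (higher number = more sensitive).
$LabelNames = @{}
Get-Label | ForEach-Object { $LabelNames[$_.ImmutableId.ToString()] = $_.DisplayName }

function Resolve-LabelName {
    param([string]$LabelId)
    if ([string]::IsNullOrEmpty($LabelId)) { return "(none)" }
    if ($LabelNames.ContainsKey($LabelId)) { return $LabelNames[$LabelId] }
    return $LabelId                          # unknown GUID: show it rather than hide it
}

# Pull the last 30 days. ReturnLargeSet pages 5000 records at a time under one session id.
$Start     = (Get-Date).AddDays(-30)
$End       = Get-Date
$SessionId = "LabelAudit-" + (Get-Date -Format "yyyyMMddHHmmss")
$Records   = @()
do {
    $Batch = Search-UnifiedAuditLog -StartDate $Start -EndDate $End -Operations $Operations `
        -SessionId $SessionId -SessionCommand ReturnLargeSet -ResultSize 5000 -Formatted
    if ($Batch) { $Records += $Batch }
} while ($Batch)

# Flatten each record. ASSUMPTION: label GUIDs live under SensitivityLabelEventData
# (SensitivityLabelId / OldSensitivityLabelId) for the file and site label events, and the
# mismatch event carries the site's label as well; verify with one record's AuditData.
$Report = foreach ($Rec in ($Records | Sort-Object Identity -Unique)) {
    $Data = $Rec.AuditData | ConvertFrom-Json
    [PSCustomObject]@{
        Time      = $Rec.CreationDate
        Operation = $Rec.Operations
        User      = $Rec.UserIds
        File      = $Data.SourceFileName
        Site      = $Data.SiteUrl
        Label     = Resolve-LabelName $Data.SensitivityLabelEventData.SensitivityLabelId
        OldLabel  = Resolve-LabelName $Data.SensitivityLabelEventData.OldSensitivityLabelId
        SiteLabel = Resolve-LabelName $Data.SiteSensitivityLabelId   # assumed field name
    }
}

# Sites that repeatedly trigger mismatches are candidates for a higher site label or for
# moving the sensitive material to a site with restricted membership, as the article advises.
$Mismatches = $Report | Where-Object { $_.Operation -eq "DocumentSensitivityMismatchDetected" }
Write-Host ("{0} label events, {1} mismatches in the last 30 days" -f $Report.Count, $Mismatches.Count)
$Mismatches | Group-Object Site | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# Full detail for follow-up with the uploaders named in the notifications.
$Report | Sort-Object Time | Export-Csv -Path .\SensitivityLabelAudit.csv -NoTypeInformation
```

The GUID-to-name map matters because audit records identify labels only by identifier; without it, a mismatch row tells you nothing about which label outranks which. The Priority value returned by Get-Label can be used to confirm the direction of a reported mismatch (document label priority above site label priority) if the field names in your tenant's records differ from the assumed ones.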
Handling Confidential Material
Even if it leads to a sensitivity label mismatch, it’s entirely possible that it’s OK to store a highly sensitive document in a site labeled with a lower level of sensitivity. Labels created to protect highly sensitive content usually restrict the rights to interact with documents to a limited set of users. It might be desirable to prevent some people with access to the site (like guest accounts) from opening a document assigned a highly sensitive label. However, this should be an exception. It’s good practice to only store documents in sites that are accessible to all members of the site unless good reasons exist to restrict access to some documents to a subset of site members. In these situations, it’s best to store the sensitive material in another site with restricted membership, such as a site belonging to a private Teams channel.
Mastering the detail of what happens inside Office 365 is important for tenant administrators. Shouldn’t you subscribe to the Office 365 for IT Pros eBook?