Sensitivity Labels Spreading Across Office 365
Sensitivity labels are rapidly spreading across Office 365 workloads. They are now supported by:
- Office desktop applications.
- Office online applications.
- Office mobile applications (Outlook mobile can read protected messages but can’t yet apply a sensitivity label to new messages).
- SharePoint Online and OneDrive for Business.
- Container management for Microsoft 365 Groups, Teams, and SharePoint Online sites (the data inside the container isn’t protected, but settings for the containers are).
New features, like the Content Explorer in the Microsoft 365 Compliance Center, help compliance administrators understand the effectiveness of their labeling strategy. Overall, the signs are that the ecosystem surrounding sensitivity labels is gradually building out.
Gaps still exist. You can’t use sensitivity labels to protect Teams messages (although the files that Teams stores in SharePoint Online and OneDrive for Business can be protected). Nor can you use sensitivity labels with Planner, Stream, or Yammer.
Power BI Support for Sensitivity Labels
An integration announced at Ignite 2019, and now generally available, supports the application of sensitivity labels to Power BI objects. I suspect that this won’t affect many Office 365 users, but it is the closing of another small gap.
Labels are Visual Labels Inside Power BI
Some points to remember about using sensitivity labels with Power BI include:
- The integration must be enabled for the tenant (Figure 1). You can enable support for all users or just selected groups.
- Users must have Power BI Pro licenses to apply sensitivity labels. Power BI Pro is included in Office 365 E5.
- Labels can be applied to reports, dashboards, datasets, and dataflows by editing item settings (Figure 2). They can’t be applied to template apps.
- Power BI doesn’t support sensitivity labels in the government or sovereign clouds.
- The Do Not Forward label isn’t supported, nor are labels with user-defined permissions or those depending on HYOK (Hold Your Own Key). In other words, your tenant must use a Microsoft-managed key.
- Sensitivity labels are visible in dashboards and when viewing Power BI objects. However, sensitivity labels with encryption do not encrypt Power BI data. Instead, the encryption applies when Power BI objects are exported as Excel, PowerPoint, or PDF files.
In effect, within Power BI, sensitivity labels are used as visual markers of the sensitive nature of some data. Labels apply encryption and markings to information only when data moves out of Power BI.
Exports Get Protection
As mentioned above, protection through rights management-based encryption is applied when Power BI exports an object. Figure 3 shows a report exported from Power BI to PowerPoint. The label is present. The big difference is what the user who exported the object from Power BI can do with the document.
Normally, when someone applies a sensitivity label to an Office document, they are the owner and have full access to the document. For instance, they can decide to change the label and apply a more sensitive or less sensitive label depending on the document’s content. When someone exports a file from Power BI, they can still edit the content, but they cannot change the assigned label because they are not regarded as the document’s owner.
The underlying logic is that Power BI manages permissions and access to the information. If a label is applied in Power BI, it should be managed inside Power BI, and if the label should be changed, it can be changed there. It’s an example of how the rights management aspects of sensitivity labels adapt to the needs of an application.