This situation creates the question of how best to protect confidential videos. Because sensitivity labels control access to files using fine-grained rights management, they are an attractive choice. Stream “classic” doesn’t support the option to protect files in this manner, but the transition of Stream storage to SharePoint Online and OneDrive for Business creates a potential solution. As we’ll discuss, the basic technology works, but some implementation issues generate more friction than you’d like, possibly because Microsoft hasn’t figured out how the components should work together.
Unified Labeling Client and OneDrive
Microsoft touts the ability of SharePoint and OneDrive to store just about any type of file up to 250 GB, which makes it easy to store recordings of even the longest meeting. However, no user interface exists in the browser interface for SharePoint or OneDrive to assign sensitivity labels to files. Office (online, desktop, and mobile) applications can apply sensitivity labels, including encryption if needed. Exchange Online mail flow rules can also assign sensitivity labels to messages. Outside these implementations, writing some PowerShell or Microsoft Graph code or using Microsoft’s unified labeling client are the only ways to assign sensitivity labels to files.
The unified labeling client runs only on Windows workstations. It integrates with File Explorer to add a Classify and protect option to make it simple to add protection to any file which File Explorer can access. Applying protection to PDF files is a popular use case for the unified labeling client.
The OneDrive sync client can synchronize online folders and files to local copies, so it doesn’t take much lateral thinking to put two and two together and conclude it should be possible to assign sensitivity labels to meeting recordings stored in OneDrive. And as it turns out, it’s true. The only downside is that the unified labeling client requires Azure Information Protection P1 licenses. These licenses are part of the Enterprise Mobility and Security suite, but not bundled in any Office 365 plans.
Protecting Meeting Recordings
Figure 1 shows a set of MP4 video files (and a Word document) in the Recordings folder of my OneDrive for Business account. This is the location where Teams stores its meeting recordings. A label already protects one of the recordings (bottom right), as shown by the Azure Information Protection padlock icon. To protect another file, select it, and choose File Explorer’s Classify and protect option.
Figure 1: Classify and protect a Teams meeting recording stored in OneDrive for Business
The unified labeling client launches to allow the user to select the sensitivity label they wish to apply. Some sensitivity labels apply markings to files without encryption, but as the MP4 format doesn’t support headers, footers, and watermarks like those used in Office documents, the only labels offered for selection in Figure 2 are those which encrypt content.
Figure 2: Choosing a sensitivity label for the unified labeling client to apply to a Teams meeting recording
After selecting the label to apply, click Save to allow the client to encrypt the file. On my i7 Surface Book 2, the client took twelve seconds to process the 358 MB recording (for a meeting lasting 46 minutes). The size of the file is in line with the expected storage consumption for Teams recordings.
Downsides
We now have a protected MP4 file. The downsides are:
The link posted in Teams for the recording as part of the meeting resources breaks. The recording is still listed as a resource, but the link points to the original MP4 file which no longer exists because it is replaced by the encrypted file (which has a .pfile extension). Protecting the recording also removes the sharing links for the file, so even if you reverse course and remove the label, Teams can’t access the file.
Because the encryption process creates a new file without sharing links, the owner of the file must share the file with those permitted to view the recording.
The OneDrive MP4 file viewer can’t open the protected file.
The only way to view the protected video recording is through the Azure Information Protection viewer (part of the unified labeling client), meaning that those who want to view the recording must install the unified labeling client. Their account also needs an Azure Information Protection license.
In a nutshell, the unified labeling client treats Teams meeting recordings like any other MP4 file it protects. Encryption breaks any special connection between Teams to OneDrive for Business. The result is a protected recording, but the file owner needs to allow access to those to view the recording.
Maybe Not Completely Ready
Just because you can do something doesn’t mean that you should do something. Although you can protect Teams meeting recordings with sensitivity labels, the downsides indicate that the Microsoft engineering teams involved (Teams, SharePoint, Stream, and Microsoft Information Protection) have not yet worked through the issues to come up with a more seamless implementation. To be fair, Stream is in the middle of its switchover from Azure to SharePoint storage, and Microsoft might work through this point as that process unfolds. Service encryption with customer key is one of the work items listed for the migration to the New Stream, but support for sensitivity labels isn’t mentioned.
Until a more seamless integration is available, it’s reasonable to conclude that using sensitivity labels to protect Teams meeting recordings stored in OneDrive is possible with downsides.
Information protection is an important topic covered by the Office 365 for IT Pros eBook. That’s why we think about and test this kind of stuff. Benefit from our work by subscribing to the book. Its monthly updates keep everyone informed about what’s happening inside Office 365.
{"id":null,"mode":"button","open_style":"in_modal","currency_code":"EUR","currency_symbol":"\u20ac","currency_type":"decimal","blank_flag_url":"https:\/\/office365itpros.com\/wp-content\/plugins\/tip-jar-wp\/\/assets\/images\/flags\/blank.gif","flag_sprite_url":"https:\/\/office365itpros.com\/wp-content\/plugins\/tip-jar-wp\/\/assets\/images\/flags\/flags.png","default_amount":100,"top_media_type":"featured_image","featured_image_url":"https:\/\/office365itpros.com\/wp-content\/uploads\/2022\/11\/cover-141x200.jpg","featured_embed":"","header_media":null,"file_download_attachment_data":null,"recurring_options_enabled":true,"recurring_options":{"never":{"selected":true,"after_output":"One time only"},"weekly":{"selected":false,"after_output":"Every week"},"monthly":{"selected":false,"after_output":"Every month"},"yearly":{"selected":false,"after_output":"Every year"}},"strings":{"current_user_email":"","current_user_name":"","link_text":"Virtual Tip Jar","complete_payment_button_error_text":"Check info and try again","payment_verb":"Pay","payment_request_label":"Office 365 for IT Pros","form_has_an_error":"Please check and fix the errors above","general_server_error":"Something isn't working right at the moment. Please try again.","form_title":"Office 365 for IT Pros","form_subtitle":null,"currency_search_text":"Country or Currency here","other_payment_option":"Other payment option","manage_payments_button_text":"Manage your payments","thank_you_message":"Thank you for supporting the work of Office 365 for IT Pros!","payment_confirmation_title":"Office 365 for IT Pros","receipt_title":"Your Receipt","print_receipt":"Print Receipt","email_receipt":"Email Receipt","email_receipt_sending":"Sending receipt...","email_receipt_success":"Email receipt successfully sent","email_receipt_failed":"Email receipt failed to send. Please try again.","receipt_payee":"Paid to","receipt_statement_descriptor":"This will show up on your statement as","receipt_date":"Date","receipt_transaction_id":"Transaction ID","receipt_transaction_amount":"Amount","refund_payer":"Refund from","login":"Log in to manage your payments","manage_payments":"Manage Payments","transactions_title":"Your Transactions","transaction_title":"Transaction Receipt","transaction_period":"Plan Period","arrangements_title":"Your Plans","arrangement_title":"Manage Plan","arrangement_details":"Plan Details","arrangement_id_title":"Plan ID","arrangement_payment_method_title":"Payment Method","arrangement_amount_title":"Plan Amount","arrangement_renewal_title":"Next renewal date","arrangement_action_cancel":"Cancel Plan","arrangement_action_cant_cancel":"Cancelling is currently not available.","arrangement_action_cancel_double":"Are you sure you'd like to cancel?","arrangement_cancelling":"Cancelling Plan...","arrangement_cancelled":"Plan Cancelled","arrangement_failed_to_cancel":"Failed to cancel plan","back_to_plans":"\u2190 Back to Plans","update_payment_method_verb":"Update","sca_auth_description":"Your have a pending renewal payment which requires authorization.","sca_auth_verb":"Authorize renewal payment","sca_authing_verb":"Authorizing payment","sca_authed_verb":"Payment successfully authorized!","sca_auth_failed":"Unable to authorize! Please try again.","login_button_text":"Log in","login_form_has_an_error":"Please check and fix the errors above","uppercase_search":"Search","lowercase_search":"search","uppercase_page":"Page","lowercase_page":"page","uppercase_items":"Items","lowercase_items":"items","uppercase_per":"Per","lowercase_per":"per","uppercase_of":"Of","lowercase_of":"of","back":"Back to plans","zip_code_placeholder":"Zip\/Postal Code","download_file_button_text":"Download File","input_field_instructions":{"tip_amount":{"placeholder_text":"How much would you like to tip?","initial":{"instruction_type":"normal","instruction_message":"How much would you like to tip? Choose any currency."},"empty":{"instruction_type":"error","instruction_message":"How much would you like to tip? Choose any currency."},"invalid_curency":{"instruction_type":"error","instruction_message":"Please choose a valid currency."}},"recurring":{"placeholder_text":"Recurring","initial":{"instruction_type":"normal","instruction_message":"How often would you like to give this?"},"success":{"instruction_type":"success","instruction_message":"How often would you like to give this?"},"empty":{"instruction_type":"error","instruction_message":"How often would you like to give this?"}},"name":{"placeholder_text":"Name on Credit Card","initial":{"instruction_type":"normal","instruction_message":"Enter the name on your card."},"success":{"instruction_type":"success","instruction_message":"Enter the name on your card."},"empty":{"instruction_type":"error","instruction_message":"Please enter the name on your card."}},"privacy_policy":{"terms_title":"Terms and conditions","terms_body":null,"terms_show_text":"View Terms","terms_hide_text":"Hide Terms","initial":{"instruction_type":"normal","instruction_message":"I agree to the terms."},"unchecked":{"instruction_type":"error","instruction_message":"Please agree to the terms."},"checked":{"instruction_type":"success","instruction_message":"I agree to the terms."}},"email":{"placeholder_text":"Your email address","initial":{"instruction_type":"normal","instruction_message":"Enter your email address"},"success":{"instruction_type":"success","instruction_message":"Enter your email address"},"blank":{"instruction_type":"error","instruction_message":"Enter your email address"},"not_an_email_address":{"instruction_type":"error","instruction_message":"Make sure you have entered a valid email address"}},"note_with_tip":{"placeholder_text":"Your note here...","initial":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"empty":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"not_empty_initial":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"saving":{"instruction_type":"normal","instruction_message":"Saving note..."},"success":{"instruction_type":"success","instruction_message":"Note successfully saved!"},"error":{"instruction_type":"error","instruction_message":"Unable to save note note at this time. Please try again."}},"email_for_login_code":{"placeholder_text":"Your email address","initial":{"instruction_type":"normal","instruction_message":"Enter your email to log in."},"success":{"instruction_type":"success","instruction_message":"Enter your email to log in."},"blank":{"instruction_type":"error","instruction_message":"Enter your email to log in."},"empty":{"instruction_type":"error","instruction_message":"Enter your email to log in."}},"login_code":{"initial":{"instruction_type":"normal","instruction_message":"Check your email and enter the login code."},"success":{"instruction_type":"success","instruction_message":"Check your email and enter the login code."},"blank":{"instruction_type":"error","instruction_message":"Check your email and enter the login code."},"empty":{"instruction_type":"error","instruction_message":"Check your email and enter the login code."}},"stripe_all_in_one":{"initial":{"instruction_type":"normal","instruction_message":"Enter your credit card details here."},"empty":{"instruction_type":"error","instruction_message":"Enter your credit card details here."},"success":{"instruction_type":"normal","instruction_message":"Enter your credit card details here."},"invalid_number":{"instruction_type":"error","instruction_message":"The card number is not a valid credit card number."},"invalid_expiry_month":{"instruction_type":"error","instruction_message":"The card's expiration month is invalid."},"invalid_expiry_year":{"instruction_type":"error","instruction_message":"The card's expiration year is invalid."},"invalid_cvc":{"instruction_type":"error","instruction_message":"The card's security code is invalid."},"incorrect_number":{"instruction_type":"error","instruction_message":"The card number is incorrect."},"incomplete_number":{"instruction_type":"error","instruction_message":"The card number is incomplete."},"incomplete_cvc":{"instruction_type":"error","instruction_message":"The card's security code is incomplete."},"incomplete_expiry":{"instruction_type":"error","instruction_message":"The card's expiration date is incomplete."},"incomplete_zip":{"instruction_type":"error","instruction_message":"The card's zip code is incomplete."},"expired_card":{"instruction_type":"error","instruction_message":"The card has expired."},"incorrect_cvc":{"instruction_type":"error","instruction_message":"The card's security code is incorrect."},"incorrect_zip":{"instruction_type":"error","instruction_message":"The card's zip code failed validation."},"invalid_expiry_year_past":{"instruction_type":"error","instruction_message":"The card's expiration year is in the past"},"card_declined":{"instruction_type":"error","instruction_message":"The card was declined."},"missing":{"instruction_type":"error","instruction_message":"There is no card on a customer that is being charged."},"processing_error":{"instruction_type":"error","instruction_message":"An error occurred while processing the card."},"invalid_request_error":{"instruction_type":"error","instruction_message":"Unable to process this payment, please try again or use alternative method."},"invalid_sofort_country":{"instruction_type":"error","instruction_message":"The billing country is not accepted by SOFORT. Please try another country."}}}},"fetched_oembed_html":false}
