Microsoft Closes Gap to Enable Mandatory Labeling of Existing Documents

Office Apps Check for Sensitivity Label When Opening Both New and Old Documents

Message center notification MC305436 (December 15, Microsoft 365 roadmap item 88515) informing tenants that sensitivity labels now apply to modified documents might have puzzled a few. It certainly caused me to think a little before understanding what’s going on, especially after reading Microsoft’s summary: “Coming to public preview, default labeling policies can now be applied to any supported document that a user edits, not just a new document.”

To understand the full context of what’s happening, we need to go back to the past. When Azure Information Protection came along in 2016, users needed to install a separate client, now called the unified labeling client, on Windows workstations to use labels. The client is still in use today, but only to apply labels to files stored outside Microsoft 365.

Microsoft originally developed a separate client because Office applications (online, mobile, and desktop) at the time didn’t understand how to deal with sensitivity labels. The apps couldn’t encrypt or decrypt documents and included no user interface elements to allow users to select labels to apply.

Enlightened Office Apps

Things are different today because the Office apps are “enlightened” (obviously, they were in the dark previously). In other words, they now support Azure Rights Management data protection by including Microsoft Information Protection code to handle sensitivity labels, connect to the service to fetch use licenses, display label information, and apply visual settings (watermarks, headers, and footers). Microsoft documents the current sensitivity label capabilities of Word, Excel, and PowerPoint on this page.

And if you enable support for sensitivity labels in SharePoint Online and OneDrive for Business, the content of protected files becomes available for processing by Microsoft Search, Data Loss Prevention (DLP), and other services. All in all, Microsoft has done a ton of work to build out the infrastructure surrounding sensitivity labels over the last few years. Anyone with an Office 365 or Microsoft 365 license can consume (access) content protected with sensitivity labels, but you need Office 365 E3 or above to apply sensitivity labels to content.

However, some customers invested in the unified labeling client (still only available for Windows) and paid for the necessary Azure Information Protection licenses. To help customers move away from the unified labeling client, Microsoft is steadily increasing the protection features available in Office, and the change reported in MC305436 is part of that effort.

Mandatory Labeling Via Policy

When you edit the settings for a sensitivity label publishing policy, you can choose to require users to apply a sensitivity label to new email and documents (Figure 1). Later in the policy settings, you select the default label to apply.

Figure 1: Mandatory label settings in a sensitivity label policy

Because this is an automatic operation, Microsoft requires users to have Office 365 E5 licenses or above (see this guidance on Microsoft Information Protection licensing).

The change due to roll out in mid-January will allow Office to apply sensitivity labels to an unlabeled document when a user opens the file. Until now, Office only applied default labels to new documents, which meant that you could have a bunch of unlabeled but sensitive documents in a SharePoint Online document library that would never receive sensitivity labels unless a user explicitly opened and labeled them. Now, each time Office opens a document, it checks for a label in the document metadata, and if none is present, Office applies the default label specified in the sensitivity label publishing policy. If a user comes within the scope of multiple publishing policies, Office applies the default label from the highest priority policy.
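To see which existing files would pick up the default label the next time someone opens them, you can run the same kind of metadata check yourself. The sketch below is an added example, not code from Microsoft or from this article. It assumes label metadata is stored in the document package as `MSIP_Label_<GUID>_Enabled` custom properties or as a `docMetadata/LabelInfo.xml` part; the function names, sample documents, and GUID are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Assumed storage locations (not stated in the article): custom properties named
# MSIP_Label_<GUID>_Enabled in docProps/custom.xml, or <label id="..."> elements
# in the docMetadata/LabelInfo.xml part.
PARTS = ("docProps/custom.xml", "docMetadata/LabelInfo.xml")
PREFIX, SUFFIX = "MSIP_Label_", "_Enabled"
MAX_PART = 1_000_000  # skip oversized parts rather than inflate them (zip-bomb guard)

def label_ids(doc):
    """Return the label GUIDs recorded in an OOXML file (path or file object)."""
    found = set()
    with zipfile.ZipFile(doc) as z:
        for part in PARTS:
            if part not in z.namelist() or z.getinfo(part).file_size > MAX_PART:
                continue
            # For untrusted files, prefer a hardened XML parser over ElementTree.
            for el in ET.fromstring(z.read(part)).iter():
                name = el.get("name", "")
                if name.startswith(PREFIX) and name.endswith(SUFFIX):
                    if "".join(el.itertext()).strip().lower() == "true":
                        found.add(name[len(PREFIX):-len(SUFFIX)])
                elif el.tag.rsplit("}", 1)[-1] == "label" and el.get("id"):
                    found.add(el.get("id").strip("{}"))
    return found

def needs_default_label(doc):
    """True when no label metadata is found, so the default label would apply."""
    return not label_ids(doc)

def make_sample(parts=None):
    """Build a constructed, minimal OOXML-like package in memory for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<document/>")
        for name, xml in (parts or {}).items():
            z.writestr(name, xml)
    buf.seek(0)
    return buf

# Constructed sample data: placeholder GUID, not a real tenant label.
GUID = "00000000-0000-0000-0000-000000000001"
LABELED = {"docProps/custom.xml":
           '<Properties xmlns:vt="urn:example:vt">'
           f'<property name="{PREFIX}{GUID}{SUFFIX}"><vt:lpwstr>true</vt:lpwstr>'
           "</property></Properties>"}
```

`needs_default_label` also accepts a file path, so it can be run over a synced library or file share to list the documents that are still unlabeled.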

For more information about the deployment and management of sensitivity labels, see the Information Protection chapter in the Office 365 for IT Pros eBook. Or browse the Office 365 for IT Pros presentation on sensitivity labels at the recent European Collaboration Summit.
