Outlook and Teams Meetings Both Benefit from Added Protection
Published in message center update MC513052 (last updated 27 April 2023, Microsoft 365 roadmap item 98924) and finally rolling out over May, Outlook (Mac, Windows, and OWA) can assign sensitivity labels for meetings. That is, if you have Office 365 E5 licenses.
Last October, I speculated that Microsoft’s claim of protection and recaps for Outlook and Teams meetings would be deliver very different functionality. Now we see that protecting meetings is a multi-part story composed of:
Defining and publishing sensitivity labels configured with Teams online meeting settings. Meeting organizers require Teams Premium licenses to use sensitivity labels with Teams online meeting settings.
Defining and publishing Teams meeting templates describing different forms of meetings (internal, external, highly secure) to help users choose the right configuration for their meetings. Microsoft describes a concept of three tiers of protection for Teams meetings.
This article covers the basics of creating and using sensitivity labels with Outlook meetings.
Using Outlook to Assign Sensitivity Labels for Meetings
Sensitivity labels have always been able to protect “normal” email, including attachments. Meeting requests and responses are a different form of emails because they include metadata about a meeting (date and time, location, and attendees) that a recipient can use to create an event in their calendar. Given that people often include a great deal of confidential information in meeting requests, I don’t know why Microsoft did not extend protection to calendar messages until now.
When you apply a sensitivity label with encryption to a meeting, the body (text containing details of the event) and any attachments inherit the rights management protection defined in the label. Other information like the meeting title and participant list is not encrypted. This is like normal messages where encryption protects only the content and attachments of messages.
Figure 1 shows how to assign a sensitivity label to a meeting with OWA. Only the set of sensitivity labels configured to protect meetings appear in the drop-down list for users to select from. You can configure a default sensitivity label to apply to all meetings through the sensitivity label policy that publishes labels to users.
Figure 1: Adding a sensitivity label to a meeting
A protected meeting operates like any other protected email. Outlook wraps the contents of the message and its attachments in a protected rpmsg message. If the receiving client is “enlightened” (it knows how to process protected messages), it can decrypt the message and display it inline. If not, the user receives a link to access the content through the Office 365 Message Encryption (OME) portal. Note that clients can only open protected messages if the recipient has the right to view the content. The rights are set in sensitivity label properties and will stop people who don’t have the right to view content opening the messages. For instance, the “Internal meeting” label might restrict access to users within the tenant. If someone outside the tenant is a meeting participant, they cannot open the message.
Points to Ponder
While working with protected meetings, I noticed a couple of points worth highlighting:
You can insert a Loop component in a meeting request created in OWA. Recipients can edit the content of the Loop component even if the sensitivity label blocks edit access. This is because Loop doesn’t support sensitivity labels yet. Current builds of Outlook desktop (subscription) doesn’t support adding Loop components to meeting requests.
If you assign a restrictive sensitivity label to a meeting, you might stop meeting participants being able to edit attachments. This might be what you want to do, but it’s a change in behavior that users need to understand.
Sensitivity labels determine rights based on email addresses. If someone forwards a protected meeting invitation to someone else, they might not be able to access the content if the rights specified in the label doesn’t have an entry that matches their email address (or domain). One advantage gained is that if people forward meeting invitations without permission outside the organization, the external recipients won’t have access to the meeting content.
Sensitivity Labels for Meetings in Outlook Mobile
Outlook Mobile can open protected messages (decryption occurs on the server) and can process inbound events to include them in the calendar. However, the meeting body is not decrypted (Figure 2), which means that the user knows they have a meeting to attend but can’t see the text explaining what the meeting is about unless they open the meeting with Outlook desktop or OWA. However, the deeplink for the Teams meeting remains usable because it is not encrypted.
Figure 2: A protected meeting viewed through Outlook mobile
In addition, Outlook mobile cannot send protected meetings because the client doesn’t include the encryption technology needed to apply protection.
Don’t Rush to Deploy Sensitivity Labels for Meetings
Introducing protected meetings isn’t something to do on a whim. Like any information protection project, some consideration is needed, especially if sensitivity labels are already deployed. That topic deserves a separate article, which I’ll get to in due course.
Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.
{"id":null,"mode":"button","open_style":"in_modal","currency_code":"EUR","currency_symbol":"\u20ac","currency_type":"decimal","blank_flag_url":"https:\/\/office365itpros.com\/wp-content\/plugins\/tip-jar-wp\/\/assets\/images\/flags\/blank.gif","flag_sprite_url":"https:\/\/office365itpros.com\/wp-content\/plugins\/tip-jar-wp\/\/assets\/images\/flags\/flags.png","default_amount":100,"top_media_type":"featured_image","featured_image_url":"https:\/\/office365itpros.com\/wp-content\/uploads\/2022\/11\/cover-141x200.jpg","featured_embed":"","header_media":null,"file_download_attachment_data":null,"recurring_options_enabled":true,"recurring_options":{"never":{"selected":true,"after_output":"One time only"},"weekly":{"selected":false,"after_output":"Every week"},"monthly":{"selected":false,"after_output":"Every month"},"yearly":{"selected":false,"after_output":"Every year"}},"strings":{"current_user_email":"","current_user_name":"","link_text":"Virtual Tip Jar","complete_payment_button_error_text":"Check info and try again","payment_verb":"Pay","payment_request_label":"Office 365 for IT Pros","form_has_an_error":"Please check and fix the errors above","general_server_error":"Something isn't working right at the moment. Please try again.","form_title":"Office 365 for IT Pros","form_subtitle":null,"currency_search_text":"Country or Currency here","other_payment_option":"Other payment option","manage_payments_button_text":"Manage your payments","thank_you_message":"Thank you for supporting the work of Office 365 for IT Pros!","payment_confirmation_title":"Office 365 for IT Pros","receipt_title":"Your Receipt","print_receipt":"Print Receipt","email_receipt":"Email Receipt","email_receipt_sending":"Sending receipt...","email_receipt_success":"Email receipt successfully sent","email_receipt_failed":"Email receipt failed to send. Please try again.","receipt_payee":"Paid to","receipt_statement_descriptor":"This will show up on your statement as","receipt_date":"Date","receipt_transaction_id":"Transaction ID","receipt_transaction_amount":"Amount","refund_payer":"Refund from","login":"Log in to manage your payments","manage_payments":"Manage Payments","transactions_title":"Your Transactions","transaction_title":"Transaction Receipt","transaction_period":"Plan Period","arrangements_title":"Your Plans","arrangement_title":"Manage Plan","arrangement_details":"Plan Details","arrangement_id_title":"Plan ID","arrangement_payment_method_title":"Payment Method","arrangement_amount_title":"Plan Amount","arrangement_renewal_title":"Next renewal date","arrangement_action_cancel":"Cancel Plan","arrangement_action_cant_cancel":"Cancelling is currently not available.","arrangement_action_cancel_double":"Are you sure you'd like to cancel?","arrangement_cancelling":"Cancelling Plan...","arrangement_cancelled":"Plan Cancelled","arrangement_failed_to_cancel":"Failed to cancel plan","back_to_plans":"\u2190 Back to Plans","update_payment_method_verb":"Update","sca_auth_description":"Your have a pending renewal payment which requires authorization.","sca_auth_verb":"Authorize renewal payment","sca_authing_verb":"Authorizing payment","sca_authed_verb":"Payment successfully authorized!","sca_auth_failed":"Unable to authorize! Please try again.","login_button_text":"Log in","login_form_has_an_error":"Please check and fix the errors above","uppercase_search":"Search","lowercase_search":"search","uppercase_page":"Page","lowercase_page":"page","uppercase_items":"Items","lowercase_items":"items","uppercase_per":"Per","lowercase_per":"per","uppercase_of":"Of","lowercase_of":"of","back":"Back to plans","zip_code_placeholder":"Zip\/Postal Code","download_file_button_text":"Download File","input_field_instructions":{"tip_amount":{"placeholder_text":"How much would you like to tip?","initial":{"instruction_type":"normal","instruction_message":"How much would you like to tip? Choose any currency."},"empty":{"instruction_type":"error","instruction_message":"How much would you like to tip? Choose any currency."},"invalid_curency":{"instruction_type":"error","instruction_message":"Please choose a valid currency."}},"recurring":{"placeholder_text":"Recurring","initial":{"instruction_type":"normal","instruction_message":"How often would you like to give this?"},"success":{"instruction_type":"success","instruction_message":"How often would you like to give this?"},"empty":{"instruction_type":"error","instruction_message":"How often would you like to give this?"}},"name":{"placeholder_text":"Name on Credit Card","initial":{"instruction_type":"normal","instruction_message":"Enter the name on your card."},"success":{"instruction_type":"success","instruction_message":"Enter the name on your card."},"empty":{"instruction_type":"error","instruction_message":"Please enter the name on your card."}},"privacy_policy":{"terms_title":"Terms and conditions","terms_body":null,"terms_show_text":"View Terms","terms_hide_text":"Hide Terms","initial":{"instruction_type":"normal","instruction_message":"I agree to the terms."},"unchecked":{"instruction_type":"error","instruction_message":"Please agree to the terms."},"checked":{"instruction_type":"success","instruction_message":"I agree to the terms."}},"email":{"placeholder_text":"Your email address","initial":{"instruction_type":"normal","instruction_message":"Enter your email address"},"success":{"instruction_type":"success","instruction_message":"Enter your email address"},"blank":{"instruction_type":"error","instruction_message":"Enter your email address"},"not_an_email_address":{"instruction_type":"error","instruction_message":"Make sure you have entered a valid email address"}},"note_with_tip":{"placeholder_text":"Your note here...","initial":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"empty":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"not_empty_initial":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"saving":{"instruction_type":"normal","instruction_message":"Saving note..."},"success":{"instruction_type":"success","instruction_message":"Note successfully saved!"},"error":{"instruction_type":"error","instruction_message":"Unable to save note note at this time. Please try again."}},"email_for_login_code":{"placeholder_text":"Your email address","initial":{"instruction_type":"normal","instruction_message":"Enter your email to log in."},"success":{"instruction_type":"success","instruction_message":"Enter your email to log in."},"blank":{"instruction_type":"error","instruction_message":"Enter your email to log in."},"empty":{"instruction_type":"error","instruction_message":"Enter your email to log in."}},"login_code":{"initial":{"instruction_type":"normal","instruction_message":"Check your email and enter the login code."},"success":{"instruction_type":"success","instruction_message":"Check your email and enter the login code."},"blank":{"instruction_type":"error","instruction_message":"Check your email and enter the login code."},"empty":{"instruction_type":"error","instruction_message":"Check your email and enter the login code."}},"stripe_all_in_one":{"initial":{"instruction_type":"normal","instruction_message":"Enter your credit card details here."},"empty":{"instruction_type":"error","instruction_message":"Enter your credit card details here."},"success":{"instruction_type":"normal","instruction_message":"Enter your credit card details here."},"invalid_number":{"instruction_type":"error","instruction_message":"The card number is not a valid credit card number."},"invalid_expiry_month":{"instruction_type":"error","instruction_message":"The card's expiration month is invalid."},"invalid_expiry_year":{"instruction_type":"error","instruction_message":"The card's expiration year is invalid."},"invalid_cvc":{"instruction_type":"error","instruction_message":"The card's security code is invalid."},"incorrect_number":{"instruction_type":"error","instruction_message":"The card number is incorrect."},"incomplete_number":{"instruction_type":"error","instruction_message":"The card number is incomplete."},"incomplete_cvc":{"instruction_type":"error","instruction_message":"The card's security code is incomplete."},"incomplete_expiry":{"instruction_type":"error","instruction_message":"The card's expiration date is incomplete."},"incomplete_zip":{"instruction_type":"error","instruction_message":"The card's zip code is incomplete."},"expired_card":{"instruction_type":"error","instruction_message":"The card has expired."},"incorrect_cvc":{"instruction_type":"error","instruction_message":"The card's security code is incorrect."},"incorrect_zip":{"instruction_type":"error","instruction_message":"The card's zip code failed validation."},"invalid_expiry_year_past":{"instruction_type":"error","instruction_message":"The card's expiration year is in the past"},"card_declined":{"instruction_type":"error","instruction_message":"The card was declined."},"missing":{"instruction_type":"error","instruction_message":"There is no card on a customer that is being charged."},"processing_error":{"instruction_type":"error","instruction_message":"An error occurred while processing the card."},"invalid_request_error":{"instruction_type":"error","instruction_message":"Unable to process this payment, please try again or use alternative method."},"invalid_sofort_country":{"instruction_type":"error","instruction_message":"The billing country is not accepted by SOFORT. Please try another country."}}}},"fetched_oembed_html":false}