Table of Contents
Outlook and Teams Meetings Both Benefit from Added Protection
Published in message center update MC513052 (last updated 27 April 2023, Microsoft 365 roadmap item 98924) and finally rolling out over May, Outlook (Mac, Windows, and OWA) can assign sensitivity labels for meetings. That is, if you have Office 365 E5 licenses.
Last October, I speculated that Microsoft’s claim of protection and recaps for Outlook and Teams meetings would be deliver very different functionality. Now we see that protecting meetings is a multi-part story composed of:
- Defining and publishing sensitivity labels configured with the meeting protection setting.
- Defining and publishing sensitivity labels configured with Teams online meeting settings. Meeting organizers require Teams Premium licenses to use sensitivity labels with Teams online meeting settings.
- Defining and publishing Teams meeting templates describing different forms of meetings (internal, external, highly secure) to help users choose the right configuration for their meetings. Microsoft describes a concept of three tiers of protection for Teams meetings.
This article covers the basics of creating and using sensitivity labels with Outlook meetings.
Using Outlook to Assign Sensitivity Labels for Meetings
Sensitivity labels have always been able to protect “normal” email, including attachments. Meeting requests and responses are a different form of emails because they include metadata about a meeting (date and time, location, and attendees) that a recipient can use to create an event in their calendar. Given that people often include a great deal of confidential information in meeting requests, I don’t know why Microsoft did not extend protection to calendar messages until now.
When you apply a sensitivity label with encryption to a meeting, the body (text containing details of the event) and any attachments inherit the rights management protection defined in the label. Other information like the meeting title and participant list is not encrypted. This is like normal messages where encryption protects only the content and attachments of messages.
Figure 1 shows how to assign a sensitivity label to a meeting with OWA. Only the set of sensitivity labels configured to protect meetings appear in the drop-down list for users to select from. You can configure a default sensitivity label to apply to all meetings through the sensitivity label policy that publishes labels to users.
A protected meeting operates like any other protected email. Outlook wraps the contents of the message and its attachments in a protected rpmsg message. If the receiving client is “enlightened” (it knows how to process protected messages), it can decrypt the message and display it inline. If not, the user receives a link to access the content through the Office 365 Message Encryption (OME) portal. Note that clients can only open protected messages if the recipient has the right to view the content. The rights are set in sensitivity label properties and will stop people who don’t have the right to view content opening the messages. For instance, the “Internal meeting” label might restrict access to users within the tenant. If someone outside the tenant is a meeting participant, they cannot open the message.
Points to Ponder
While working with protected meetings, I noticed a couple of points worth highlighting:
- You can insert a Loop component in a meeting request created in OWA. Recipients can edit the content of the Loop component even if the sensitivity label blocks edit access. This is because Loop doesn’t support sensitivity labels yet. Current builds of Outlook desktop (subscription) doesn’t support adding Loop components to meeting requests.
- If you assign a restrictive sensitivity label to a meeting, you might stop meeting participants being able to edit attachments. This might be what you want to do, but it’s a change in behavior that users need to understand.
- Sensitivity labels determine rights based on email addresses. If someone forwards a protected meeting invitation to someone else, they might not be able to access the content if the rights specified in the label doesn’t have an entry that matches their email address (or domain). One advantage gained is that if people forward meeting invitations without permission outside the organization, the external recipients won’t have access to the meeting content.
Sensitivity Labels for Meetings in Outlook Mobile
Outlook Mobile can open protected messages (decryption occurs on the server) and can process inbound events to include them in the calendar. However, the meeting body is not decrypted (Figure 2), which means that the user knows they have a meeting to attend but can’t see the text explaining what the meeting is about unless they open the meeting with Outlook desktop or OWA. However, the deeplink for the Teams meeting remains usable because it is not encrypted.
In addition, Outlook mobile cannot send protected meetings because the client doesn’t include the encryption technology needed to apply protection.
Don’t Rush to Deploy Sensitivity Labels for Meetings
Introducing protected meetings isn’t something to do on a whim. Like any information protection project, some consideration is needed, especially if sensitivity labels are already deployed. That topic deserves a separate article, which I’ll get to in due course.
Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.