A recent Teams Live Event hosted by Microsoft’s Information Protection team discussed the automatic assignment of sensitivity labels to SharePoint Online and OneDrive for Business content. A preview is now available and Microsoft hopes to make this functionality available at the end of March 2020. You’ll need Office 365 E5 or Microsoft 365 E5 licenses.
Microsoft retracted the announcement of the deprecation of the classic Azure Information Protection client and label management in the Azure portal. Office 365 sensitivity labels have taken over from AIP clients in most tenants, so the impact of this change is limited. However, if you still need to use an AIP client, you should move to the unified version.
Exchange Online transport rules can block outbound email stamped with selected Office 365 Sensitivity Labels to make sure that confidential material doesn’t leave organizations. The transport rule is very easy to construct with the only complication being the need to discover the GUID of the sensitivity label you want to block. Fortunately, PowerShell gives us an easy way to find a label’s GUID.
Outlook for iOS and Android now support marking and encryption of email with Office 365 Sensitivity Labels. Sensitivity labels can now be applied through Office ProPlus, OWA, and Outlook mobile. All that really remains to achieve full coverage for sensitivity labels across Office 365 are the Office Online and SharePoint/OneDrive browser interfaces. In other news, Outlook Mobile also supports S/MIME.
Microsoft Cloud App Security (MCAS) can integrate with Azure Information Protection to allow automated policy-driven application of Office 365 sensitivity labels to Office documents and PDFs. You can depend on users to apply labels manually as they create documents, but it’s easy for humans to forget to add protection where a computer won’t. You’ll pay extra for MCAS, but it could be worthwhile.