The latest version of the Edge Chromium browser can read files protected by Office 365 sensitivity labels stored in SharePoint Online and Exchange Online. This might not be the feature that causes you to dump Chrome, but it’s very useful when your tenant uses sensitivity labels.
When you need to block external access to your most sensitive documents, Office 365 Data Loss Prevention policies and sensitivity labels combine to find and protect the documents. A really simple policy is enough to detect and block external access, and is covered by Office 365 E3 licenses. If you have E5 licenses, you can consider auto-label policies to find and protect sensitive documents at scale.
Power BI support for Office 365 sensitivity labels is now generally available. Inside Power BI, the labels are visual markers. Encryption is applied when Power BI objects are exported. The interesting thing is that the user who exports content doesn’t have the right to change the label.
Now that SharePoint Online supports Office 365 Sensitivity Labels, it’s time to consider how to protect files stored in document libraries. When you compare the two approaches, there’s really only one winner. And there’s no surprise in saying that the winner is Office 365 Sensitivity Labels.
At the Microsoft Ignite 2019 conference, Microsoft described how SharePoint Online will use Office 365 compliance features such as sensitivity labels and information barrier policies to better protect information stored in SharePoint sites. The Office Online apps also gain support for sensitivity labels. The new features will enter a mixture of public and private previews starting November 20.
OWA now supports Office 365 Sensitivity Labels, which means that users can apply labels to mark and/or protect messages with encryption just like they can with Outlook. The update adds to the ways that sensitivity labels can be applied to Office 365 content, with the next step being to achieve the same support for the other online Office apps.
Microsoft Cloud App Security (MCAS) can integrate with Azure Information Protection to allow automated policy-driven application of Office 365 sensitivity labels to Office documents and PDFs. You can depend on users to apply labels manually as they create documents, but it’s easy for humans to forget to add protection where a computer won’t. You’ll pay extra for MCAS, but it could be worthwhile.
Microsoft has announced the deprecation of the PowerShell module for the Azure Active Directory Rights Management service (AADRM). But don’t worry; it’s replaced by the Azure Information Protection (AIPService) module. Deprecation happens in July 2020, so you’ve lots of time to revise any scripts that use AADRM cmdlets.
The process of introducing Office 365 sensitivity labels to a tenant can be long and complicated because of the need to plan how to manage encrypted content. As you go through the process, don’t delete labels if they’ve already been used to protect content. Instead, remove them from the label policies used to publish information to clients. The labels will then remain intact in documents and other files.
Microsoft has released the GA version of the Azure Information Protection client, which reads information about Office 365 sensitivity labels and policies from the Security and Compliance Center. It’s one more step along the path to making it easy for Office 365 tenants to protect their data. Work still has to be done, but at least we can see light at the end of the encryption tunnel.