Sensitivity labels are one element in a range of tools that can be deployed in Microsoft 365 to protect information, as shown in the diagram below.
If you are new to information protection, it is important to understand that Azure Information Protection (AIP) is not the same as the previous and now retired functionality with the same acronym. (See this page ‘Azure Information Protection – also known as‘ for more information)
This post focuses on sensitivity labels created within the Microsoft Information Protection (MIP) framework as well as the way those labels can be applied via the AIP Client.
Creating sensitivity labels
Sensitivity labels are created in the Information Protection section of the Microsoft 365 Compliance admin center. Access to the center is restricted to Global admins, Compliance and Compliance data admins, Records Administrators, and other custom roles. Records Managers should, ideally, be assigned a role to give them access to this center.
Every sensitivity label includes the following elements:
- Name (e.g., CONFIDENTIAL), display name (e.g., CONFIDENTIAL) and description for end-users.
- Scope: Files and emails (i.e., SharePoint/OneDrive and Exchange/Outlook); Groups and sites; Schematized data assets (preview). This post focuses on their application to Files and emails.
- Encryption (to restrict access and actions) and marking (e.g., header and footer in the body of files and emails). Note: If ‘encryption’ is selected, the label name will not appear in the Sensitivity drop down for Office documents. This is believed to be a ‘bug’. See below for more information.
- Protection options for groups and sites, used when that option is selected in point 2 above. Out of scope for this post.
Labels can only be applied after they are published as a policy, either individually or in a group of labels. Label policies include the following elements:
- The selection of label or labels to be applied.
- Users and groups (Options: (a) All, or (b) Selected users, distribution groups, mail-enabled security groups, and Microsoft 365 Groups. ‘All’ will make the labels visible in Outlook and Office documents from the ‘Sensitivity’ option in the menu bar).
- Settings: Check boxes for each: (a) Require justification to remove or lower the classification*; (b) Require users to apply a label (if selected, a default label can be assigned separately on documents and emails); (c) Require users to apply a label to Power BI content; (d) Provide users with a link to a help page.
- Name (e.g., ‘Corporate Information Sensitivity policies’).
*It is not clear where this justification text is stored as it does not seem to be recorded in the version history for the document.
When they are created, sensitivity labels are assigned a unique GUID in the background. These GUIDs are not visible anywhere from the user interface but (along with other details) are stored in the XML structure of emails and documents when the label is applied; this is how the label remains persistent even when it is moved.
The PowerShell commands ‘Get-LabelPolicy’ and, for each label ‘Get-Label -Identity “LABELNAME” | Format-List’ returns details of labels created in the Compliance center, including the GUID and settings for any markings to be applied.
To learn more about how to create and publish sensitivity labels, read this Microsoft article ‘Enable sensitivity labels for Office files in SharePoint and OneDrive‘.
Applying sensitivity labels to emails and Office documents
Once published, information sensitivity labels without encryption applied appear under the ‘Sensitivity’ drop down in new or existing Office online documents. Labels with encryption do appear in the drop down list in new emails in Outlook.
Note that sensitivity labels cannot be applied to non-Office documents stored in SharePoint. This is where AIP comes in, but read on.
The screenshot below shows what the label selection looks like in new or existing Office documents stored in SharePoint libraries.
Note: Labels with encryption applied will not be visible. The assigned label does NOT appear in the body of an online version of an Office document while it is being edited, only when it is viewed or reviewed as shown in the screenshot below.
The screenshot below shows the label selection process in the installed version of Word. Once again, any label with encryption does not appear. The label appears in the body of the document as soon as it is selected. The label will remain with the document including when it is uploaded to SharePoint or even when it is attached to an email.
The screenshot below shows the label selection process in a new email. Once applied, the label appears in the body of the email. It can be added to the subject line by IT.
Once a label has been applied to an Office document in SharePoint, or an Office document with a sensitivity label from the same tenant is uploaded to SharePoint, the ‘Sensitivity’ column displays the label:
It is NOT possible to apply a sensitivity label to non Office documents stored in SharePoint.
Applying labels via the AIP Client
If the AIP Client has been installed on a local machine, the end user can (a) apply the MIP labels to ‘local’ Office documents and, where necessary, (b) apply additional access and other controls to all other digital content.
If an MIP label includes encryption, that label (along with all others) will appear under the ‘Sensitivity’ option on the menu bar in Office documents via the AIP Client. If a label with encryption is selected, it will force the end user add additional access controls.
Alternatively, the end user can select the ‘Show Bar’ option that appears under the sensitivity labels as shown in the example screenshot below.
The end user can then select the relevant label from the bar that appears in the Office document. If the label is selected this will add the markings (if selected) and require the end user to add access controls if encryption has been applied to the label.
The end user may also use the AIP client to apply controls directly to Office and non-Office content. In an Office document, this is achieved from the Info section, Protect Document > Restrict Access.
This opens the Permission dialogue box where the end user can determine who can access the document and also, via ‘More Options’, what other restrictions may be placed on the content such as expiration dates, and blocking printing or copying. .
In non-Office documents, these controls can be applied via the right-click menu option of ‘Classify and protect’, then the options as shown below.
- If an Office document is created on the local machine, and the AIP Client is used to apply an MIP label that does NOT include encryption, that label WILL be visible in the ‘Sensitivity’ Column of a SharePoint library when it is uploaded.
- If an Office document is created on the local machine, and the AIP Client is used to apply an MIP label that includes encryption, that label will NOT be visible in the ‘Sensitivity’ column of a SharePoint library when it is uploaded. This seems to be a bug.
- If a non-Office content is subject to protection using the AIP Client and an MIP label is applied, that label WILL NOT appear in the ‘Sensitivity’ column of a SharePoint library when it is uploaded.
Behind the scenes in XML
As noted earlier, every MIP label is assigned a GUID upon creation. The GUIDs can be seen when the PowerShell command ‘Get-LabelPolicy’ is run and also when the following is run for any individual label ‘Get-Label -Identity “LABELNAME” | Format-List’.
When an MIP label is assigned to an Office document (only), the name of the label, the GUID and other details (such as the placement of markings) is stored in the XML properties of the documents, usually in the ‘custom.xml’ file of the ‘docProps’ folder. The example extract below shows the ‘MSIP_Label’ followed by the GUID and also the label name.
What about encrypted documents
As noted earlier:
- Labels that include encryption do not appear in the drop down list in the ‘Sensitivity’ menu option of Office documents.
- The name of labels that include encryption, added via the AIP Client to Office documents, do not appear in the ‘Sensitivity’ column when the document is uploaded to a SharePoint library.
However, the label GUID and name is still embedded into the XML structure of the document to ensure protection wherever it may be stored. The screenshot below is an extract from the ‘custom.xml’ section of an otherwise encrypted file that has, in this case, been downloaded from a SharePoint site.
In addition to the text above, the ‘visible’ XML also includes the following in clear text:
- The email address of the person who created it in SharePoint.
- The full name and GUID of the tenant.
- The site URL.
- The Document ID.
Information sensitivity labels in Microsoft 365 are one of several Microsoft Information Protection (MIP) tools that can be used to protect emails and Office documents. MIP sensitivity labels that include encryption do not appear in the ‘Sensitivity’ menu option in Office documents either in the online or installed versions. This appears to be a bug.
When applied to Office documents, the name of the sensitivity labels without encryption appears in the ‘Sensitivity’ column of a SharePoint library when Office documents are created in SharePoint or uploaded there.
The AIP Client (not to be confused with older AIP security options) can be used to apply sensitivity labels to Office documents created from the desktop application. When uploaded to SharePoint, the name of labels applied to Office documents that do NOT include encryption will appear in the ‘Sensitivity’ column of the library. The details of the label remain embedded in the XML structure of the document and remain with it (hence, persistence).
The AIP Client shows the name of all labels including those that include encryption. When a label with encryption is selected for Office documents, the user will be required to apply additional access controls. However, the label name will NOT appear in the ‘Sensitivity’ column when it is uploaded to the SharePoint library; despite this, the details are embedded in the document’s XML structure and remain with it (persistence).
Alternatively, end users may use the AIP Client to apply labels and access controls via the ‘Protect Document > Restrict Access’ option in Office documents, or by right-clicking on other digital objects and choosing ‘Classify and protect’. When these objects are uploaded to SharePoint, no label will be visible in the ‘Sensitivity’ column.
Feature image: Photo by Soumil Kumar: https://www.pexels.com/photo/photo-of-person-typing-on-computer-keyboard-735911/