Microsoft Purview Information Protection continues to invest in ways to help your organization protect sensitive data wherever it lives or travels, extend support for protected documents wherever work happens, and strengthen protections for mission-critical documents.
In today's rapidly evolving digital landscape, the protection of sensitive organizational data is critical, especially given the accelerated adoption of AI technology. However, only 22% of organizations feel extremely confident in their ability to keep data secure as they adopt generative AI technologies [1]. Simultaneously, data security teams are tasked with protecting organizational data across a growing set of access points as employees work from a variety of different devices, browsers, and locations.
Microsoft Purview Information Protection continues to invest in comprehensive protections to safeguard data across modern data estates – including those that have enabled generative AI for their workforce. In this blog, we’ll share notable classification improvements and additions to Information Protection that can help your organization protect sensitive data wherever it lives or travels, extend support for protected documents wherever work happens, and strengthen protections for mission-critical documents.
Protecting sensitive data wherever it lives or travels across the modern data estate
Today, we are excited to announce enhanced labeling and document protections for Office files and PDFs in SharePoint for customers with E5 and SharePoint Advanced Management licenses. Previously, SharePoint site owners could apply default sensitivity labels to newly added or created files in a document library. Now, site owners can easily extend sensitivity labels to all documents at rest in a library and protect them through the label if they are downloaded, moved, or copied from SharePoint. This two-fold enhancement, now in public preview, not only streamlines labeling for all currently-unlabeled and unprotected documents at rest but also ensures that protections travel with the documents if they leave the original SharePoint site.
Figure 1: SharePoint site owners can now extend sensitivity labels and their associated protections to all currently-unlabeled or unprotected documents at rest through the Library settings.
After selecting the option to “Extend protections on unencrypted files when they’re downloaded, copied, or moved” in the library settings, site owners will now see the specified label applied to all previously-unlabeled files or files with labels that were not configured to apply encryption. These labels also extend to files that are synchronized with OneDrive.
Based on the label’s user-defined permissions, only those who have access rights to the online copy of the file can decrypt and access the file when downloaded. If a user's permissions to the original SharePoint library are revoked, their access to any documents within that library – even when downloaded locally – is also revoked. This keeps documents protected as they leave SharePoint, such as for collaboration purposes or due to attempted exfiltration. This feature is also supported by the Information Protection SDK. It is worth noting that this capability only supports labels with user-defined permissions at this time.
Additional labeling & SDK improvements in Microsoft Purview Information Protection
In addition to the enhanced labeling capability for SharePoint document libraries detailed above, we are pleased to share improvements to our auto labeling capacity for OneDrive and SharePoint. Purview Information Protection now supports auto-labeling of up to 100k files per day, up from the previous 25k file limit. This improvement is generally available.
Additionally, auto-labeling simulation mode now features the ability to view the sensitivity label currently applied to a file, and the ability to filter based on label. These improvements to auto-labeling simulation mode will become available in public preview in the coming weeks. Learn more about auto-labeling simulation mode here.
Extending label-based protections to Teams, Copilot Studio, and Fabric
To further enable consistent, streamlined sensitivity labeling of your important business data, we are announcing label inheritance for Teams meetings based on the sensitivity of files shared in the meeting in public preview. This capability, which will be available in the coming weeks, facilitates secure collaboration across your organization by ensuring that if labeled files are referenced in a Teams meeting, the highest sensitivity label will be applied holistically to the meeting, its artifacts, and the files that were shared within. For example, if a Teams meeting is initiated with a “General” sensitivity label, and a collaborator in the meeting shares a document labeled “Highly Confidential” in the meeting chat, the label of the meeting will be upgraded to “Highly Confidential.”
Figure 2: Teams meetings can now be updated in sensitivity level based on the sensitivity label of files shared in the meeting chat. This is configurable through the label policy settings.
Microsoft Purview is also supporting ways to protect sensitive data in custom AI applications built through Copilot Studio. In May, we announced that developers using Copilot Studio can turn on the Purview integration to extend our best-of-suite data security controls to their custom apps – this includes the ability to limit access to sensitive data to only authorized users, and for AI-generated outputs to inherit and cite the sensitivity label of referenced files. To learn more about new Purview data security & governance controls for apps built in Copilot Studio, visit the blog.
Last month, we announced that we were extending the ability to apply labels and restrict access to content based on sensitivity label to Fabric data, helping admins discover, classify, and protect sensitive information. With this expanded sensitivity label support, admins could use sensitivity labels to manage who has access to Fabric items. For example, a security admin could restrict access to data items with a “financial data” sensitivity label so that only users in the finance department can access them. These data protection and auto labeling policies are now available in public preview for Fabric, Azure SQL, and Azure Data Lake Storage (ADLS), ensuring that your business-critical data is protected even beyond Microsoft 365.
Figure 3: Extend Microsoft Purview Information Protection sensitivity labels to your Fabric data
In the spirit of expanding Information Protection support across services and platforms, we’re also happy to share that the Information Protection SDK on .NET is now generally available on all supported Ubuntu LTS versions.
Extending support for protected documents wherever work happens
With the goal of securing sensitive data without hindering user productivity, we’d like to share three additional enhancements to Information Protection that make it easier for users to access protected documents:
- Broader support for protected PDFs on mobile devices: We recognize that in today’s digital world, work doesn’t just happen on a corporate desktop – employees can access organizational data from anywhere in the world, on a broad variety of devices. To better enable secure access to this data, we are excited to share expanded support for documents encrypted and protected by Information Protection on mobile devices:
  - 1-click support on Outlook mobile application: Now generally available on iOS and Android. In the Outlook app, we are also making it easier for authorized users to decrypt and view protected PDFs with just one click, without the need for additional tools or steps.
  - OneDrive mobile application: Now generally available on iOS and in coming weeks on Android.
  - Microsoft 365 mobile application: Now generally available on iOS and Android.
- Broader support for protected PDFs on web: As the global workforce spends more of its time working directly in browsers, we must also expand our support for protected documents on the web. We're happy to share that starting today, OneDrive and SharePoint Online users can now view protected PDFs directly from any browser – including Chrome, Firefox, and Safari – without the need to switch to desktop applications for rendering and decryption. This makes it easier for users to access and consume protected PDFs without disruption. These improvements augment support for Information Protection-defined usage rights restrictions that already exist in the Microsoft Edge browser, such as screen capture restrictions on Office files.
Strengthening document protections with dynamic watermarking
Figure 4: Example of dynamic watermarks rendering on a Word document
Earlier this year, we announced dynamic watermarking in preview, which equips information protection admins with more robust document protections through sensitivity labels. This capability is available in public preview for all Information Protection customers with Information Protection Plan 2 (included in E5). When an admin enables the dynamic watermarking setting for a protected sensitivity label, files with that sensitivity label will render with dynamic watermarks when opened in Word, Excel, and PowerPoint. This deters collaborators or users who have access to the document from sharing its contents broadly, preventing sensitive data leakage and enabling easier attribution of leaks.
Noteworthy classification updates to optical character recognition and named entity SITs
Optical character recognition (OCR) enables Microsoft Purview to scan images for sensitive information. Examples include screenshots of sensitive documents, scanned forms, and pictures of proprietary data like Personal IDs or credit cards. OCR is billed to customers based on the number of images scanned.
In September of this year, we announced the availability of the OCR Cost estimator in public preview. The OCR cost estimator minimizes the uncertainty that comes from limited visibility into, or predictability of, the total number of images you may incur costs for. It also breaks down a clear estimate by location for Exchange, Teams, SharePoint, OneDrive, and endpoints.
Figure 5: Turn on OCR Cost Estimator from the Purview settings.
Once you select “Try for free,” you will have 30 days to run estimates through the OCR cost estimator and configure settings based on the needs and budget of your organization. It can be run without setting up an Azure subscription, making it accessible to all organizations.
Figure 6: Cost estimation report for OCR by location.
We are also delighted to announce a significant expansion in named entity sensitive information types (SITs). Named entity SITs play a crucial role in identifying and protecting sensitive data within documents such as person names, physical addresses, and health-related data. This is essential for ensuring compliance with various regulations and safeguarding privacy even across geographic regions. Recent improvements include:
- Expanded support for the detection of disease names to 26 additional languages. This enhancement enables more comprehensive protection of health-related information across a broader range of linguistic contexts.
- Expanded support for physical address detections to 7 additional countries: China, South Korea, Taiwan, Greenland, Russia, Ukraine, and South Africa.
Get started
You can try Microsoft Purview Information Protection and other Microsoft Purview solutions directly in the Microsoft Purview compliance portal with a free trial!
- Interactive guide: aka.ms/InfoProtectionInteractiveGuide
- Mechanics video on how to automatically classify and protect documents and data
- Mechanics video on AI-powered data classification
And, lastly, join the Microsoft Purview DLP Customer Connection Program (CCP) to get information and access to upcoming capabilities in private previews in Microsoft Purview Information Protection. An active NDA is required. Click here to join.
We look forward to your feedback.
[1] 2024 Data Security Index Report | Microsoft Security