At Microsoft, our goal is to provide a built-in, intelligent, unified, and extensible solution to protect sensitive data across your digital estate – in Microsoft 365 cloud services, on-premises, third-party SaaS applications, and more. With Microsoft Information Protection (MIP), we are building a unified set of capabilities for classification, labeling, and protection not only in Office apps, but also in other popular productivity services where information resides (e.g., OneDrive, SharePoint Online, and Exchange Online).
Sensitivity labels are central to Microsoft Information Protection. You can apply a sensitivity label to important documents and associate it with protection policies and actions like encryption and visual marking. You can also be assured that the protection will persist with the document throughout its life-cycle. You can also associate device and privacy policies to sensitivity labels and apply sensitivity labels to sites, teams, and Office 365 groups.
You can start using sensitivity labels by allowing users to manually classify emails and documents by applying these labels based on their assessment of the content and their interpretation of the organizational guidelines. However, users can sometimes forget to apply labels or apply them inaccurately, especially in these stressful times, so you need a method that will scale with the vast amount of data you have.
To help you achieve that scale, we are announcing public preview of automatic classification with sensitivity labels for documents stored on OneDrive and SharePoint Online, and for emails in transit in Exchange Online. The public preview will begin rolling out this week. As with manual classification, you can now set up sensitivity labels to automatically apply to Office files (e.g., PowerPoint, Excel, Word, etc.) and emails based on organizational policies. In addition to having users manually label files, you can configure auto classification policies in Microsoft 365 services like OneDrive, SharePoint Online, and Exchange Online. These policies can automatically label files at rest and emails in transit based on the rules you've set.
Figure 1. Three different policy modes for auto-classification policies
In the SharePoint and OneDrive document library experience, as shown in the screenshot below, users can see files that are labelled by their admin’s auto classification policy by hovering over the Sensitivity column. This ensures users are made aware of how the file got labeled - either automatically or manually.
Figure 2. Document library experience in SharePoint showing files automatically labeled
Before publishing an auto-classification policy, you will want to test how well your new policy works across your data environment. There are three main reasons for this:
- There is no guarantee that a well-developed auto-classification policy performs as expected. This is due to the unexpected variability in your environment
- Even if you are experienced in policy creation, you can inadvertently trigger false positive or false negative matches
- Deploying an incorrectly defined classification policy can result in a high number of help desk calls and incidents
To address this, we are also announcing the public preview of a capability called ‘Policy Simulator’ to assist you in validating and fine-tuning your auto-classification policies. Policy Simulator is designed to:
- Enable you to understand the impact of the policy and fine tune it for best accuracy and scalability
- Provide insights on the estimated length of time to deploy a policy at scale
- Add guardrails to prevent deployment of ineffective or bad policies and help minimize incident management costs
With Policy Simulator, you can validate and gain confidence in your policies prior to enforcement. You can publish your policies in successively broader scopes, thereby mitigating the risk of inadvertent consequences.
Figure 3. Overview of auto-classification policy simulator results
Auto-classification with sensitivity labels along with policy simulator are powerful capabilities that enable organizations to automatically designate eligible Excel, PowerPoint, Word files, and emails as sensitive in a scalable way.
To learn more about these new capabilities, including how they compares to auto-classification in Office apps for files in use, see our online documentation, "Apply a sensitivity label to content automatically".
We are excited to roll out these capabilities and help you in your information protection journey.