Blog Post

Security, Compliance, and Identity Blog
3 MIN READ

New labeling capabilities in Office apps helps you protect sensitive information

Adam Jung's avatar
Adam Jung
Icon for Microsoft rankMicrosoft
Jan 28, 2019

At the last Microsoft Ignite conference we announced several capabilities to help you better protect your sensitive information, wherever it lives or travels – across devices, apps, cloud services and on-premises. Our goal is to provide a consistent approach to discovering, classifying, labeling and protecting sensitive data. Today we’re announcing the general availability of sensitivity labeling built natively into Office apps on Mac, iOS and Android.  

 

Apps now supporting end-user driven sensitivity labeling includes:

  • Office for Mac: Word, PowerPoint, Excel & Outlook
  • Office mobile apps for iOS: Word, PowerPoint & Excel (Outlook coming soon)
  • Office mobile apps for Android: Word, PowerPoint & Excel (Outlook coming soon)

With these new capabilities, users can easily apply sensitivity labels to documents and emails – based on the labels defined by your organization. The experience is built directly into Office apps, with no need for any special plugins or add-ons. It looks and feels like the familiar Office experience, which makes it easy for workers to use.  

 

Applying sensitivity labels not only helps you protect company confidential information, but also plays an important role in addressing compliance obligations, such as GDPR. Suppose that someone in the HR department is working on an Excel file that contains personal information, such as employee mailing addresses. Knowing that this information should be protected and kept private, the worker can select a “Confidential-PII” sensitivity label while in Excel, and the label applies the appropriate protection settings as configured by the organization.

 

Simple and consistent experience for end-users

The screenshots below illustrate the end-user experience in Office apps on Mac. The Sensitivity drop-down menu makes it easy to view the available labels and select the appropriate option. The experience is similar across Word, PowerPoint, Excel and Outlook.

 

Apply sensitivity labels in Office apps on Mac – encryption, rights restrictions and visual markings can be applied, based on your label policy.

For Office mobile apps, the same set of sensitivity labels are available to users. No matter which device or platform they are working on, there is a consistent experience.

 

Easily apply same sensitivity labels in Office mobile apps on iOS…

 

…and in Office mobile apps on Android.

Once a sensitivity label is applied to a document or email, the label persists with the file, even if it travels to other locations, such as other devices, apps or cloud services. Your organization has the flexibility to customize its policy to apply different actions based on which label is selected, including encryption, restricting access to the file or applying visual markings to the document (such as headers/footers or a watermark indicating the file is confidential or contains sensitive information).

An email labeled “Highly Confidential” in Outlook for Mac get encrypted, and headers & footers are applied.

Administrators can also require users to provide a justification if they downgrade a previously applied sensitivity label – for example, changing a label from “Confidential” to “General”. This can be useful in keeping users accountable and maintaining an audit trail. You can also specify if a default label should be applied to new documents and emails. For example, you can set a “General Business” label to be applied by default, and then end-users can apply a different label based on the content they are authoring.

End-users can be prompted to provide a justification when downgrading a sensitivity label.

Sensitivity labels in documents and emails can also be understood by other apps and services. For example, if a “Highly Confidential” document resides on a Windows device, Windows Information Protection and Windows Defender ATP can work together to block the copying or sharing of content from that document to other locations on the device, such as personal email accounts or social accounts. Our growing ecosystem of partners using the Microsoft Information Protection SDK can also understand sensitivity labels and extend information protection to their own apps and services. 

 

Getting started and next steps

To use these new labeling experiences, you must first configure your organization’s sensitivity labels in the Office 365 Security & Compliance Center. Once configured, the labels become available in supported Office applications. If your organization has sensitivity labels configured in the Azure portal for Azure Information Protection, you will first need to migrate your labels to the Security & Compliance Center, and then the labels can be used by the updated Office apps. You can find more information on migration steps here.

 

To learn more about sensitivity labels in Office apps, review the documentation, which provides more information on supported apps and version numbers. Office 365 customers have access to the updated apps now, as of the January update.   

 

We’re excited to release these new capabilities to help you better protect your sensitive information. In the coming months we’ll expand sensitivity labels to additional Office apps and platforms, including Outlook for iOS and Android, Outlook on the web, Office apps on Windows and Office Online apps . Please check the Microsoft 365 roadmap for the latest information.

 

We also look forward to hearing your feedback; you can also engage with us and the community on Yammer or Twitter and provide additional feedback on UserVoice.

Updated May 11, 2021
Version 5.0
  • Chris Smith Here is a quick update to your question:

     

    1. In near future MIP sensitivity labels will apply to Containers {O365 groups, SharePoint site, Team}

    2. When the label is applied to container it will not cascade to each and every document under the Container

        Note: A container has all types of files where as MIP label applies to office file types and PDF

    3. What action/policies are applicable for containers?

       a. Privacy: Public vs Private

       b. Ability to allow/disallow adding guests to groups

       c. Ability to allow/disallow access and download from unmanaged devices {needs AAD P1 license}

  • ShaneOss's avatar
    ShaneOss
    Brass Contributor

    How do you change the font or make text bold in content marking for a sensitivity label? Thanks.

  • SvdMeulen's avatar
    SvdMeulen
    Copper Contributor
    Are security labels not working on Outlook for Mac? can someone verifiy So i was planning to implement this in our organization, using the new unified labelling client. Made a nice presentation to show this to management, and during the presentation, I send a restricted e-mail to one of my colleagues, containing: do not copy, forward, print etc. the default mail specific AIP label option with 'apply do not forward' (I published the default label from the admin portal) My colleague uses a Macbook, with a recent office for Mac. 16.22.1(190220) and no AIP or Unified labelling client. At first he was prompted for credentials as expected, but when he got access to the mail, he could copy text from the mail and forward the mail. Restrictions were visible on the mac, but also showed that everything was allowed. When forwarding to someone else with a windows machine, restrictions were applied as advertised, and the receiver could only reply. As i remember RMS from 2008r2 the restrictions are set on the client application. So i'm guessing this is a bug and a serious security risk for companies which use this in production.
  • Skyuk's avatar
    Skyuk
    Copper Contributor

    With the new SKU Azure Information Protection for Office 365 (included in O356 E3 and E5) is this a new name for Azure RMS? or will it also allow the ability to create and apply sensitivity labels. Its not very clear

     

    https://azure.microsoft.com/en-us/pricing/details/information-protection/

     

    If this new SKU does allow you to create sensitivity labels, can they be created in AIP (in the azure portal) or are you restricted to S&C, will these labels work in Office Pro Plus 

  • yoe_r's avatar
    yoe_r
    Copper Contributor

    is there any update regarding to Skyuk question?

     

    May we know is there any timeline, when it will work for outlook mobile app?

  • MartinZoller's avatar
    MartinZoller
    Brass Contributor

    Adam JungIs there any update on this article? We plan to migrate from AIP to UL, but mobile apps "is a must have" and I wonder when labeling capabilities for Outlook Mobile are also available?

     

    Thanks in advance!

     

    BR
    Martin