Sensitivity labels from Microsoft Purview Information Protection offer highly effective controls to limit access to sensitive files and to prevent users from taking inappropriate actions such as printing a document, while still allowing unhindered collaboration. However, it’s still possible for users to take pictures of sensitive information on their screen or of a presentation being shared either online or in-person, and some forms of screen-shotting cannot be blocked with existing technology. This loophole presents an easy way to bypass protections that sensitivity labels enforce on a document.
We’re excited to announce dynamic watermarking, a new feature for sensitivity labels in Word, Excel, and PowerPoint, which will both deter users from leaking sensitive information and attribute leaks if they do occur. This feature is rolling out to a public preview, with full general availability planned for later in 2024.
When an admin enables the dynamic watermarking setting for a protected sensitivity label, files with that sensitivity label will render with dynamic watermarks when opened in Word, Excel, and PowerPoint.
Figure 1: Example of dynamic watermarking
These dynamic watermarks contain the UPN (email address) associated with the account being used to open the file, allowing for leaks to be tracked back to specific users. Users will be able to view, edit, and collaborate on their files as usual, but the watermarks will always be visible on top of their file content.
All users, except for the file’s owner, will only be able to open the file on Office clients that support dynamic watermarking. When a user attempts to open a file with dynamic watermarks on a version of Office that doesn’t support the feature, they will see an access denied message. Users who don’t have an Office client installed that is capable of dynamic watermarking should use Office for the web to work with watermarked files.
Visit the Microsoft 365 Insiders blog to learn more about the end-user experience.
When setting up a label in the Purview compliance portal, you can select “Use Dynamic Watermarking” when configuring encryption.
Figure 2: When setting up a label in the Purview compliance portal, you can select “Use Dynamic Watermarking” when configuring encryption.
You can also configure dynamic watermarking on a sensitivity label using the Set-Label cmdlet in PowerShell, which includes additional options for configuring the watermarks to contain an admin-defined string. Learn more about configuring sensitivity labels for dynamic watermarking here.
Microsoft
