
Consistent labeling and protection policies coming to Office 365 and Azure Information Protection

Companies across all different industries and regulatory environments need to protect their sensitive data and make sure it doesn’t get into the wrong hands. More than ever, data moves across locations, devices, apps, cloud services and on-premises environments. While data mobility has helped end-user productivity, it has also made protecting important data more challenging.  

  

Information protection capabilities in Microsoft 365 help you identify, classify, protect and monitor your sensitive data. We just announced several updates and enhancements that can help you achieve your security and compliance goals. As part of the announcement, we will be previewing a consistent labeling and protection model that will be used across Office 365 and Azure Information Protection.

 

The upcoming experience means that the same default labels can be used in both Office 365 and Azure Information Protection, and the labels you create in either of these services will automatically be synchronized across the other service – no need to create labels in two different places! For example, if you create a label in the Office 365 Security and Compliance Center for “Confidential – Personal Data”, this label will also appear in the Azure Information Protection admin portal. The consistent labeling model also helps ensure that over time, labels are recognized and understood across our information protection solutions – including Azure Information Protection, Office 365 Advanced Data Governance, Office 365 Data Loss Prevention, and Microsoft Cloud App Security.

  

At the same time, we will also be previewing a more consistent protection model. This means that there will be a common set of protection actions that can be applied based on your label policy – including encrypting labeled content and applying visual markings to content (for example, watermarks, headers, footers). As part of the preview, within the Office 365 Security & Compliance Center you will be able to configure both the label and protection actions in a single setup flow – create a label, apply protection settings based on the label, or even apply data retention settings. This will streamline the admin experience and bring more consistency to the policy and protection actions that can be configured within Office 365 and Azure Information Protection.

 


Example 1: Preview of the new label configuration experience in the Office 365 Security & Compliance Center. You can create a new label and then add protection or retention settings – in just a few simple steps.   

 


Example 2: Protection actions can include adding encryption.

 


Example 3: Retention actions can include how long to keep content and when to delete it.  

 


Example 4: You can also add visual markings to labeled content, such as a watermark, header or footer.

 

The consistent labeling and protection model will also make it easier for end-users to apply the appropriate sensitivity labels and protections while working on documents or sending emails. We are building labeling capabilities natively into the core Office apps – including Word, PowerPoint, Excel, and Outlook, and soon there will be no need to download or install any additional plug-ins. For example, if an end-user is working on a document that contains personal data, such as an employee ID number, they can easily select the appropriate label, such as “Confidential”, right within the app. We will start with a preview of the native labeling experience on Office apps for Mac and plan to extend similar native labeling capabilities to Office apps running on other platforms in the future (e.g. iOS, Android and Windows).

 

Also coming soon: Additional built-in sensitive information types to help detect and protect personal data

We currently have over 80 out-of-the-box sensitive information types that can be used to detect and classify your data. This includes several of the most common personal information data types, such as credit card numbers, national ID numbers and passport numbers. We will continue to add additional sensitive information types and plan to provide a GDPR template to help detect and classify personal data relevant to GDPR. While many of the existing sensitive information types are relevant to the GDPR, the upcoming GDPR template will help consolidate these into a single set and will also include several new personal data types (for example, addresses, telephone numbers, medical information). This will make it easier to configure the identification, classification and protection of GDPR related personal data. We’ll share more information on the availability of the upcoming GDPR sensitive information template as the details become available. In the meantime, you can get started with the existing sensitive information types or even create your own custom sensitive information types.

 

We’re excited to start previewing these new labeling and protection experiences with customers. You can register at the signup site if you are interested in participating in the preview. In the meantime, watch this short overview video to see some of the new capabilities in action. 

35 Comments

Finally! Been waiting to get my hands on this ever since we first saw it :)

This is awesome. Was waiting for this for a while now.

Thanks for this update great news!

" We will start with a preview of the native labeling experience on Office apps for Mac "

Really odd to see Microsoft as an Apple shop :)

Frequent Contributor

Is it possible to have two labels applied to the same document, for example:

- Confidential

- Financial Records - 7 years

Or does this new model only allow the combination:

- Confidential Financial Records - 7 years

If two labels cannot be applied, this will mean a potential expansion of combined labels, for example:

- General Financial Records - 7 years

- Confidential Financial Records - 7 years

- Highly Confidential Financial Records - 7 years

Regular Contributor

Do we also need to join the private preview to get the native labeling experience on Office apps for Mac? Or will it be released to the Insider ring?

 

Great already found my own answer...

New Contributor

What is the timeframe for this being available?

Microsoft

@Andrew Warland we are working through some of the specifics of the labeling model, but we plan to support parent/child label hierarchies, such that you could define a parent label such as "Confidential" and then have several child labels associated with this, such as "Finance", "HR", etc. This may address what you are looking for. 

Microsoft

@Ray Reyes we are currently in limited preview of the labeling experience and will let the community know when we expand the preview (when we either expand the limited preview or go to a full public preview). 

Frequent Contributor

@Adam Jung, I can see why, but I think you have misunderstood my point.

A records retention policy is unrelated to an information security policy. That is, the retention time for a record is rarely, if ever, governed by its sensitivity, but by compliance/legislative and business requirements to keep records.

A hierarchical model of information security classifications may make sense for some organisations but that is not what I mean.

What I mean is that both information security policies and retention policies will appear in the same listing under Classifications - Labels, and this could mean a VERY long listing for some organisations.

My question was, can you apply two separate labels to the same content, e.g., 'Confidential' (an information security restriction policy) and 'Financial Records - 7 years' (a records retention policy)?

If it's not possible to apply more than one label, then how do you manage labels for confidential financial records that have to be kept for only 3 years, versus confidential financial records that must be kept for 7 years? As far as I can see, you would have to combine both.

Mixing records retention policies and information security policies in one listing will make for a VERY long listing, even more so if we cannot apply more than one policy.

Regular Visitor

I can't wait till you implement also Telephone Regular Expression Pattern for Austrian cellphone numbers :)

Microsoft

@Andrew Warland thanks for clarifying. That requirement makes sense. Yes, we are looking at enabling two sets of labels - one for the purpose of applying sensitivity/protection, and the other for the purpose of retention. Then, if the customer wants to, they could have two labels applied to the same content (sensitivity/protection label and a retention label). We are still scoping which apps/locations will support multiple labels (e.g. within OneDrive for Business, SharePoint Online, Outlook, Office applications, etc.), so if you have any input on the most important apps that should support multiple labels, that would be useful.

Microsoft

@Reinhard Wimmer while Austrian cellphone numbers may not be part of our out-of-box sensitive information types, you could also consider creating your own custom sensitive information type. Customers often use this for data types that are unique to their organization (such as employee ID numbers, medical record numbers, etc.), but could be used for a variety of purposes. More information here: https://support.office.com/en-us/article/Create-a-custom-sensitive-information-type-82c382a5-b6db-44...

Occasional Contributor

@Adam Jung: I fully support the requirement of multiple labels as described by @Andrew Warland. Regarding the question which apps should support multiple labels: The concept of protection labels needs to be available in all apps, whereas retention labels are predominantly required wherever content is kept and retained in a managed way for longer periods of time: that's clearly SharePoint Online domain.

The key question however seems to be what will be the user interface to set labels? Today the user sets a protection label while editing the document within the Office app, that's a well accepted concept. We actually like the user experience of the labeling bar from the AIP client integrated into the Office apps.

Retention labels however are set through the SharePoint UI without actually opening the document, just like a metadata field. This concept is less accepted, that's why we'd prefer to inherit a retention label from a folder's/library's default label such that users don't have to be bothered too much.

If you unify the label experience for administrators, I was wondering what the unified USER experience is going to be like? This is really key for the overall acceptance of our protection and governance efforts. One thing is for sure: users just don't like to be bothered with this stuff, that's why the user experience has to be excellent or we might fail.

Frequent Contributor

Thanks @Adam Jung.

 

Your comment 'if you have any input on the most important apps that should support multiple labels' requires a multi-layered response that could differ between countries, jurisdictions and organisation type (especially government vs private sector), and even within different government levels.

 

The following is my view, based on working in the Australian legal context in a private sector organisation, with a long professional background in government at both the federal (where security classifications are critical) and local levels (where security classifications are rare), and in the private sector working with a range of records retention schedules. 

 

Can you confirm one thing - Will only the protection policies synchronise back to the Azure Information Protection (AIP) space, or will AIP also include retention policies?

 

Assuming they will work independently after being created (so a user can choose from either option), it would be really good if we can list these separately in the Security and Compliance > Classification area as well. Otherwise, the key three or four protection policies will get mixed in with a potentially very long list of retention policies.


In terms of which apps require multiple labels, I think all the Office apps (Word, Excel, PowerPoint) as well as new emails should display both labels when a new item is created.

 

Users would have the option to apply either a protection label or a retention label, subject to the next points.

 

Retention policies can be applied by a user but I agree with Harald Rau that this is not normally something that users would apply at the document level - see below.

 

Protection labels may be automatically applied to some new (and potentially received) documents and emails, based on the content. Where this happens, the user *may* (in certain circumstances) have the option to remove it (this would be defined in the label settings).

 

If a protection or retention policy is not applied by the user or automatically, it may 'inherit' either policy from the location where it is 'saved' or stored. For example, a specific protection and/or retention policy may be assigned to:

 

  • An Outlook folder or Office 365 Group mailbox
  • A SharePoint site (including O365 Group-based sites)
  • A SharePoint library in the site

We use Office 365 Groups for our projects; this would mean that we could apply the same retention period to both the project's O365 Group mailbox as well as its linked SharePoint site.

 

In all cases, I think the higher protection or longer retention applies if a lower protection or shorter retention policy was applied by the user.

For example:

 

  • A Confidential document saved to a Highly Confidential folder, site or library, is covered by the higher policy. (Some might disagree with this but it will end up the same as applying unique permissions to individual documents, which can get very complicated). 
  • A document without any retention period is automatically assigned the default retention period assigned to the library (or site).

And, of course, retention policies don't apply as long as there is an eDiscovery case, but re-start when the legal hold is lifted.

 

Those who work in different jurisdictions may have a different viewpoint.

Microsoft

@Andrew Warland thanks for this information. I'm going to share this with some other folks on the engineering team for review. We might reach out with a direct message to continue the conversation, additional feedback, etc. Thanks! 

New Contributor

Great news, when are we going to see this consolidation? And how do we prepare for it?

For the moment I still have two sets of functionality: 

- The AIP / Azure RMS is widely applicable, but protected documents are hidden from Office365 search and so on. AIP uses labels for sensitivity and does not do retention. The AIP client allows classification AND protection.

- The Office 365 DLP is only applied to data in Office365 and my AIP labels are not visible for use in Office365 DLP policies. Office 365 labels are for retention, and there are policies for DLP

When Azure Information Protection encryption is applied to files stored in Office 365, the service cannot process the contents of these files. Co-authoring, eDiscovery, search, Delve, and other collaborative features do not work. Data Loss Prevention (DLP) policies can only work with the metadata (including Office 365 labels) but not the contents of these files (such as credit card numbers within files).

 

The two sets of standard data protection templates seem to be different in Azure and Office365. So where do I start? AIP because I can handle legacy file servers and so on? Or Office365 because that is where the new stuff is going? 

 

I found this link about SharePoint and AIP but it is not really clear to me how it works https://docs.microsoft.com/en-us/microsoft-365/enterprise/protect-files-with-aip. 

 

Is there some kind of link if the name of the AIP label is Highly Confidential? 

Frequent Contributor

Is there a limit to the number of labels for a tenant?

New Contributor

I like the idea of using Security and Compliance Center to manage the labels, but I think there is a misperception that Data Classification/Protection is directly associated with Retention and Deletion Policies for documents. Combining the functionality into a single "Label" adds complexity and makes it more difficult to manage. Just because a document is "Confidential" and needs to be protected, does not mean that it always has a specific Retention policy.

 

In the real world Retention Policies for business documents are independent of Data Protection requirements, and if you have 4 Data Classifications and 10 different Retention Policies across your organization, this will require 40 Labels, and if different levels of Data Protection are required for each Classification, the complexity increases.

 

Like I said, having a common location to manage the different "Labels" is great, but I think additional use case studies are needed before combining them into a single entity.

Regular Visitor

Any update on when this will go to general availability? I've been watching the Mechanics Series and looking to follow these steps, however my E5 license doesn't seem to be able to bring up these features quite yet. I still see the:

- Name your Label
- Label Settings
- Review Your Settings

We're missing the:

- Protection Settings
- Retention Settings
- Advanced Options Settings
- Conditions for Auto Labeling

Is there another way to get to these tabs, or some setting I can change to get here? I am set up for First Release. Otherwise, any expectation of roll out?

Thanks, Ted

Microsoft

@Ted Green these capabilities are currently in limited preview. We don't yet have a definitive timeline for a public preview and general availability rollout, but hopefully a more expanded public preview will be available within a couple of months. We'll update with a new post when that happens.

Senior Member

@Adam Jung Any update on when the preview will be expanded or when you plan for GA? Also any additional licensing requirements?

Microsoft

We are targeting expanding the preview to a broader public preview within the next month or so. We'll provide more details here when that happens.

Senior Member

Thanks! And what (if any) licensing constraints will this have?

Microsoft

We don't have any changes or additional details to share on licensing at this time. We expect it to be fairly consistent with the current model in that when labeling content in Office 365, you need Office 365 E3 for manual labeling and Office 365 E5 for automated labeling. And for other locations, Azure Information Protection P1 for manual labeling and Azure Information Protection P2 for automated labeling. Again, more details to be shared as this gets closer to general availability. 

Regular Visitor

We too are facing the same issues regarding the need for separate labelling of sensitivity/protection versus retention as described by @Andrew Warland.  In our case, the number of combined sensitivity/protection and retention (and record flag) combinations is in the hundreds.    The currently proposed single label assignment scheme does not work for us. @Adam Jung please let us know the status of this.

Microsoft

@William Wilson yes we've received consistent feedback on separating retention vs. sensitive labels, and that's the direction we're heading.

Occasional Contributor

Hello,

 

Any update on whether we can use the consistent labeling with AIP for DLP? And also using SharePoint docs with AIP instead of IRM?

 

How to enroll in the preview program?

 

Thanks,

Yousef

Occasional Visitor

@Adam Jung, any possibility of being included in the early preview program?  We are currently assessing options and looking to determine whether to continue/enhance our Office 365 presence or look to alternatives that will provide appropriate records (documents) classification and governance (retention) within the next 6 weeks.  The Microsoft direction looks very promising, but unknown timeframes and capabilities when coupled with New York DFS hard timelines may require we explore alternatives.

Regular Visitor

I attended the O365 Meetup Group in Redmond last week, and I got the impression from one of the Microsoft speakers that this feature was coming "this year." The video of this working has been on the mechanics site for months now. Sorry, that's not great information, but it's the latest I've heard.

Microsoft

The limited preview is not currently taking additional customers. The exact timing for a broader public preview and general availability is not locked, but we are still targeting general availability later this year. 

Senior Member

Any updates around dates on this at all. Keen to have this option available as will greatly help and clean up the overall setup 

thanks

Julian 

Regular Visitor

Any update on timeline surrounding this? We are just getting into AIP right now and I'd love to avoid setting it all up now only to have to migrate it in a month.

Established Member

Any update on timeline? We are waiting for the protection option to implement data classification (retention less interesting to us but only option available today)

 

Microsoft

There was a blog on the general availability of this - please check this out: https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Announcing-the-availability-o...