Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community

Sensitivity label

Copper Contributor

We have setup Sensitivity label on SharePoint. Label policy allow users View content, Copy, and extract content. If a user copy and pastes the content to a new document, we want the user not be able to send this new document outside the organization. Is there a way to control the newly created document?  

4 Replies

Hello, @kpsingh69 

 

Thank you for posting your question!

 

To get a little more info to best help with this, can you help by answering the below?

 

  • Is there only one label deployed to users at this time?
  • Are you wanting to stop the file from being sent only if it contains sensitive data? Or stop it no matter the contents if it came from a labeled file?
  • Did you scope the encryption permissions to the entire organization, or a select set of users/groups?
Thank you for your response!
Is there only one label deployed to users at this time?
We have a SharePoint Library and there is only one label set for all the documents in this library.
Are you wanting to stop the file from being sent only if it contains sensitive data? Or stop it no matter the contents if it came from a labeled file?
We are able to setup a DLP policy if the document still has the label. The issue is that if the user copies/extracts the content to a new word file, the user can send this information out of the organization.
Did you scope the encryption permissions to the entire organization, or a select set of users/groups?
Select set of users

@kpsingh69 

 

So, the label has already been applied to all files in that library, or you set it as a default label for the library, meaning it is getting applied to all new and existing files?

 

The way you're going to best achieve this is by assigning this label as the default label through a policy, meaning any new document will automatically have that label applied the moment the file is created. This will make sure any content copied from the labeled file into the new document also has the label applied. However, this introduces issues where the default label is enforcing encryption. If you're just getting started with labels, you may want to consider something like the below configuration of labels and DLP. This is a sample table I keep handy when first working through label configurations to establish a baseline of security. The default label does not enforce encryption, meaning the wrong use cannot lock the file's encryption rights by applying a default label that enforces encryption, and DLP will keep that default label from leaving the organization.

 

Internal access should be more controlled based on where the file is stored and the settings configured on that storage location. When external access is needed, you then leverage the labels that protect the file to ensure only the right people can access the content, with the right level of permissions.

 

 

 

Name

Description

Example

Scope

Visual Marking

Encryption

Public

Data that is approved for public consumption

Marketing announcements, general public updates

Items (File, Email)

None

None

General

Business data that is not intended for public consumption - can be shared with external partners if necessary

Customer conversations that do not include sensitive info, Org chart, internal standards, internal communication

Items (File, Email)

 

 

General \ Unrestricted

Not intended for public consumption but can be shared with external partners if necessary

 

Items (File, Email)

None

None

General \ All Employees

If external access is needed should change to "General \ Unrestricted"

 

Items (File, Email)

None

None

Confidential

Sensitive information that can cause harm to the company if shared with unauthorized people

Contracts, security reports, sales account data

Items (File, Email)

 

 

Confidential \ Unrestricted

Confidential data that is not encrypted

 

Items (File, Email)

Footer - Confidential

None

Confidential \ All Employees

Confidential data that requires protection - full internal access - Data owners may track and revoke

 

Items (File, Email)

Footer - Confidential

All users and groups - Co-author

Confidential \ Trusted People

Confidential data that requires protection - Set to explicitly trusted people by owner - trusted users may re-share the content

 

Items (File, Email)

Footer - Confidential

Let users assign permissions:

- Outlook - Encrypt only

- Prompt users in Word, Excel, and PowerPoint

Highly Confidential

Very sensitive business data that would cause harm to the company if shared with unauthorized people

Employee / customer information, passwords, source code, unreleased financial reports

Items (File, Email)

 

 

Highly Confidential \ All Employees

All employees have full rights, data owners may track and revoke

 

Items (File, Email)

Footer - Highly Confidential

Watermark - HIGHLY CONFIDENTIAL

All users and groups - Co-author

Highly Confidential \ Specific People

Viewable only by specific people with specific access levels -  assigned by the owner

 

Items (File, Email)

Footer - Highly Confidential

Watermark - HIGHLY CONFIDENTIAL

Let users assign permissions:

- Outlook - Do Not Forward

- Prompt users in Word, Excel, and PowerPoint

 

Default Label Policy

 

Name

Labels to assign

Default Label

Justification?

Require a label

Numeric Default Label Policy - All Employees

All

General \ All Employees

Yes, require a justification to lower the classification or remove the label

No

 
 
DLP
 
miller34mike_0-1686671537450.png

 

 

So, the label has already been applied to all files in that library, or you set it as a default label for the library, meaning it is getting applied to all new and existing files?
The Label is getting applied to all new and existing files in the library
Thank you very much for your guidance! Let me try this.