Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
Announcing general availability of sensitivity labels with protection in SharePoint and OneDrive
Published May 04 2020 11:42 AM 37.1K Views
Microsoft

Microsoft runs on trust. With the growing digital data in your organizations and sophistication of online threats, it’s increasingly important to have intelligent security and simplified governance tools to safeguard your corporate data.

 

At Microsoft, our goal is to provide a built-in, intelligent, unified, and extensible solution to protect sensitive data across your digital estate – in Microsoft 365 cloud services, on-premises, third-party SaaS applications, and more. With Microsoft Information Protection (MIP), we are building a unified set of capabilities for classification, labeling, and protection not only in Office apps, but also in Microsoft 365 productivity services like OneDrive, SharePoint, Teams, and Exchange Online.

 

Sensitivity labels are central to how your business-critical data is protected using Microsoft Information Protection (MIP). You create a sensitivity label and associate protection policies like encryption and visual marking, then your end users simply label their important documents and emails. You can also be assured that the protection will persist with the file throughout its life cycle.

 

Today, we are excited to announce general availability of sensitivity labels with protection for Office files in SharePoint and OneDrive. This is one more step to providing you comprehensive protection across documents and emails in Microsoft 365 services.

 

Now your users can apply sensitivity labels, with protection policies, not just in Office apps on Windows, Mac, iOS and Android but also in Office on the web. Users will see sensitivity as an option on the ribbon of the Office on the web, and as the applied label name on the status bar.

 

PowerPointFileWithSensitivityLabelConfidentialApplied.png

 

Figure 1. Manual classification using sensitivity labels shown in PowerPoint web app when used in a browser

 

In addition, for files labeled and protected with encryption and stored in SharePoint and OneDrive, the following capabilities will empower your end users:

  • Coauthoring using Office web apps
  • Searching for content within these documents
  • Protection using encryption will persist even after the file is downloaded

 

For security and compliance administrators, Office 365 Data Loss Prevention (DLP) and eDiscovery will also work. Office 365 eDiscovery now supports full-text search for these label encrypted files. Office 365 Data Loss Prevention (DLP) policies cover content in these label encrypted files.

 

Getting Started

 

ComplianceCenterEnableFeature.png

 

Figure 2. The compliance center has new option to turn on this feature

 

As a Microsoft 365 customer, you can turn on this feature in the Microsoft 365 compliance center as shown above. To learn more about this feature, please read our feature documentation.

 

Let us know what you think, we are always open to feedback via UserVoice and continued dialog in the Security & Compliance community and SharePoint community in the Microsoft Tech Community.

 

If you are new to Microsoft 365, learn how to try or buy a Microsoft 365 subscription.

 

Lastly, as you navigate this challenging time, we have additional resources to help. For more information about securing your organization in this time of crisis, visit our Remote Work site. We’re here to help in any way we can.

 

FAQs

 

  1. What is the license requirement for using this feature?

Refer to the Information Protection section in Microsoft 365 security & compliance licensing guidance.

 

  1. I use AIP/RMS today, how can I take advantage of this new feature in SharePoint and OneDrive services?

Migrate to unified labeling solution using instructions here, then you can advantage of this feature. Learn more in our feature documentation.

 

  1. Is this feature supported in Files tab experience in Teams?

Yes, it is. Learn more in our feature documentation.

 

Thank you!

 

Sesha Mani, Principal Group Product Manager, Microsoft

 

 

 

 

 

 

 

 

 

 

11 Comments
Copper Contributor

This is huge news - I've been waiting for this since I saw the Microsoft Unified Labelling session at Ignite 2018!

Just activiated the feature in my dev tenant, and I have one question: it seems to me that it still isn't possible to create DLP policies based on sensitivity labels, is it? I remember this feature was announced some while ago, too.

Brass Contributor

What the timeline for policy enforcement? We have the AIP unified labeling client on the desktop with policy such as justification on label downgrade, mandatory label on save etc.

Copper Contributor

Is there a capability to manually classify a Team or a Sharepoint site and that would also classify all the files underneath?

 

I know there's automatic classification capabilities available which can classify files based on sensitive information type, but that works only based on content of particular file.

Brass Contributor

@Marko Lauren I would recommend to integrate Cloud App Security and the AIP Platform. This will allow you to create a file policy and select the required Document Library to set a label to all files. in there. To integrate AIP (works with Unified Labels) you can follow my post.

Copper Contributor

Hi @alschneiter , file policy using MCAS actually classifies and protects the files in SPO at rest, which ruins the collaboration use cases within O365. This new sensitivity labeling does it a bit differently and supports collaboration scenarios (co-authoring, etc..). 

Brass Contributor

Hi @Marko Lauren , Thanks for the hint. This is correct. Then indeed I would also like to get an answer of your question above :smile:.

Microsoft

Hello @Marko Lauren  and @alschneiter , thank you both for the question on classifying/labeling a site will classify/label all the files underneath. We are looking into this capability as our roadmap item and will share more info as we progress on that capability. 

 

As you mentioned, we do have auto classification capability based on rules based on sensitive info types. You can learn more here: https://aka.ms/SPOAutoClassification.

Brass Contributor

This is a welcome step forward. We have been piloting this and one capability still lacking is the support for custom permissions in those sensitivity labels. This has led to a disparate labeling experience between desktop and web. When do you intend to make it consistent?

Copper Contributor

Hello @Sesha ,
does this feature support Windows Explorer functionality "Classify and Protect" offered by AIP UL Client in SharePoint/ OneDrive?

 

Client

  • OneDrive (V2020 (Build 19.222.1110.0011))
  • AIP UL Client (V 2.6.111.0)

 

Thanks for your feedback and support.

Bronze Contributor

I wish expand this ability to code projects like Visual Basic, C# and in general in Visual Studio , so it also supports confidentiality and labelling and RMS support too.

I heard request where people really love these features but they are hope to see support for them in Visual Studio and of course labeling and protection would be different and there would be different use cases compare to what we see for normal documents since they are codes. 

Iron Contributor

Is it possible to "auto-label" all documents, but not the emails? I try do classify all documents as confidential, but the emails  not... 

Version history
Last update:
‎May 11 2021 02:03 PM
Updated by: