Sensitivity Labels without assigned permissions

%3CLINGO-SUB%20id%3D%22lingo-sub-671238%22%20slang%3D%22en-US%22%3ESensitivity%20Labels%20without%20assigned%20permissions%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-671238%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20together%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhen%20configuring%20AIP%20Labels%20in%20Azure%20Information%20Protection%2C%20it%20has%20been%20possible%20to%26nbsp%3B%3CSPAN%3Edon't%20select%20any%20users%20and%20select%26nbsp%3B%3C%2FSPAN%3EOK%3CSPAN%3E%26nbsp%3Bon%20this%20blade%2C%20followed%20by%26nbsp%3B%3C%2FSPAN%3ESave%3CSPAN%3E%26nbsp%3Bon%20the%26nbsp%3B%3C%2FSPAN%3ELabel%3CSPAN%3E%26nbsp%3Bblade.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EThe%20label%20is%20configured%20to%20apply%20protection%20such%20that%20only%20the%20person%20who%20applies%20the%20label%20can%20open%20the%20document%20or%20email%20with%20no%20restrictions%2C%20which%20is%20a%20use%20case%20at%20a%20customer.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EWhen%20configuring%20a%20sensitivity%20(universal)%20label%20in%20the%20Security%20%26amp%3B%20Compliane%20Admin%20Center%2C%20this%20seems%20to%20be%20not%20possible.%20As%20soon%20as%20you%20choose%20%22Encryption%22%2C%20you%20kind%20of%20have%20to%20assign%20at%20least%20one%20permission%20to%20be%20able%20to%20save%20the%20label.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EIs%20therefore%20the%20above%20%22Use%20Case%22%20not%20possible%20anymore%20with%20Sensitivity%20Labels%3F%20Or%20do%20I%20miss%20something%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-671238%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAIP%20Unified%20labels%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EInformation%20Protection%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESensitivity%20Labels%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-689218%22%20slang%3D%22en-US%22%3ERe%3A%20Sensitivity%20Labels%20without%20assigned%20permissions%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-689218%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F241024%22%20target%3D%22_blank%22%3E%40Patrick%20Steiner%3C%2FA%3E%26nbsp%3BIn%20the%20short%20term%2C%20once%20User%20Defined%20Protection%20is%20available%20in%20Unified%20Labeling%20a%20user%20should%20be%20able%20to%20select%20a%20label%20with%20that%20option%20and%20then%20choose%20the%20%22Only%20me%22%20option%20in%20the%20permissions%20dialog.%20This%20is%20being%20worked%20on.%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20is%20slightly%20different%20form%20a%20label%20with%20admin%20defined%20permissions%20that%20only%20grants%20permissions%20to%20the%20owner%2C%20since%20it%20requires%20two%20more%20clicks%20for%20the%20user%2C%20but%20it%20achieves%20the%20same%20result.%26nbsp%3B%3C%2FP%3E%0A%3CBLOCKQUOTE%3E%3CHR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F241024%22%20target%3D%22_blank%22%3E%40Patrick%20Steiner%3C%2FA%3E%26nbsp%3Bwrote%3A%3CBR%20%2F%3E%3CP%3EHi%20together%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWhen%20configuring%20AIP%20Labels%20in%20Azure%20Information%20Protection%2C%20it%20has%20been%20possible%20to%26nbsp%3B%3CSPAN%3Edon't%20select%20any%20users%20and%20select%26nbsp%3B%3C%2FSPAN%3EOK%3CSPAN%3E%26nbsp%3Bon%20this%20blade%2C%20followed%20by%26nbsp%3B%3C%2FSPAN%3ESave%3CSPAN%3E%26nbsp%3Bon%20the%26nbsp%3B%3C%2FSPAN%3ELabel%3CSPAN%3E%26nbsp%3Bblade.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EThe%20label%20is%20configured%20to%20apply%20protection%20such%20that%20only%20the%20person%20who%20applies%20the%20label%20can%20open%20the%20document%20or%20email%20with%20no%20restrictions%2C%20which%20is%20a%20use%20case%20at%20a%20customer.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EWhen%20configuring%20a%20sensitivity%20(universal)%20label%20in%20the%20Security%20%26amp%3B%20Compliane%20Admin%20Center%2C%20this%20seems%20to%20be%20not%20possible.%20As%20soon%20as%20you%20choose%20%22Encryption%22%2C%20you%20kind%20of%20have%20to%20assign%20at%20least%20one%20permission%20to%20be%20able%20to%20save%20the%20label.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EIs%20therefore%20the%20above%20%22Use%20Case%22%20not%20possible%20anymore%20with%20Sensitivity%20Labels%3F%20Or%20do%20I%20miss%20something%3F%3C%2FSPAN%3E%3C%2FP%3E%0A%3CHR%20%2F%3E%3C%2FBLOCKQUOTE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-721683%22%20slang%3D%22en-US%22%3ERe%3A%20Sensitivity%20Labels%20without%20assigned%20permissions%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-721683%22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F90352%22%20target%3D%22_blank%22%3E%40Enrique%20Saggese%3C%2FA%3E%20Thank%20you%20for%20your%20Response.%3CBR%20%2F%3E%3CBR%20%2F%3EIn%20that%20context%2C%20one%20Mouse%20Click%20-%20or%20in%20this%20case%2C%20one%20additional%20menu%20might%20mean%20%22the%20world%22%20for%20some%20end-users%20concerning%20usability%20and%20adoption%20to%20really%20use%20the%20label...%3CBR%20%2F%3E%3CBR%20%2F%3E...additionally%20it%20looks%20like%2C%20that%20a%20label%20configured%20in%20Azure%20Information%20Protection%20(without%20Permission%20configured)%20and%20synced%20as%20an%20%22Unified%20Label%22%20works%20as%20expected%20on%20a%20workstation%20with%20AIP%20Univeral%20Labeling%20Client%20installed.%20So%20the%20question%20is%2C%20why%20should%20it%20not%20be%20possible%20to%20create%20such%20a%20label%20in%20the%20Security%20%26amp%3B%20Compliane%20Admin%20Center%20directly%3F%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-768173%22%20slang%3D%22en-US%22%3ERe%3A%20Sensitivity%20Labels%20without%20assigned%20permissions%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-768173%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F241024%22%20target%3D%22_blank%22%3E%40Patrick%20Steiner%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20understand%20any%20inconsistency%20is%20a%20nuisance%2C%20but%20these%20are%20two%20different%20UIs%20built%20by%20different%20product%20teams%20(the%20UL%20management%20interface%20is%20part%20of%20Office%20365%2C%20not%20AIP%20itself)%2C%20and%20the%20UL%20UI%20has%20additional%20scenarios%20to%20consider%2C%20so%20it%20is%20understandable%20that%20there%20are%20and%20there%20will%20always%20be%20differences.%20That%20said%2C%20there's%20no%20specific%20reason%20why%20the%20UL%20UI%20would%20not%20have%20this%20same%20ability%2C%20so%20feel%20free%20to%20file%20a%20bug%20or%20a%20DCR%20against%20the%20Office%20365%20SCC%20portal%20to%20request%20that%20they%20add%20the%20ability%20to%20create%20a%20policy%20with%20protection%20but%20no%20rights%20assigned%20(other%20than%20to%20the%20owner).%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
New Contributor

Hi together

 

When configuring AIP Labels in Azure Information Protection, it has been possible to don't select any users and select OK on this blade, followed by Save on the Label blade.

The label is configured to apply protection such that only the person who applies the label can open the document or email with no restrictions, which is a use case at a customer.

 

When configuring a sensitivity (universal) label in the Security & Compliane Admin Center, this seems to be not possible. As soon as you choose "Encryption", you kind of have to assign at least one permission to be able to save the label.

 

Is therefore the above "Use Case" not possible anymore with Sensitivity Labels? Or do I miss something?

3 Replies

@Patrick Steiner In the short term, once User Defined Protection is available in Unified Labeling a user should be able to select a label with that option and then choose the "Only me" option in the permissions dialog. This is being worked on. 

This is slightly different form a label with admin defined permissions that only grants permissions to the owner, since it requires two more clicks for the user, but it achieves the same result. 


@Patrick Steiner wrote:

Hi together

 

When configuring AIP Labels in Azure Information Protection, it has been possible to don't select any users and select OK on this blade, followed by Save on the Label blade.

The label is configured to apply protection such that only the person who applies the label can open the document or email with no restrictions, which is a use case at a customer.

 

When configuring a sensitivity (universal) label in the Security & Compliane Admin Center, this seems to be not possible. As soon as you choose "Encryption", you kind of have to assign at least one permission to be able to save the label.

 

Is therefore the above "Use Case" not possible anymore with Sensitivity Labels? Or do I miss something?


 

@Enrique Saggese Thank you for your Response.

In that context, one Mouse Click - or in this case, one additional menu might mean "the world" for some end-users concerning usability and adoption to really use the label...

...additionally it looks like, that a label configured in Azure Information Protection (without Permission configured) and synced as an "Unified Label" works as expected on a workstation with AIP Univeral Labeling Client installed. So the question is, why should it not be possible to create such a label in the Security & Compliane Admin Center directly?

@Patrick Steiner 

I understand any inconsistency is a nuisance, but these are two different UIs built by different product teams (the UL management interface is part of Office 365, not AIP itself), and the UL UI has additional scenarios to consider, so it is understandable that there are and there will always be differences. That said, there's no specific reason why the UL UI would not have this same ability, so feel free to file a bug or a DCR against the Office 365 SCC portal to request that they add the ability to create a policy with protection but no rights assigned (other than to the owner).