Announcing co-authoring on Microsoft Information Protection-encrypted documents and labeling updates

Published Mar 02 2021 06:00 AM

Announcing co-authoring on Microsoft Information Protection-encrypted documents and labeling updates in Microsoft 365 Apps


Microsoft Information Protection (MIP) is an intelligent, unified, and extensible solution to protect sensitive data across your enterprise – in Microsoft 365 cloud services, on-premises, third-party SaaS applications, and more. MIP provides a unified set of capabilities to know your data, protect your data, and help prevent data loss across Microsoft 365 apps (e.g., Word, PowerPoint, Excel, Outlook) and services (e.g., Teams, SharePoint, and Exchange).


We are very excited to share the following new MIP capabilities for Microsoft 365 applications:  

  • Co-authoring and AutoSave on Microsoft Information Protection-encrypted documents
  • Client-based automatic and recommended labeling on Mac
  • Mandatory labeling requiring users to apply a label to their email and documents
  • Availability of audit label activities in Activity Explorer
  • Native support for variables and per-app content marking


Microsoft 365 Apps have built-in support for sensitivity labels on the Windows, Mac, iOS, Android, and web platforms. Sensitivity labels can be used in these applications without deploying the Azure Information Protection Client. The updates we are announcing today bring the Microsoft 365 Apps’ built-in labeling client one step closer to feature parity with the Azure Information Protection client, and they allow administrators to deploy advanced capabilities easily and securely as part of the Microsoft 365 deployment.


Co-authoring and AutoSave on Microsoft Information Protection-encrypted documents

In the past, encrypted documents could only be edited by one user at a time while co-authors were locked out. AutoSave would be disabled, and these documents couldn’t be opened in Word, Excel, or PowerPoint on the web.



Figure 1: AutoSave disabled for encrypted files



Figure 2: File in Use dialog when someone else had an encrypted document opened


In 2019, we took the first step to lift these limitations when we added support for sensitivity labeling in OneDrive and SharePoint. This made it possible for labeled and encrypted documents to be opened, edited, and AutoSaved in Word, Excel, and PowerPoint on the web for the first time. Multiple users could even edit these documents together if all co-authors used the web apps to do so. However, these files would still be locked for editing by others if opened by desktop or mobile applications.


Today, we’re excited to take a big step further and extend co-authoring and AutoSave support beyond the web and into the Microsoft 365 apps on the desktop (on Windows and Mac) – now available in preview! With this new unique capability, multiple people can now be co-authors on a Word, Excel, or PowerPoint document simultaneously, frictionlessly, with AutoSave, while maintaining the sensitivity labeling and document protections, across the web and desktop applications! Customers no longer have to choose between encrypting their sensitive documents and collaborating on them. As enhanced levels of remote work are likely here to stay, this capability will significantly enhance organizations’ ability to keep their sensitive content protected while enabling user productivity.

Figure 2: Co-authoring experience when protected document is opened in two different Microsoft 365 apps for Windows and Mac


Read more about how to enable this functionality in our official documentation.


Client-based automatic and recommended labeling on Mac

Client-based automatic and recommended labeling in Microsoft 365 Apps allows administrators to configure rules to detect sensitive content as users work with documents and emails. When sensitive content is detected, the Microsoft 365 Apps show a policy tip informing the user that the configured sensitivity label was automatically applied, or give the user the recommendation to apply the configured label, based on the administrator configuration.




Figure 3: Recommended labeling in Word application for MacOS


This capability has been available in Microsoft 365 Apps on the web, on Windows in the Current Channel (version 2006+), and Monthly Enterprise Channel (version 2009+), and now we’re excited to announce its availability on the Mac (version 16.44+) too!


If you are using Microsoft 365 Apps for Mac or wish to deploy this capability in your organization, review the documentation to configure automatic labeling as part of your deployed sensitivity label configuration. You can also review the end-user experience in this documentation: How Office automatically applies or recommends sensitivity labels.


Mandatory labeling requiring users to apply a label to their email and documents

A common feature customers use with the Azure Information Protection client is the ability to require users to apply a label to their emails and documents (“mandatory labeling”). This helps ensure that all documents and emails that are created or edited by users subject to this policy will be labeled. Some organizations choose to disable default labeling as part of the label policy, which encourages every user to think through and determine the appropriate sensitivity label from the company’s classification taxonomy to apply to each document or email they create.



Figure 4: User is required to apply the label in Word


We are excited to announce that this capability is now available, built-in within Microsoft 365 apps (Word, Excel, PowerPoint & Outlook) for Windows via the Current Channel (version 2102+), Mac (version 16.43+), iOS (version 4.xx), and Android (version 16..13628+). Support in the web applications is already available in Outlook Web App and will be available in Word, Excel, and PowerPoint on the web in the coming weeks as well.


Some organizations need the ability to configure this labeling policy differently for email workflows in Outlook applications. For example, you may require that users apply labels in documents, but not in emails, or you may want Outlook to apply a different default label to email messages than documents. These configurations were possible in the Azure Information Protection client, and we are now bringing support for these configurations to the Microsoft 365 Apps’ built-in labeling client as well. Specifically, Outlook on all platforms will begin to respect the Set a different default label for Outlook and Exempt Outlook messages from mandatory labeling settings in the coming weeks.

To configure your company label policy to require users to apply a label to their email and documents, please review the official documentation.


Availability of audit label activities in Activity Explorer

Another feature that is commonly used in the Azure Information Protection client is the central reporting of label activities. This was captured as part of Azure Information Protection Analytics in the Azure portal and is now also available in the M365 Compliance Portal as part of Activity Explorer.

We are now announcing that label activities are also audited when they take place in the various Microsoft 365 apps across all platforms, and this data is available to administrators in the Microsoft 365 Compliance portal as part of Activity Explorer. The capability is available in Microsoft 365 apps for Windows via Current Channel (version 2011+), Mac (version 16.43+), and the latest versions of the Word, Excel, and PowerPoint applications on iOS, Android, and web.


These audit logs include label activities such as when the label was applied, changed, removed, and more. The Activity Explorer already includes logs made available from Endpoint DLP, Cloud DLP, service-based auto-labeling, and the Azure Information Protection client.



Figure 5: Microsoft 365 apps label activity in the Activity Explorer


To use these auditing capabilities, you need to ensure that the Microsoft 365 audit log is enabled (as documented), that a version of Microsoft 365 apps that supports auditing is deployed, and that you own a Microsoft Information Protection license that supports accessing Activity Explorer. No further configuration or log storage setup (e.g. with Azure Log Analytics) is required.

Read all about it in the official documentation for Microsoft 365 apps and Activity Explorer as well.


Native support for variables and per-app content marking

Content marking is one of the basic functionalities that administrators enable with their sensitivity labels. We understand that content marking can’t always be static, pre-defined text, and sometimes it needs to be different between applications that have different use cases (for example, documents vs. presentations vs. email messages). Administrators require the flexibility to configure advanced capabilities with applied content markings that will fit the company requirements and use cases.

While the Azure Information Protection client supports such controls, the native Microsoft 365 apps didn’t support the same controls, which introduced inconsistent behavior... until now!


We are now excited to announce that native labeling in Microsoft 365 apps respects and honors the advanced content marking configurations such as variables and per-application content marking directives.



Figure 6: Header configured with variables. Footer is configured with different marking per app

This capability is already available as part of Word, Excel, and PowerPoint apps for Windows via Current Channel and Monthly Enterprise Channel (version 2010+), Mac (version 16.42+), iOS (version 2.42+), and Android (version 16.0.13328+) and is coming soon to web apps and Outlook clients across all platforms.


Read all about how to configure variables and per-app content markings as part of your sensitivity label configurations in the official documentation.



The Microsoft Information Protection platform now includes several updates for Microsoft 365 apps across all platforms (Windows, MacOS, iOS, Android, and web), offering consistent behavior and empowering admins with the flexibility required to achieve common use cases as part of a sensitivity label deployment.


Today, more than ever, it’s time to leverage the existing Microsoft 365 deployment to take advantage of built-in labeling with this rich set of capabilities across all platforms.


Read more about Microsoft Information Protection and the Microsoft 365 capabilities using these resources:

To learn more about other new Microsoft Information Protection capabilities we announced today, please click here.


Mike Paer, Principal Program Manager, Microsoft Office 365

Nir Hendler, Senior Program Manager, Microsoft 365 Engineering

Last update: May 11 2021 01:59 PM