Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community

Best practice basics for Labels and DLPs to protect company data

Iron Contributor

Hello experts,


I've been doing some research and testing recently on Information protection and DLP as I would like to deploy it in our organization soon. I am very new into this and found lots of useful information, but still can't answer some very basics for this topic. Would be great to get some advise from ppl that has been using it already. Below are few points that I'm a bit confused and trying to find some clarification. We use exchange online and SharePoint as primary way to exchange information with our external partners. We are licensed with M365 E3 + M365 E5 Security 


  1. I will create 3-5 labels (based on my testing) and would like to have all documents labelled. For that reason, I would like to use a "default" label feature and have data labelled with that label (Internal) accessible only for internal users. Now, I could achieve it with configuring "Access Control" and allow "All users and groups in your organization" option. This is fine however I've found MS recommendation that default label should not be encrypting data. How can I then achieve that? I've seen advise to remove encryption for that label - but there is no option to remove encryption when configuring "Access Control" for specific users. Or should I just use that label to mark data and do not perform any action? and use DLP to block all emails/documents with Internal label to be shared outside organization?
    • one of the disadvantage I've noticed during testing was that "auto-save" for documents is disabled with encrypted label. I've found that enabling "co-authoring" on tenant should solve that - so I've enabled it and will be testing tomorrow.
  2. What is the best way to restrict access between departments within an organization? Should I use Label/Sublabel (e.g. Internal\Legal) approach, or utilize DLP somehow for it? What is the recommended way?
  3. I have configured "Confidential" label with "assign permission now" and used "All users and groups in your organization" option, and I cannot select this label in Outlook 365 (when I made it a default label, the email was selected, but when changed to another one and then tried to change back to Confidential, it did not work)
  4. I have configured "Restricted" label with "Let user assign permission..." and it works fine for documents (I get a pop up windows to provide allowed users). How this works with emails? Are "allowed users" taken directly from email recipients? As I do not get extra pop up window so I believe it works that way?
  5. we are a small company with quite a few external partners - and I would need to prevent emails for to be sent to by human error. Should I use labels access control for it? Or have kind of "external" label and use DLP to check for that label and maybe a subject that needs to mention abc and recipeint is to allow email externally?


These are few very basic questions that I was not able to find answer last few days... First two are a general ones, 3 and 4 are ones that I noticed during my testing.


Any advise on this would be great.



12 Replies
Have you looked into Information Barriers to prevent access between departments? I haven't used it, but it sounds relevant to this scenario.

I believe you are right about not using encryption for your default labels. DLP will be able to catch cases of items being shared externally in email or SharePoint.

In email, if you use a sensitivity label that applies encryption, the email sender and recipients will be able to decrypt. I believe this also explains why you can't use a label that has permissions already assigned.

thanks for the info .... Will have a look at Information Barriers...

about email - let me explain a bit more - When I create a new email, there is no label assigned. Now, I can assign public (it just label data, no encryption etc) and restricted (this one has access control that user should specify) etc. However, when I want to assign "Confidential" that is configured with "assign permission now" and permission is granted to "all user in organization only", this confidential label is not assigned to emails - it will not change from no label to confidential (outlook 365 app). So if I by mistake send email that should be labelled with confidential to external user, he will not be able to open it. ....Strange is that when I switch to New Outlook, I can assign confidential label to email with no issues....


Hi Sumo83, 


Bit of a post - but I will give my best advise on this.



Using access control does not encrypt your data, so that is not an issue for you, unless I misunderstood your question here. Using access control will limit the access to the document based on the permissions on the label.


Yes, I would use DLP to prevent the labeled data from being shared outside your org. 

Also co-author is required for "auto save" to be enabled, this also allows for collaboration as well on the item.



I would use access control for that. Imagine project labels that only allow specific users / groups to access the data. 


There is also the option for information barrier, but that comes with the cost of not being able to communicate or collab at all. Meaning no teams communication or anything is allowed. So for that reason I would go with access control 



Did you remember to publish the label as well? 



For permissions in outlook, it concerns the permissions "Do not forward" - "Encrypt only" options, where this is the permissions that is available for the user, creator of the mail, to manage




Yes, I would create a DLP policy that would manage this. Create a DLP policy, only select exchange and then start it out from this and built it. Something like this could work for you, in this picture I assume that you are 


Of course you can tie this to a label as well if you want to, but this should catch all, its very basic and leaves room for some changes.







so from what I can see - information barriers are quite restrictive, I can block access completely between departments (emails, teams, etc) which is not wat I want to do. My scenario would be more like: I have a LEGAL and HR department that are exchanging data that only these two departments can have access to. However, both departments can share some data with other departments.... This, as I understand, would not be possible with Information Barriers - as there is Allow / Block option only.

I was thinking about the two approaches below

1 - creating labels/sublabels like: Internal\LEGAL&HR in “Access Control” → and add those groups to have access to data labelled with it

2 - Or create an “Internal\LEGAL&HR” label and then DLPs with conditions to check label and groups and allow only if its for LEGAL and HR

not sure which would be more suitable... or recommended to use in my scenario :\ ... Or what issues will I face if I select any of those two

Still cant find an answer on question - can I remove encryption if I select "Control Access" for a label and want to specify groups? Some older info mention it can be removed - and from what I saw some videos, there was an ENCRYPT option before... But now I just can't find how to use that access restrictions without automatically encrypting the data when I use ""assign permission now""
Addressing your points in order.
1. You can use mail rules to block emails going out with certain labels on: - Also as you mentioned DLP rules can be used to remove external shares from labelled files.
2. You could have a label for that department. For example "Legal" and restrict access to only that department via a dynamic group. Be careful not to get too many labels using this approach. Try for 3-5 core labels as you mention then one or two at the most for each department (scoped only to that department). If you want to share them with others then have a "sharing" (sub) label that allows the users to define who gets the label. You could enforce any nuances with mail rules and DLP.
3. How soon after publishing these did you try in Outlook Online? They can take up to seven days to apply fully, some functionality may come before others.
4. Exactly that, the recipients get the required permissions (do not forward or encrypt only).
5. Ensuring labelling is appropriate for each partner should work. If the labels are encrypted for one partner and somebody accidentally emails them elsewhere, the recipient isn't going to be able to open them. Again, be careful of too many labels. There could be some mileage in configuring mail rules to say if this label (ABC company label) goes to "XYZ company" then block it.

@Terry Hugill 


thank you for the details... Its started to be more clear for me about how to achieve what I need...

FYI - blocking external sharing, I've created internal label with no restriction and I block to get it send outside via DLP, which seems to works fine.


Will consider about "internal/departmets" and "external/partners" sharing approach to avoid tons of labels :) .. For now, I believe a label with combination of DLP (checking for sending group and recipient) could work, but need to do more testing.


I have maybe one more question - is there any difference between when encryption is placed with a Label and when encryption is placed by DLP? From what I've found, there may be some "compatibility" issues with macOS or other OS - as our external partners have mix of devices, wondering whether any of those two options would be preferred.? 

Hi @JesperRaarup 

Not sure how I missed your post :) ... Thanks for your input.... All info will help me to point me the right direction.

Just one thing about the Point 1 - Enabling "Access Control" and encryption - As I can read on MS official site, it should indeed enable encryption if "Access Control" is used and "Configure access control setting" is selected - see the picture below. So I understand it that - if I use/enable this option - for example for "Confidential" label that would restrict access for groups that I select, it will also automatically encrypt the content (document, email, etc).. 


So as I understand - if I want to restrict access using within the Label configuration (Access control), it will restrict it to the users/groups etc that I specify, but will also encrypt it automatically?




would like to add one more thing - I have tried to configure a DLP that will check for CONFIDENTIAL label as condition & "is sent outside organization" ... no action configured.... and enabled user notification. I would expect that when adding an external email address to "To:" in email, the message will pop up before it is sent.... However, nothing is happening. Is that maybe an E5 license requirement?

Also, is there a way to create a user tip massage that would require to click kind of "CONFIRM" button before an email is sent? I'm looking to have a label that can be sent externally, but users must confirm it so that they are 100% aware they are sending these sensitive data outside the company....

PS: I have M365 E3 + M365 E5 Security addon
I guess I saw it in the past... but can't find any good info now....

@sumo83 it sounds like you need the option captured in the image. Make sure you check this out to understand the requirements. 17_00_42-Clipboard.png

thanks for pointing me into this. One of the very 1st - "Oversharing popup is an E5 feature.".... So will not work for me as I'm E3 only for now....
Fair enough. You can use tooltips then, just nothing to confirm.
I have one more question - I've selected a group of users that will be testing the configured labels, and I have noticed that the labels are not visible at all to other users.

That means, a label is applied by a user in testing group (lets say INTERNAL label) and another user that is not part of the testing group does not have an idea about the label applied. When he sents a document labelled as "INTERNAL", it is blocked and will receive a notification email (this is done through DLP).... Wondering, is this a standard behaviour? OR do I miss something here? .... If it is standard behaviour, than it looks like I can't just test labels with group of users without informing all about the ongoing testing... I expected that users that are not part of testing group will at least see the label applied to documents/emails.... which they are not....