Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
New labeling capabilities in Office apps helps you protect sensitive information
Published Jan 28 2019 12:30 PM 44.2K Views
Microsoft

At the last Microsoft Ignite conference we announced several capabilities to help you better protect your sensitive information, wherever it lives or travels – across devices, apps, cloud services and on-premises. Our goal is to provide a consistent approach to discovering, classifying, labeling and protecting sensitive data. Today we’re announcing the general availability of sensitivity labeling built natively into Office apps on Mac, iOS and Android.  

 

Apps now supporting end-user driven sensitivity labeling includes:

  • Office for Mac: Word, PowerPoint, Excel & Outlook
  • Office mobile apps for iOS: Word, PowerPoint & Excel (Outlook coming soon)
  • Office mobile apps for Android: Word, PowerPoint & Excel (Outlook coming soon)

With these new capabilities, users can easily apply sensitivity labels to documents and emails – based on the labels defined by your organization. The experience is built directly into Office apps, with no need for any special plugins or add-ons. It looks and feels like the familiar Office experience, which makes it easy for workers to use.  

 

Applying sensitivity labels not only helps you protect company confidential information, but also plays an important role in addressing compliance obligations, such as GDPR. Suppose that someone in the HR department is working on an Excel file that contains personal information, such as employee mailing addresses. Knowing that this information should be protected and kept private, the worker can select a “Confidential-PII” sensitivity label while in Excel, and the label applies the appropriate protection settings as configured by the organization.

 

Simple and consistent experience for end-users

The screenshots below illustrate the end-user experience in Office apps on Mac. The Sensitivity drop-down menu makes it easy to view the available labels and select the appropriate option. The experience is similar across Word, PowerPoint, Excel and Outlook.

 

Apply sensitivity labels in Office apps on Mac – encryption, rights restrictions and visual markings can be applied, based on your label policy.Apply sensitivity labels in Office apps on Mac – encryption, rights restrictions and visual markings can be applied, based on your label policy.

For Office mobile apps, the same set of sensitivity labels are available to users. No matter which device or platform they are working on, there is a consistent experience.

 

Easily apply same sensitivity labels in Office mobile apps on iOS…Easily apply same sensitivity labels in Office mobile apps on iOS…

 

…and in Office mobile apps on Android.…and in Office mobile apps on Android.

Once a sensitivity label is applied to a document or email, the label persists with the file, even if it travels to other locations, such as other devices, apps or cloud services. Your organization has the flexibility to customize its policy to apply different actions based on which label is selected, including encryption, restricting access to the file or applying visual markings to the document (such as headers/footers or a watermark indicating the file is confidential or contains sensitive information).

An email labeled “Highly Confidential” in Outlook for Mac get encrypted, and headers & footers are applied.An email labeled “Highly Confidential” in Outlook for Mac get encrypted, and headers & footers are applied.

Administrators can also require users to provide a justification if they downgrade a previously applied sensitivity label – for example, changing a label from “Confidential” to “General”. This can be useful in keeping users accountable and maintaining an audit trail. You can also specify if a default label should be applied to new documents and emails. For example, you can set a “General Business” label to be applied by default, and then end-users can apply a different label based on the content they are authoring.

End-users can be prompted to provide a justification when downgrading a sensitivity label.End-users can be prompted to provide a justification when downgrading a sensitivity label.

Sensitivity labels in documents and emails can also be understood by other apps and services. For example, if a “Highly Confidential” document resides on a Windows device, Windows Information Protection and Windows Defender ATP can work together to block the copying or sharing of content from that document to other locations on the device, such as personal email accounts or social accounts. Our growing ecosystem of partners using the Microsoft Information Protection SDK can also understand sensitivity labels and extend information protection to their own apps and services. 

 

Getting started and next steps

To use these new labeling experiences, you must first configure your organization’s sensitivity labels in the Office 365 Security & Compliance Center. Once configured, the labels become available in supported Office applications. If your organization has sensitivity labels configured in the Azure portal for Azure Information Protection, you will first need to migrate your labels to the Security & Compliance Center, and then the labels can be used by the updated Office apps. You can find more information on migration steps here.

 

To learn more about sensitivity labels in Office apps, review the documentation, which provides more information on supported apps and version numbers. Office 365 customers have access to the updated apps now, as of the January update.   

 

We’re excited to release these new capabilities to help you better protect your sensitive information. In the coming months we’ll expand sensitivity labels to additional Office apps and platforms, including Outlook for iOS and Android, Outlook on the web, Office apps on Windows and Office Online apps . Please check the Microsoft 365 roadmap for the latest information.

 

We also look forward to hearing your feedback; you can also engage with us and the community on Yammer or Twitter and provide additional feedback on UserVoice.

17 Comments
Silver Contributor

I have last time tried AIP in Office 365 ProPlus (Windows) maybe a year or so ago. At that point i had to install AIP addone to Office to get labels and it was very buggy (apps loading longer, visual glitches in Outlook). I wonder if it is already included with base Office setup, like it is now in iOS/Mac/Android versions or do we have to install add-ons still?

Steel Contributor

You still require the AIP client for Windows Office apps - for now.

Microsoft

Hi Oleg -- we do not yet support the equivalent native manual sensitivity labeling functionality in the Office 365 ProPlus apps on Windows, so for now, the Azure Information Protection (AIP) add-in still needs to be installed to enable this functionality there. But we are making good progress building and testing that functionality, and we'll be sure to announce when it becomes available.

Are you also think on a kind of "autoupdate" for both the AIP client and the AIP Add-in in Office? I don't see any information here about SharePoint Online integration and specifically how the label applied can be surface as document metadata in a document library: any updates here?

Steel Contributor

Hi Juan - The labels are defined in the S&C centre and are then available to SharePoint document libraries etc - if your policy targets them. You can apply a default label to a document library in Settings of that library, or include the Label column in a view wherein you can choose one of your defined labels on a document by document basis. 

 

Mmmm...you can do that with the retention labels, but no with the sensitivity ones....I'm talking here about the sensitiviy labels and how to integrate then with out any trick (there were some for AIP labels) in SPO document libraries, so when you apply a label in a word document and save it in SPO, a column in the SPO document library is also updated

Steel Contributor

Ah - got you

 

Microsoft

I'm talking here about the sensitiviy labels and how to integrate then with out any trick (there were some for AIP labels) in SPO document libraries, so when you apply a label in a word document and save it in SPO, a column in the SPO document library is also updated

A “Sensitivity” column is being added to SPO document libraries, but this is not available yet in production (and we don’t have an ETA to share quite yet). But it’s in the works!

Steel Contributor

Thanks @Mike Paer  - what about classifying an office 365 group or Microsoft Team (and associated Sharepoint documents) with a given classification. Can that be setup so by default any new document saved in that location inherits the sensitivity label there, and persists? I've seen documentation about applying a sensitivity label to a Microsoft Team, but doesn't seem to be 100% there.  Is this how it's supposed to work, when it does roll out to production? 

 

Something like described here, only these classifications are on AzureAD and/or O365 Groups, so I'm not sure these are actually integrated yet. https://docs.microsoft.com/en-us/office365/enterprise/manage-office-365-groups-with-powershell  Will the Microsoft Teams (and Sharepoint) be tied to these unified sensitivity labels from the Security & Compliance Center? 

 

I think what I'm looking for is basically a combination of this article of the tools (office on ios/mac/android and soon ProPlus for Windows), the above article and this discussion: https://techcommunity.microsoft.com/t5/Microsoft-Teams/How-to-use-Microsoft-Teams-classification/m-p...

@Juan Carlos González Martín  do you have any information on this? I saw you as a contributor to the disucssion on that Microsoft Teams classification thread mentioned above. Thanks all, exciting that this is almost there and ProPlus components are coming soon too!

@Chris Smith Here is a quick update to your question:

 

1. In near future MIP sensitivity labels will apply to Containers {O365 groups, SharePoint site, Team}

2. When the label is applied to container it will not cascade to each and every document under the Container

    Note: A container has all types of files where as MIP label applies to office file types and PDF

3. What action/policies are applicable for containers?

   a. Privacy: Public vs Private

   b. Ability to allow/disallow adding guests to groups

   c. Ability to allow/disallow access and download from unmanaged devices {needs AAD P1 license}

Brass Contributor

How do you change the font or make text bold in content marking for a sensitivity label? Thanks.

Microsoft

@ShaneOss: today, you can only configure font size, font color, and text alignment in the content marking settings within the Security & Compliance Center:

Content marking options in Security & Compliance CenterContent marking options in Security & Compliance Center

Copper Contributor
Are security labels not working on Outlook for Mac? can someone verifiy So i was planning to implement this in our organization, using the new unified labelling client. Made a nice presentation to show this to management, and during the presentation, I send a restricted e-mail to one of my colleagues, containing: do not copy, forward, print etc. the default mail specific AIP label option with 'apply do not forward' (I published the default label from the admin portal) My colleague uses a Macbook, with a recent office for Mac. 16.22.1(190220) and no AIP or Unified labelling client. At first he was prompted for credentials as expected, but when he got access to the mail, he could copy text from the mail and forward the mail. Restrictions were visible on the mac, but also showed that everything was allowed. When forwarding to someone else with a windows machine, restrictions were applied as advertised, and the receiver could only reply. As i remember RMS from 2008r2 the restrictions are set on the client application. So i'm guessing this is a bug and a serious security risk for companies which use this in production.
Copper Contributor

With the new SKU Azure Information Protection for Office 365 (included in O356 E3 and E5) is this a new name for Azure RMS? or will it also allow the ability to create and apply sensitivity labels. Its not very clear

 

https://azure.microsoft.com/en-us/pricing/details/information-protection/

 

If this new SKU does allow you to create sensitivity labels, can they be created in AIP (in the azure portal) or are you restricted to S&C, will these labels work in Office Pro Plus 

Copper Contributor

is there any update regarding to @Luke Smith question?

 

May we know is there any timeline, when it will work for outlook mobile app?

Brass Contributor

@Adam JungIs there any update on this article? We plan to migrate from AIP to UL, but mobile apps "is a must have" and I wonder when labeling capabilities for Outlook Mobile are also available?

 

Thanks in advance!

 

BR
Martin

Microsoft

@yoe_r & @MartinZoller - information about what sensitivity labeling functionality is available in which apps/platforms is now available in this documentation: https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels-office-apps

Version history
Last update:
‎May 11 2021 02:03 PM
Updated by: