Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
Sensitivity labeling now built into Office apps for Windows to help protect sensitive information
Published Sep 10 2019 01:39 PM 41.1K Views
Microsoft

Microsoft Information Protection solutions help you better protect your sensitive information, wherever it lives or travels – across devices, apps, cloud services and on-premises. Our goal is to provide a consistent and comprehensive approach to discovering, classifying, labeling and protecting sensitive data.

 

Earlier this year we released built-in sensitivity labeling in Office apps for Mac, iOS and Android. These capabilities enable users to easily apply sensitivity labels to documents and emails – based on the policies defined by your organization. The built-in labeling experiences are integrated directly into Office apps – there’s no need for any special plugins or add-ons.

 

We’re expanding to additional Office apps, and now sensitivity labeling is available in Office apps for Windows. With this release, end-user driven sensitivity labeling is now available in:

  • New! Office for Windows: Word, PowerPoint, Excel & Outlook
  • Office for Mac: Word, PowerPoint, Excel & Outlook
  • Office mobile apps for iOS: Word, PowerPoint & Excel (Outlook coming soon)
  • Office mobile apps for Android: Word, PowerPoint & Excel (Outlook coming soon)

The labeling experience in Office apps for Windows is similar to the labeling experience on other platforms – making it easy and familiar for your end-users. Once you define and configure your sensitivity labels and policies, the same labels are published out and made available across the supported Office apps.

 

The screenshots below show examples of the end-user experience in Office apps for Windows. Users select the Sensitivity drop-down menu to view the available labels and select the appropriate label. The experience is similar across Word, PowerPoint, Excel and Outlook.

Apply sensitivity labels in Office apps for Windows – your label policy will apply the configured protection actions, such as encryption, rights restrictions or visual markings.Apply sensitivity labels in Office apps for Windows – your label policy will apply the configured protection actions, such as encryption, rights restrictions or visual markings.

 

Applying sensitivity labels in Outlook for Windows is a similar experience.Applying sensitivity labels in Outlook for Windows is a similar experience.

 

An email labeled “Highly Confidential” in Outlook for Windows get encrypted, and headers & footers are applied.An email labeled “Highly Confidential” in Outlook for Windows get encrypted, and headers & footers are applied.

Getting started

Similar to publishing labels for use in other Office apps, you need to first configure your organization’s sensitivity labels in the Office 365 Security & Compliance Center or the Microsoft 365 Compliance center. If your organization has sensitivity labels configured in the Azure portal for Azure Information Protection, you will first need to migrate your labels to the Microsoft 365 Compliance center, and then the labels can be used by the supported Office apps. You can find more information on migration steps here.

 

You can also learn more about sensitivity labels in our documentation, and additional details on supported Office apps is including in this article. Sensitivity labeling in Office apps for Windows is rolling out now to customers who have Office 365 E3 or E5 (built-in sensitivity labeling is supported on the Office 365 Pro Plus version of Office), and the rollout is expected to be completed by the end of September or October, 2019.     

    

We’re excited to expand sensitivity labeling to Office for Windows, enabling more comprehensive protection of sensitive information across your environment. We plan to release sensitivity labeling in the Office apps for the Web and Outlook mobile soon. Please check the Microsoft 365 roadmap for the latest information.

14 Comments
Brass Contributor

Hi @Adam Jung - a few questions here please...

  1. I notice that you have your user name appear under in the Sensitivity client - this is shown as MeganB in bold, how do you get that to appear? Is that a setting or available in the AIP (UL) client by default in the next release? Would be interested to have it
  2. "Office mobile apps for iOS: Word, PowerPoint & Excel (Outlook coming soon)" - does this mean that if you have authenticator on your device (...iOS) for me), and the Word app - that is all you need? That is, the AIP Viewer app is not required as MIP is now built in natively to the Word, Excel, etc iOS app to render the encrypted/confidential file?

Details on the above would be appreciated - cheers

Microsoft

Hi @Joe McGiven Corban, including @Mike Paer who can hopefully help clarify. 

Microsoft

Hi @Joe McGiven Corban:

  1. The Sensitivity menu built-in to the Office for Windows applications always has the signed-in user's email address shown at the top of the menu. Because the Office for Windows applications support multiple accounts being signed in simultaneously, showing the email address in the menu helps clarify which organization's sensitivity labels are being shown. I don't believe the Azure Information Protection Unified Labeling client has this or plans to add it.
  2. Yes - the Sensitivity option is built-in to Word, Excel, and PowerPoint on iOS and Android. If you are signed in with your account that has Microsoft Information Protection unified labels set up, you should see the Sensitivity option in the app. You can read more about this in the Office documentation. These apps are capable of opening and protecting encrypted/confidential Office documents without the need for the AIP Viewer app.
Bronze Contributor

What will happen if there is an existing UL client installed on the machine? Will it show 2 'sensitivity' options or will one auto disable?

Microsoft

@Thijs Lecomte The Azure Information Protection unified labeling client can't run at the same time as the built-in labeling experience. More info at the bottom of this article. Scroll down to:

Will the built-in Sensitivity feature run alongside the Azure Information Protection client in Office for Windows?

No. The built-in Sensitivity feature is turned off if the Azure Information Protection client is loaded in Office for Windows. If you have the Azure Information Protection client installed, but you want to use the built-in Sensitivity feature instead, you can:

Steel Contributor

@Thijs Lecomte I believe UL client takes priority. I've just tested it on my devices and I needed to disable AIP add-in in Office desktop apps, (one by one... unfortunately, or you can do it via policies of course) and after reopening, the sensitivity button showed up again but now it's located after "Dictate". Android labels are showing up properly, Office web apps don't work yet :( I've noticed that in desktop apps the policy tips are not showing? Or is it only me?

Steel Contributor

Fantastic news, highly anticipated change, hopefully soon it will come out of the beta stage and we could use it in all Office apps on all platforms without to use any clients or agents. I'm an agentless admin, I don't do clients, agents, things that need to be installed via GPO or sitting in the tray and crashing or need to be signed in to work properly.

Brass Contributor

I've created several Sensitivity Labels and marked them as requiring justification to send to untrusted domains.

Now I want to define the domains which ARE trusted and so bypass the justification prompt using Set-LabelPolicy -Identity "Global" -AdvancedSettings @{OutlookJustifyTrustedDomains=" ..."}

 

Does this option imply subdomains are also trusted? In other words would -

 

Set-LabelPolicy -Identity "Global" -AdvancedSettings @{OutlookJustifyTrustedDomains="contoso.com"}

 

mean that emails to sales.contoso.com, finance.contoso.com etc. would NOT generate a justification prompt?

Copper Contributor

For me the sensitivity part is missing from all desktop applications. It show up online though, but not on desktop (windows). Any ideas what might cause this? I tried installing O365 again, but that did not do the trick.

Copper Contributor

I don't see a version listed in the article. What Office version was this where we can see the Sensitivity button? 1910 or thereabouts?

Microsoft

@JeffJubach yes, 1910 was the first version to introduce the Sensitivity button in the Office applications on Windows. This document explains the minimum versions for each sensitivity labeling capability on each platform.

Copper Contributor

@Mike Paer thanks so much For the quick response! That’s exactly the info I needed. :)

Brass Contributor

What is exactly applied from existing labels? I mean, we are underway to implement the UL client and have some labels and policies defined and assigned to a few pilot user groups. Now other people are in the process of the Office upgrade (version 2002 or newer) and find the new labels, although they are not member of any of the pilot groups for our information protection pilot. Hence, I wasn't expecting them to see any labels.

Also, what is the MS strategy/roadmap. Should we focus on the built-in client, or stay with the UL client? To me the UL client is more feature rich, especially when using powershell to manage labels and policies. And we already moved from AIP to UL client, should we now prepare for another switch? Seems like this project will never end, because we can't keep up with the changes...

Copper Contributor

I use sensitivity labels on a number of set of documents and run into a number of issues.

 

  • I just had a document with custom sensitivity protections to 187 users.  After about 160 I got an error message that the rms sizedefinitions was too large and no suggestion how to fix.  I'm guessing this relates to the number of users but I have had another label with 200 users.  (Diagnostic information: {Version:17.00.7971.004,Environment:CUSPROD,DeploymentId:326b150198174bdf98ef8cad64c99971,InstanceId:WebRole_IN_5,SID:4e9c8e21-5052-41b0-831e-c007982cc9bf,CID:1955a250-e9e1-4bd3-a740-8599ecd21fce} Time: Tue, 15 Feb 2022 18:50:58 GMT)
  • I have old sensitivity labels that are no longer in use.  It sounds like if I delete the label, the document is unprotected.  Is there a way to archive them so that the list is shorter?
  • When adding a number of users authorized for a label, is there a way to bulk load?

Overall, the labels have worked but have been clunky.  The older format/interface under Azure was easier, I thought, to create a label & add users, but more cumbersome to publish labels.  

 

Any help on those questions would be greatly appreciated.  Particularly, I am stuck on the RMS error and can't complete the label. 

 

Thank you!

 

Version history
Last update:
‎May 11 2021 01:55 PM
Updated by: