Forum Discussion
Sensitivity Labels not working as expected
Hi experts,
I've been playing with sensitivity labels recently and I'm currently in the testing phase, with a few people testing it for me before I officially deploy to all. However, it looks like there are a few things that do not work as expected and I'm not sure why. Hope I can find some help here.
Here is what I have configured and what the experience is during our testing:
- Email should inherit sensitivity label from attachment
- I have label for documents set as required, and email is set to no default label and selected "inherit" label from attachment
- I have a "Confidential\View Only" label that has only the "View rights / Reply / Reply all" permissions allowed.
- Testing experience: For emails, when I attach a document with this label assigned, there is no restriction at all and I can forward, download, etc... and the recipient can forward with no issues. Looks like inheritance of label from attachments to email is not working at all. When I (as a recipient) download the attachment, I see that the document has restricted permissions (can't print, save, etc) so it looks like it is working on the document level.
- "Confidential\Internal" label should be blocked
- I can share with external users via SharePoint... and can even open it as external user with no issues at all. Neither label access control nor DLP prevents this!!! Is there something I miss here? Not sure if important - I have "MS Entra for Sharepoint enabled"
- DLP is configured to check SharePoint, Emails, OneDrive for "Confidential\Internal" for "content shared outside the organization" and "sensitivity label Confidential\Internal" and BLOCK it
- DLP works fine for emails with attachments labelled with this label, and it is blocked as expected
- Confidential\Internal is blocked in Outlook when trying to send email
- when I am sending an attachment with Confidential\Internal document in Outlook (New Outlook), I see a note about external users that need to be removed. When trying to send anyway, it is blocked and I get a message below. Which is great
- however, another two testers do not get this experience and their email is blocked with DLP (mentioned above) only - which is nice, but the experience I get is much better as users can correct recipients instantly (FYI - I am using NEW Outlook - need to check later this week with the testers if they are on Old or NEW one)
When I go through New Email > Options > Sensitivity - I can see the labels I configured
- sumo83 (Iron Contributor)
I have done some further testing with the results below:
Point 1:
- when I add the "Confidential\View Only" label to email, it works fine
- when I attach a file with "Confidential\Internal"... it is blocked fine.
- when I attach a file with the "Confidential\View Only" label assigned, it doesn't seem to inherit the label. The email is received unencrypted and can be forwarded with no issue.
- I've also noticed something else
- for Old (Classic) Outlook, when email inherits label from attachment, the label for the email message is set automatically to match attachment. So I can see what label was assigned to the email
- for New Outlook and Outlook Online, the label for the message is not applied - or it is not visible at least even if inherited - and the email looks like there is no sensitivity label applied (it has the "?" label visible which means no label)
Point 2:
- still can't figure it out
Point 3:
- works fine for New Outlook and Outlook online
- DLP kicks in for Old Outlook as it will not be prevented in Outlook itself, compared to the New Outlook
- sumo83 (Iron Contributor)
further testing:
point 1 and 3 - works fine on old Outlook. New Outlook doesn't seem to inherit labels. Not sure if this is a bug or why.
point 2 - still trying to figure out
- sumo83 (Iron Contributor)
ok... so I'm closing Point 2 as I realized there is probably no reason why an email that contains a link to a document in SharePoint - that has a sensitivity label applied - should be blocked. The external sharing is managed on SharePoint directly (file/folder level) so all fine here....
The only issue I can't figure out is - why email in NEW Outlook does not inherit label from attachment.
Any idea?.. is that a bug? Getting a bit frustrated on this as I need to deploy to all within 2 weeks 😕
- Gudjon_Vidar (Copper Contributor)
I had some problems with Rights Management and encryption on "Highly confidential", perhaps that is the issue?
- sumo83 (Iron Contributor)
well.. I already found answers, looks like:
1 - Email should inherit sensitivity label from attachment
- this doesn't work for NEW Outlook nor OUTLOOK Online. Got confirmation from MS tech support that this functionality is just not there
2 - "Confidential\Internal" label should be blocked
- after further thinking, I don't see a reason why Outlook (DLP) should block a link that points to a SharePoint document. The document sharing is managed on SharePoint level. So if I do not mark the email with label, the link itself does not provide info about sensitivity label applied on the document. At least, that's how I understand it now.... I could be wrong though 🙂. What is important for me -> when I attach document with INTERNAL label, the email is blocked by DLP... so I'm happy here..
3 - Confidential\Internal is blocked in Outlook when trying to send email
- this is just a different user experience for OLD and NEW Outlook. I like the NEW one here... as it's kind of like an E5 feature for old Outlook.
Anyway, I'm finishing testing phase and will deploy to all in 2 weeks from now... so hope all will be smooth 🙂
Thank you all for trying to help!
- sumo83 (Iron Contributor)
Hi...
been testing my labels that place an encryption to the documents (confidential data) and wondering whether you had to face the same issue?
When I share "confidential" labelled document to external user with google workplace, they are not able to open the document at all. Emails work fine via OTP, but documents not. From what I've read on MS sites, this is a known limitation as the app opening encrypted document needs to be able to work with them - which google docs apparently does not.
I am looking for some advice on how to deal with these situations....