Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
SOLVED

‎Sensitivity Labels Office Web‎

Copper Contributor

I’m doing the first configurations to use sensitivity labels. I already have labels and policies, created and published using Office 365 Security & Compliance, and is working when i use Office on-premises. But in a first approach, i want to use on Office web (online), and is not working. The icon and respective labels doesn’t show up, and I thinks is related about a definition what i have in my tenant: EnableAIPIntegration = false

My questions are: I don’t know why is disable, because in new Tenant its comes enable by default. What is the impact for the user or other apps like SharePoint, Teams, Onedrive, or even what problems could appear if i enable this feature.

 

Any sugestion?

 

Thanks for your help.

6 Replies

@NunoMSilva Can you check this status in AIP?

 

JanBakker330_0-1608234954462.png

 

Hello,

Apart from turning on the unified Labels in the AIP portal you will need to use PowerShell. You will need to enable WINRM if your device is managed by Intune probably also. Refer here.

https://portal.azure.com.mcas.ms/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlad...

https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels-teams-groups-sites?view...

https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-settings-cmdlets

https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-assign-sensitivity-l...

I was than able to fully enable Sensitivity labels across everything.
All mine are working as of this morning. By the way the last two links are very important

Good luck

Hi,
I think my problem it'sdifferent. On office web, i don't have the "icon" to put the labels. And i know, if i run the command "Set-SPOTenant -EnableAIPIntegration $True" the icon show ups with respective labels. My question is, i dont know why is disabel, and wich the impact in my tenant.

Thanks for your help and time.

@JanBakkerOrphaned 

 

Hi,
Its enable.
Thanks for your time.

best response confirmed by NunoMSilva (Copper Contributor)
Solution

@NunoMSilva It is not enabled by default, because this would have an impact on all customers using AIP. The impact is described here.

 

After you enable sensitivity labels for Office files in SharePoint and OneDrive, for new and changed files that have a sensitivity label that applies encryption with a cloud-based key (and doesn't use Double Key Encryption:(

  • For Word, Excel, and PowerPoint files, SharePoint and OneDrive recognize the label and can now process the contents of the encrypted file.

  • When users download or access these files from SharePoint or OneDrive, the sensitivity label and any encryption settings from the label are enforced and remain with the file, wherever it is stored. Ensure you provide user guidance to use only labels to protect documents. For more information, see Information Rights Management (IRM) options and sensitivity labels.

  • When users upload labeled and encrypted files to SharePoint or OneDrive, they must have at least view rights to those files. For example, they can open the files outside SharePoint. If they don't have this minimum usage right, the upload is successful but the service doesn't recognize the label and can't process the file contents.

  • Use Office on the web (Word, Excel, PowerPoint) to open and edit Office files that have sensitivity labels that apply encryption. The permissions that were assigned with the encryption are enforced. You can also use auto-labeling for these documents.

  • External users can access documents that are labeled with encryption by using guest accounts. For more information, see Support for external users and labeled content.

  • Office 365 eDiscovery supports full-text search for these files and Data Loss Prevention (DLP) policies support content in these files.

@JanBakkerOrphaned 

I created a test Tenant, and i realized the definition is disabled by default. However to use Sensitivity labels i had to enable the configuration.
Thanks for your time and help.

1 best response

Accepted Solutions
best response confirmed by NunoMSilva (Copper Contributor)
Solution

@NunoMSilva It is not enabled by default, because this would have an impact on all customers using AIP. The impact is described here.

 

After you enable sensitivity labels for Office files in SharePoint and OneDrive, for new and changed files that have a sensitivity label that applies encryption with a cloud-based key (and doesn't use Double Key Encryption:(

  • For Word, Excel, and PowerPoint files, SharePoint and OneDrive recognize the label and can now process the contents of the encrypted file.

  • When users download or access these files from SharePoint or OneDrive, the sensitivity label and any encryption settings from the label are enforced and remain with the file, wherever it is stored. Ensure you provide user guidance to use only labels to protect documents. For more information, see Information Rights Management (IRM) options and sensitivity labels.

  • When users upload labeled and encrypted files to SharePoint or OneDrive, they must have at least view rights to those files. For example, they can open the files outside SharePoint. If they don't have this minimum usage right, the upload is successful but the service doesn't recognize the label and can't process the file contents.

  • Use Office on the web (Word, Excel, PowerPoint) to open and edit Office files that have sensitivity labels that apply encryption. The permissions that were assigned with the encryption are enforced. You can also use auto-labeling for these documents.

  • External users can access documents that are labeled with encryption by using guest accounts. For more information, see Support for external users and labeled content.

  • Office 365 eDiscovery supports full-text search for these files and Data Loss Prevention (DLP) policies support content in these files.

View solution in original post