General Availability: Microsoft Information Protection sensitivity labels in Teams/SharePoint sites
Published Jun 30 2020 08:40 AM

Ensure secure collaboration in a scalable way with Microsoft Information Protection

 

Microsoft Information Protection is a built-in, intelligent, unified, and extensible solution to protect sensitive data across your enterprise – in Microsoft 365 cloud services, on-premises, third-party SaaS applications, and more. Microsoft Information Protection provides a unified set of capabilities to know your data, protect your data, and prevent data loss across Microsoft 365 apps (e.g. Word, PowerPoint, Excel, Outlook) and services (e.g. Teams, SharePoint, and Exchange).

  

Microsoft Information Protection’s sensitivity labels are central to how your business-critical data is protected, in a persistent way, throughout its lifecycle. Labels can be applied to protect documents (e.g. to encrypt an Excel file) and to containers (e.g. to restrict access to a confidential team or site from unmanaged devices).

 

We recently announced the general availability of both manual labeling in Office apps across all platforms and of automatic labeling for documents stored in SharePoint and Teams.

 

Today, we are excited to announce the general availability of sensitivity labels for Teams, SharePoint sites, and Microsoft 365 Groups. You can now associate a sensitivity label with policies related to privacy, external user membership, and unmanaged device access.

 

With users constantly creating and sharing sensitive data in Teams and on SharePoint sites, this capability secures sensitive content holistically, whether it sits in a file or in a chat, by managing access to the containers that hold it. Together with manual and auto-labeling of documents on SharePoint and Teams, it helps you scale your data protection program to meet the proliferation of data and the challenge of secure collaboration while working remotely.

 

The first step to securing sensitive content in teams, sites, and groups is to create sensitivity labels with policies. For example, you can create a sensitivity label called “Confidential” and specify that any team, site, or group created with this label will be private, that even a team or site owner cannot add users external to the organization, and that unmanaged devices will be allowed web access only (browser access with no download, print, or sync).

 

Figure 1: Admin specifying access policies during label creation

 

Now a user creating a team or a site can choose from your published labels, and all the underlying policies apply automatically to that team or site. For example, if a user selects the “Confidential” label during team creation, the new team will automatically restrict access to approved members of the organization and prevent the addition of people external to the organization.

 

Figure 2: When the team owner applies the “Confidential” label, the team and its associated site are automatically set as private

 

After a user creates the team, the “Confidential” label appears in the upper-right corner of all channels within the team. If users visit the SharePoint site associated with the team, they will also see the “Confidential” label and all applied policies.

 

This capability enables you to protect sensitive content in a team or SharePoint site by managing people and device access to these containers. A container label governs access to the container, not the files inside it: a document downloaded from a “Confidential” team carries no protection of its own unless it has its own label. If you want to apply label-based encryption to protect individual documents stored in a team or SharePoint site, use auto-labeling or manual labeling. Together these Microsoft Information Protection capabilities enable organizations to scale their data protection programs across a vast amount of data.
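As an added example (not code from the original post), here is the same “Confidential” container label created and published from Security & Compliance PowerShell instead of the compliance center UI. New-Label, New-LabelPolicy and Get-Label are the real cmdlets; the label name, tooltip and policy name are illustrative, and the -ContentType scope parameter is a later addition that was not available when this post was published, so drop that line on a tenant that rejects it.

```powershell
# Added example, not from the original post. Creates the "Confidential" container label
# described above and publishes it. Assumes the ExchangeOnlineManagement module is installed
# and the signed-in account is a Compliance administrator.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession            # interactive sign-in to Security & Compliance PowerShell

$labelName  = 'Confidential'               # illustrative name
$policyName = 'Container labels - pilot'   # illustrative name

# Container (site/group) protection only; no file encryption or content marking.
# ContentType 'Site, UnifiedGroup' scopes the label to containers so it is not offered
# as a content label in Word or Outlook (the overlap the comments below describe).
$labelParams = @{
    Name        = $labelName
    DisplayName = $labelName
    Tooltip     = 'Private team/site, no guests, browser-only from unmanaged devices'
    ContentType = 'Site, UnifiedGroup'                       # later-added scope parameter
    SiteAndGroupProtectionEnabled                 = $true
    SiteAndGroupProtectionPrivacy                 = 'Private' # team/site is private
    SiteAndGroupProtectionAllowAccessToGuestUsers = $false    # owners cannot add external users
    SiteAndGroupProtectionAllowLimitedAccess      = $true     # unmanaged devices: web only
}
New-Label @labelParams

# Publish the label so it appears in the Teams and SharePoint creation dialogs.
New-LabelPolicy -Name $policyName -Labels $labelName -ExchangeLocation All `
    -Comment 'Container labels for Teams, SharePoint sites and Microsoft 365 Groups'

# Read back the settings that will be stamped on every new container, plus the GUID
# (ImmutableId) needed when applying the label with Set-SPOSite or Set-UnifiedGroup.
Get-Label -Identity $labelName | Select-Object DisplayName, ImmutableId, ContentType,
    SiteAndGroupProtectionPrivacy,
    SiteAndGroupProtectionAllowAccessToGuestUsers,
    SiteAndGroupProtectionAllowLimitedAccess
```

Exactly one of SiteAndGroupProtectionAllowFullAccess, SiteAndGroupProtectionAllowLimitedAccess and SiteAndGroupProtectionBlockAccess should be set to $true; the limited-access setting only takes effect once the tenant-wide unmanaged-device policy in SharePoint is the permissive AllowFullAccess, as the comments below explain.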

 

We are continuously expanding the capabilities of Microsoft Information Protection. You can see in this recent blog a summary of some of the investments we’ve made in the last two months. To learn more about the capability covered in this blog:

  • Read our online documentation with instructions to opt-in, configuration details, and links to a webinar with demos.
    • If you are using AAD classification, read this documentation for next steps
    • To see which apps and services support this capability, read this documentation page. To apply these labels on OneDrive, start here
  • This capability is included with Microsoft 365 E3 and Office 365 E3 plus AAD Premium P1 and above. Learn more about required licensing. If you are new to Microsoft 365, learn how to try or buy a subscription.
  • Please note that auto-labeling individual documents stored in team or SharePoint site requires either Microsoft 365 E5 or Compliance E5 or Information Protection & Governance E5 add-on SKU.

As you navigate this challenging time, we have additional resources to help. For more information about securing your organization in this time of crisis, visit our Remote Work site.

 

We’re here to help in any way we can.

 

Thank you!

 

Sesha Mani, Principal Group Program Manager, Microsoft 365 services

 

Tony Themelis, Principal PM Manager, Microsoft Information Protection

 

18 Comments
Brass Contributor

Thank you. 

 

"To see which apps and services support this capability, read this documentation page". - The link is broken and receiving "forbidden"

Microsoft

@Mohan Seenippandian  - the link is updated now, it is here, thank you for pointing that out.

Brass Contributor

@Sesha  I'm in the middle of implementing auto-labeling for SharePoint and OneDrive in our organization. The following are the requirements.

  1. Documents must be classified automatically when a user uploads a document to the SharePoint site - can do with auto-labeling, already tested.
  2. Content marking - any document classified must be stamped with watermarks; as I understand it, we cannot do this with auto-labeling. Any way to achieve this? Or even, why, when a user downloads the auto-classified document to the computer, can the user not see the watermarks that we have defined under labels? Is this because auto-labeling does not open the document when it stamps it with the label?
  3. To overcome the 2nd issue I have tried Word templates, but then auto-labeling doesn't work with .dotx. Will you be able to share a reference for all document types supported by auto-labeling? It seems PDF is also not supported.

Thanks. 

Copper Contributor

Thanks for the great description, this will be very useful for sites / teams handling confidential data. 

For restricting access to unmanaged devices using sensitivity label, does this require this feature to be enabled at the SPO access control level? Or it can be controlled at individual site, group or team level now?

Iron Contributor

Do you need a corresponding Session Control Conditional Access policy (Application enforced restrictions) for the unmanaged device settings to work?  

Microsoft

@Amit_Dobhal and @Chris_Clark_Netrix - Thank you for your compliment. For the unmanaged device access policy, yes, this needs to be enabled at the SPO Access Control level as permissive, i.e. Full Access, which will automatically create a conditional access policy in AAD. Then you can control it at the individual site level by using this sensitivity label.

 

Refer to this documentation for the further instructions on enabling unmanaged device policy in SharePoint: https://docs.microsoft.com/en-us/sharepoint/control-access-from-unmanaged-devices.
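Added example, not from the original post or the reply above: a SharePoint Online Management Shell check of the tenant-wide prerequisite the reply describes, followed by reading back what a labeled site actually received. The module and cmdlets (Get-SPOTenant, Set-SPOTenant, Get-SPOSite, Set-SPOSite) are real; the contoso URLs and the all-zero GUID are placeholders.

```powershell
# Added example, not from the original post or the reply above. Checks the tenant-wide
# prerequisite described in the reply and reads back what a labeled site received.
# Assumes the SharePoint Online Management Shell is installed; contoso URLs are placeholders.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# 1. Per-container unmanaged-device restrictions only take effect when the tenant-wide
#    policy is the permissive AllowFullAccess; setting it also creates the companion
#    Azure AD conditional access policy that delivers the app-enforced restrictions.
$tenant = Get-SPOTenant
if ($tenant.ConditionalAccessPolicy -ne 'AllowFullAccess') {
    Write-Warning "Tenant unmanaged-device policy is '$($tenant.ConditionalAccessPolicy)'; label-driven per-site restrictions need AllowFullAccess."
    # Set-SPOTenant -ConditionalAccessPolicy AllowFullAccess   # uncomment to apply
}

# 2. Inspect a site that was created (or later relabeled) with the "Confidential" label.
#    SensitivityLabel is the label GUID; ConditionalAccessPolicy should read
#    AllowLimitedAccess because the label carries the web-only setting.
$siteUrl = 'https://contoso.sharepoint.com/sites/finance'   # placeholder
Get-SPOSite -Identity $siteUrl -Detailed |
    Select-Object Url, SensitivityLabel, ConditionalAccessPolicy, SharingCapability

# 3. Applying the label to an existing site is done by GUID (ImmutableId from Get-Label);
#    the site's ConditionalAccessPolicy then follows the label instead of being set directly.
# Set-SPOSite -Identity $siteUrl -SensitivityLabel '00000000-0000-0000-0000-000000000000'
```

If step 1 warns, the label's limited-access setting is silently ineffective on every site it is applied to, so this check belongs in any deployment runbook for container labels.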

Microsoft

@Nip17 - thank you for your questions. On content marking, yes it is the current behavior that auto classified documents won't have content marking. We will take this feedback into consideration for future versions of the auto classification feature. For file types supported in auto labeling and additional details about this auto classification with sensitivity labels feature, please refer to this article: 

https://docs.microsoft.com/en-us/microsoft-365/compliance/apply-sensitivity-label-automatically?view...

Brass Contributor

@Sesha 

Can you please tell me the license requirement for auto-labeling? In the last Microsoft session I attended, it was mentioned that only a couple of M/O E5 licenses are needed and all other users require only M/O E3.

What Microsoft mentioned is that this auto-classification is an engine under admin control and would not necessarily require an end-user license.


Can you please help me urgently?

 

Thanks. 

Brass Contributor

We have a customer (a law office) concerned about employees downloading files from Teams and OneDrive and uploading them to their personal email address (@yahoo, @gmail, etc.).

 

Is there a way to restrict labeled files to be used only on corporate computers? Like an encryption where, even if the user copies it home, he cannot handle it.

 

Any help is appreciated.

Deleted

@Sesha @Tony Themelis  Thanks for the information. I have come across a problem when testing out the new container labels to Teams and SharePoint sites.

 

The issue arises because there is a common process to manage container and content labels. Any MIP labels you set up specifically to manage Teams sites to control guest access are visible when you apply labels to content, e.g. in Word or Outlook.

 

For example, for a client I was testing two MIP labels to manage their content, Public and Private. Public was just a label with a footer and Private had encryption with a footer. These were added to a label policy where the default label was Private.

 

I then created two new labels to manage guest access in Teams, Internal and External. Internal would block guest access and External would allow guest access. I did not want to provide any controls to manage content. These two labels were created under a separate label policy so I could set the default label to Internal.

 

When I created a new Team all was well, as the Internal MIP label was set as default and I could only see the two options, Internal and External.

 

However, when I went to apply a MIP label in an Office doc or Outlook and selected the sensitivity icon, I was presented with 4 labels: Public, Private, Internal & External. Internal & External had no controls and were set up just to manage Teams guest access, yet users could inadvertently select the label Internal and think that the system would provide relevant controls on the content, which it would not do.

 

It is possible to combine the label sets and reduce them to three:

  1. Public - add footer to content plus block external access in Teams
  2. Private/Internal - add footer and encrypt content plus block external access in Teams
  3. Private/External- add footer and encrypt content plus allow external guest access in Teams

This still increases the choices for an end user from 2 to 3 when labeling content, and if the client already has existing labelling in place then this is an additional change the client will need to make.

 

I have heard that Microsoft are looking to split content and container MIP labeling to mitigate this issue. Any ideas on timelines, or any other advice we can use in the short term?

 

 

 

Brass Contributor

@Deleted 

I have heard that Microsoft are looking to split content and container MIP labeling to mitigate this issue. Any ideas on timelines, or any other advice we can use in the short term?

Yes, you will be able to select the scope when you are creating the label, as shown below. I guess we can expect to see this before the end of this year. As always, @Sanjoyan Mustafi did a brilliant session yesterday about this; sorry, I can't find the link to the session.

 

[image: Scope.png]

 

It is possible to combine the labels sets and reduce to three :

  1. Public - add footer to content plus block external access in Teams. Why do you want to stop external access on the Public label? Normally a Public label will allow external access. I hope you mean Public = all internal staff except guests; if so, you can do it as below:

[image: 3.png]

2. Private/Internal - add footer and encrypt content plus block external access in Teams - yes, you can, as below:

[image: 1.png]

3. Private/External - add footer and encrypt content plus allow external guest access in Teams - yes, you can, as below:

[image: 2.png]

 

If I create these labels I will create them as follows:

1. Public - allow all staff + guests (Public - anyone in the organisation + let the O365 group owner add guests to the group)

2. Internal - allow all staff (Public - anyone in the organisation)

3. Confidential - allow only dedicated staff (Private - only members can access the site)

If you really want something like dedicated staff + dedicated guests, I would recommend going with a sub-label.

 

Hope I didn't misunderstand your question.

 

Thanks. 

 

Brass Contributor

@Renato Pereira 

Could you please explain a bit your business requirement, not the solution?

If your requirement is to stop unauthorised access to your data:

  1. Use unified labelling (AIP) to make sure only authorised person can use the data
  2. Use DLP to prevent users from sharing confidential data with unapproved stakeholders or third-party
  3. If you want to stop accessing data from untrusted locations, then use conditional access policy.

 

If you really want to stop staff uploading documents to Yahoo or Google and then downloading them to their personal computer at a later date to use the data, then, assuming the user is not allowed to access O365 org data beyond the org n/w (if yes):

Solution: use AIP, which will prompt for authentication when the user opens the document, and use a conditional access policy to stop access to data beyond your org n/w.

 

Please check AIP + DLP + conditional access policy for unmanaged devices and untrusted locations. If possible, MCASB will give you greater monitoring and control capability.

 

Thanks.

Brass Contributor

Hi @Nip17,

 

the customer concern is:

* Some employees use a laptop and some a PC;

* in both cases users should be able to handle .DOCX files in their daily routine.

 

If we use Exchange MAILFLOW RULES, we can detect some 'strange behavior' like users sending files as attachments to their personal e-mail address (@gmail.com, @hotmail.com, @yahoo.com, etc.) and then quarantine or just block, etc. Sometimes users just create a new e-mail in the MS Outlook Windows app and then add those files as attachments but do not send - just 'save and hold'; during the night at home they can access their account via https://outlook.office.com and then download the files.

I know that we can access https://compliance.microsoft.com/datalossprevention and create a new policy/rule for some file share, but the problem is if they upload/attach those files to their personal e-mail address using the web browser (the Gmail website, for example). Since their credentials are still valid, they can save locally on their home computer, open the file for editing, etc. But what about the copy saved in the local 'Downloads' folder? How to ensure that those files will be deleted after work? Is there a way to limit user logon/authentication to business hours?

 

How to limit uploads using a web browser? As far as I know the only way is to use antivirus with DLP rules or even a proxy/FW with DLP.

If these employees have access to a 'datastore' like a pen drive or even their mobile phone with a USB cable, how to prevent them from copying files? As far as I know we must block USB storage using antivirus.

 

Is there a way to limit on which 'device' they can manage those files? If we use an encryption solution, only allowed devices (with an installed key/certificate) would be able to open/handle those files.

 

A few months ago I created a support ticket with the MS O365 team about how to stop the OneDrive app from syncing personal accounts, because we found some guys copying from the OneDrive CORP account folder to the OneDrive PERSONAL account folder - they sent instructions about GPO and .ADMX files for that, but since that customer doesn't have local AD, we asked for more options and they sent REG KEYS to be used for that situation.

 

>>> As you can see, 'beginner' employees can copy data based on senior employees' effort!!!

 

* We also have a similar situation about protecting corporate data, where a customer has CAD project files to protect (Autodesk PowerMill and Machine Strategist files).

 

##############################################

If someone reading this needs it, here is the information about blocking the OneDrive app from syncing personal accounts:

##############################################

 

  1. Download the OneDrive Deployment Package (http://go.microsoft.com/fwlink/p/?LinkId=717805).
  2. Win > Run "%systemroot%\policyDefinitions", then drag & drop OneDrive.admx to this location.
  3. Go to "%systemroot%\policyDefinitions\en-us" and put OneDrive.adml there.
  4. Press Win + R and run GPEDIT.MSC.
  5. Click User Configuration > Administrative Templates > OneDrive > Prevent Users from synchronizing personal OneDrive account.
  6. Set it to Enabled.

 

Once this is completed, users can't sync a personal OneDrive. For users who have synced a personal OneDrive previously, unlink the personal OneDrive; they will then not see the OneDrive - Personal icon in File Explorer either.
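Added example, not part of the comment above and not the registry keys Microsoft support sent the commenter: the registry value that the GPO setting in the steps above writes, which is what you need on machines that are not domain-joined. The path and value name (HKCU\Software\Policies\Microsoft\OneDrive, DisablePersonalSync) are those defined by the OneDrive ADMX template; the function names are illustrative.

```powershell
# Added example, not from the comment above. Registry-backed equivalent of the GPO
# "Prevent users from synchronizing personal OneDrive accounts" for non-domain machines.
# The ADMX policy maps to DisablePersonalSync (DWORD 1) under the per-user Policies key,
# so this must run in each user's context (logon script, Intune PowerShell script, etc.).
$policyKey = 'HKCU:\Software\Policies\Microsoft\OneDrive'

function Set-OneDrivePersonalSyncBlocked {
    # Create the policy key if it is missing and set DisablePersonalSync = 1 (DWORD).
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    New-ItemProperty -Path $policyKey -Name 'DisablePersonalSync' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-OneDrivePersonalSyncBlocked {
    # Returns $true when the policy value is present and set to 1; usable as a compliance check.
    $v = Get-ItemProperty -Path $policyKey -Name 'DisablePersonalSync' -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.DisablePersonalSync -eq 1)
}

Set-OneDrivePersonalSyncBlocked
Test-OneDrivePersonalSyncBlocked
```

As with the GPO route, this only prevents new personal accounts from being added; a personal OneDrive that is already linked has to be unlinked separately.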

Brass Contributor

Hi @Nip17 ,

 

I don't know why my reply was lost.

 

With 'conditional' access, can we limit user accounts to be used only on corp devices? The main concern is users using their account on non-protected devices and also syncing corp data.

 

How to protect against, and prevent, users being able to upload documents to Gmail/Hotmail websites?

Brass Contributor

@Renato Pereira 

 

Yes, you can use a conditional access policy to check the IP address as well as whether the device is managed or not.

[image: alltrusted.png]

How to protect and avoid users to be able to upload documents to Gmail/Hotmail websites? 

As I mentioned previously, I don't think you need to worry that much about this if your documents are protected with AIP. When they email the document to themselves and try to open it from an unmanaged device, the CAP will kick in and block access. Furthermore, if you are using Intune you can use MAM and MDM to protect your applications such as Teams, SharePoint, etc. You can define rules that stop copying content from Teams to unmanaged applications such as Notepad, etc.

 

 

 

Brass Contributor

Hi @Nip17, thanks for the quick reply.

The concern is also with non-Office files, where users can upload online to MegaUpload, Dropbox, etc.

Can Intune handle this DLP on the upload process, or should we use an AV solution for that?

 

---

.3DM for Rhino;

.IGS for Rhino exported to Machine Strategist; 
.MCO or .MSA for Machine Strategist (or .PRG exported to CNC format).

---

Version history
Last update: May 11 2021 02:03 PM