News

Sensitivity Labels Go Live for SharePoint and OneDrive Users

• By Kurt Mackie
• 05/06/2020

Microsoft announced on Monday that the ability to apply "sensitivity labels" to Office documents using the Microsoft Information Protection service is now at the "general availability" stage when labeling files stored in SharePoint and OneDrive.

With sensitivity labels, users of Office applications (such as Excel, PowerPoint and Word) have access to a so-called "Sensitivity" option that appears in the application's Home tab on the ribbon menu. It lets users apply classifications to documents using a drop-down list. Alternatively, classifications can be automatically assigned to documents.

Users of Microsoft 365 E3/A3 plans can use sensitivity labels, but getting the benefit to automatically classify documents appears to require Microsoft 365 E5/A5 licensing, per this Information Protection licensing guidance document. The fine print is shown in this chart (PDF download).

The classification applied using sensitivity labels follows the document and displays in the document's status bar. It will persist when users download files, search for content in a file or share documents using the Office Web Apps co-authoring feature, according to Microsoft's announcement.

Sensitivity labels can also be used to enforce document encryption or add watermarks to documents (such as adding the word "Confidential" to the body of the document or in the headers and footers), according to a Microsoft sensitivity labels document.

For classifying non-Office applications, there's the Microsoft Cloud App Security service, which lets organizations "detect, classify, label, and protect content in third-party apps and services, such as SalesForce, Box, or DropBox, even if the third-party app or service does not read or support sensitivity labels," according to the sensitivity labels document.

The use of sensitivity labels with the Microsoft Information Protection service represents Microsoft's latest direction. There's also an Azure Information Protection service, accessed from the Azure Portal, that's been used to apply labels on documents, but it's getting deprecated on March 31, 2021, according to the sensitivity labels document.

The metadata used by the Azure Information Protection service is compatible with the metadata used with the Microsoft Information Protection service, so documents don't need to get labeled a second time when switching services. It seems that the Azure Information Protection service is getting deprecated because it's not a cross-platform solution.

Here's Microsoft's explanation:

If you are using Azure Information Protection labels because your tenant isn't yet on the unified labeling platform, we recommend that you avoid creating sensitivity labels until you activate unified labeling. In this scenario, the labels you see in the Azure portal are Azure Information Protection labels rather than sensitivity labels. These labels can be used by the Azure Information Protection client (classic) on Windows computers, but can't be used by devices running macOS, iOS, or Android. To resolve this, migrate these labels to sensitivity labels.

Sensitivity labels were first introduced at the private preview stage almost a year ago, but now they are deemed by Microsoft as being ready for use in production environments.

However, sensitivity labels aren't yet available for so-called "national cloud" users, including U.S. government users, per the sensitivity labels document. There was no note on when they'd be available for these government users. Microsoft did indicate in a document that "we expect unified labeling will be available to Office 365 U.S. Government Community (GCC) services in the second half of 2020."