Previously I provided information on sensitivity labels within Microsoft 365. Recently Microsoft updated sensitivity labels to give them scope. Sensitivity labels can be applied to files and emails, but they can also be applied to SharePoint sites and Microsoft 365 groups. A sensitivity label can be created for both aspects of Microsoft 365 at the same time, but for this post and the next, I will be focusing on a single sensitivity label type. In this post, I’ll discuss and demonstrate creating a sensitivity label for files and emails. If you are looking to create a label that applies to both, you can use the information in this post together with the post “Creating a Sensitivity Label for Sites and Groups”. In the following steps, I am going to enable all of the options available for the sensitivity label. They do not all have to be enabled. Determine your needs and select the options accordingly.
Creating a Sensitivity Label for Files and Emails
- Starting from the Admin console, click on Compliance (alternatively, go to https://compliance.microsoft.com/homepage)
- Click on Show All and then Information Protection
- Click on Create label.
- Give the label a name and a meaningful description. The description provided acts like a tooltip for users. Click Next.
- Remove the checkmark beside the Groups & sites scope option so only Files & emails remains selected. Click Next.
- Place a checkmark beside “Encrypt files and emails” as well as “Mark the content of files”. Click Next.
Important: Selecting “Encrypt files and emails” will allow any users with access to the sensitivity label to further control access to the content. It is possible for a user to lock information owners out of content, so ensure proper training is provided if this option is enabled.
- Next select “Configure encryption settings”
Note: The option “Remove encryption if file is encrypted” can be selected instead. If this option is enabled, any encryption applied to content within the same tenant will be removed by this sensitivity label. However, the user that has this label made available to them must have the necessary rights within the tenant to do so. Required rights include:
- Export and Full Control within Rights Management
- Rights Management Issuer or Rights Management owner role within the tenant
- Super User within the tenant
- Next select either “Assign permissions now” or “Let users assign permissions when they apply the label”. Place check marks within the boxes for “In Outlook, enforce restrictions equivalent to the Do Not Forward option” and “In Word, PowerPoint, and Excel, prompt users to specify permissions” to provide sensitivity protection controls when the label is applied within the apps.
Alternatively, the option to configure the permissions within the label itself can be selected (“Assign permissions now”). A leading practice is to use a security group to control access at this point. Otherwise, updating access to a file that has the label applied will require the label to be removed and re-applied to the content after the label has been updated. Security groups can be updated dynamically without requiring the label to be updated.
- Enable the content marking option and select “Add a watermark”, “Add a header”, and/or “Add a footer”. Configure each that is selected.
- Next, you can optionally enable auto-labeling. This option will either encourage users (through a pop-up) to label all of the content (that isn’t already labeled) they edit or email, or it can be configured to apply the label automatically without a prompt.
Important: If you have configured your label to encrypt content, be very careful with this option. If it is set to apply automatically to all content, your content can very quickly become encrypted, and many users will likely be unable to access their documents.
- Click “Next” on the “Define protection settings for groups and sites” page (I will cover this in another post).
- Review your settings and click “Create label” when satisfied.
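The same label can also be created from Security & Compliance PowerShell, which keeps the chosen settings reviewable and repeatable. This is an added example, not part of the original walkthrough: the label name, tooltip and marking text are constructed placeholders, it uses the “Let users assign permissions when they apply the label” variant, and it leaves auto-labeling off.

```powershell
# Added example: scripted equivalent of the portal steps above.
# Assumes the ExchangeOnlineManagement module is installed and the
# signed-in account is allowed to manage sensitivity labels.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive sign-in to Security & Compliance PowerShell

# Constructed placeholder values; replace with your own.
$labelParams = @{
    Name        = 'Example-Confidential-Files'
    DisplayName = 'Example Confidential'
    Tooltip     = 'Example tooltip: use for internal files and emails that must stay restricted.'

    # Scope: files and emails only (Groups & sites left out).
    ContentType = 'File, Email'

    # "Encrypt files and emails" with "Let users assign permissions
    # when they apply the label" and both app check boxes enabled.
    EncryptionEnabled        = $true
    EncryptionProtectionType = 'UserDefined'
    EncryptionDoNotForward   = $true   # Outlook: Do Not Forward equivalent
    EncryptionPromptUser     = $true   # Word, PowerPoint, Excel: prompt for permissions

    # "Mark the content of files": header, footer and watermark.
    ApplyContentMarkingHeaderEnabled = $true
    ApplyContentMarkingHeaderText    = 'Example header: Confidential'
    ApplyContentMarkingFooterEnabled = $true
    ApplyContentMarkingFooterText    = 'Example footer: Confidential'
    ApplyWaterMarkingEnabled         = $true
    ApplyWaterMarkingText            = 'EXAMPLE CONFIDENTIAL'
}

# Auto-labeling is deliberately not configured here because of the
# encryption warning in the steps above.
New-Label @labelParams

# Read the label back and confirm scope and actions before anyone uses it.
Get-Label -Identity $labelParams.Name |
    Format-List Name, DisplayName, ContentType, LabelActions

Disconnect-ExchangeOnline -Confirm:$false
```

To assign permissions in the label instead, the cmdlet takes `-EncryptionProtectionType Template` together with `-EncryptionRightsDefinitions`, which is where the security group recommended above would be listed.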
Next we’ll cover sensitivity labels for sites.
Thanks for reading!