In my previous post, I discussed configuring site sensitivity using Microsoft 365 MIP (Microsoft Information Protection) labels. In this follow-up, I’ll discuss site sensitivity label alerts, what is there automatically and what you need to configure.
Site Sensitivity Alerts for Content in a Sensitivity Labeled Site
Site sensitivity labels will not update any content that is added to the site. Labels and label policies can handle any default labeling that is configured for your site. Site sensitivity label alerts are both an automatic feature and a configurable component of information protection within Microsoft 365. In my last post, I created a new label called Internal Use Only. This label was placed in the center of the label distribution.
Remember, the position in the list defines the level of sensitivity of your content. The same goes for site sensitivity labels. This is why the planning of both content and site labels is so important. Looking at the screenshot above, we can see that Public and Internal Use are considered lower (or identical) in sensitivity compared to our site sensitivity label. Confidential – CC and below will be more sensitive. When a file is uploaded and it is more sensitive than the site, it is saved and an alert is generated. This alert is sent to the uploading user. It tells them that the file they uploaded (it provides the name of the file) is too sensitive for the site and provides some suggestions to rectify the problem.
IMPORTANT: Even if the user is a guest of the tenant, they will receive a notification.
This alert is important as it lets users know they have placed content in a site that may not have the necessary protections in place. For example, an organization may have content that is never to be released externally. It is labeled Confidential – Internal Only. That file is uploaded to a site labeled “External”, where the site label is placed higher (less sensitive) than Confidential – Internal Only. Placing the Confidential – Internal Only file into the site puts the content at risk because it is not blocked from sharing externally as the content itself requires. It also does not lock down external access. The email notification to the uploading user can notify them of this mistake.
Previously, using the classic audit log, administrators could configure notifications to be sent to other admins or interested parties when a document was uploaded that exceeded the site’s sensitivity. However, this option was removed when the classic audit log search was replaced by the modern, unified label search. Microsoft allows administrators to view this situation, known as “Detected document sensitivity mismatch”, but the ability to create an alert from the audit log is no longer there. Additionally, it is not possible to create it from the alert policy manager. I feel this is a huge miss by Microsoft.
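Since the events can still be viewed in the audit log, an administrator can pull them on a schedule and review them. The script below is an added example, not part of the original post: it assumes the ExchangeOnlineManagement module, an account permitted to search the audit log, and that the AuditData payload carries the usual SharePoint fields (`SiteUrl`, `SourceFileName`, `ObjectId`); the function name and CSV path are hypothetical.

```powershell
# Added example: list "Detected document sensitivity mismatch" events
# from the unified audit log for the last 24 hours.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

function Get-SensitivityMismatch {
    param(
        [datetime]$Start = (Get-Date).AddDays(-1),
        [datetime]$End   = (Get-Date)
    )

    # Audit operation behind "Detected document sensitivity mismatch".
    $records = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
        -Operations DocumentSensitivityMismatchDetected -ResultSize 5000

    foreach ($r in $records) {
        # AuditData is a JSON string; field names below are assumed
        # to follow the standard SharePoint audit record layout.
        $d = $r.AuditData | ConvertFrom-Json

        [pscustomobject]@{
            TimeUtc  = $r.CreationDate
            User     = $r.UserIds
            # Heuristic: guest (B2B) accounts carry #EXT# in the UPN.
            IsGuest  = ($r.UserIds -like '*#EXT#*')
            Site     = $d.SiteUrl
            File     = $d.SourceFileName
            ObjectId = $d.ObjectId
        }
    }
}

$hits = @(Get-SensitivityMismatch)

if ($hits.Count -gt 0) {
    # Show guests first, then oldest to newest.
    $hits | Sort-Object @{Expression = 'IsGuest'; Descending = $true}, TimeUtc |
        Format-Table -AutoSize

    # Keep a copy for whoever owns the affected sites (path is a placeholder).
    $hits | Export-Csv -Path .\sensitivity-mismatch.csv -NoTypeInformation
} else {
    Write-Output 'No sensitivity mismatch events in the selected window.'
}
```

Audit records can take some time to appear after the upload, so a scheduled run should use a window that overlaps the previous one.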
It is possible to both create alerts and, in fact, block the upload of content that has a higher sensitivity via Microsoft Cloud App Security. I’ll cover this in a future post soon.
Thanks for reading!!