SharePoint Library IRM Protection and Office 365 Sensitivity Labels

Old Approach Should be Replaced by Sensitivity Labels

With support for Office 365 sensitivity labels is available in SharePoint Online and the Office Online apps (in preview, expected to be generally available very soon), it’s a good opportunity to consider how you should protect SharePoint Online content in the future. The choice is to continue by applying Information Rights Management (IRM)-based protection to document libraries so that documents are encrypted when downloaded or to go all in with sensitivity labels.

IRM-based protection requires a tenant to enable rights management for SharePoint Online before libraries can be protected. Once this is done, you can go to the Information Rights Management section of library settings and configure protection (Figure 1).

Setting up IRM protection for a SharePoint Online document library
Figure 1: Setting up IRM protection for a SharePoint Online document library

After IRM is enabled for a library, any PDF or Office document file will be encrypted when downloaded. The encryption uses rights management to ensure that only people with access to the library can open the downloaded files.

Only One Go-Forward Option

Office 365 sensitivity labels are the preferred way to protect content stored in SharePoint Online and OneDrive for Business. They are more flexible and powerful than the traditional approach of protecting SharePoint libraries with IRM. The advantages of sensitivity labels include:

  • Support for labels in a wide range of clients including desktop, browser, and mobile apps. Figure 2 shows how to apply a sensitivity label to a document through Word Online.
  • Labels can apply visual markings to content in addition to protection.
  • Because rights management underpins labels, granular control is available to determine who can do what with a file.
  • Labels become part of the metadata of files and messages and protection travels with content as it moves between libraries or in and out of Office 365.
  • Labels can be applied to email and documents automatically (by label policy, Data Loss Prevention policies or transport rules) or manually (by users).
  • Labels can be used to assign classifications to Office 365 Groups, Teams, and SharePoint containers.
  • Documents protected by sensitivity labels support advanced features like co-authoring (with Office online apps).
  • SharePoint Online populates a sensitivity column to show the label applied to files (the column is not available in OneDrive for Business).
  • Documents and messages protected by sensitivity labels are indexed by Office 365. This means that protected content can be found by Office 365 content searches and eDiscovery.

Some of these features are still in preview, like the support in SharePoint Online, but they are coming and will be generally available very soon.

 Office 365 Sensitivity Labels applied to a document in Word Online
Figure 2: Office 365 Sensitivity Labels applied to a document in Word Online

The benefit of traditional SharePoint “protection on download” is that encryption is automatically applied when files are downloaded from a library, meaning that users don’t have to think about applying a label to documents. Only people with access to the library can access the files.

The long-term strategy for any Office 365 tenant should be to phase out the traditional SharePoint IRM-based protection and replace it with Office 365 sensitivity labels as soon as business requirements and user training allows.


Confused about encryption and rights management in Office 365? Look no further than Chapter 24 of the Office 365 for IT Pros eBook. It’s all explained there.

2 Replies to “SharePoint Library IRM Protection and Office 365 Sensitivity Labels”

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.