Table of Contents
Bit by Bit, Office 365 Sensitivity Labels Reaching Applications
On September 24, I published an article about the support of Office 365 Sensitivity Labels in the Office ProPlus for Windows desktop apps. At the time, I noted that Microsoft still had work to do to add support for sensitivity labels to the Office online apps, including OWA. Microsoft had published Office 365 notification MC191074 to say that Office 365 tenants now with worldwide roll-out complete by the end of October. Well, OWA “manual” support for Office 365 Sensitivity Labels has turned up in my tenant to satisfy roadmap item 44921.
Manual Labeling
Manual support for Office 365 Sensitivity Labels means that OWA users must decide what messages to label and the labels to assign to messages. Automatic labeling is what happens today with Office 365 retention labels when conditions in a policy control what items labels are applied to by a background process. Similar facilities are likely for sensitivity labels in the future.
Apply Sensitivity Labels in the OWA New Message Window
Because OWA runs in online mode, it always uses the current set of sensitivity labels published for a user. This doesn’t mean that a new or updated label is available to OWA immediately a change is made. The Security and Compliance Center must publish the change to all Office 365 workloads and clients. It can therefore take some time before a change is available to OWA.
The Sensitivity button is available as an option in the OWA new message window. After a label is applied to a message, its name is shown in the banner above the message recipients. In Figure 1 we can see that the selected label invokes encryption because of the padlock icon beside the label name. A label that only applies marking or does nothing but act as a visual indicator uses a plain label icon.

OWA also displays these icons for labelled items in the read message window. Like Outlook, the protection applied to a message also applies to any of its attachments
Labeling Replies
Sensitivity labels can also be applied to replies to messages that aren’t previously labelled. In this case, the Sensitivity option to apply a label is in the […] menu of the reply message window (Figure 2).

When you assign a sensitivity label to a reply, it does not apply to the previous messages in the thread. However, Exchange automatically assigns the same label to future messages in the thread.
Encrypt-Only and Do Not Forward
The default Office 365 Message Encryption Encrypt-Only and Do Not Forward templates can also be used to protect messages with OWA. Click the […] menu and you’ll find Encrypt in the list of menu choices. Using these templates for protection does not assign a sensitivity label to the protected messages.
Still Work to Do
Now that OWA supports Office 365 Sensitivity Labels, it’s reasonable to expect that the other Office online apps will offer support soon. After that, eyes will turn to the SharePoint Online and OneDrive for Business browser interfaces to see how Microsoft will introduce sensitivity label support there.
For more information about Office 365 Sensitivity Labels and the underlying Azure Information Protection technology, read Chapter 24 of the Office 365 for IT Pros eBook.
much awaited
It is a very advantageous post for me. I’ve enjoyed reading the post. It is a very supportive and useful post. I would like to visit the post once more of its valuable content. Thanks for sharing this blog.
Anyone have an idea why the Sensitivity labels in OWA are not subject to the AIP settings in the Security & Compliance Center or in the Azure Portal? I have the setting turned on that requires every document and email message to have a default label (we call ours “Business General”), but no default label is being applied to anyone using OWA for users across my organization.
Do you have the AIP client deployed? I think you need the client deployed to get the default label applied.
I have come across a strange issue in testing this. I have a default label which is set for internal (tenant) users only. When I send an email with this label applied to another internal user, when that user opens the email in OWA and clicks reply or forward, sometimes they see an option above the reply address to remove encryption. Other times they do not see this. It’s extremely random. I’d like the remove encryption option to be always available, but in my testing so far I’ve been unable to figure out why it sometimes appears and sometimes doesn’t.
This is a custom sensitivity label? Does the same thing happen with one of the two default OME labels (Do Not Forward and Encrypt-Only)? I have never seen this happen and can’t reproduce it, so I would report the problem to Microsoft.
Yes it’s a custom sensitivity label. I can’t recreate the conditions with the Do not Forward label thus far. Will keep playing, and also report to Microsoft as you suggest. Thank you.
Is this now also possible in Word Online & co.? I Cant see it even if im in early update chanel with my tenant.
Regards
Microsoft has a preview for support of sensitivity labels in the Office Online apps. It works very well. You should see it in general availability soon.
Hi I know this is an old thread but hoping its still being viewed. I in the process of rolling this out but have issues with OWA.
If send an email with a sensitivity label set as “In Outlook, enforce one of the following restrictions – Do Not Forward”
I get the below message in OWA when the message is received
_________________________________________________________________________________________________________
This message is protected with Microsoft Information Protection. You can open it using Microsoft Outlook, which is available for iOS, Android, Windows, and Mac OS. Get Outlook for your device here: https://aka.ms/protectedmessage.
Microsoft Information Protection allows you to ensure your emails can’t be copied or forwarded without your permission. Learn more at https://microsoft.com/rms.
_________________________________________________________________________________________________________
It allows me to apply the label in OWA but when the recipient receives it the recipient can forward in outlook.
I cant seem to get it to work in owa.
It’s really hard to know without access to your tenant to see exactly how everything is configured. For example, what rights are assigned to the recipient in the label? If rights are present for anyone in your tenant that allow them to forward email, they’ll be able to.
Thanks Tony, I have selected Publish to users and groups I have selected the 2 test accounts, a@company.com and b@company.com from this the user accounts can view the labels and apply them but then the above happens. Please see below screen shots from the label
https://paste.pics/c1931c832bf0568d3ed3fe32f4e78ce6
https://paste.pics/9bb55e21348c6115e0871facbd8f99de
https://paste.pics/78de21705487347931c1574c1a969000
https://paste.pics/03eae35d6535d1e75c86f33ca801b46f
https://paste.pics/c100153331324c0d7b141542ef135372
and the below from the Label policies
https://paste.pics/8139a207f496d80cc59cd70b055fd24f
https://paste.pics/b5e632b7bee0d3059cfa2b6e598f3630
https://paste.pics/a5385eba9cb671bf3f5264069126f551
The rest are default
You don’t show what rights are assigned by the label. Without that information, no one can say what will happen when someone receives a labelled item.
i guess create some groups need to apply here. https://paste.pics/35d5831068892133625ee0021ba45545
I thought it would work by setting the label that no matter who it was receiving the protected email the wouldn’t be able to forward it.
for example I wanted to send a sensitive email to a staff member that they couldn’t forward on i would set the label and send it, removing the forward option for them. but if they wanted to create an email and send they could do the same and the recipient would be unable to forward