The Question of Information Protection Sublabels

The use of Information Protection sublabels is one of the questions for teams implementing sensitivity labels in Microsoft 365 tenants. Some like the granular appearance of sublabels and consider them a valuable guide to assist users to pick the most appropriate label. Others prefer a simple list of sensitivity labels. Both approaches work well. It’s up to you to decide.

Microsoft Details Compliance Support for Microsoft 365 Copilot

Microsoft has described the compliance support from Purview solutions for data generated by Microsoft 365 Copilot prompts and responses. There’s nothing earthshattering in terms of what Microsoft is doing, but it’s good that audit events and compliance records will be gathered and that sensitivity labels will block Copilot access to confidential data.

How to Limit the Creation of New Teams to Private Access

An interesting discussion in the Microsoft Technical Community about limiting the teams privacy mode to private for new teams caused me to try out the principles. The idea works, with caveats, and I wonder if anyone will use it in production. It’s an interesting technique for using container management sensitivity labels that I’d never thought about before, so here it is.

SharePoint Administrators Can’t Update Sensitivity Labels for Document Libraries

For whatever reason, SharePoint Online doesn’t allow administrators to control the settings of document libraries. In particular, default sensitivity labels. It seems crazy that other Microsoft 365 workloads allow administrators to manage the settings of things like mailboxes, groups, plans, and teams, but SharePoint Online holds steadfast to not allowing administrators go deeper than a site. It would be nice to see consistency around administrator access across all workloads.

Find Out Where Users Get Sensitivity Labels From

A question about finding out which sensitivity label policy makes a label available to a user requires some PowerShell to figure out the answer with some human-friendly results. The outcome is a script that analyzes sensitivity label policies to find where a user gets their labels from. It’s another example of how useful PowerShell can be.

Microsoft Information Protection Upgrades to Enhanced Encryption Algorithm

After discussion in 2022 about potential vulnerabilities for the AES128-EBC cipher used by Microsoft Information Protection (MIP), an August upgrade enables AES256-CBC protection for sensitivity labels and other MIP components. Some care is needed to make sure that Exchange Server and other on-premises solutions work properly with the new cipher, but transition for Microsoft 365 tenants should be seamless.

Planning Sensitivity Labels for Meetings

Planning the introduction of sensitivity labels for meetings means that you pay attention to label scoping and naming. Having too many meeting labels will confuse users and the same will happen if the label display names don’t convey their purpose. This article explains some simple steps to take to make sure that your meeting labels work well.

Teams Meeting Templates: Helping to Organize Better Meetings

Teams Premium is now generally available. Not all its features are online yet, but Teams meeting templates are, so we tested them to see if they help users to organize better meetings. After playing around with templates, including the optional use of sensitivity labels to control template settings, we conclude that this is a nice feature to have but maybe not one that will influence the buying decision for Teams Premium.

Analyzing the Use of Sensitivity Labels without the Activity Explorer

The unified audit log contains records generated when users and applications apply sensitivity labels to emails and documents. This article explains how to use PowerShell to retrieve the data and create a report to help tenant administrators understand the usage of sensitivity labels.

Outlook and Teams Premium Both Claim Sensitivity Label and Meeting Recap Features

The new Teams Premium product ($10/.user/month) and Outlook both claim that they will support sensitivity labels and a meeting recap. That’s confusing, especially if Outlook delivers the features at no cost. However, when you look into the matter a little deeper, it’s obvious that what Teams Premium will deliver is very different to what you can expect to see in Outlook. All of which proves why it’s important to read announcements carefully and put them into context with what you already know about how products work.

Analyzing Document Label Mismatch Audit Records

Document label mismatches happen when users create, upload, or update Office documents in SharePoint sites and give the documents a higher-priority sensitivity label than the one assigned to the site. When this happens, SharePoint Online creates a DocumentSensitivityMismatchDetected audit event. Unhappily, that event doesn’t tell us who caused the mismatch, but some work with PowerShell reveals all.

The Odd Azure AD Selected Visibility is Not Allowed Problem

Like all apps, the Azure AD Admin center has its own quirks and inconsistencies. In this article, we cover issues creating groups when the admin center doesn’t apply sensitivity label container management settings properly, and group-based license management, which only works if the group’s security enabled property is set correctly.

How to Create Mailbox Exclusions for Microsoft 365 Sensitivity Label Policies

The GUI of the Microsoft Purview compliance center doesn’t support the exclusion of selected mailboxes when the special All target is used. However, you can use PowerShell to add mailbox exclusions to sensitivity label policies, including adding the members of a group as exclusions.

How Working with Protected PDFs in Microsoft 365 is Becoming Easier

Some recent announcements will make it much easier to work with PDFs protected with sensitivity labels. Adobe is now bundling the MIP plug-in with the Acrobat installer and has plans to allow users to apply sensitivity labels within Acrobat. But the big news is the change in Office applications to generate protected PDFs when saving, exporting, or sharing protected documents, spreadsheets, and presentations.

Mobile Co-Authoring for Protected Documents

Microsoft has a preview of co-authoring support for protected documents edited on iOS and Android devices. It’s possible that you will never need to use the feature, but you’ll be glad that it exists if you do. In other mobile news, the Teams mobile client now includes calendar items in its search results.

Microsoft 365 Data Loss Prevention and Encrypted Message Type Exceptions

Microsoft 365 Data Loss Prevention (DLP) policies have wide-ranging capabilities when it comes to rules and exceptions. One exception covers the various types of encrypted email that can pass through the Exchange Online transport pipeline. As it happens, three message types are supported, but who could have guessed that permission controlled means rights management?

Keeping Confidential Outlook Email Private

Outlook logo

Delegates often process Outlook email for others. It’s a feature that works well. That is, until protected email arrives. Delegates shouldn’t be able to read protected email in other peoples’ mailboxes. But some versions of Outlook allow this to happen. If you want to be sure that delegates can’t access protected email, maybe you should consider using a dual-mailbox approach.

How Default Sensitivity Labels Work with SharePoint Online Document Libraries

SharePoint Online and OneDrive for Business will soon gain the ability to apply default sensitivity labels to document libraries. The feature is currently in preview and requires some complicated PowerShell to configure, but Microsoft is working on the GUI and expects to make the capability generally available later this year.

How to Protect Messages Sent to Dynamic Distribution Lists

Office 365 Message Encryption protection is not available for messages sent to dynamic distribution groups. It’s all to do with rights management licensing. However, if you need to protect messages sent to dynamic distribution groups, for instance to make sure that confidential messages are inaccessible to external recipients use a sensitivity label instead and assign the special tenant-wide permission to recipients.

How to Create an Auto-Label Retention Policy Based on Sensitivity Labels

Auto-label retention policies find items in Microsoft 365 locations and apply retention labels to those items. In this article, we explain the steps involved in creating an auto-label retention policy to look for items with sensitivity labels and apply retention labels to those items.

Microsoft Moves Unified Labeling Client into Maintenance Mode

In a surprising December 21 announcement, Microsoft put its Information Protection labeling client into maintenance mode effective January 1, 2022. Making an announcement as the IT industry was closing down for the holiday period is no good way to make certain customers learn about a development, and it’s curious that Microsoft left it until nine days before the client entered maintenance mode to let people know.

Microsoft Closes Gap to Enable Mandatory Labeling of Existing Documents

A change in how Office apps apply mandatory labeling as dictated by sensitivity label policies means that both new and old documents are processed. New documents have always been dealt with; the change being made ensures that Office apps detect the lack of a label when opening an existing document and will apply mandatory labeling at that point. It’s a change to help customers move on from the unified labeling client.

Meet Office 365 for IT Pros at the European Collaboration Summit 2021

The Office 365 for IT Pros team will be at the European Collaboration Summit (ECS) in Dusseldorf. Come to listen to Tony talk about sensitivity labels on Tuesday or Paul discuss tenant to tenant migration on Wednesday. ECS is a great community-led event that’s well worth attending if you find yourself in Europe and have the ability to travel to Germany. Don’t forget your mask!

Synchronizing Sensitivity Labels to Update SharePoint Online Sites

The SharePoint Online admin center displays an insight card for the number of unlabeled sites in the tenant. For some reason, many of the labels assigned to Microsoft 365 Groups and Teams had not reached SharePoint. Some PowerShell does the job to fetch the sensitivity label information from Exchange Online and update sites with the missing label information.

Some Microsoft 365 Features Highlighted at Fall Ignite 2021 You Can Use Now

To help you recover from the blizzard of Microsoft 365 information released at Fall Ignite 2021, here are some notes about features and functionality you might have missed. Like any list created by a conference (virtual) attendee, it reflects my interests and what I was looking for. Feel free to disagree on the importance of any or all of the topics discussed here… and suggest some of your own in the comments.

SharePoint Admin Center Absorbs OneDrive for Business Management

Microsoft has simplified Microsoft 365 administration by moving controls from the OneDrive for Business admin center into the SharePoint Online admin center. It’s a good step because the two workloads are really two sides of the same file and document management function within Microsoft 365. With many apps moving storage of their data to OneDrive for Business, its role is becoming increasingly important. Even so, OneDrive doesn’t deserve a dedicated management portal.

An Insight Into Microsoft Information Protection, Licenses, and Certificates

A recent conversation in the Microsoft Information Protection (MIP) community on Yammer about deleted templates led to a discussion about how this might affect users, like those who apply sensitivity labels with encryption to protect documents in SharePoint Online or email in Exchange Online. As it turns out, MIP has a backstop or get out of jail free card, but to understand how it works, you need to understand a little bit about publishing licenses and use licenses. We explain what happens in this article.

SharePoint Online Document Library UI Refreshed for Teams Private Channels

Microsoft is changing the SharePoint document library UI for sites used by Teams private channels to make sensitivity labels read-only and move a link into the command bar. That doesn’t sound so important, but it’s part of the preparation for the introduction of Teams Connect, aka Shared channels. It’s just a pity that the text of message center notification MC261534 was so confusing when it first appeared.

How to Use Authentication Contexts with Microsoft 365 Sensitivity Labels

A preview for Sensitivity Labels show how they can use Azure AD authentication contexts and conditional access policies to protect SharePoint Online sites. Although you can link conditional access policies to sites with PowerShell, it’s a lot easier to make the connection through sensitivity labels. Any SharePoint Online site which receives a label configured with an authentication context automatically invokes the associated conditional access policy to protect its contents.

Control Default Sharing Link Settings for Sites and Documents with Sensitivity Labels

New PowerShell commands for sensitivity labels can configure default sharing link settings for SharePoint Online sites. Any site assigned a label configured for default sharing links inherits those settings within 24 hours. Also available is the ability to apply default sharing link settings at a per-document basis.

Understand Licensing for Microsoft 365 Information Protection and Governance

Licensing is everyone’s favorite topic. Combine it with information protection and governance and peoples’ eyes glaze over. Even so, it’s important to know what information protection and compliance features need which licenses as you don’t want to get into a position where something stops working because Microsoft enables some code to enforce licensing requirements. This post covers the basics of licensing and how Microsoft differentiates between manual processing and automated processing when deciding if a feature needs a standard or premium license.

How Sensitivity Labels Control the External Sharing Capability of SharePoint Online Sites

The latest update for sensitivity labels allows them to control the external sharing capability of SharePoint Online sites. It’s a powerful example of policy-based management in action and demonstrates just how useful sensitivity labels will be as Microsoft steadily builds out the set of controls available through labels.

How to Decrypt Protected SharePoint Files Using PowerShell and the Graph API

Sensitivity labels are a great way to protect confidential documents stored in SharePoint Online. Sometimes the documents must be decrypted. This article explains how to build a PowerShell script which uses Graph API calls to navigate to a folder in a SharePoint Online document library and decrypt the protected documents found in the folder.

How to Use Sensitivity Labels to Protect Teams Meeting Recordings

OneDrive for Business now stores Teams meeting recordings. You can protect files with sensitivity labels, but does this have any side effects for Teams? As it turns out, it does because the protective wrapper which encrypts the recording breaks the link to Teams. This might not be important if you need to protect a confidential recording and restrict access to a known set of users, but it’s something to consider before applying any labels.

How to Report Audit Events Generated for Sensitivity Labels

Audit records are a great way to gain an understanding of what happens inside Office 365. We use PowerShell to report actions taken with sensitivity labels such as protecting files and containers. The latest development is the addition of support in the Microsoft 365 apps for enterprise (Office desktop) to log audit events when users interact with sensitivity labels. Unsurprisingly, more events are often logged by the desktop apps than their online equivalents.

Sensitivity Labels Control External Sharing for SharePoint Online Sites

The container management settings of sensitivity labels can now manage the external sharing capability of SharePoint Online team sites. The same settings as available in the SharePoint admin center or PowerShell can be applied through a label. Caching means that new settings in a label might not be picked up by SharePoint Online for up to 24 hours.

Exports of Exchange Online Search Results Now Decrypt Attachments

When you use an Office 365 content search to find items, the results from Exchange Online might include some encrypted attachments. A change means that the attachments can now be decrypted to make it easier for investigators to review the information. It’s a small but important change, just like the update to Edge which stops ClickOnce programs running unless an Edge setting is enabled. All good, clean, honest fun.

Reading PDFs Protected by Sensitivity Labels with the Edge Browser

The latest version of the Edge Chromium browser can read files protected by Office 365 sensitivity labels stored in SharePoint Online and Exchange Online. This might not be the feature that causes you to dump Chrome, but it’s very useful when your tenant uses sensitivity labels.

How to Use DLP Policies and Sensitivity Labels to Block External Access to Confidential Documents

When you need to block external access to your most sensitive documents, Office 365 Data Loss Prevention policies and sensitivity labels combine to find and protect the documents. A really simple policy is enough to detect and block external access, and is covered by Office 365 E3 licenses. If you have E5 licenses, you can consider auto-label policies to find and protect sensitive documents at scale.

Power BI Support for Sensitivity Labels Now Generally Available

Power BI support for Office 365 sensitivity labels is now generally available. Inside Power BI, the labels are visual markers. Encryption is applied when Power BI objects are exported. The interesting thing is that the user who exports content doesn’t have the right to change the label.