Office|Office 365|SharePoint Online

SharePoint Online Embraces Office 365 Sensitivity Labels

The Progress of Sensitivity Labels

The introduction of sensitivity labels into Office 365 has followed a measured path since their introduction in late 2018. Originally, you could apply labels to files only after installing the Azure Information Protection client on a workstation. Then labels were supported by the Office ProPlus applications, which eliminated the need for the client. Now, Microsoft is in the final phases of incorporating support for sensitivity labels into SharePoint Online, including the Office Online apps.

The use of sensitivity labels to mark Office 365 Groups, Teams, and SharePoint sites (collectively known as “containers”) is also in preview, as are previews of tools to apply labels at scale to data at rest, such as all the documents in a tenant. By the end of 2020, it will be true that sensitivity labels are pervasive within Office 365.

Update: Sensitivity label support for SharePoint Online is now Generally Available.

Marking and Protection

Sensitivity labels serve three purposes:

Sponsored Content

Passwords Haven’t Disappeared Yet

123456. Qwerty. Iloveyou. No, these are not exercises for people who are brand new to typing. Shockingly, they are among the most common passwords that end users choose in 2021. Research has found that the average business user must manually type out, or copy/paste, the credentials to 154 websites per month. We repeatedly got one question that surprised us: “Why would I ever trust a third party with control of my network?

  • For documents and messages, labels can apply visual markings like headers and footers to show the importance of information in an item.
  • For containers, labels can manage some settings that control who can access information in the container.
  • Labels can also be linked to Microsoft Information Protection (rights management) to protect documents and messages by encrypting their content. Currently, applying a label to a container does not encrypt the items stored in the container.

SharePoint and Rights Management

Historically, SharePoint Online did not enjoy a happy relationship with rights management. You can upload protected documents into sites, but SharePoint couldn’t decrypt the content, which meant that the only information generated for content indexes was document metadata like titles, authors, and so on. Searches could still find protected documents, but only using the stored metadata.

Apart from searches, content indexes are used by Office 365 Data Loss Prevention (DLP) to make sure that sensitive information doesn’t leak outside the organization. Protected content was inaccessible for DLP checking, so it was possible for a protected document stuffed full of sensitive data to bypass checking en route to external recipients.

Other features that didn’t work with protected content include file preview and co-authoring.

SharePoint Support for Sensitivity Labels

The current preview addresses many of the problems with protected content. The preview has two parts:

  • Support in SharePoint Online to process protected content.
  • Support in the Office Online apps to interact with sensitivity labels in Office documents.

If things go well, it’s likely that Microsoft will make the code generally available in the April timeframe.

Decrypting Content

When you apply a sensitivity label to a new or updated file stored in SharePoint Online or OneDrive for Business, a background process detects the presence of the label. If the file is encrypted, its content is decrypted and indexed. No scan is done for protected files that were imported into SharePoint before the tenant is upgraded, so you must edit those files or update their properties to force the decryption and indexing process to happen.

SharePoint can’t decrypt files protected by labels that have user defined permissions or expiration dates. Microsoft reckons that only a small percentage of protected files are in these categories.

Office Apps and Sensitivity Labels

The Office Online apps can apply, update, and remove sensitivity labels (these actions are captured in the Office 365 audit log). The Office Online apps also support co-authoring and autosave. These features can’t be used when using Office ProPlus to work with protected documents because different mechanisms are used to update files.

In Figure 1, you can see the sensitivity button (top right) and the list of sensitivity labels published by the tenant to make them available to the user. The applied label is highlighted in the list and shown in the bottom infobar.

Working with a protected document using Word Online
Figure 1: Working with a protected document using Word Online (image credit: Tony Redmond)

Browser Interfaces Don’t Support Application of Sensitivity Labels

Figure 2 shows the properties of a selected document, which is protected. As you can see, the file preview works, but unlike retention labels, SharePoint and OneDrive for Business don’t support the ability to apply a sensitivity label to a file from their browser interface. You must apply labels while working inside an application that has native support for sensitivity labels (Office ProPlus Word, Excel, and PowerPoint) or Office Online, or you can use the Unified Labeling client to apply a label to a file outside Office 365 and then import the file into SharePoint Online or OneDrive for Business.

Preview works, but you can’t assign a sensitivity label through document properties
Figure 2: Preview works, but you can’t assign a sensitivity label through document properties (image credit: Tony Redmond)

Microsoft says that encryption slows the opening of documents (the larger the document, the bigger the delay). Although I have noticed that SharePoint is slower to display document properties for protected files (because of the need to generate the preview), I have not experienced huge delays in opening documents for edit sessions. However, it’s possible that this might be the case in some situations.

To highlight the presence of sensitivity labels, you can add a sensitivity column to document library views (Figure 3).

Sensitivity column in a document view
Figure 3: Sensitivity column in a document view (image credit: Tony Redmond)

Sticky Protection

Protection remains with documents when files are downloaded from SharePoint Online or OneDrive for Business (including when files are exported by Office 365 content searches). The rights defined in the assigned label determines who can do what with a file. It’s also the case that SharePoint Online blocks attempts to open a file if the user doesn’t have the right to access its content.

Protected Content Needs Different Handling

The thing about protected content is that it challenges the assumptions people have about files. It’s no longer the case that people can expect that they can open any file they can access. Rights management means that someone must have the right to access content before they can work with content. The percentage of protected content is very low in Office 365 today. But now that sensitivity labels are becoming more pervasive, I don’t expect this to be the case for much longer.


Don't have a login but want to join the conversation? Sign up for a Petri Account

Comments (2)

2 responses to “SharePoint Online Embraces Office 365 Sensitivity Labels”

  1. <p>Thanks Tony for the article</p><p><br></p><p>Did you get a change to test the "Sites and group setting" for the label?</p><p><br></p><p>I have two questions:-</p><p>Can we and how:-&nbsp;</p><p><br></p><p>1. can we restrict the upload of the document to the same labeled site?(normal labeled doc to normal labeled site/Secret labeled doc to Secret labeled site) can you refer me to something so that I can test?</p><p>2. If above, cannot be done, then how can we do this: SECRET labeled document SHOULD NOT be downloaded from a NORMAL labeled Sharepoint library to an untrusted device, but it SHOULD be allowed to be downloaded to a trusted device.</p><p><br></p>

    • <blockquote><em><a href="#16728">In reply to thetechguru:</a></em></blockquote><p>I will cover the topic of sensitivity label settings for sites, groups. and teams in another article.</p><p><br></p><p>Re. 1, Labeling a site has no effect on the content. If you upload a document to a site that has an label inconsistent with the site label, it creates a condition called a label mismatch. Today, all that happens is the capture of an audit record in the Office 365 audit log. You'd have to take action to resolve the mismatches.</p><p>Re 2., not possible today.</p>

Leave a Reply

Tony Redmond has written thousands of articles about Microsoft technology since 1996. He covers Office 365 and associated technologies for and is also the lead author for the Office 365 for IT Pros eBook, updated monthly to keep pace with change in the cloud.