SharePoint Online Embraces Office 365 Sensitivity Labels

The Progress of Sensitivity Labels

The introduction of sensitivity labels into Office 365 has followed a measured path since their introduction in late 2018. Originally, you could apply labels to files only after installing the Azure Information Protection client on a workstation. Then labels were supported by the Office ProPlus applications, which eliminated the need for the client. Now, Microsoft is in the final phases of incorporating support for sensitivity labels into SharePoint Online, including the Office Online apps.

The use of sensitivity labels to mark Office 365 Groups, Teams, and SharePoint sites (collectively known as “containers”) is also in preview, as are previews of tools to apply labels at scale to data at rest, such as all the documents in a tenant. By the end of 2020, it will be true that sensitivity labels are pervasive within Office 365.

Update: Sensitivity label support for SharePoint Online is now Generally Available.

Marking and Protection

Sensitivity labels serve three purposes:

  • For documents and messages, labels can apply visual markings like headers and footers to show the importance of information in an item.
  • For containers, labels can manage some settings that control who can access information in the container.
  • Labels can also be linked to Microsoft Information Protection (rights management) to protect documents and messages by encrypting their content. Currently, applying a label to a container does not encrypt the items stored in the container.

SharePoint and Rights Management

Historically, SharePoint Online did not enjoy a happy relationship with rights management. You can upload protected documents into sites, but SharePoint couldn’t decrypt the content, which meant that the only information generated for content indexes was document metadata like titles, authors, and so on. Searches could still find protected documents, but only using the stored metadata.

Apart from searches, content indexes are used by Office 365 Data Loss Prevention (DLP) to make sure that sensitive information doesn’t leak outside the organization. Protected content was inaccessible for DLP checking, so it was possible for a protected document stuffed full of sensitive data to bypass checking en route to external recipients.

Other features that didn’t work with protected content include file preview and co-authoring.

SharePoint Support for Sensitivity Labels

The current preview addresses many of the problems with protected content. The preview has two parts:

  • Support in SharePoint Online to process protected content.
  • Support in the Office Online apps to interact with sensitivity labels in Office documents.

If things go well, it’s likely that Microsoft will make the code generally available in the April timeframe.

Decrypting Content

When you apply a sensitivity label to a new or updated file stored in SharePoint Online or OneDrive for Business, a background process detects the presence of the label. If the file is encrypted, its content is decrypted and indexed. No scan is done for protected files that were imported into SharePoint before the tenant is upgraded, so you must edit those files or update their properties to force the decryption and indexing process to happen.

SharePoint can’t decrypt files protected by labels that have user defined permissions or expiration dates. Microsoft reckons that only a small percentage of protected files are in these categories.

Office Apps and Sensitivity Labels

The Office Online apps can apply, update, and remove sensitivity labels (these actions are captured in the Office 365 audit log). The Office Online apps also support co-authoring and autosave. These features can’t be used when using Office ProPlus to work with protected documents because different mechanisms are used to update files.

In Figure 1, you can see the sensitivity button (top right) and the list of sensitivity labels published by the tenant to make them available to the user. The applied label is highlighted in the list and shown in the bottom infobar.

Working with a protected document using Word Online
Figure 1: Working with a protected document using Word Online (image credit: Tony Redmond)

Browser Interfaces Don’t Support Application of Sensitivity Labels

Figure 2 shows the properties of a selected document, which is protected. As you can see, the file preview works, but unlike retention labels, SharePoint and OneDrive for Business don’t support the ability to apply a sensitivity label to a file from their browser interface. You must apply labels while working inside an application that has native support for sensitivity labels (Office ProPlus Word, Excel, and PowerPoint) or Office Online, or you can use the Unified Labeling client to apply a label to a file outside Office 365 and then import the file into SharePoint Online or OneDrive for Business.

Preview works, but you can’t assign a sensitivity label through document properties
Figure 2: Preview works, but you can’t assign a sensitivity label through document properties (image credit: Tony Redmond)

Microsoft says that encryption slows the opening of documents (the larger the document, the bigger the delay). Although I have noticed that SharePoint is slower to display document properties for protected files (because of the need to generate the preview), I have not experienced huge delays in opening documents for edit sessions. However, it’s possible that this might be the case in some situations.

To highlight the presence of sensitivity labels, you can add a sensitivity column to document library views (Figure 3).

Sensitivity column in a document view
Figure 3: Sensitivity column in a document view (image credit: Tony Redmond)

Sticky Protection

Protection remains with documents when files are downloaded from SharePoint Online or OneDrive for Business (including when files are exported by Office 365 content searches). The rights defined in the assigned label determines who can do what with a file. It’s also the case that SharePoint Online blocks attempts to open a file if the user doesn’t have the right to access its content.

Protected Content Needs Different Handling

The thing about protected content is that it challenges the assumptions people have about files. It’s no longer the case that people can expect that they can open any file they can access. Rights management means that someone must have the right to access content before they can work with content. The percentage of protected content is very low in Office 365 today. But now that sensitivity labels are becoming more pervasive, I don’t expect this to be the case for much longer.