Blog post: 2 minute read.
Are you suffering from label confusion in Office 365? Well I sure was. I set out to understand what all these labels were being used for and what the relationship, if any, was between them. In this post, I’ll use real-world examples to illustrate the differences between the two types of labels.
Azure Information Protection (AIP) labels are used to apply a sensitivity setting to documents across Office 365. They are defined in the Azure Information service of the Azure portal. (Read my post on how to get started with AIP labels) When applied, it appears as a sensitivity setting in the UI ribbon (in the Office client) and is stored in clear text as a property in the document backstage in ‘Advanced Properties’. The label can be manually set by an end-user, can be recommended to an end-user based on document/email content or it can be automatically based on document/email content (based on an appropriate O365 license).
The sensitivity label, since it is in clear text, can be read by other services to take appropriate action. For example, DLP can be configured to prevent sharing of a document external to an organization if the document has a sensitivity label of ‘Highly Confidential’ or emails can be encrypted if they are marked as ‘Confidential’ or ‘Highly Confidential’. Any service that can read the sensitivity can take action upon it.
These are labels defined in the Security & Compliance Center of Office 365 (Overview of labels) and can be used to apply retention on a document in SharePoint, OneDrive, Office 365 Group or an email in Exchange. You can also declare a document a record to prevent further edits and deletes. Retention can be based off the created date, last modified date or the date the label was applied.
End-users can set the label on a document thru the SharePoint UI using the document detail pane and it can also be applied automatically at either a document library level or by using a keyword query in the label setup. You can see a document’s label by adding it into any view in SharePoint.
What’s the difference?
“AIP labels have everything to do with protection of your corporate assets.”
“Retention labels have everything to do with compliance and regulatory requirements in your organization as it relates to retention and disposition.”
They’re both called labels but they are doing very different things. AIP labels have everything to do with protection of your corporate assets. Imagine you have setup a corporate classification in your organization as follows (Microsoft’s label classification recommendations):
Using the above labels, you could configure anything labeled “Highly Confidential” in your organization to prevent external sharing (outside your organization) as well as download. Examples of content that could fall into a “Highly Confidential” classification are:
- Corporate budgets: download not allowed, cannot share externally
- Corporate contracts: download not allowed, cannot share externally
- Pending patents: download not allowed, cannot share externally
Retention labels, on the other hand, have everything to do with compliance and regulatory requirements in your organization as it relates to retention and disposition. Let’s look at the example above but thru a lens of retention. These 3 types of content may have very different retention requirements even though they all have an AIP sensitivity label of “Highly Confidential”:
- Corporate budgets: retain for 5 years after budget end date.
- Corporate contracts: retain for 10 years after the contract expiry date.
- Pending patents: permanently declare a record.
How would we implement this?
Classify all of the above documents at time of creation with the AIP ‘Highly Confidential’ sensitivity label. This will prevent external sharing both while they are being worked on and when they are in final version. In the Security & Compliance Center, define labels for your corporate retention schedule. Within that you will have labels for Budgets, Contracts, and Patents. You publish these labels to the appropriate site collection or tenant in a Label Policy. Once published it can be applied to content as follows:
- Corporate Budgets: Once the budget is done, apply a ‘Budget’ retention label.
- Corporate contracts: Once the contract has expired, apply a ‘Contract’ retention label.
- Pending patent: At time of creation, automatically label the document as a permanent record.
You can manually set the label on the above content, however where the real power comes in is with auto-application. The ability to auto-apply a retention label is currently available by use of keyword query as well as at a specific document library. Coming soon, we will also be able to use a managed property that is identified as ‘searchable’ in the SharePoint search schema. This is very good news as it will allow more advanced queries to be used against SharePoint metadata when setting retention. (The ‘Content Type’ managed property would be a very powerful option!)
Now that I have a better understanding of the meaning behind both of these kinds of labels, I’m looking forward to where the new world of “Office 365 labels” is taking us. It’s clear that data protection on all fronts is an important focus for Microsoft – both from a security as well as a retention and disposition perspective.
Thanks for reading.