Are you suffering from label confusion in Office 365? Well I sure was. I set out to understand what all these labels were being used for and what the relationship, if any, was between them. In this post, I’ll use real-world examples to illustrate the differences between the two types of labels.
Azure Information Protection (AIP) labels are used to apply a sensitivity setting to documents across Office 365. They are defined in the Azure Information Protection service of the Azure portal. (Read my post on how to get started with AIP labels.) When applied, the label appears as a sensitivity setting in the ribbon of the Office client and is stored in clear text as a document property, visible in the backstage under ‘Advanced Properties’. The label can be set manually by an end-user, recommended to an end-user based on document/email content, or applied automatically based on document/email content (given an appropriate O365 license).
The sensitivity label, since it is in clear text, can be read by other services to take appropriate action. For example, DLP can be configured to prevent sharing of a document external to an organization if the document has a sensitivity label of ‘Highly Confidential’ or emails can be encrypted if they are marked as ‘Confidential’ or ‘Highly Confidential’. Any service that can read the sensitivity can take action upon it.
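To show what “stored in clear text as a document property” means in practice, here is an added example (not code from the post or from Microsoft) that builds a minimal .docx, reads the custom property from docProps/custom.xml, and applies the post’s “Highly Confidential” sharing/download policy the way a DLP check would. The MSIP_Label_<guid>_Name property naming and the GUID are assumptions, and the policy table is constructed from the post.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional

# Namespaces used by docProps/custom.xml inside an Office Open XML package.
NS_CUSTOM = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
NS_VT = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"

# Assumed naming: AIP writes clear-text custom properties such as
# MSIP_Label_<label-guid>_Name; the GUID below is a constructed placeholder.
LABEL_GUID = "00000000-0000-0000-0000-000000000000"

# Policy from the post: "Highly Confidential" blocks external sharing and download.
POLICY = {
    "Highly Confidential": {"share_externally": False, "download": False},
    "Confidential": {"share_externally": True, "download": True},
}

def build_docx_with_label(label_name: str) -> bytes:
    """Construct a minimal .docx (a zip) carrying an AIP-style custom property."""
    custom_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Properties xmlns="{NS_CUSTOM}" xmlns:vt="{NS_VT}">'
        f'<property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="2" '
        f'name="MSIP_Label_{LABEL_GUID}_Name"><vt:lpwstr>{label_name}</vt:lpwstr></property>'
        '</Properties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/custom.xml", custom_xml)
    return buf.getvalue()

def read_sensitivity_label(docx_bytes: bytes) -> Optional[str]:
    """Return the clear-text AIP label name stored in docProps/custom.xml, if any."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "docProps/custom.xml" not in z.namelist():
            return None
        root = ET.fromstring(z.read("docProps/custom.xml"))
    for prop in root.findall(f"{{{NS_CUSTOM}}}property"):
        name = prop.get("name", "")
        if name.startswith("MSIP_Label_") and name.endswith("_Name"):
            value = prop.find(f"{{{NS_VT}}}lpwstr")
            return value.text if value is not None else None
    return None

def dlp_decision(docx_bytes: bytes, action: str) -> bool:
    """Simulate a DLP check: is `action` ('share_externally' or 'download') allowed?
    Labels outside the policy table (or no label) are permitted, as in the post."""
    return POLICY.get(read_sensitivity_label(docx_bytes), {}).get(action, True)
```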
Retention labels are defined in the Security & Compliance Center of Office 365 (Overview of labels) and can be used to apply retention to a document in SharePoint, OneDrive or an Office 365 Group, or to an email in Exchange. You can also declare a document a record to prevent further edits and deletes. Retention can be based on the created date, the last modified date or the date the label was applied.
End-users can set the label on a document through the SharePoint UI using the document detail pane, and it can also be applied automatically at either a document library level or by using a keyword query in the label setup. You can see a document’s label by adding the label column to any view in SharePoint.
What’s the difference?
“AIP labels have everything to do with protection of your corporate assets.”
“Retention labels have everything to do with compliance and regulatory requirements in your organization as it relates to retention and disposition.”
They’re both called labels but they are doing very different things. AIP labels have everything to do with protection of your corporate assets. Imagine you have setup a corporate classification in your organization as follows (Microsoft’s label classification recommendations):
Using the above labels, you could configure anything labeled “Highly Confidential” in your organization to prevent external sharing (outside your organization) as well as download. Examples of content that could fall into a “Highly Confidential” classification are:
- Corporate budgets: download not allowed, cannot share externally
- Corporate contracts: download not allowed, cannot share externally
- Pending patents: download not allowed, cannot share externally
Retention labels, on the other hand, have everything to do with compliance and regulatory requirements in your organization as they relate to retention and disposition. Let’s look at the example above, but through the lens of retention. These three types of content may have very different retention requirements even though they all carry an AIP sensitivity label of “Highly Confidential”:
- Corporate budgets: retain for 5 years after budget end date.
- Corporate contracts: retain for 10 years after the contract expiry date.
- Pending patents: permanently declare a record.
How would we implement this?
Classify all of the above documents at time of creation with the AIP ‘Highly Confidential’ sensitivity label. This prevents external sharing both while they are being worked on and once they are in final form. In the Security & Compliance Center, define labels for your corporate retention schedule; within it you will have labels for Budgets, Contracts, and Patents. Publish these labels to the appropriate site collection or tenant in a Label Policy. Once published, they can be applied to content as follows:
- Corporate Budgets: Once the budget is done, apply a ‘Budget’ retention label.
- Corporate contracts: Once the contract has expired, apply a ‘Contract’ retention label.
- Pending patent: At time of creation, automatically label the document as a permanent record.
You can manually set the label on the above content, but the real power comes with auto-application. A retention label can currently be auto-applied by keyword query or at a specific document library. Coming soon, we will also be able to use a managed property that is marked ‘searchable’ in the SharePoint search schema. This is very good news, as it will allow more advanced queries against SharePoint metadata when setting retention. (The ‘Content Type’ managed property would be a very powerful option!)
Now that I have a better understanding of the meaning behind both of these kinds of labels, I’m looking forward to where the new world of “Office 365 labels” is taking us. It’s clear that data protection on all fronts is an important focus for Microsoft – both from a security as well as a retention and disposition perspective.
Thanks for reading.
Handy and clear explanation. I was digging through various pieces by Microsoft on these, and had come to the same conclusions as you reach here. It was nice to read someone else writing what I was thinking.
I think one way forward, that I’ve caught in some of the Microsoft documentation, is to join the two, or at least join the AIP rules to a retention policy.
I’ve heard they are going that direction, but I can’t seem to reconcile the two coming together since they are addressing different needs in my opinion. One is dealing with data protection, the other is dealing with retention. However… I’m keeping an open mind and waiting to see what vNext will bring for both of them.
I am working on a concept with a merger of the AIP/365 labels. You should be able to apply policy rules from both a protection and a retention perspective together. The secret I think may have something to do with a focus on the business function that a user is performing. Layer one helps to identify the function domain “general” records. Layer two is a qualifying layer that aligns to enhanced access or retention requirements.
Most people don’t really understand information security classifications and thus what is appropriate – it isn’t familiar language. However, they do know what they are working on. So for functional domains you would create policies to match the functional need and match them to a label set.
I could send you an email with a diagram if you like.
I like that approach. We definitely need to come up with a strategy for making this understandable to the business and the “functional need” is one thing they should understand.
I would love to see a diagram if you’ve come up with one – I’m coming up with one as well! It’s a good way to explain it to the business.
Thanks for sharing!
Dean, I’m interested in the diagram as well. I’ve been struggling through working out a model that would incorporate both, to make it easier for the colleague him/herself to make the right choice. Perhaps we could share information with one another – although I’ll need to translate mine from Dutch first!
The biggest challenge we face is the inability to apply retention labels to documents that don’t live in SharePoint. We have many different repositories spanning on-prem, hosted, and cloud locations. The AIP labels work great in this environment because they live in the document’s metadata. My hope is that when Microsoft consolidates the AIP labels and the Compliance Center labels, they do so by leveraging the built-in metadata in Office documents.
I think I have heard you mention “Sensitivity Labels” recently, on one of the podcasts (Intrazone?). Is the idea to “unify” these labels so that they can be administered mainly from the Office 365 Admin portal? Indeed, are these sensitivity labels going to subsume the AIP labels you discuss in the article? My next question is: can we apply these sensitivity labels automatically (Flow?) or through provisioning to all hub, comms and modern Teams sites, say, to provide better consistency than the current classification labels we can only apply to groups, individually or at the global directory settings level?