Label. There’s that word again.
If you need to get up-to-speed quickly on how labels are used across apps and services in Office 365 and have been pouring thru documentation on docs.microsoft.com, by now you’ve likely got numerous tabs open in your browser and have noticed there’s multiple kinds of labels each doing different things. This post will articulate the differences and interplay between them. The 4 types of labels you may have come across are:
For each one, I’ll give an overview of what it does by answering 4 questions:
- Where does an end-user see this label?
- What’s the interplay with other labels?
- Where is the label created?
- What’s a good thing to know about the label?
Retention Labels
Like the name implies, the primary responsibility of this kind of label is to apply retention to a piece of content (document, item, email). A retention label can do 1 of 3 things:
- retain content for a predetermined period of time
- retain content and then delete it after a predetermined period of time
- outright delete it after a predetermined period of time
A label can also mark a document as a record making it so you can’t change the content of the document.
Q1: Where does an end-user see this label? It’s a piece of metadata for a document which means you can see it/modify it thru the document detail pane and in views. The display name is Retention label and the internal name is ComplianceTag.
Q2: What’s the interplay with the other labels? You can have a retention label on a document as well as either an Azure Information Protection (AIP) label or a sensitivity label as the labels are doing very different things.
Q3: Where is the label created? These labels are created in the Security & Compliance Center in Office 365 at protection.office.com. As of the time of this writing (December 2019), you will see it under the Classifications navigation heading.
Q4: What are good things to know about this label? If the retention label declares a document a record, a hidden Yes/No column will be automatically added to your list/library called Item is a Record and will be set if the retention label has been applied. This can be added to views and filtered on.
Note: there’s currently no way to see the date a document will be retained until/deleted on.
Azure Information Protection (AIP) Labels
These labels are used to apply protection, rights management, and/or visual markings to an email or document. Examples of this include:
- apply a watermark, header, or footer to a document based on the label
- encrypt a document based on the label
- allow only a specific team in your organization to view, edit and print a document based on the label (different than SharePoint permissions)
- prevent any external user from accessing an email and attached document if sent to them
AIP labels align to a data classification scheme your organization must define to describe the handling and protection controls for your organization’s content. Typically, an Information Management and/or Compliance team will define an organization’s data classification scheme. Each label will have corresponding settings configured to implement the controls. This is an example of a data classification scheme and the controls for each:
Q1: Where does an end-user see this label? An end-user will see the label in the following clients/apps when working with the content:
- Word, Excel, PowerPoint, Outlook apps (desktop clients) (image) – an Information Protection bar will be shown
- Word, Excel, PowerPoint on the web: not currently available
- PDFs: Using Azure Information Protection to protect PDF’s
Sensitivity is a property automatically added to any list/library in SharePoint, however an AIP label value will not populate this column.
Once an AIP label is applied, it is stored in clear-text in a document’s properties under the ‘sensitivity’ property for Word, Excel, and PowerPoint files (image) and in the email header on an email. This is important because other applications can then read the label and take action based on it. (Data Loss Prevention, SharePoint search, mail flow rules, etc.)
Q2: What’s the interplay with the other labels? These labels are being replaced with sensitivity labels and there’s an option to migrate them to sensitivity labels right from within the Azure portal. You can have both a retention label and an AIP label on the same document or email. Even if an AIP label encrypts a document (uses Azure Rights management), you can still apply a retention label on it. **See Sensitivity labels for improvements with encrypted documents.
Q3: Where is the label created? These labels are created in the Azure portal for your tenant.
Q4: What are good things to know about this label? An AIP label can override SharePoint permissions! If you have a document in a SharePoint library and 1 of the documents is protected with an AIP label with rights management limited to a few select individuals, other people won’t have access to the document even if they have access to the SharePoint document library. Refer to this post of mine where I walk thru an example of this: Azure Information Protection Usage Rights and SharePoint Permissions.
AIP labels can also be applied to files outside of Office 365 either programmatically using the SDK, manually or with the AIP Scanner.
Sensitivity Labels
These are the new and recommended way of applying protection to documents and emails on a go-forward basis. All the cool kids are using these. 🙂 Over time, they will replace AIP labels for label and policy management for protecting content within Office 365, however there currently isn’t 1:1 feature parity between the two. If you are currently using AIP labels, be mindful of the capabilities you are leveraging before migrating to sensitivity labels.
Refer to this link for the current feature comparison: Client Comparison
Q1: Where does an end-user see this label? To see the sensitivity labels, you need to either have migrated your AIP labels from the Azure Portal to the Security & Compliance Center (if you were previously using AIP labels) OR created net new Sensitivity labels in the Security & Compliance Center.
Whichever way your sensitivity labels were created, end-users must be using 1 of 2 clients to see the sensitivity label:
- Unified label AIP client Office add-in
- Native labeling built into the Office Pro-plus install
There is a difference between the user experience depending on which of the above client options you’ve gone with. The key difference end-users will notice is with the version built-in, you will no longer see the Information Protection bar in the Office clients, you will only see the Sensitivity button on the toolbar.
Sensitivity labels will eventually have broad coverage and visibility across apps and services as you will see them in the Office clients, Office on the web (currently in Public Preview), Outlook on the Web, SharePoint Online (Preview), iOS (image), and Android Office apps. I love the consistency of this to improve the end-user experience and the familiarity with what Sensitivity means to protect corporate content.
Sensitivity is a property automatically added to any list/library in SharePoint, and I’m hopeful this value will be populated with the preview version of Sensitivity labels in SharePoint Online.
Q2: What’s the interplay with the other labels? Once you migrate your labels from the Azure portal to the Security & Compliance Center (SCC), you can administer then from either the SCC or the Azure Portal and the label changes are synced to the other portal. Which management portal you choose will depend on the labeling clients you have installed for your users. (Link: After I’ve migrated my labels, which management portal do I use?)
Similar to retention labels and AIP labels, you can have both a retention label and a sensitivity label on the same document, even if the document is encrypted.
Q3: Where is the label created? They are administered from the Security & Compliance Center under the Classification section on the left-hand navigation. If you have migrated AIP labels from the Azure Portal, this is where it put them.
Q4: What are good things to know about this label? Sensitivity labels can use sensitive information types to be auto-applied (just like Data Loss Prevention and Retention), something requiring regular expressions in a classic AIP label.
Announced at Microsoft Ignite 2019:
- Data Loss Prevention can use sensitivity labels to take action
- Sensitivity labels can be applied to an Office 365 Group, Teams, SharePoint site, or PowerBI workspace
- Up to this point in time, once a document was encrypted in SharePoint/OneDrive, the following features didn’t work on the file: Coauthoring, eDiscovery, Data Loss Prevention, search (for the file’s content), and Delve. At Ignite, an update was announced in Public Preview to allow: co-authoring, eDiscovery, search, and Delve
New investments from Microsoft will be on Sensitivity labels for protecting content across Microsoft 365 apps and services. If you aren’t currently using AIP labels and you don’t require the functionality they provide that Sensitivity labels don’t, I recommend going straight to Sensitivity labels to future-proof your effort.
Currently in preview for Sensitivity labels:
- Azure Information Protection Scanner
- SharePoint Online
- Office for the Web
Unified labels
This is analogous to a Sensitivity label, but it’s also an “approach”.
I was initially confused by what this term meant and I can only assume there are others new to the world of labels who are also.
Microsoft made a strategic decision to incorporate AIP labeling capabilities into Office 365 services by administering them from the Security & Compliance center (SCC) backend. The migration process migrates the AIP labels (and policies) to the SCC and they are then referred to as Sensitivity labels once migrated. This “unification” allowed Microsoft to standardize the SDK to allow other applications and services to use AIP classification and labeling and to administer both types of labels (sensitivity and retention) from the same label management portal (SCC).
It doesn’t mean “1 unified label to perform both retention and protection functions” as I had initially thought.
I hope this post helped articulate the different types of labels available across Office 365. As new capabilities are introduced for retention and protection labels, I’ll update this post.
Thanks for reading.
-JCK
Credit: Image by Дарья Яковлева from Pixabay
Thank you for sharing this. Very good overview of the subject.
Very good article, to the point and easy to read.
How do you add the PolicyExpiryDate column in SharePoint. I don’t seem to have that column available.
Hi Charles,
In my example, this is a custom column I’ve added to the library in SharePoint. I’m using the managed property generated from that column.
-JCK
Thanks for your usual clarity around the changing and somewhat confusing world of labels!
In your post you wrote that DLPs can be based on sensitivity labels, but I don’t see that in my Compliance Center. What I see is that they can be based on Sensitivity Types (ex Credit Card number) and Retention Labels. Am I missing something or is that a planned feature?
Hi Michael, that’s under my “announced at Ignite” section. It’s not available yet… coming soon. 😊
-JCK
Hi. Very interesting. However, there is something not clear. Is the usage of sensitivity labels also possible for PDF documents ? As all our validated documents are PDF. If not, is it planned in the future ? Or is there another recommendation to protect PDF documents next to Office documents ? (my Sharepoint library contains both). Tx
Great article, thanks!
I have a question around support for MAC if i have customized my labels with powershell.
on windows, i can block sending to untrusted domains, and show pop ups. (leveraging the labeling client). can this be achieved on outllook on MAC?
tnx
Hi Dagan, assuming you’re meaning sensitivity labels???? I don’t know. I don’t have a Mac and don’t regularly test with them. What kind of “customization” have you done? That likely has an impact.
Sorry, can’t help you with this one.
-JCK
Thanks Joanne, you reply fast! well yes I meant Sensitivity labels. I have configured trusted domains, and the warn / justify / block pop ups. i.e if you try to send an email with the label “Internal” to someone outside the organization, you get a pop up blocking you and asking you to change Email address X.
that doesn’t work on MAC since it is depending on the AIP unified labeling client that supports only windows… thanks anyway!
Dagan.
Hi Joanne,
Great series of articles – thank you.
I’m trying to find a way to make Sensitivity Labels available as a Document Property (in the way you have described with) AIP labels above.
Do you have any advice you can offer?
Mark
Thank you Joanne,
Noting the time and date of the post I can honestly say it has been extremely useful in helping me understand and implement sensitivity and retention labels internally and for my clients
Hi Joanne,
Thanks for your informative articles, it’s helped me a lot to better understand some of the features available in M365 to support records/information management. I just had a question around the retention labels, are all retention label properties able to be edited/modified after the label is created (i.e. name, notes, retention periods and triggers, citation references, etc)? I’m just thinking from a government recordkeeping perspective where retention and disposal authorities have to be followed, those are updated semi-regularly and I wonder if you could make a change to an existing label where necessary rather than having to create new labels to account for the change.
Kind regards,
Adelaide
Hi Adelaide,
It depends. You can’t change a retention label name after-the-fact. There are some changes you can make to the retention period, however only under certain conditions. (E.g. if it’s a regulatory record, you can’t change it to a shorter period although you can for a regular or record label) Auto-apply triggers will not overwrite a piece of content that already has a retention label applied, unless it is from another auto-apply that was created earlier. You can add/remove disposition reviewers after-the-fact. Citation references are just text so you can change them after-the-fact as well as the descriptions for users/admins. You can also change all of the attributes within the File Plan (Reference ID, Business Function, Category/Subcategory, Authority Type, Provision/Citation)
Hope that helps.
-JCK
Hi Joanne,
Thanks for your always great explanatory articles.
One question left unanswered, though (there had to be one, right? :-)) is what comes out of combining retention and sensitivity labels…
First a bit of background:
– We use retention labels in SharePoint libraries, we configure them to be set automatically and love the fact that they can be made records
– We use sensitivity labels to classify the sensitivity of the content (doh)
Now comes the tricky part… We cannot find a way to be able to set the sensitivity label AFTER the document has been saved – as it is then a record. I assume that this happens because the item is locked for changes to the binary file whereas the metadata still can be updated.
So we are reliant on the users remembering to set the sensitivity label before the document is stored to the location – which honestly rarely happens (and I’d have loved to be able to set it automatically beforehand based on the library settings as opposed to the site which isn’t granular enough).
Have you exprienced this issue and/or heard of any workarounds?
Best regards,
Thomas