Label. There’s that word again.
If you need to get up-to-speed quickly on how labels are used across apps and services in Office 365 and have been poring thru documentation on docs.microsoft.com, by now you’ve likely got numerous tabs open in your browser and have noticed there are multiple kinds of labels, each doing different things. This post will articulate the differences and interplay between them. The 4 types of labels you may have come across are:
- Retention labels
- Azure Information Protection (AIP) labels
- Sensitivity labels
- Unified labels
For each one, I’ll give an overview of what it does by answering 4 questions:
- Where does an end-user see this label?
- What’s the interplay with other labels?
- Where is the label created?
- What’s a good thing to know about the label?
Retention Labels
Like the name implies, the primary responsibility of this kind of label is to apply retention to a piece of content (document, item, email). A retention label can do 1 of 3 things:
- retain content for a predetermined period of time
- retain content and then delete it after a predetermined period of time
- outright delete it after a predetermined period of time
A label can also mark a document as a record, which means you can’t change the content of the document.
Q1: Where does an end-user see this label? It’s a piece of metadata for a document which means you can see it/modify it thru the document detail pane and in views. The display name is Retention label and the internal name is ComplianceTag.
Q2: What’s the interplay with the other labels? You can have a retention label on a document as well as either an Azure Information Protection (AIP) label or a sensitivity label as the labels are doing very different things.
Q3: Where is the label created? These labels are created in the Security & Compliance Center in Office 365 at protection.office.com. As of the time of this writing (December 2019), you will see it under the Classifications navigation heading.
Q4: What are good things to know about this label? If the retention label declares a document a record, a hidden Yes/No column will be automatically added to your list/library called Item is a Record and will be set if the retention label has been applied. This can be added to views and filtered on.
If you want to see the date a document will be retained until/deleted on, select the 3 dots beside the document in SharePoint, click More… Compliance details to view the retention information. The date will be shown in the Expiration Status.
Azure Information Protection (AIP) Labels
These labels are used to apply protection, rights management, and/or visual markings to an email or document. Examples of this include:
- apply a watermark, header, or footer to a document based on the label
- encrypt a document based on the label
- allow only a specific team in your organization to view, edit and print a document based on the label (different than SharePoint permissions)
- prevent any external user from accessing an email and attached document if sent to them
AIP labels align to a data classification scheme your organization must define to describe the handling and protection controls for your organization’s content. Typically, an Information Management and/or Compliance team will define an organization’s data classification scheme. Each label will have corresponding settings configured to implement the controls. This is an example of a data classification scheme and the controls for each:
Q1: Where does an end-user see this label? An end-user will see the label in the following clients/apps when working with the content:
- Word, Excel, PowerPoint, Outlook apps (desktop clients): an Information Protection bar will be shown
- Word, Excel, PowerPoint on the web: not currently available
- PDFs: Using Azure Information Protection to protect PDF’s
Sensitivity is a property automatically added to any list/library in SharePoint, however an AIP label value will not populate this column.
Once an AIP label is applied, it is stored in clear-text in a document’s properties under the ‘sensitivity’ property for Word, Excel, and PowerPoint files and in the email header on an email. This is important because other applications (Data Loss Prevention, SharePoint search, mail flow rules, etc.) can then read the label and take action based on it.
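To show what "stored in clear-text" means for a consuming application, here is an added example (not from the original post or from Microsoft) that reads the custom properties of an Office Open XML file the way a DLP-style check could. It assumes per-label fields follow the MSIP_Label_<GUID>_<field> naming convention, which the post does not spell out, and the sample file, GUID and label name are constructed.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {"cp": "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties",
      "vt": "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"}
PART = "docProps/custom.xml"   # where Office files keep custom document properties
MAX_PART = 1 << 20             # refuse oversized parts (zip-bomb guard)
# Assumption: per-label fields are named MSIP_Label_<label GUID>_<field>.
MSIP = re.compile(r"^MSIP_Label_([0-9a-fA-F-]{36})_(\w+)$")

def custom_properties(ooxml_bytes):
    """Return {name: value} for string custom properties; {} if the part is absent."""
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as z:
        if PART not in z.namelist():
            return {}
        if z.getinfo(PART).file_size > MAX_PART:
            raise ValueError("custom.xml larger than expected")
        root = ET.fromstring(z.read(PART))
    props = {}
    for prop in root.findall("cp:property", NS):
        value = prop.find("vt:lpwstr", NS)
        if value is not None:
            props[prop.get("name", "")] = value.text or ""
    return props

def active_labels(props):
    """Names of labels whose Enabled field is true, as a DLP-style rule would read them."""
    by_guid = {}
    for name, value in props.items():
        m = MSIP.match(name)
        if m:
            by_guid.setdefault(m.group(1).lower(), {})[m.group(2)] = value
    return sorted(f.get("Name", "") for f in by_guid.values()
                  if f.get("Enabled", "").lower() == "true")

def build_sample(props):
    """Constructed input: a zip holding only custom.xml, not a complete .docx."""
    body = "".join(f'<property pid="{i}" name="{n}"><vt:lpwstr>{v}</vt:lpwstr></property>'
                   for i, (n, v) in enumerate(props.items(), start=2))
    xml = f'<Properties xmlns="{NS["cp"]}" xmlns:vt="{NS["vt"]}">{body}</Properties>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(PART, xml)
    return buf.getvalue()

GUID = "00000000-0000-0000-0000-000000000001"  # constructed placeholder, not a real label id
SAMPLE = build_sample({f"MSIP_Label_{GUID}_Enabled": "True",
                       f"MSIP_Label_{GUID}_Name": "Confidential",
                       "Sensitivity": "Confidential"})
```

Because the properties sit unencrypted in the file, anyone who can write to the file can also edit them, so a rule that reads them should treat the label as a handling hint rather than proof of protection.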
Q2: What’s the interplay with the other labels? These labels are being replaced with sensitivity labels and there’s an option to migrate them to sensitivity labels right from within the Azure portal. You can have both a retention label and an AIP label on the same document or email. Even if an AIP label encrypts a document (uses Azure Rights management), you can still apply a retention label on it. See Sensitivity labels for improvements with encrypted documents.
Q3: Where is the label created? These labels are created in the Azure portal for your tenant.
Q4: What are good things to know about this label? An AIP label can override SharePoint permissions! If you have a document in a SharePoint library and 1 of the documents is protected with an AIP label with rights management limited to a few select individuals, other people won’t have access to the document even if they have access to the SharePoint document library. Refer to this post of mine where I walk thru an example of this: Azure Information Protection Usage Rights and SharePoint Permissions.
AIP labels can also be applied to files outside of Office 365 either programmatically using the SDK, manually or with the AIP Scanner.
Sensitivity Labels
These are the new and recommended way of applying protection to documents and emails on a go-forward basis. All the cool kids are using these. 🙂 Over time, they will replace AIP labels for label and policy management for protecting content within Office 365, however there currently isn’t 1:1 feature parity between the two. If you are currently using AIP labels, be mindful of the capabilities you are leveraging before migrating to sensitivity labels.
Refer to this link for the current feature comparison: Client Comparison
Q1: Where does an end-user see this label? To see the sensitivity labels, you need to either have migrated your AIP labels from the Azure Portal to the Security & Compliance Center (if you were previously using AIP labels) OR created net new Sensitivity labels in the Security & Compliance Center.
Whichever way your sensitivity labels were created, end-users must be using 1 of 2 clients to see the sensitivity label:
- Unified label AIP client Office add-in
- Native labeling built into the Office Pro-plus install
There is a difference between the user experience depending on which of the above client options you’ve gone with. The key difference end-users will notice is with the version built-in, you will no longer see the Information Protection bar in the Office clients, you will only see the Sensitivity button on the toolbar.
Sensitivity labels will eventually have broad coverage and visibility across apps and services as you will see them in the Office clients, Office on the web (currently in Public Preview), Outlook on the Web, SharePoint Online (Preview), iOS, and Android Office apps. I love the consistency of this to improve the end-user experience and the familiarity with what Sensitivity means to protect corporate content.
Sensitivity is a property automatically added to any list/library in SharePoint, and I’m hopeful this value will be populated with the preview version of Sensitivity labels in SharePoint Online.
Q2: What’s the interplay with the other labels? Once you migrate your labels from the Azure portal to the Security & Compliance Center (SCC), you can administer them from either the SCC or the Azure Portal and the label changes are synced to the other portal. Which management portal you choose will depend on the labeling clients you have installed for your users. (Link: After I’ve migrated my labels, which management portal do I use?)
Similar to retention labels and AIP labels, you can have both a retention label and a sensitivity label on the same document, even if the document is encrypted.
Q3: Where is the label created? They are administered from the Security & Compliance Center under the Classification section on the left-hand navigation. If you have migrated AIP labels from the Azure Portal, this is where it put them.
Q4: What are good things to know about this label? Sensitivity labels can use sensitive information types to be auto-applied (just like Data Loss Prevention and Retention), something requiring regular expressions in a classic AIP label.
Announced at Microsoft Ignite 2019:
- Data Loss Prevention can use sensitivity labels to take action
- Sensitivity labels can be applied to an Office 365 Group, Teams, SharePoint site, or PowerBI workspace
- Up to this point in time, once a document was encrypted in SharePoint/OneDrive, the following features didn’t work on the file: Coauthoring, eDiscovery, Data Loss Prevention, search (for the file’s content), and Delve. At Ignite, an update was announced in Public Preview to allow: co-authoring, eDiscovery, search, and Delve
New investments from Microsoft will be on Sensitivity labels for protecting content across Microsoft 365 apps and services. If you aren’t currently using AIP labels and you don’t require the functionality they provide that Sensitivity labels don’t, I recommend going straight to Sensitivity labels to future-proof your effort.
Currently in preview for Sensitivity labels:
- Azure Information Protection Scanner
- SharePoint Online
- Office for the Web
Unified Labels
This is analogous to a Sensitivity label, but it’s also an “approach”.
I was initially confused by what this term meant and I can only assume there are others new to the world of labels who are also.
Microsoft made a strategic decision to incorporate AIP labeling capabilities into Office 365 services by administering them from the Security & Compliance center (SCC) backend. The migration process migrates the AIP labels (and policies) to the SCC and they are then referred to as Sensitivity labels once migrated. This “unification” allowed Microsoft to standardize the SDK to allow other applications and services to use AIP classification and labeling and to administer both types of labels (sensitivity and retention) from the same label management portal (SCC).
It doesn’t mean “1 unified label to perform both retention and protection functions” as I had initially thought.
I hope this post helped articulate the different types of labels available across Office 365. As new capabilities are introduced for retention and protection labels, I’ll update this post.
Thanks for reading.