This post explains the key difference between the two automated techniques for applying sensitivity labels (client-side and service-side auto-labeling) and why you, as an administrator, should care.
Why does this matter?
End-users can certainly apply a sensitivity label manually to an Office document within their editing session, but you shouldn’t rely on this method alone to consistently and accurately represent the sensitivity of a document’s content. Automation both reduces the reliance on the end-user and increases the accuracy of label application.
In addition, if you are migrating thousands of documents into SharePoint and OneDrive, you need to ensure your organization’s sensitivity labels are applied to those documents just as intelligently as they are applied automatically while an end-user works with a document in their Office application.
You can do both by using client-side AND service-side auto-labeling features!
Note: at the time of this writing there are limitations on the number of sites that can be included within the service-side auto-labeling feature. Over time, this limit should increase to address the need for applying your data classification at-scale across your data landscape. As of February 2021, the limitations are:
- Maximum of 25,000 automatically labeled files in your tenant per day
- Maximum of 10 auto-labeling policies per tenant, each targeting up to 10 sites (SharePoint or OneDrive)
From Microsoft: How to configure auto-labeling for Office apps
You can auto-apply a sensitivity label from the client (i.e. the end-user’s) side. This is “in-the-moment” behavior while an end-user is editing a document, either in the online version (Word Online) or the desktop app (Word). If information entered in the document matches the condition you’ve configured in the label’s auto-labeling settings, the label is either applied automatically or recommended to the user, depending on your configuration.
Client-side auto-labeling for a sensitivity label is configured in the label’s settings in the Compliance Center, under Files & emails. Below is an example that recommends (rather than silently applies) a Confidential sensitivity label:
With these settings, the Confidential sensitivity label is recommended when a Canadian Social Insurance Number is detected in the document’s content while the end-user is editing it, as shown in the Word Online image below:
Once applied (by clicking Change now), the label is persisted with the document and can be displayed as the Sensitivity column in the SharePoint document library view:
From Microsoft: How to configure auto-labeling policies for SharePoint, OneDrive, and Exchange
What about applying the same rules and sensitivity labels to data at rest? For most organizations it is not sufficient to auto-label only net-new and changed content; you ALSO need to apply a consistent set of rules to content already sitting in existing SharePoint and OneDrive sites, i.e. data “at rest”.
You can do this using Service-side Auto-labeling from within Information Protection in the Compliance Center:
Service-side auto-labeling is an important supplement to client-side auto-labeling. You can define the same conditions used in the client-side configuration so that the same sensitivity label is applied. Below, I’ve configured service-side auto-labeling for the same condition as in the client-side example above:
Step 1: Define the condition(s)
Step 2: Select the Sensitivity Label to automatically apply
Step 3: You MUST run the policy in simulation mode before enabling it
Once the simulation has finished and you have verified that the conditions are configured correctly, you can enable the service-side auto-labeling policy to automatically apply the sensitivity label to content matching the specified condition(s).
In the image below, the contents of 3 documents in the New Library contain a Canadian Social Insurance Number, so the Confidential sensitivity label was applied automatically. No end-user had to open, view or edit the documents for the label to be applied. Awesome.
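The three steps above, as an added PowerShell example that is not part of the original post, using the auto-labeling cmdlets in Security & Compliance PowerShell (ExchangeOnlineManagement module). The label name (Confidential) and the condition (the built-in Canada Social Insurance Number sensitive information type) come from the post; the admin account, site URLs and policy name are placeholders I have assumed. The script also enforces the per-policy site limit the post quotes for February 2021 before calling the cmdlets, and it deliberately does not enable the policy until you confirm the simulation has been reviewed.

```powershell
# Added example (not from the original post): build the service-side auto-labeling
# policy from Steps 1-3 with Security & Compliance PowerShell.
# Assumptions: the admin UPN, site URLs and policy name below are placeholders;
# the "Confidential" label already exists in the tenant (as in the post).
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.onmicrosoft.com'   # assumed account

$LabelName  = 'Confidential'
$PolicyName = 'AutoLabel-Confidential-CanadaSIN'                          # assumed name
$SitName    = 'Canada Social Insurance Number'                            # built-in sensitive info type

# Assumed target locations. The post's limit (as of Feb 2021) is 10 sites per policy
# across SharePoint and OneDrive, so check before the cmdlet fails part-way through.
$SharePointSites = @(
    'https://contoso.sharepoint.com/sites/NewLibrary',
    'https://contoso.sharepoint.com/sites/Finance'
)
$OneDriveSites = @(
    'https://contoso-my.sharepoint.com/personal/jdoe_contoso_onmicrosoft_com'
)
$MaxSitesPerPolicy = 10
$total = $SharePointSites.Count + $OneDriveSites.Count
if ($total -gt $MaxSitesPerPolicy) {
    throw "Policy would target $total sites; split into several policies of at most $MaxSitesPerPolicy."
}

# Fail early if the label or the sensitive information type does not exist in this tenant.
$null = Get-Label -Identity $LabelName -ErrorAction Stop
if (-not (Get-DlpSensitiveInformationType | Where-Object Name -eq $SitName)) {
    throw "Sensitive information type '$SitName' not found."
}

# Step 2 (which label) plus the locations: create the policy in simulation mode (Step 3).
New-AutoSensitivityLabelPolicy -Name $PolicyName `
    -SharePointLocation $SharePointSites `
    -OneDriveLocation   $OneDriveSites `
    -ApplySensitivityLabel $LabelName `
    -Mode TestWithoutNotifications `
    -Comment 'Apply Confidential when a Canadian SIN is detected (same condition as the client-side rule)'

# Step 1 (the condition): one rule attached to the policy, same condition as the label's
# client-side auto-labeling setting.
New-AutoSensitivityLabelRule -Policy $PolicyName -Name "$PolicyName-Rule" `
    -Workload SharePoint, OneDriveForBusiness `
    -ContentContainsSensitiveInformation @(@{ Name = $SitName; minCount = '1' })

# Confirm the policy is in simulation (Mode = TestWithoutNotifications) and what it targets.
Get-AutoSensitivityLabelPolicy -Identity $PolicyName |
    Format-List Name, Mode, ApplySensitivityLabel, SharePointLocation, OneDriveLocation, DistributionStatus

# Step 3, second half: enable only after the simulation has finished and the matched items
# have been reviewed in the Compliance Center. Set this to $true once that is done.
$SimulationReviewed = $false
if ($SimulationReviewed) {
    Set-AutoSensitivityLabelPolicy -Identity $PolicyName -Mode Enable
}
```

Run it once with `$SimulationReviewed` left at `$false`, review the simulation results in Information Protection, then re-run only the final `Set-AutoSensitivityLabelPolicy` line (or flip the flag) to enable the policy. Keeping the enable step behind an explicit flag mirrors the portal, which also refuses to turn a policy on until a simulation has run.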
Important Tidbits to know
- When content has been manually labeled, that label will never be replaced by automatic labeling. However, automatic labeling can replace a lower priority label that was automatically applied.
- Automatic labeling can overwrite the default sensitivity label if you have one set in your label policy
- Service-side auto-labeling will NOT apply a sensitivity label to Exchange email at rest – it will apply labels to emails in transit (when sent).
Thanks for reading. How are YOU applying sensitivity labels across your tenant? 🙂
Credit: Photo by Markus Spiske from Pexels
This is awesome, Joanne, thanks. Sadly we are not using this yet… although I believe we are getting a project together to move in that direction… and I cannot wait.
Very helpful and clear — thanks for your post. What if I want to apply a specific label to every document that gets placed in a specific SharePoint library, so all documents in that site are labeled with that label when they are placed there?
Hi Revakg, you can’t do this using the auto-labeling capability. Microsoft Cloud App Security can do it.
Joanne, any hope for being able to use server-side auto-labeling for more than 10 sites/onedrive sites? Starting to get some clients that want to turn it on tenant wide for SharePoint and OneDrive and be able to check all their sites.
Hey Ben, the team at Microsoft is working on this current limitation. I’m not aware of a date though.
Awesome, thanks! Glad to know it’s at least coming 🙂
Awesome content, thanks a lot!
Can I select all tenant sharepoint sites in auto labeling (service side)? I wonder if there is a site limit?
There is currently a site limit (I *think* it’s 100 but it’s well documented in Microsoft Docs). I believe this limit will change.
Thanks for reply. You are wonderful. I have a another question. Please forgive me 🙂
After deploying this policy, can newly created sharepoint sites be automatically included in this policy? Or should I always include it manually?
Well because you can’t currently go tenant-wide, wouldn’t you have to manually include it? (not sure if there is a PS script where you could automate it)
Thank you very much for your wonderful article madam. I have benefited quite a lot.
My goal is to classify unclassified data on sharepoint sites and onedrive accounts with AIP (UL). I have no license problem for this, I will buy it if necessary.
What is the most painless way? “Microsoft Cloud App Security” or “Auto-Labeling Policy”?
Or am I confusing these two in different things 🙂
Hi Sena, I think they will both do what you want (apply a sensitivity label), however the devil’s in the details. Once the service-side auto-labeling site limit has been lifted/increased I would lean to this option as it will be a single source of functionality across all of your workloads. Please check out this blog on Microsoft’s tech community where they talk about exactly your question: https://techcommunity.microsoft.com/t5/microsoft-security-and/mcas-data-protection-blog-series-do-i-use-mcas-or-mip/ba-p/2011039
Hope this helps.
Thank you very much for your quick response, one more question, I would appreciate it if you could help.
I installed AIP Scanner to protect and classify data on File Servers and it works fine.
Is something like this possible? All files with “png” and “dwg” extensions in fileservers should have “Top Secret” labels? I want the same to be true for the sharepoint site.
In summary, can I make this request on both fileservers and sharepoint online sites? Or is Microsoft automatic labeling on text-only files? An automatic labeling with reference to the file extension is not possible?
Yes other file types are possible. The list of filetypes is well-documented by Microsoft. I’ll leave that up to you to google. 😊
I searched on google but could not find a detail. My request is that only “dwg” and “png” extension files are “Top Secret” by default. Other file types should not be labelled.
Please help me 🙁
Hi Sena, I reread your initial question…to my knowledge you can’t apply a sensitivity label to content based on its extension (meaning ALL .png be assigned a ‘Top Secret’ label)… it is based on the conditions specified by your sensitivity label definition in the Compliance Center (which does not include file type) but rather the detection of a sensitive information type in the file. You can certainly include/exclude file types, but the application of the label is based on the sensitivity of the content. I haven’t worked with AIP scanner very much.
Please post your question on Microsoft’s Tech Community for broader reach. Link: https://techcommunity.microsoft.com/t5/microsoft-security-and/ct-p/MicrosoftSecurityandCompliance
Thank you JCK for your great writing 🙂
I have a question. I would be grateful if you could answer me.
Can I automatically label the docs found in my users’ local(laptop) ? There is a product called Microsoft Endpoint DLP, will it meet my needs?
A question about auto-labeling in Information Protection. I have set up a simulation using the GLBA. It shows that there are 5 items matched. However, when I click to review matched items it tells me that there is no data. Do I need a particular privilege to view that?
Hi Alan, here is some info that may help. https://docs.microsoft.com/en-us/microsoft-365/compliance/apply-sensitivity-label-automatically?view=o365-worldwide#prerequisites-for-auto-labeling-policies
You do need permission to click in and view – not sure if that is the exact issue you’re having though. Hope this helps.
Hello, yes, the permission issue is what I am wondering about. I have Global Reader and Data Compliance Admin, what other permission is needed?
Thanks for your help,
Hi Alan, the permissions you require are in the link I just sent you under the ‘Simulation mode’ heading. It says “Content Explorer Content Viewer” role.
I have asked my boss to check into the link you sent. I am thinking that I will need those permissions to see how things are going.
can we apply the client side auto label for incoming external email?
Hi Sameer, to my knowledge no.
Thanks Joanne! But server-side should be possible, right?
Hi Sameer, emails are labeled in transit as they are sent using service-side auto-labeling. Not incoming from external.
– An auto-labeling policy for Exchange only, where the label to be applied is Confidential.
– In the client-side, directly in the Internal label, setting auto-labeling.
Given the two ways, what is the prevalence between them? Between client-side and service-side, who wins?