This post explains the key difference between the 2 automated techniques for applying Sensitivity Labels and why you (as an administrator) should care.
Why does this matter?
End-users can certainly apply a sensitivity label manually to an Office document within their editing session, but you shouldn’t rely on this method alone to consistently and accurately represent the sensitivity of the content within the document. We must employ automation to both ease the reliance on the end-user and increase the accuracy of the sensitivity label application.
In addition, if you are migrating thousands of documents into SharePoint and OneDrive, you need to ensure your organization’s sensitivity labels are intelligently applied to these documents in a similar manner to how they are being automatically applied for an end-user while they are working with their documents in their Office applications.
You can do both by using client-side AND service-side auto-labeling features!
Note: at the time of this writing there are limitations on the number of sites that can be included within the service-side auto-labeling feature. Over time, this limit should increase to address the need for applying your data classification at-scale across your data landscape. As of February 2021, the limitations are:
- Maximum of 25,000 automatically labeled files in your tenant per day
- Maximum of 10 auto-labeling policies per tenant, each targeting up to 10 sites (SharePoint or OneDrive)
From Microsoft: How to configure auto-labeling for Office apps
You can auto-apply a sensitivity label from the client (i.e. end-user’s) perspective. This is an “in-the-moment” behavior while an end-user is editing a document either in an Online version (Word Online) or the App version (Desktop Word). If information is entered in the document that triggers the condition you’ve configured in the auto-labeling settings, it will either automatically apply or recommend the sensitivity label (dependent on your configuration).
Client-side auto-labeling for a sensitivity label is configured in the Sensitivity Label’s setting in the Compliance Center under Files & emails. Below is an example of auto-applying (recommending) a Confidential sensitivity label:
The settings above will recommend the Confidential sensitivity label if a Canadian Social Insurance Number is detected in a document’s content while the end-user is editing the document, as demonstrated in the image below (Word Online):
Once applied (by clicking Change now), the property is persisted with the document and it can be displayed as a Sensitivity property in the SharePoint document library view:
What about applying this same set of rules and sensitivity labels to data at rest? For most organizations, it’s not sufficient to auto-apply sensitivity labels to net new and changed content… you ALSO need to apply a consistent set of rules to content sitting in existing SharePoint and OneDrive sites, i.e. data “at rest”.
You can do this using Service-side Auto-labeling from within Information Protection in the Compliance Center:
Service-side auto-labeling is an important supplement to the client-side auto-labeling feature. You can define the same conditions you used in the client-side auto-labeling feature to ensure the same sensitivity label will be applied. Below, I’ve configured service-side auto-labeling for the same condition as in the client-side auto-labeling above:
Once the simulation is done and you have verified the conditions are configured correctly, you can enable the service-side auto-labeling policy to automatically apply the Sensitivity label to content matching the condition(s) specified.
In the image below, the contents of 3 documents in the New Library contain a Canadian Social Insurance Number, so the Confidential sensitivity label was automatically applied. An end-user did not have to open/view/edit the document for the sensitivity label to be applied. Awesome.
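The same service-side policy can also be scripted with the Security & Compliance PowerShell cmdlets instead of the Compliance Center UI. This is an added example, not part of the original post; the site URL, policy name and rule name are placeholders, and it assumes a published label named Confidential and the ExchangeOnlineManagement module.

```powershell
# Added example: service-side auto-labeling for data at rest, created in
# simulation mode first and enabled only after the results are reviewed.
# Assumptions (not from the original post): site URL, policy and rule names.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # sign in with an account that can manage Information Protection

$siteUrl    = 'https://contoso.sharepoint.com/sites/ExampleSite'   # placeholder site
$policyName = 'Auto-label Canada SIN (at rest)'                    # placeholder name
$ruleName   = 'Detect Canada SIN'                                  # placeholder name

# 1. Create the policy in simulation mode: nothing is labeled yet.
New-AutoSensitivityLabelPolicy -Name $policyName `
    -SharePointLocation $siteUrl `
    -ApplySensitivityLabel 'Confidential' `
    -Mode TestWithoutNotifications

# 2. Add the same condition used for client-side auto-labeling:
#    at least one Canada Social Insurance Number in the file content.
New-AutoSensitivityLabelRule -Policy $policyName `
    -Name $ruleName `
    -Workload SharePoint `
    -ContentContainsSensitiveInformation @{
        Name     = 'Canada Social Insurance Number'
        minCount = '1'
    }

# 3. Confirm the policy is still in simulation before reviewing matched files
#    in the Compliance Center.
Get-AutoSensitivityLabelPolicy -Identity $policyName | Format-List Name, Mode

# 4. After verifying the simulation results, turn the policy on.
#    Left commented out so the script cannot label content before review.
# Set-AutoSensitivityLabelPolicy -Identity $policyName -Mode Enable
```

Keep the per-tenant limits noted earlier in mind when choosing how many sites to target with each policy.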
Important Tidbits to know
- When content has been manually labeled, that label will never be replaced by automatic labeling. However, automatic labeling can replace a lower priority label that was automatically applied.
- Automatic labeling can overwrite the default sensitivity label if you have one set in your label policy.
- Service-side auto-labeling will NOT apply a sensitivity label to Exchange email at rest – it will apply labels to emails in transit (when sent).
Thanks for reading. How are YOU applying sensitivity labels across your tenant? 🙂