Understanding Microsoft 365 Sensitivity Labels


Introduction

This article describes

Content

Explanation

Microsoft 365 Sensitivity Labels are a part of the Azure Information Protection (AIP) tool set. They are a data-protection solution from Microsoft that helps an organization classify and protect its sensitive files and emails. The current protections implemented are Encryption and Email Forwarding Block. These are activated when a user applies a label to an email or file.

What do these labels provide to users on files and emails?

Top of Page

What labels are currently available for files and emails?

The following chart indicates currently available labels and their associated protections.

Label

Description

Encryption

Forwarding Block

All Applications

PII

Data containing personally identifiable information. Emails and documents marked as PII will be encrypted and recipients of PII labeled emails will be prevented from forwarding.

Yes

Yes

FERPA

Data containing information on student academic records. Emails and documents marked as FERPA will be encrypted and recipients of FERPA labeled emails will be prevented from forwarding.

Yes

Yes

EPHI

Data containing ePHI. Emails and documents marked as EPHI will be encrypted, and recipients of these emails will be prevented from forwarding.

Yes

Yes

Email Applications Only

Encrypt

Encryption of data at rest and in transit.

Yes

No

Do Not Forward

Prevents recipients from forwarding, printing, or copying content.

No

Yes

Top of Page

How do I protect items with Sensitivity Labels in Outlook Web App (OWA)?

FERPA, PII, and ePHI

  1. Open a browser window and navigate to http://my.office365.vt.edu.
  2. Click on the Outlook icon.
  3. If the icon is not available, click on the Explore all your apps link and search for the Outlook entry in the list provided.
  4. Click on the New message menu item.
  5. Click on the Sensitivity drop-down box.



  6. Apply the appropriate label.
  7. You will now see the label applied to your email. If your email had any attachments, the same protections will also be applied to the attachments.

Examples

Top of Page

Encrypt and Do Not Forward

  1. Click on the New message menu item.



  2. Click on the ellipses to the right of the ribbon.



  3. Locate and click on the Encrypt button.
  4. Apply either Encrypt of Do Not Forward as appropriate.

 

Top of Page

 

How do I apply Sensitivity Labels in Office Desktop Applications (Outlook, Word, PowerPoint, etc.)?

AIP functionality is native to desktop applications. They will appear under the "Sensitivity" menu in Word, Excel, PowerPoint, and Outlook. For more information on Sensitivity Labels in Office for Mac, please see the Apply sensitivity labels to your files and email in Office Microsoft support page.

Microsoft Word, Excel, and PowerPoint

  1. Be sure you are on the Home tab of your desktop application.
  2. On the right-hand side of the ribbon, click on the Sensitivity menu item.
  3. From here, you can choose the label that represents your data.

Your chosen label will have

Top of Page

Microsoft Outlook

 

  1. Be sure you are on the Home tab of your desktop application.
  2. Click on the New Email button.
  3. Be sure you are in the Message tab of Outlook Desktop.
  4. On the right-hand side of the ribbon, click on the Sensitivity menu item.
  5. From here, you can choose the label that represents your data.
    1. The options are identical to the other desktop application as shown:
    2. Upon selecting one of the options (for the purposes of this example, we're going to use FERPA), you will see the label at the top of your email window, just under the ribbon. There will also be a check beside the chosen option in the Sensitivity menu item.

  6. To apply only Encryption, go to the Options tab.
  7. Select the Encrypt menu item.

    • You will have several options to choose from, similar to the Online Web Application. Applicable options that don't involve sensitivity labels are:

      • Encrypt-Only
      • Do Not Forward

    • Once you choose one of these options (for the purposes of this example, we will use Encrypt-Only), similar to the other sensitivity labels, it will appear directly under the ribbon on your email window. There will also be a check beside the chosen option in the Encrypt menu item.

You are able to apply Sensitivity and Encryption labels to your email simultaneously. Be sure to select the Sensitivity label prior to selecting the Encryption label.

Video

Top of Page

How do I remove labels in Office Desktop Applications?

You can only remove a label that you personally have applied. 

Top of Page

 

How do I directly protect files using AIP? 

In order to classify a document within Windows Explorer through the right-click context menu, Windows Requires the AIP Client to be installed separately from Office products. 

To install the AIP Client

  1. Click on https://www.microsoft.com/en-us/download/details.aspx?id=53018.
  2. Once the site loads, click the Download button.

  3. Choose one of the installation file options with _UL.exe in the name.
  4. Click the Next button.
  5. Once the AIP client installation file is downloaded, open the installation file and follow the prompts on the screen to install the client.

Please visit Admin Guide: File types supported by the Azure Information Protection client to understand which file formats work with AIP protections applied. You can apply the protection through labelling directly to an individual file or to all files in a folder.

Top of Page

To apply a label to a file

  1. Locate the file within your operating system.
  2. Right-Click on the file and choose Classify and protect from the Context menu.

  1. Choose the appropriate label: FERPA, PII, or EPHI.

  1. Click the Apply button.
Top of Page

To apply a label to all applicable files in a folder

Watermarks are not applied to files using this method.

  1. Locate the folder within your operating system.
  2. Right-Click on the file and choose Classify and protect from the Context menu.



  3. Choose the appropriate label: FERPA, PII, or EPHI.
  4. Click the Apply button.
  5. Click the Show Results link to ensure the results are as expected.

Top of Page

How do I directly remove labels using AIP?

Please visit Microsoft's Admin Guide: File types supported by the Azure Information Protection client documentation page to understand which file formats work with AIP protections applied. You can only remove a label that you personally have applied.

To remove a label from a file

  1. Locate the file within your operating system.
  2. Right-Click on the file and choose Classify and protect from the Context menu.



  3. Click the Delete Label button.
  4. In the dialog box that appears, choose the appropriate reason for why you are removing the label. Enter any extra information into the text box as appropriate.
  5. Click the Confirm button.
  6. Click the Close button.
Top of Page

To remove a label from all applicable files in a folder

  1. Locate the folder within your operating system.
  2. Right-Click on the file and choose Classify and protect from the Context menu
  3. Click the Delete Label button.
  4. In the dialog box that appears, choose the appropriate reason for why you are removing the label. Enter any extra information into the text box as appropriate.
  5. Click the Confirm button.
  6. Click the Close button.

Video

Top of Page

How do I open a file or email that is protected with AIP?

The method and experience for opening a file will vary depending on several factors:

Top of Page

Do I need to use Sensitivity Labels when sharing files completely within an environment that is already considered compliant such as Virginia Tech’s Microsoft 365 or Google Workspace for Education?

MIP is intended to protect files that need to be distributed outside of compliant environments at Virginia Tech. Microsoft 365 and Google Workspace for Education are compliant. So, adding the labels and protection is overhead that is not required. MIP should be used when you share files containing sensitive data outside of these collaborative spaces.

Top of Page

What do the sensitivity labels mean in SharePoint and Teams?

When a sensitivity label is applied to a SharePoint site or Team, it is for descriptive purposes only. It does not apply any data protection. 

To apply a label to an existing team,

  1. Click on the ellipsis next to the team's name.
  2. Click Edit Team.
  3. Select the appropriate sensitivity label under Sensitivity.

To apply a label to a new team, when creating the team, choose the appropriate sensitivity label under Sensitivity.

Top of Page

More Information

Microsoft’s introductory documentation for AIP

Using information protection with Microsoft 365, Office 2019, Office 2016, or Office 2013

Compliance and supporting information for Azure Information Protection

Top of Page