Introduction

This article describes

• What Microsoft 365 Sensitivity Labels are
• How they are implemented at Virginia Tech
• Benefits to using the labels
• Steps to include using the labels as a part of your workflow

Content

• What do these labels provide to users on files and emails?
• What labels are currently available for files and emails? 
• How do I protect items with Sensitivity Labels in Outlook Web App (OWA)?
  
  • FERPA, PII, and ePHI
  • Encrypt and Do Not Forward
• How do I apply Sensitivity Labels in Office Desktop Applications (Outlook, Word, PowerPoint, etc.)?
  
  • Microsoft Word, Excel, and PowerPoint
  • Microsoft Outlook
• How do I remove labels in Office Desktop Applications?
• How do I directly protect files using AIP?
  
  • To install the AIP Client
  • To apply a label to a file
  • To apply a label to all applicable files in a folder
• How do I directly remove labels using AIP?
  
  • To remove a label from a file
  • To remove a label from all applicable files in a folder
• How do I open a file or email that is protected with AIP?
• Do I need to use Sensitivity Labels when sharing files completely within an environment that is already considered compliant such as Virginia Tech’s Microsoft 365 or Google Workspace for Education?
• What do the sensitivity labels mean for SharePoint sites and Teams?
• More Information

Explanation

Microsoft 365 Sensitivity Labels are a part of the Azure Information Protection (AIP) tool set. They are a data-protection solution from Microsoft that helps an organization classify and protect its sensitive files and emails. The current protections implemented are Encryption and Email Forwarding Block. These are activated when a user applies a label to an email or file.

What do these labels provide to users on files and emails?

• Help with compliance – Users can quickly label items as containing Personally Identifiable Information (PII), Family Educational Rights and Privacy Act (FERPA) data, or electronic protected health information (ePHI). In addition, users are assured that labeled items meet at least the encrypt at rest and in transit elements of compliance.
• Enhanced security – Protections are applied that assist with ensuring that only authorized users can access the protected items.
• Greater end-to-end control over data – In general use, only the person applying the label can remove it. Therefore, users know that even though the data may no longer be on their system, it is still protected.

Top of Page

What labels are currently available for files and emails?

The following chart indicates currently available labels and their associated protections.

Label	Description	Encryption	Forwarding Block
All Applications
PII	Data containing personally identifiable information. Emails and documents marked as PII will be encrypted and recipients of PII labeled emails will be prevented from forwarding.	Yes	Yes
FERPA	Data containing information on student academic records. Emails and documents marked as FERPA will be encrypted and recipients of FERPA labeled emails will be prevented from forwarding.	Yes	Yes
EPHI	Data containing ePHI. Emails and documents marked as EPHI will be encrypted, and recipients of these emails will be prevented from forwarding.	Yes	Yes
Email Applications Only
Encrypt	Encryption of data at rest and in transit.	Yes	No
Do Not Forward	Prevents recipients from forwarding, printing, or copying content.	No	Yes

Top of Page

How do I protect items with Sensitivity Labels in Outlook Web App (OWA)?

FERPA, PII, and ePHI

1. Open a browser window and navigate to http://my.office365.vt.edu.
2. Click on the Outlook icon.
3. If the icon is not available, click on the Explore all your apps link and search for the Outlook entry in the list provided.
4. Click on the New message menu item.
   
5. Click on the Sensitivity drop-down box.
   
   
   
   
6. Apply the appropriate label.
7. You will now see the label applied to your email. If your email had any attachments, the same protections will also be applied to the attachments.

Examples

• Example FERPA Label
  
  
  
  
  
  

Top of Page

Encrypt and Do Not Forward

1. Click on the New message menu item.
   
   
   
   
2. Click on the ellipses to the right of the ribbon.
   
   
   
   
3. Locate and click on the Encrypt button.
4. Apply either Encrypt of Do Not Forward as appropriate.

 

Top of Page

 

How do I apply Sensitivity Labels in Office Desktop Applications (Outlook, Word, PowerPoint, etc.)?

AIP functionality is native to desktop applications. They will appear under the "Sensitivity" menu in Word, Excel, PowerPoint, and Outlook. For more information on Sensitivity Labels in Office for Mac, please see the Apply sensitivity labels to your files and email in Office Microsoft support page.

Microsoft Word, Excel, and PowerPoint

1. Be sure you are on the Home tab of your desktop application.
2. On the right-hand side of the ribbon, click on the Sensitivity menu item.
3. From here, you can choose the label that represents your data.

Your chosen label will have

• A check beside it in the Sensitivity menu and
• A watermark will appear for files that use a Microsoft File format (Word, Excel, PowerPoint, etc.). For example, on your Word Document, if you choose the FERPA label, a watermark will appear in the header and the footer.

   

Top of Page

Microsoft Outlook

 

1. Be sure you are on the Home tab of your desktop application.
2. Click on the New Email button.
3. Be sure you are in the Message tab of Outlook Desktop.
4. On the right-hand side of the ribbon, click on the Sensitivity menu item.
5. From here, you can choose the label that represents your data.
   
   1. The options are identical to the other desktop application as shown:
   2. Upon selecting one of the options (for the purposes of this example, we're going to use FERPA), you will see the label at the top of your email window, just under the ribbon. There will also be a check beside the chosen option in the Sensitivity menu item.
      
      
6. To apply only Encryption, go to the Options tab.
7. Select the Encrypt menu item.
   
   
   • You will have several options to choose from, similar to the Online Web Application. Applicable options that don't involve sensitivity labels are:
     
     
     • Encrypt-Only
     • Do Not Forward
       
       
   • Once you choose one of these options (for the purposes of this example, we will use Encrypt-Only), similar to the other sensitivity labels, it will appear directly under the ribbon on your email window. There will also be a check beside the chosen option in the Encrypt menu item.
     
     

You are able to apply Sensitivity and Encryption labels to your email simultaneously. Be sure to select the Sensitivity label prior to selecting the Encryption label.

Video

Top of Page

How do I remove labels in Office Desktop Applications?

You can only remove a label that you personally have applied. 

• To remove a label:
  
  • Deselect the chosen label by clicking on the Sensitivity menu item and clicking on the corresponding label with a check mark next to it.
    

    

Top of Page

 

How do I directly protect files using AIP? 

In order to classify a document within Windows Explorer through the right-click context menu, Windows Requires the AIP Client to be installed separately from Office products. 

To install the AIP Client

1. Click on https://www.microsoft.com/en-us/download/details.aspx?id=53018.
2. Once the site loads, click the Download button.
   
   
3. Choose one of the installation file options with _UL.exe in the name.
4. Click the Next button.
5. Once the AIP client installation file is downloaded, open the installation file and follow the prompts on the screen to install the client.

Please visit Admin Guide: File types supported by the Azure Information Protection client to understand which file formats work with AIP protections applied. You can apply the protection through labelling directly to an individual file or to all files in a folder.

Top of Page

To apply a label to a file

1. Locate the file within your operating system.
2. Right-Click on the file and choose Classify and protect from the Context menu.

3. Choose the appropriate label: FERPA, PII, or EPHI.

4. Click the Apply button.

Top of Page

To apply a label to all applicable files in a folder

Watermarks are not applied to files using this method.

5. Locate the folder within your operating system.
6. Right-Click on the file and choose Classify and protect from the Context menu.
   
   
   
   
7. Choose the appropriate label: FERPA, PII, or EPHI.
8. Click the Apply button.
9. Click the Show Results link to ensure the results are as expected.
   
   

Top of Page

How do I directly remove labels using AIP?

Please visit Microsoft's Admin Guide: File types supported by the Azure Information Protection client documentation page to understand which file formats work with AIP protections applied. You can only remove a label that you personally have applied.

To remove a label from a file

1. Locate the file within your operating system.
2. Right-Click on the file and choose Classify and protect from the Context menu.
   
   
   
   
3. Click the Delete Label button.
4. In the dialog box that appears, choose the appropriate reason for why you are removing the label. Enter any extra information into the text box as appropriate.
5. Click the Confirm button.
6. Click the Close button.

Top of Page

To remove a label from all applicable files in a folder

1. Locate the folder within your operating system.
2. Right-Click on the file and choose Classify and protect from the Context menu
3. Click the Delete Label button.
4. In the dialog box that appears, choose the appropriate reason for why you are removing the label. Enter any extra information into the text box as appropriate.
5. Click the Confirm button.
6. Click the Close button.

Video

Top of Page

How do I open a file or email that is protected with AIP?

The method and experience for opening a file will vary depending on several factors:

• File format – You may be required to download specific applications to open non-Microsoft file formats. For example, to open a PDF, you may be required to download Adobe Acrobat Reader
• Recipient internal to Virginia Tech – You may be required to authenticate with your Virginia Tech username and passphrase
• Recipient external to Virginia Tech – You may be required to authenticate with your username and passphrase
• Recipient external to Virginia Tech – You may be required to enter a one-time passcode

Top of Page

Do I need to use Sensitivity Labels when sharing files completely within an environment that is already considered compliant such as Virginia Tech’s Microsoft 365 or Google Workspace for Education?

MIP is intended to protect files that need to be distributed outside of compliant environments at Virginia Tech. Microsoft 365 and Google Workspace for Education are compliant. So, adding the labels and protection is overhead that is not required. MIP should be used when you share files containing sensitive data outside of these collaborative spaces.

Top of Page

What do the sensitivity labels mean in SharePoint and Teams?

When a sensitivity label is applied to a SharePoint site or Team, it is for descriptive purposes only. It does not apply any data protection. 

To apply a label to an existing team,

1. Click on the ellipsis next to the team's name.
2. Click Edit Team.
3. Select the appropriate sensitivity label under Sensitivity.

To apply a label to a new team, when creating the team, choose the appropriate sensitivity label under Sensitivity.

Top of Page

More Information

Microsoft’s introductory documentation for AIP

Using information protection with Microsoft 365, Office 2019, Office 2016, or Office 2013

Compliance and supporting information for Azure Information Protection

Top of Page