Introduction

This article describes

• What Microsoft 365 Sensitivity Labels are
• How they are implemented at Virginia Tech
• Benefits to using the labels
• Steps to include using the labels as a part of your workflow

Contents

• What Do These Labels Provide You on Files and Emails?
• What Labels Are Currently Available for Files and Emails?
• How Do I Protect Items with Sensitivity Labels in Outlook Web App (OWA)?
  
  • FERPA, PII, and ePHI
  • Encrypt and Do Not Forward
• How Do I Apply Sensitivity Labels in Office Desktop Applications (Outlook, Word, PowerPoint, etc.)?
  
  • Microsoft Word, Excel, and PowerPoint
  • Microsoft Outlook
• How Do I Remove Labels in Office Desktop Applications?
• How Do I Directly Protect Files using AIP?
  
  • To Install the AIP Client
  • To Apply a Label to a File
  • To Apply a Label to All Applicable Files in a Folder
• How Do I Directly Remove Labels using AIP?
  
  • To Remove a Label from a File
  • To Remove a Label from All Applicable Files in a Folder
• How Do I Open a File or Email that Is Protected with AIP?
• Do I Need to Use Sensitivity Labels when Sharing Files Completely within an Environment That is Already Considered Compliant such as Virginia Tech's Microsoft 365 or Google Workspace for Education?
• What Do the Sensitivity Labels Mean for SharePoint Sites and Teams?
• More Information

Explanation

Microsoft 365 Sensitivity Labels are a part of the Azure Information Protection (AIP) tool set. They are a data-protection solution from Microsoft that helps an organization classify and protect its sensitive files and emails. The current protections implemented are Encryption and Email Forwarding Block. These are activated when you apply a label to an email or file.

What Do These Labels Provide You on Files and Emails?

• Help with compliance – You can quickly label items as containing Personally Identifiable Information (PII), Family Educational Rights and Privacy Act (FERPA) data, or electronic protected health information (ePHI). In addition, you can be assured that labeled items meet at least the encrypt at rest and in transit elements of compliance.
• Enhanced security – Protections are applied that assist with ensuring that only authorized people can access the protected items.
• Greater end-to-end control over data – In general use, only the person applying the label can remove it. Therefore, even though the data may no longer be on your system, it is still protected.

Top of page

What Labels Are Currently Available for Files and Emails?

The following chart indicates currently available labels and their associated protections.

Label	Description	Encryption	Forwarding Block
All Applications
PII	Data containing personally identifiable information. Emails and documents marked as PII will be encrypted and recipients of PII labeled emails will be prevented from forwarding.	Yes	Yes
FERPA	Data containing information on student academic records. Emails and documents marked as FERPA will be encrypted and recipients of FERPA labeled emails will be prevented from forwarding.	Yes	Yes
EPHI	Data containing ePHI. Emails and documents marked as EPHI will be encrypted, and recipients of these emails will be prevented from forwarding.	Yes	Yes
Email Applications Only
Encrypt	Encryption of data at rest and in transit.	Yes	No
Do Not Forward	Prevents recipients from forwarding, printing, or copying content.	No	Yes

Top of page

How Do I Protect Items with Sensitivity Labels in Outlook Web App (OWA)?

FERPA, PII, and ePHI

1. Open a browser window and navigate to the Virginia Tech Microsoft Office portal.
2. Click Outlook.
3. If Outlook is not available, click Explore all your apps and search for Outlook.
4. Click New message.

   

5. Click Sensitivity.

   

6. Apply the appropriate label.
7. You will now see the label applied to your email. If your email had any attachments, the same protections will also be applied to the attachments.

Examples

Example FERPA Label

Top of page

Encrypt and Do Not Forward

1. Click New message.

   

2. Click the ellipses (three dots) to the right of the ribbon.

   

3. Click Encrypt.
4. Apply either Encrypt of Do Not Forward as appropriate.

Top of page

 

How Do I Apply Sensitivity Labels in Office Desktop Applications (Outlook, Word, PowerPoint, etc.)?

AIP functionality is native to desktop applications. They will appear under the "Sensitivity" menu in Word, Excel, PowerPoint, and Outlook. For more information on Sensitivity Labels in Office for Mac, please see the Apply sensitivity labels to your files and email in Office Microsoft support page.

Microsoft Word, Excel, and PowerPoint

1. Be sure you are on the Home tab of your desktop application.
2. On the right-hand side of the ribbon, click Sensitivity.
3. From here, you can choose the label that represents your data.

Your chosen label will have

• A check beside it in the Sensitivity menu and
• A watermark will appear for files that use a Microsoft File format (Word, Excel, PowerPoint, etc.). For example, on your Word Document, if you choose the FERPA label, a watermark will appear in the header and the footer.

Top of page

Microsoft Outlook

1. Be sure you are on the Home tab of your desktop application.
2. Click New Email.
3. Be sure you are in the Message tab of Outlook Desktop.
4. On the right-hand side of the ribbon, click Sensitivity.
5. From here, you can choose the label that represents your data.
6. Upon selecting one of the options, you will see the label at the top of your email window, just under the ribbon. There will also be a check beside the chosen option in the Sensitivity menu item.
7. To apply only Encryption, go to the Options tab.
8. Select Encrypt.
   
   1. You will have several options to choose from. Applicable options that don't involve sensitivity labels are:
      
      • Encrypt-Only
      • Do Not Forward
   2. Once you choose one of these options, similar to the other sensitivity labels, it will appear directly under the ribbon on your email window. There will also be a check beside the chosen option in the Encrypt menu item.

You are able to apply Sensitivity and Encryption labels to your email simultaneously. Be sure to select the Sensitivity label prior to selecting the Encryption label.

Video

Top of page

How Do I Remove Labels in Office Desktop Applications?

You can only remove a label that you personally have applied. 

To remove a label:

1. Deselect the chosen label by clicking Sensitivity and clicking the corresponding label with a check mark next to it.

   

Top of page

How Do I Directly Protect Files using AIP? 

In order to classify a document within Windows Explorer through the right-click context menu, Windows requires the AIP Client to be installed separately from Office products. 

To Install the AIP Client

1. Go to the Microsoft Azure Information Protection page.
2. Click Download.
3. Choose one of the installation file options with _UL.exe in the name.
4. Click Next.
5. Once the installation file is downloaded, launch the installation file and follow the prompts on the screen to install the client.

Please visit Admin Guide: File types supported by the Azure Information Protection client to understand which file formats work with AIP protections applied. You can apply the protection through labeling directly to an individual file or to all files in a folder.

Top of page

To Apply a Label to a File

1. Locate the file within your operating system.
2. Right-click the file and click Classify and protect from the drop-down.

   

3. Click the appropriate label: FERPA, PII, or EPHI.

   

4. Click Apply.

Top of page

To Apply a Label to All Applicable Files in a Folder

Watermarks are not applied to files using this method.

1. Locate the folder within your operating system.
2. Right-click the file and click Classify and protect from the drop-down.

   

3. Click the appropriate label: FERPA, PII, or EPHI.
4. Click Apply.
5. Click Show Results to ensure the results are as expected.

   

Top of page

How Do I Directly Remove Labels using AIP?

Please visit Microsoft's Admin Guide: File types supported by the Azure Information Protection client documentation page to understand which file formats work with AIP protections applied. You can only remove a label that you personally have applied.

To Remove a Label from a File

1. Locate the file within your operating system.
2. Right-click the file and click Classify and protect from the drop-down.

   

3. Click Delete Label.
4. In the window that appears, choose the appropriate reason for why you are removing the label. Type any extra information into the text box as appropriate.
5. Click Confirm.
6. Click Close.

Top of page

To Remove a Label from All Applicable Files in a Folder

1. Locate the folder within your operating system.
2. Right-Click on the file and click Classify and protect from the drop-down.
3. Click Delete Label.
4. In the window that appears, choose the appropriate reason for why you are removing the label. Type any extra information into the text box as appropriate.
5. Click Confirm.
6. Click Close.

Video

Top of page

How Do I Open a File or Email that Is Protected with AIP?

The method and experience for opening a file will vary depending on several factors:

• File format – You may be required to download specific applications to open non-Microsoft file formats. For example, to open a PDF, you may be required to download Adobe Acrobat Reader.
• Recipient internal to Virginia Tech – You may be required to authenticate with your Virginia Tech username and passphrase.
• Recipient external to Virginia Tech – You may be required to authenticate with your username and passphrase.
• Recipient external to Virginia Tech – You may be required to enter a one-time passcode.

Top of page

Do I Need to Use Sensitivity Labels When Sharing Files Completely within an Environment that is Already Considered Compliant such as Virginia Tech's Microsoft 365 or Google Workspace for Education?

MIP is intended to protect files that need to be distributed outside of compliant environments at Virginia Tech. Microsoft 365 and Google Workspace for Education are compliant. So, adding the labels and protection is overhead that is not required. MIP should be used when you share files containing sensitive data outside of these collaborative spaces.

Top of page

What Do the Sensitivity Labels Mean in SharePoint and Teams?

When a sensitivity label is applied to a SharePoint site or Team, it is for descriptive purposes only. It does not apply any data protection. 

To apply a label to an existing team:

1. Click the ellipsis (three dots) next to the team's name.
2. Click Edit Team.
3. Select the appropriate sensitivity label under Sensitivity.

To apply a label to a new team, when creating the team, click the appropriate sensitivity label under Sensitivity.

Top of page

More Information

Microsoft's introductory documentation for AIP

Using information protection with Microsoft 365, Office 2019, Office 2016, or Office 2013

Compliance and supporting information for Azure Information Protection

Top of page