Part three of a deep dive series on Purview Sensitivity Labels:

Part 1 - Manual Labelling
Part 2 - Automatic Labelling
Part 3 - Recommendations and Limitations

Labelling Recommendations

Data Classification requires broad organizational support to be successful. The following design recommendations should help with implementation…

Keep the number of labels to a minimum
Labelling needs to be simple and the options clearly defined, otherwise adoption will suffer

Create separate labels for Items and Containers
Item and Container Labels apply different controls. Separate labels mean the name and description can be clearer. For example, Confidential may be suitable for documents, but it would be less clear for M365 Groups.

Create separate labels for Files, Emails and Meetings
There are sub-scopes within Items for Files, Emails and Meetings (Calendar events). Again, the controls differ, so labels can be more specific if targeted. For example, email labels can restrict viewing, replying and forwarding, whereas file labels can restrict Save, Print and Copy and set content expiry and offline access.

It helps that client apps only show labels applicable to the current scope, so a label scoped to Items - Email will not be displayed in a document, spreadsheet or presentation.

Create a baseline set of company-wide labels and a small number of targeted additions
A core set of labels should be applicable to everyone. Specific departments or teams may need extra labels for particular data, such as PII or Blueprints. Label policies can publish the extra labels only to specific Azure AD groups.

Create labels that will endure over a long period
Choose labels that will still be applicable in years to come and then consult users (and perhaps run a limited pilot) to get labels right before mass adoption. Deleting labels is problematic. The label is added to the metadata of items and deleting the label does not remove it from the metadata. The recommended way to retire a label is to stop publishing it (label policy), but don’t delete the label itself.
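As an added example (not code from the original article), here is the "stop publishing, don't delete" retirement done in Security & Compliance PowerShell. It assumes an open Connect-IPPSSession from the ExchangeOnlineManagement module, that Get-LabelPolicy lists the published label names in its Labels property, and that Get-Label exposes the label GUID as ImmutableId; the label name "Internal Only" is a placeholder.

```powershell
# Added example: retire a sensitivity label by removing it from every label
# policy that publishes it, while leaving the label object itself in place.
# Assumes Connect-IPPSSession has already been run by a Compliance Administrator.
function Retire-SensitivityLabel {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string]$LabelName
    )

    # Fail early if the label does not exist (Get-Label throws on an unknown identity).
    $label = Get-Label -Identity $LabelName -ErrorAction Stop

    # Assumption: each policy exposes the labels it publishes (by name) in .Labels.
    $publishingPolicies = Get-LabelPolicy | Where-Object { $_.Labels -contains $label.Name }

    if (-not $publishingPolicies) {
        Write-Verbose "Label '$($label.Name)' is not published by any policy; nothing to do."
    }

    foreach ($policy in $publishingPolicies) {
        # Removing the only label would leave an empty policy. Flag it instead of
        # silently emptying it: remove the policy, or add a replacement label first.
        if (@($policy.Labels).Count -le 1) {
            Write-Warning "Policy '$($policy.Name)' publishes only '$($label.Name)'. Remove the policy (Remove-LabelPolicy) or add a replacement label before retiring this one."
            continue
        }
        if ($PSCmdlet.ShouldProcess($policy.Name, "Remove label '$($label.Name)'")) {
            Set-LabelPolicy -Identity $policy.Name -RemoveLabels $label.Name
            Write-Verbose "Removed '$($label.Name)' from policy '$($policy.Name)'."
        }
    }

    # Deliberately no Remove-Label: items already carry this label's GUID in their
    # metadata, and deleting the label would leave that metadata pointing at nothing.
    Write-Verbose "Label '$($label.Name)' ($($label.ImmutableId)) retained but no longer published."
}

# Dry run first, then apply. "Internal Only" is a placeholder label name.
Retire-SensitivityLabel -LabelName "Internal Only" -WhatIf -Verbose
# Retire-SensitivityLabel -LabelName "Internal Only" -Verbose
```

Run with -WhatIf first so you can see which policies would change; the label stays visible in Get-Label afterwards, which is exactly what you want for content that already carries it.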

Avoid sub labels
There are some quirks with sub labels and they don’t add much value.

Use same text for the Label Name and Display Name
The Label Name is used internally and the Display Name is visible to users. Making them different is just adding complexity. The label is actually assigned a GUID that must be used in advanced administrator operations anyway.

Don’t apply policy controls straight-away
Consider publishing Labels and using them without controls initially. You can then use the Data Classification Content Explorer and Activity Explorer to review how Labels are being used before applying that knowledge to policy creation.

Use file encryption to protect intellectual property
Employee-only content can be encrypted with Co-Author permissions for All users and groups in your organization. Leavers who attempt to take protected data with them will be denied access when their account is disabled. Protected Data sent or copied to a third party will be inaccessible.

Create an FAQ and include the link in the Label Policy
Users will need reassurance to feel confident in applying labels with content restrictions. There will also be edge cases that need more information. Label Policies include an option to deploy a URL help link.

Check your Service and Tenant settings

Depending on the age of your Tenant, the following may already be enabled…

Enable sensitivity labels for Office files in SharePoint and OneDrive

Data Classification support is not enabled by default in SharePoint. The following features are turned on when enabled:

  • Default Sensitivity Label option is available for Document Libraries
  • Sensitivity column can be added to Library views
  • Encrypted documents can be indexed and returned in search results
  • Data classification reports can show documents by Label in SharePoint and OneDrive
  • Auto-labelling policies can apply to data at rest in SharePoint and OneDrive

PS C:\> Install-Module -Name Microsoft.Online.SharePoint.PowerShell
PS C:\> Connect-SPOService -Url "https://$($tenant)-admin.sharepoint.com"
PS C:\> Get-SPOTenant | Select-Object EnableAIPIntegration

EnableAIPIntegration
--------------------
               False

PS C:\> Set-SPOTenant -EnableAIPIntegration $True

Enable co-authoring for files encrypted with sensitivity labels

Check that document co-authoring is enabled in the Tenant. Older versions of the Information Protection SDK (before v1.7) did not support co-authoring or Autosave. In version 1.7, changes were made to encrypted document metadata to enable these features.

PS C:\> Install-Module -Name ExchangeOnlineManagement
PS C:\> Connect-IPPSSession
PS C:\> Get-PolicyConfig | Select-Object EnableLabelCoauth

EnableLabelCoauth
-----------------
            False

PS C:\> Set-PolicyConfig -EnableLabelCoauth $True

Enable cross-Tenant access for encrypted files

By default, a Tenant will accept B2B authentication from other Azure AD Tenants, but if users receive error messages, it’s possible these settings have been restricted by an Administrator.

For example, when a user attempts to authenticate and decrypt a document, one of the following messages may appear, depending on whether the restriction is in the user's own tenant (its outbound settings) or in the tenant that protected the document (its inbound settings).

Your tenant administrator has restricted which organizations can be accessed. Contact your IT department to request access to the Wingtiptoys.com organization

The Contoso.com administrator has restricted which organizations can access their tenant. Contact the Contoso.com IT department to request access

PS C:\> Import-Module Microsoft.Graph.Identity.SignIns
PS C:\> Connect-MgGraph -Scopes "Policy.Read.All"

# INBOUND
PS C:\> Get-MgPolicyCrossTenantAccessPolicyDefault | select -ExpandProperty B2BCollaborationInbound | select -ExpandProperty UsersAndGroups

AccessType
----------
allowed

PS C:\> Get-MgPolicyCrossTenantAccessPolicyDefault | select -ExpandProperty B2BCollaborationInbound | select -ExpandProperty Applications

AccessType
----------
allowed

# OUTBOUND
PS C:\> Get-MgPolicyCrossTenantAccessPolicyDefault | select -ExpandProperty B2BCollaborationOutbound | select -ExpandProperty UsersAndGroups

AccessType
----------
allowed

PS C:\> Get-MgPolicyCrossTenantAccessPolicyDefault | select -ExpandProperty B2BCollaborationOutbound | select -ExpandProperty Applications

AccessType
----------
allowed

If needed, the settings can be modified in the Azure AD portal (External Identities > Cross-tenant access settings > Default settings) or with the Update-MgPolicyCrossTenantAccessPolicyDefault command, which needs the Policy.ReadWrite.CrossTenantAccess Graph scope.
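The commands above read only the tenant-wide defaults. Partner-specific configurations override those defaults, so a default of "allowed" does not prove that a particular organisation can authenticate. The following added example (not code from the original article) resolves the effective inbound and outbound setting for one partner tenant. It assumes Connect-MgGraph with the Policy.Read.All scope and the Microsoft.Graph.Identity.SignIns module; the tenant ID at the bottom is a placeholder.

```powershell
# Added example: effective B2B collaboration access for one partner tenant.
# Assumes Connect-MgGraph -Scopes "Policy.Read.All" has been run.
function Resolve-B2BCollaborationAccess {
    param(
        [Parameter(Mandatory)]
        [string]$PartnerTenantId
    )

    $default = Get-MgPolicyCrossTenantAccessPolicyDefault

    # A partner configuration exists only if an admin created one. No partner
    # object, or a partner object whose B2B setting is null, means the default applies.
    $partner = Get-MgPolicyCrossTenantAccessPolicyPartner `
        -CrossTenantAccessPolicyConfigurationPartnerTenantId $PartnerTenantId `
        -ErrorAction SilentlyContinue

    foreach ($direction in 'B2BCollaborationInbound', 'B2BCollaborationOutbound') {
        $effective = $default.$direction
        $source    = 'Default'
        if ($partner -and $null -ne $partner.$direction) {
            $effective = $partner.$direction
            $source    = 'Partner'
        }

        # AccessType alone is not the whole story: "blocked" with two named groups
        # as Targets blocks only those groups, while "allowed" with AllUsers is a
        # full allow, so the Targets are reported alongside the AccessType.
        [pscustomobject]@{
            Direction    = $direction
            DefinedBy    = $source
            UsersAccess  = $effective.UsersAndGroups.AccessType
            UsersTargets = ($effective.UsersAndGroups.Targets | ForEach-Object { $_.Target }) -join ', '
            AppsAccess   = $effective.Applications.AccessType
            AppsTargets  = ($effective.Applications.Targets | ForEach-Object { $_.Target }) -join ', '
        }
    }
}

# Run in the tenant that protected the document, with the reader's tenant ID, to
# answer the Inbound question; run in the reader's tenant, with the protecting
# tenant's ID, for Outbound. The GUID is a placeholder.
Resolve-B2BCollaborationAccess -PartnerTenantId '00000000-0000-0000-0000-000000000000' | Format-List
```

If DefinedBy shows Partner for the direction that matches the error message the user saw, the default settings in the portal are not where the restriction lives; look under Organizational settings for that partner instead.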

Exchange Online: IRM Configuration

The following features are dependent on Information Rights Management Licensing in Exchange Online:

  • Message Encryption using mail flow rules
  • Encryption using DLP policies
  • Support for sensitivity labels with encryption using Outlook on the Web, Mac, iOS and Android
  • Auto-labelling policies in Exchange with encryption

Ensure Azure RMS licensing is enabled as follows:

PS C:\> Install-Module -Name ExchangeOnlineManagement
PS C:\> Connect-ExchangeOnline
PS C:\> Get-IRMConfiguration | Select-Object AzureRMSLicensingEnabled

AzureRMSLicensingEnabled
------------------------
                   False

PS C:\> Set-IRMConfiguration -AzureRMSLicensingEnabled $True
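The three settings above (SharePoint label integration, co-authoring for encrypted files and Exchange Online IRM) are usually checked together before a label rollout. This added example (not code from the original article) wraps them in one readiness check with optional remediation. It assumes the Microsoft.Online.SharePoint.PowerShell and ExchangeOnlineManagement modules are installed and that the caller holds SharePoint Administrator plus Compliance or Exchange Administrator roles; the tenant short name "contoso" is a placeholder.

```powershell
# Added example: report (and optionally enable) the tenant settings that
# sensitivity labels depend on. -Tenant is the short name, e.g. "contoso" for
# contoso.onmicrosoft.com (placeholder).
function Test-LabelPrerequisites {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Tenant,
        [switch]$Remediate
    )

    # Three separate services, three separate sessions.
    Connect-SPOService -Url "https://$Tenant-admin.sharepoint.com"
    Connect-ExchangeOnline -ShowBanner:$false
    Connect-IPPSSession

    # Each check: how to read the value and how to turn it on.
    $checks = @(
        @{ Name = 'SharePoint/OneDrive label integration (EnableAIPIntegration)'
           Get  = { (Get-SPOTenant).EnableAIPIntegration }
           Set  = { Set-SPOTenant -EnableAIPIntegration $true } }
        @{ Name = 'Co-authoring for encrypted files (EnableLabelCoauth)'
           Get  = { (Get-PolicyConfig).EnableLabelCoauth }
           Set  = { Set-PolicyConfig -EnableLabelCoauth $true } }
        @{ Name = 'Exchange Online IRM licensing (AzureRMSLicensingEnabled)'
           Get  = { (Get-IRMConfiguration).AzureRMSLicensingEnabled }
           Set  = { Set-IRMConfiguration -AzureRMSLicensingEnabled $true } }
    )

    foreach ($c in $checks) {
        $current = & $c.Get
        $status  = if ($current) { 'OK' } else { 'MISSING' }

        # Only change anything when asked to, and confirm per setting.
        if (-not $current -and $Remediate -and $PSCmdlet.ShouldProcess($c.Name, 'Enable')) {
            & $c.Set
            $current = & $c.Get      # re-read rather than assume the Set worked
            $status  = if ($current) { 'FIXED' } else { 'FAILED' }
        }

        [pscustomobject]@{ Setting = $c.Name; Enabled = [bool]$current; Status = $status }
    }
}

# Report only:
Test-LabelPrerequisites -Tenant contoso | Format-Table -AutoSize
# Enable whatever is missing, prompting for each setting:
# Test-LabelPrerequisites -Tenant contoso -Remediate -Confirm
```

Re-reading each value after the Set matters here: Set-SPOTenant in particular returns nothing, so the only evidence the change took is a second Get.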

Multi-language support

Sensitivity Labels and their descriptions can be localised to match the Office language. Local language support can only be added with the Set-Label PowerShell command and its -LocaleSettings parameter; there is no equivalent option in the compliance portal.

Set-Label is available in the Security and Compliance PowerShell module (available after using Connect-IPPSSession from the ExchangeOnlineManagement PowerShell module).

You may see references to adding multi-language support using an XML export and import process in the Azure Information Protection blade of the Azure Portal. This method relates to AIP Classic that is now deprecated.
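As an added example (not code from the original article), this is how display-name and tooltip translations are attached to an existing label with Set-Label -LocaleSettings. It assumes an open Connect-IPPSSession; the label name "Confidential" and the German and French strings are illustrative.

```powershell
# Added example: localise a label's display name and tooltip.
# Assumes Connect-IPPSSession has been run. Label name and translations are placeholders.
$labelName = 'Confidential'

# -LocaleSettings takes one JSON document per LocaleKey. "DisplayName" is the
# name shown in the label picker; "Tooltip" is the description shown on hover.
# Each Settings entry pairs a culture tag with the localised string.
$displayNames = [pscustomobject]@{
    LocaleKey = 'DisplayName'
    Settings  = @(
        @{ key = 'en-us'; Value = 'Confidential' }
        @{ key = 'de-de'; Value = 'Vertraulich' }
        @{ key = 'fr-fr'; Value = 'Confidentiel' }
    )
}

$tooltips = [pscustomobject]@{
    LocaleKey = 'Tooltip'
    Settings  = @(
        @{ key = 'en-us'; Value = 'Sensitive business data. Do not share outside the company.' }
        @{ key = 'de-de'; Value = 'Sensible Geschäftsdaten. Nicht außerhalb des Unternehmens weitergeben.' }
        @{ key = 'fr-fr'; Value = 'Données sensibles. Ne pas partager en dehors de l’entreprise.' }
    )
}

# Both documents are passed as compressed JSON strings in one call. -Depth 3 is
# needed so ConvertTo-Json serialises the nested Settings array fully.
Set-Label -Identity $labelName -LocaleSettings (
    ConvertTo-Json $displayNames -Depth 3 -Compress
), (
    ConvertTo-Json $tooltips -Depth 3 -Compress
)

# Verify: the stored JSON is returned on the label's LocaleSettings property.
(Get-Label -Identity $labelName).LocaleSettings
```

Always include the en-us entry as well, otherwise users on an English Office build can end up with a different name from everyone else once the other locales are defined. Label policy propagation applies here too, so allow the update delays described under Limitations before testing in a client.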

Limitations

Supported Office versions

Sensitivity Labels are not supported in the Office Desktop Perpetual Editions (standalone). In addition, a subscription version of Office must be:

  • Semi-annual Enterprise 2002+
  • Monthly Enterprise and Current Channel 1910+

There are some features that require later versions, such as Dynamic content marking, Let users assign permissions and audit label-related user activity.

User encryption override

Users are able to override the encryption settings applied by a manual label. After they apply the label to their content, they can change the protection using File > Info > Protect Document > Restrict Access.

The only way to avoid this is to provide at least one Label with Let users assign their own permissions and educate users to choose that Label rather than modifying a pre-configured one.

Lost Email Labels

Labelled emails can lose their Label when a reply comes from an external organization that doesn’t use Outlook. Any encryption is retained, but the original Label will be removed.

“Encrypt with Password” missing in PDF

If a PDF is encrypted with Information Protection, the Adobe option to Encrypt with Password is no longer available.

Limits on SharePoint auto-labelling

Service-side Auto-Labelling for SharePoint and OneDrive has some limitations when scanning data at rest:

  • Maximum of 25,000 files labelled per day
  • Maximum of 100 Auto-label policies per Tenant
  • Maximum of 100 Sites (SPO or OneDrive) when targeting individual Sites in a policy (alternative is to target All Sites)

Limits on SharePoint indexing

SharePoint can’t index encrypted files that have any of the following:

  • Expiring access
  • Double-key encryption

This affects search, preview and eDiscovery.

Update delays

Updates to Labels can take a few hours to apply and be visible to users. Similarly, there is often a delay with publishing Label Policies.

SharePoint caches Labels and Label Policies, so changes can take even longer e.g. 24hrs.



This article was originally posted on Write-Verbose.com