Skip links

Data Sensitivity Labels

Data Sensitivity Labels

Time to get to Grips with Microsoft’s Labelling Framework

Looking at the protection of sensitive data, such as personally identifiable information, inevitably requires an in-depth appreciation of data classification and labelling as part of an organisation’s overall data governance and compliance.

With Microsoft having recently extended the ability for end users to apply sensitivity labels from a dropdown box within Office applications on Windows (the functionality was previously available on Mac OS, IOS and Android), I thought this would be an opportune time to take a closer look.

Drop down box with sensitivity labels in Windows Office 365 Apps
Drop down box in Windows lets you apply a sensitivity label from any Office application – and the Learn More… lets you set up custom help.

What is data classification and labelling?

When conducting data privacy assessments with clients, I address the full gamut of an organisation’s remit regarding data classification – both for data security and data retention purposes.

At their core, data classification and labelling are designed to enable organisations to accurately and meaningfully classify data based on its sensitivity and to protect sensitive information from being accidentally or maliciously shared outside of approved channels. Data can also be labelled with no associated protection settings for future identification and/or protection, the generation of usage reports and to track activity.

Labelling works by attaching a clear-text tag (a “label”) to the metadata of an email or file.

That label roams with the file wherever it travels, whether internally or externally, and will persist even if downloaded from SharePoint or OneDrive.

Labels can either be applied manually by users (with or without the help of label recommendation tooltips) or entirely automatically. A combination of both methods can also be leveraged to minimise human error while maximising user flexibility. However, some of this labelling functionality is only available with certain subscription licences.

The starting point for all of this, however, is that labels must first be defined and published, creating a policy which will enforce the selected protections.

Keep reading for Kelly’s tips or click here.

Sensitivity Label Availability

Previously, organisations looking to protect their data had to have an Azure Information Protection (AIP) licence to access this functionality.

Now, however, Microsoft has introduced Microsoft Information Protection which is no longer a subscription or license that must be purchased, but rather a framework for products and integrated capabilities to assist organisations to protect their sensitive data.

This central labelling platform enables organisations to create and configure sensitivity labels as well as retention labels (read more on retention labels here) using the Office 365 Security & Compliance Centre, Microsoft 365 Security Centre, or Microsoft 365 Compliance Centre.

Third-party vendors can also leverage this framework via the Microsoft Information Protection SDK, and as we’ve said earlier, end-users can now add labels from their Office apps. The framework can also be used by products such as Office 365 Data Loss Prevention and, indeed, AIP.

If you’re already been using AIP, you can migrate any existing labels to the new unified labelling store so that these can be used as sensitivity labels with all the protection they afford.

However, not all AIP labelling functionality is currently supported in the new unified labelling client, and it’s vital that organisations audit their requirements before making this move for now.

The right time to migrate will likely differ for every organisation, with the option of a dual-client setup available to smooth the transition in the meanwhile. Read more on label migration here.

Controls you should be using right now

Base-level enterprise licenses include the ability to encrypt labelled content or to automatically insert watermarks, a header and/or a footer.

These are some of my tips on how your business (and especially your legal department) might want to use these capabilities in order to protect your company’s content:

  • For emails exchanged during the course of settlement negotiations, those parties involved may want to insert the words “Without Prejudice” as a header to ensure that those emails are not produced in court unless and until permitted by law.
  • It’s good practice to use the word ‘Draft’ as a watermark until a document is in final form. That way, it acts as a caution to employees to not send that version, but, if it gets inadvertently sent ‘ahead of finalisation’ the recipient will know that the document is a work-in-progress and, may be made obsolete or updated by subsequent documents.
  • You may want to include copyright information in a footer designating that the contents of the document are protected by copyright laws.
  • Listed companies may wish to ring-fence board minutes and communications and, to this end, could include “Board Communicatons – Highly Confidential” as a header or footer.

Label now – specify policies later:  Even if you don’t know the protection settings you want to apply straight away, labelling documents or emails now means you can specify policies at a later stage.

Use labels to track activity:  You can also monitor usage and/or activity related to those documents or emails.  Label activity reports may prove essential when demonstrating compliance with GDPR.

Sensitivity labels also enable organisations to encrypt content in Office apps on Windows, Mac, iOS and Android. In doing so, content owners can determine usage, access and sharing permissions at the user, group or organisation level and can control permissions allocated to external recipients.

When electing to encrypt content, you can define those permissions to be attached to that label. Permissions may be pre-defined as part of a role, such as author or reviewer. Alternatively, permissions can be individually allocated, and these include viewing, saving, printing, copying, replying, replying to all and forwarding.

In addition, organisations have the flexibility to specify when permissions relating to labelled files expire and whether they can be accessed offline.

This is handy if you need to share sensitive documents with vendors to enable them to provide a service. In this situation, you can allocate vendor viewing permissions to continue only for the duration of the project.

Optional extras

The devil is in the detail with Microsoft functionality and licencing, however.  By this I mean you will find that certain additional functionality is only available to those on higher license tiers or with additional subscriptions.

For example, by licensing Microsoft Intune you can prevent sensitive content on any device running Windows from leaving the organisation via an external USB drive or a third-party application such as Twitter. This is exceptionally helpful to prevent e.g. proprietary information being leaked to competitors.

In addition, by using Microsoft Cloud App Security, you can ensure that only labelled and protected content is downloaded onto or uploaded from third-party applications such as DropBox, Box and AWS.

The Microsoft Information Protection SDK also extends the ability to read and apply sensitivity labels and associated protection settings to third-party applications running on Windows, Mac and Linux.

Preparing to adopt sensitivity labels

With the increase in the availability of sensitivity labels (and convenience of applying them), we hope that a lot more organisations are going to start leveraging these versatile security and compliance tools.

Planning your labels and educating users on how to apply them requires effort…

However, introducing sensitivity labels for the first time (or refining existing policies) can be a complicated process that requires a lot of thought and planning to do well.

Look out for our next blog article on the creation of sensitivity labels and the definition of label taxonomies.

In the meantime, get in touch to find out more about how Cloud Essentials can assist in the planning and implementation process, both from a legal advice and a technical perspective.

Ask about our free*, 1 hour Data Governance Essentials Briefing by enquiring about our workshop, or simply by visiting the our Data Governance Essentials: 1-Hr Briefing entry in Azure Marketplace

*Terms and conditions apply.


  1. Post comment

    My brother recommended I might like this website. He was totally right.
    This post actually made my day. You can not imagine
    just how much time I had spent for this info! Thanks!

    Take a look at my page: free shipping coupon (Stella)

  2. Post comment

    I simply desired to thank you so much all over again. I do not
    know what I would have made to happen in the absence of these ideas provided by you directly on such a problem.
    It had been an absolute scary issue in my opinion, but being able to
    see a specialized style you processed that took me to weep with delight.

    I’m thankful for your support and in addition hope you really know what an amazing job your are getting into training many
    people using your web site. I’m certain you haven’t
    met any of us.

    Here is my web blog … career coaching

  3. Post comment

    You: Sure, I have tons of tricks you can use to build up a community. I’ll write up a series of posts to address just that. I think it’s great you’re willing to try new things. Speaking of which, have you considered…
    So the next time you write, pay attention to your headline—and then pay just as much attention to your conclusion. Wrap things up in a way that encourages conversation,

  4. Post comment

    Don’t you think it just might make a difference? Yes or no, let me know.Good job, bro! You done made the bigtime! And thank you Brian, this is great.
    comments and discussion. Get your readers involved. Learn about their experiences. Ask open-ended questions. Have them talk about themselves.

  5. Post comment

    I love your blog.. very nice colors & theme.
    Did you make this website yourself or did you hire someone to do it for you?
    Plz answer back as I’m looking to construct my own blog and
    would like to know where u got this from. appreciate it

    Look into my site; free pmp practice exam (Ernie)

  6. Post comment

    Oh my goodness! Awesome article dude! Thank you so much, However I am
    encountering troubles with your RSS. I don’t know the reason why I can’t join it.
    Is there anybody getting the same RSS issues? Anyone who knows the
    solution will you kindly respond? Thanks!!

    My page; california bar exam (

  7. Post comment

    Hello there, just became aware of your blog through Google, and found
    that it is really informative. I?m gonna watch out for brussels.
    I will appreciate if you continue this in future. Lots of people will be benefited from your writing.

    Also visit my webpage study guide (Lupita)

  8. Post comment

    Консультация психолога онлайн.
    Консультация у психолога Цены на услуги и консультации
    психолога. Консультация по Skype. Психотерапия онлайн!
    Консультация психолога онлайн.

    Услуги консультации психолога.
    Консультация и лечение психотерапевта (психолога)

  9. Post comment

    Admiring the persistence you put into your website and
    in depth information you present. It’s great to come across a blog every once in a while that isn’t the same
    outdated rehashed material. Wonderful read! I’ve saved your site and I’m adding your RSS feeds to my
    Google account.

    Feel free to surf to my blog: phlebotomy training

  10. Post comment

    Post writing is also a excitement, if you be acquainted with after that you can write or else it
    is difficult to write.

    My web-site pmp exams – Luella

  11. Post comment

    I think the admin of this web page is actually
    working hard in support of his web page, as here every
    stuff is quality based material.


Join the Discussion