Demystifying Labels in Microsoft 365 - Part 1

Hello All

This series consists of two parts on demystifying labels in Microsoft 365.

Part 1 covers the ins and outs of labels in M365, and Part 2 will cover troubleshooting labels in M365.

Part 1 describes the different kinds of labels and the interplay between them. There are 3 types of labels that we come across:

1. Retention Labels

2. Azure Information Protection Labels

3. Sensitivity / Unified Labels

In this series, we are going to look at the following information for each label:

Where does an end user see the label?

What is the interplay with other labels?

As an admin, where is the label created?

What are the good things to know about each label?

Label policies


Retention Labels

As the name implies, the primary responsibility of this label is to apply retention to a piece of content.

Examples: emails, documents, files and items

A retention label can do one of the three things below:

  • Retain the content for a predetermined period of time
  • Retain the content and then delete it after a predefined period of time
  • Delete the content outright after the predetermined period of time

Where does an end user see this label

It’s a piece of metadata on a document, which means you can see and modify it through the document details pane and in views.

Apply retention labels to files in SharePoint or OneDrive

Apply a label in OneDrive or SharePoint

  1. Select the item. 

  2. In the upper-right corner, select Open the details pane (the Information button).

  3. Under Apply label, select Choose a label to open the list of options.

Where is the label created? 

These labels are created in the Compliance Center in Office 365 at https://compliance.microsoft.com/



Azure Information Protection Labels (AIP)

These labels are used to apply rights management protection and visual markings to emails and documents:

  • Apply a watermark, header and footer to documents
  • Encrypt a document based on the label
  • Allow only a specific team in the organisation to view, edit, print and download documents, based on the label. This is important, and it is different from SharePoint permissions.
  • Prevent any external user from accessing emails and forwarded documents, if these are sent to them

AIP labels align to a data classification scheme your organisation must define to describe the handling and protection controls for your organisation's content.

Each label will have corresponding settings configured to implement the controls. This is an example of a data classification scheme and the controls for each:

AIP label example

Where does an end-user see this label? 

An end-user will see the label in the following clients/apps when working with the content:

  • Word, Excel, PowerPoint, Outlook apps (desktop clients) – an Information Protection bar will be shown

Sensitivity is a property automatically added to any list/library in SharePoint, however an AIP label value will not populate this column.

Once an AIP label is applied, it is stored in clear-text in a document’s properties under the ‘sensitivity’ property for Word, Excel, and PowerPoint files and in the email header on an email. This is important because other applications can then read the label and take action based on it. (Data Loss Prevention, SharePoint search, mail flow rules, etc.)



In an email, the label can be found in the message header.
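The clear-text storage described above, shown as an added example (not code from the original post): this Python code reads the label from an email's msip_labels header and from the custom properties of a Word, Excel or PowerPoint file, the way a DLP or audit script might. The MSIP_Label_<GUID>_<Attribute> naming, the GUID, and the sample message and file are assumptions constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from email import message_from_string

# Assumed naming: MSIP_Label_<label GUID>_<Attribute> (Enabled, Name, SetDate, ...)
KEY = re.compile(r"MSIP_Label_([0-9a-fA-F-]{36})_(\w+)")
CP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
VT_NS = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"

def group(pairs):
    """Collect (property name, value) pairs into {label_guid: {attribute: value}}."""
    labels = {}
    for name, value in pairs:
        m = KEY.fullmatch(name.strip())
        if m:
            labels.setdefault(m.group(1).lower(), {})[m.group(2)] = value.strip()
    return labels

def labels_from_email(raw):
    """Parse the msip_labels header, a ';'-separated list of key=value pairs."""
    header = message_from_string(raw).get("msip_labels", "")
    header = " ".join(header.split())  # unfold a header wrapped over several lines
    return group(p.split("=", 1) for p in header.split(";") if "=" in p)

def labels_from_office_file(data):
    """Read MSIP_Label_* custom properties from docProps/custom.xml in an OOXML zip."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if "docProps/custom.xml" not in z.namelist():
            return {}  # no custom properties part, so no label metadata
        # For untrusted files, parse with a hardened parser such as defusedxml.
        root = ET.fromstring(z.read("docProps/custom.xml"))
    props = root.iter("{%s}property" % CP_NS)
    return group((p.get("name", ""), "".join(p.itertext())) for p in props)

# Constructed sample data (not taken from a real tenant).
GUID = "11111111-2222-3333-4444-555555555555"
SAMPLE_EMAIL = ("From: a@example.com\nSubject: Q3 plan\n"
                "msip_labels: MSIP_Label_%s_Enabled=True;\n"
                " MSIP_Label_%s_Name=Confidential;\n\nbody\n" % (GUID, GUID))

def sample_office_file():
    xml = ('<Properties xmlns="%s" xmlns:vt="%s"><property pid="2" name="MSIP_Label_%s_Name">'
           '<vt:lpwstr>Confidential</vt:lpwstr></property></Properties>' % (CP_NS, VT_NS, GUID))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/custom.xml", xml)
    return buf.getvalue()
```

Call `labels_from_email(SAMPLE_EMAIL)` or `labels_from_office_file(sample_office_file())` to get a dictionary keyed by label GUID.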



What’s the interplay with the other labels? 
These labels are being replaced with sensitivity labels and there’s an option to migrate them to sensitivity labels right from within the Azure portal. You can have both a retention label and an AIP label on the same document or email. Even if an AIP label encrypts a document (uses Azure Rights management), you can still apply a retention label on it. 

Where is the label created?
AIP labels used to be created in the Azure portal. That has now been deprecated in the Azure portal: we can no longer create labels there, and it is in read-only mode.


What are good things to know about this label?
An AIP label can override SharePoint permissions! If you have a document in a SharePoint library and 1 of the documents is protected with an AIP label with rights management limited to a few select individuals, other people won’t have access to the document even if they have access to the SharePoint document library.

Sensitivity Labels or Unified Labels 
These are the new and recommended way of applying protection to documents and emails on a go-forward basis.

Licensing Sensitivity Labels

Sensitivity labels are part of the Microsoft Purview Information Protection product. Anyone with an Office 365 license can read documents or emails protected by labels. Users require Office 365 E3 or above to apply a label manually, while automatic policy-driven application of labels requires Office 365 E5 or the Microsoft 365 E5 compliance licenses.


Where does an end-user see this label?

Old School method
To see the sensitivity labels, you need to either have migrated your AIP labels from the Azure Portal to the Compliance Center (if you were previously using AIP labels) OR created net new Sensitivity labels in the Compliance Center, which is now called the Purview portal.

Whichever way your sensitivity labels were created, end-users must be using 1 of 2 clients to see the sensitivity label:

  • Unified label AIP client Office add-in
  • Native labeling built into the Office Pro-plus install

There is a difference between the user experience depending on which of the above client options you’ve gone with. The key difference end-users will notice is with the version built-in, you will no longer see the Information Protection bar in the Office clients, you will only see the Sensitivity button on the toolbar.


Modern method

Sensitivity Label Clients

The biggest change for sensitivity labels over the past few years is native mode support for labels within applications. Native mode means that an application includes code built using the Microsoft Information Protection SDK to apply, read, and respect sensitivity labels. As noted above, originally, labeling depended on a separate client (the AIP client and later the unified labeling client). Now, the Microsoft 365 enterprise desktop apps (Word, Excel, and PowerPoint), their online equivalents, and the paid-for version of Adobe Acrobat can interact with sensitivity labels directly. Support extends to protecting PDFs generated by Office applications.


What are good things to know about this label? 
Sensitivity labels can use sensitive information types to be auto-applied (just like Data Loss Prevention and Retention).

Sensitivity labels can be applied to an Office 365 Group, Teams, SharePoint site, or PowerBI workspace

Data Loss Prevention can use sensitivity labels to take action

What’s the interplay with the other labels?

Once you migrate your labels from the Azure portal to the Compliance Center, you can administer them from either the Compliance Center or the Azure Portal, and label changes are synced to the other portal.

Similar to retention labels and AIP labels, you can have both a retention label and a sensitivity label on the same document, even if the document is encrypted.

Sensitivity labels can be created in the Microsoft Purview portal (compliance).


Label policies for retention

Making retention labels available to people in your organization so that they can classify content is a two-step process:

  1. Create the retention labels.

  2. Publish the retention labels by using a retention label policy.

When retention labels become available to apply: if you publish retention labels to SharePoint or OneDrive, those labels typically appear for users to select within one day. However, allow up to seven days.

If you publish retention labels to Exchange, it can take up to seven days for those retention labels to appear for users. As with all retention settings for Exchange, the mailbox must contain at least 10 MB of data.

Please see the important information in the screenshot below.







In Part 2, we will see how to troubleshoot labels and policies in Microsoft 365.


