Sensitivity labels, like retention labels, are metadata that helps users and the M365 platform classify content. While retention labels are used to protect and manage the content’s data lifecycle (and consequently, its overall existence in the M365 ecosystem), sensitivity labels are used to classify, protect, and manage data from a risk or value perspective.
Sensitivity labels have evolved since their first introduction as part of Azure Information Protection in 2018 as a cloud -based successor to Active Directory Rights Management Services (originally introduced as part of Windows Server 2003) and Azure AD Rights Management Services (originally introduced in 2013).
Modern sensitivity labels have the following protection features and capabilities:
• Content marking (such as markings in headers, footers, or body watermarks)
• Content encryption, allowing it to only be opened by specified recipients
• Apply permissions restricting what others can do with a document (edit, save, comment, print, export/save as, forward, have full control, reply, reply all, view/open/read, copy/extract, view rights, or change rights)
• Allow or prevent offline access
• Assign an expiration date to content
• Content classification
As part of a deployment, you can also force users to apply a label to content they create (a feature called mandatory labeling) and organize sensitivity labels in a hierarchical structure (a parent/child relationship sometimes referred to as sublabels).
Note
Once you create a sublabel, the sublabel’s parent label can no longer be used to label content.
In the next section, you’ll look at configuring sensitivity label prerequisites along with some basic labels.
Implementing sensitivity labels
Sensitivity labels are available to both M365 E3 and E5 subscriptions. Like retention labels, the auto-apply features of sensitivity labels require either the M365 E5, EMS E5, or Advanced Compliance subscription. One additional licensing caveat: applying labels to meetings requires Teams Premium licensing.
Enabling sensitivity labels for Teams, M365 groups, and SharePoint sites
By default, sensitivity labels can’t be applied to container objects such as Teams, SharePoint sites, or M365 groups. If you don’t go through the prerequisite setup steps, you’ll see this warning notification when you create labels or sublabels under the Information Protection section:
Figure 10.30 – Notice displayed when creating a sensitivity label
To ensure that you can apply labels to all locations (including container-level objects) inside the M365 environment, follow these steps to enable the feature:
- Launch an elevated PowerShell window.
- If not already installed, download and install the Azure AD Preview module:
Install-Module AzureADPreview
- Connect to Azure AD using the Preview module:
AzureADPreview\Connect-AzureAD
- Configure a directory settings template that enables labels:
$grpUnifiedSetting = (Get-AzureADDirectorySetting | where -Property DisplayName -Value “Group.Unified” -EQ)
$Setting = $grpUnifiedSetting
$grpUnifiedSetting.Values
if ($null -eq $grpUnifiedSetting.Values)
$TemplateId = (Get-AzureADDirectorySettingTemplate | where { $_.DisplayName -eq “Group.Unified” }).Id
$Template = Get-AzureADDirectorySettingTemplate | where -Property Id -Value
$TemplateId -EQ
$Setting = $Template.CreateDirectorySetting()
$Setting[“EnableMIPLabels”] = “True” New-AzureADDirectorySetting -DirectorySetting $Setting} else
$TemplateId = (Get-AzureADDirectorySettingTemplate | where { $_.DisplayName -eq “Group.Unified” }).Id
$Template = Get-AzureADDirectorySettingTemplate | where -Property Id -Value $TemplateId -EQ
$Setting = $Template.CreateDirectorySetting()
$Setting[“EnableMIPLabels”] = “True”Set-AzureADDirectorySetting -DirectorySetting $Setting -Id $grpUnifiedSetting.Id}
- Connect to the Security & Compliance PowerShell endpoint using the following command:
Connect-IPPSSession
- Run the Execute-AzureAdLabelSync command to ensure sensitivity labels can be used with Azure AD container objects (such as M365 groups, Teams, and group-connected SharePoint sites):
Execute-AzureADLabelSync
The cmdlet does not return any data to the screen but should trigger a task that synchronizes labels to Azure AD for use with group container objects.