Microsoft 365: Microsoft Purview – Information Protection – Sensitivity Label – Securing Email Communication with Information Protection Sensitivity Labels: A Step-by-Step Guide – Data Governance

It is never too late to be what you might have been

Hello Everyone,  

Hope you all are doing well.  

Today, our focus is on Microsoft Purview Information Protection, specifically how it enables us to secure our email communications using Sensitivity Labels. We’ll explore how these labels help us classify and protect sensitive information, ensuring that our data remains secure and compliant. So, let’s dive into the world of information protection and email security.

Key takeaways from this article

At the end of this article we will understand

• We will explore Sensitivity Labels and their functionality within Microsoft Purview.
• We’ll learn how to create Information Protection Sensitivity Labels in Microsoft Purview.
• We’ll discover how to publish Information Protection Sensitivity Labels in Microsoft Purview.
• Learn how to enhance email security using Information Protection Sensitivity Labels in Microsoft 365.

Here’s a real-world example of using information protection labels to encrypt an email message:

• Scenario: Imagine you work for a financial services company, and you need to send a sensitive financial report to a client. This report contains confidential financial data that should only be accessible by the intended recipient.
• Label Selection: You open your email client, and before composing the email, you select an information protection label that your organization has configured. Let’s call it “Confidential – Financial Report.”
• Composing the Email: You compose the email as usual, attaching the financial report to the message.
• Label Activation: After attaching the report, you activate the “Confidential – Financial Report” label. This label carries encryption settings defined by your organization.
• Sending the Email: When you send the email, the information protection label automatically encrypts the message and its attachments. This means that even if someone intercepts the email, they won’t be able to read the content without the appropriate decryption key.
• Recipient Access: The recipient receives the email and opens it. They are prompted to authenticate their identity (usually through their email or a one-time code) to access the encrypted content.
• Secure Access: Once authenticated, the recipient can access the financial report securely. The information protection label ensures that only authorized individuals can decrypt and view the sensitive information.

In this example, information protection labels are used to encrypt the email and its attachment, adding an extra layer of security to ensure that confidential financial data remains confidential and only accessible by the intended recipient. This safeguards sensitive information during transit, reducing the risk of data breaches.

What Are Sensitivity Labels?

Sensitivity labels are metadata tags or labels that we can apply to documents, emails, and other types of content in Microsoft 365. These labels serve two primary purposes:

• Data Classification: Sensitivity labels allow us to classify data according to its sensitivity or importance level. For example, we can label content as “Confidential,” “Internal Use Only,” or “Public.”
• Data Protection: Sensitivity labels enable us to apply specific protection and encryption settings to labelled content, ensuring that it’s handled appropriately in terms of security and compliance.

How Do Sensitivity Labels Work?

Here’s how sensitivity labels work in Microsoft 365:

• Label Creation: We create sensitivity labels in the Microsoft 365 Compliance Center. These labels are typically defined with a name, description, and sensitivity level (e.g., low, medium, high).
• Label Configuration: For each sensitivity label, we can configure various settings, including:
• Protection Settings: We can define how content labelled with this sensitivity label should be protected. This may involve encryption, rights management, and access restrictions.
• Visual Markings: We can set visual markings such as watermarks, headers, or footers that appear on documents and emails to indicate their sensitivity.
• Label Application: Users or administrators can apply sensitivity labels to documents, emails, or other content manually. Additionally, we can create policies to automatically apply labels based on content characteristics or location.
• Protection Enforcement: When a sensitivity label is applied, the associated protection settings are enforced. For example, if we apply a “Confidential” label, the document may be encrypted, and access might be restricted to specific users or groups.
• Access Control: Sensitivity labels can include access control settings. For instance, a “Confidential” label might allow only authorized personnel to access and edit the content.
• Monitoring and Auditing: Microsoft 365 provides tools for monitoring the usage and application of sensitivity labels. We can track who accessed labelled content, when, and what they did with it.
• Integration with Office Apps: Sensitivity labels are integrated with Microsoft Office applications (e.g., Word, Excel, PowerPoint). Users can easily apply labels from within these applications.

If you’re looking to explore Information Protection and Sensitivity Labels further, I recommend checking out the previous article through the provided link for an in-depth understanding –https://knowledge-junction.in/2023/10/10/microsoft-365-microsoft-purview-information-protection-sensitivity-label-securing-business-data-with-sensitivity-labels-and-information-protection-in-microsoft-365/

Configuring and customizing sensitivity labels in Microsoft 365 involves several steps to tailor them to our organization’s specific needs. Here’s a high-level overview of the process:

Step 1: Access the Microsoft 365 Compliance Center

We have the detailed article for navigate to Microsoft Purview compliance portal– Microsoft 365 – Navigate to Microsoft Purview compliance portal – https://knowledge-junction.in/2023/05/04/small-tricks-and-tips-microsoft-365-administration-microsoft-purview-portal-how-to-navigate/

• Go to the Microsoft Purview compliance portal at https://compliance.microsoft.com/homepage

Step 2: Create a New Sensitivity Label

• In the Compliance Center, go to Information protection and select Sensitivity labels.

• On the Labels page, locate the option to create a new sensitivity label. It’s typically labelled as + Create a label. Click on this option to start configuring our new sensitivity label for email encryption.

• Give the label a Name and Description that clearly reflects its purpose.

• The choices we make on the Define the scope for this label page dictate where and how the sensitivity label we’re creating will be applied and visible once it’s published. This step helps determine the label’s scope and its reach across our organization’s settings and systems.

• On the Choose protection settings for labelled items page, be sure to choose whether we want to apply or remove encryption for items labelled with this sensitivity label.

• Define visual markings, such as watermarking, headers, or footers, to indicate the label’s sensitivity.

Step 3: Configure Protection Settings

• Determine how we want to protect content labelled with this sensitivity label. Options may include encryption, rights management, and access restrictions.

• Set up encryption settings, like specifying who can decrypt the content.

• When Configuring encryption settings for a sensitivity label, we have two options:
• Assign permissions now: This allows us to specify which users have what permissions for content with the label applied. We have full control over access.
• Let users assign permissions when they apply the label: With this option, users can determine permissions when applying the label. It provides flexibility for collaboration within our organization.

• To allow users to assign permissions when applying a sensitivity label:
• In Outlook, users can choose restrictions like Do Not Forward or Encrypt-only for specific recipients.
• Do Not Forward is widely supported, but Encrypt-Only is newer and supported only in built-in labelling, not the Azure Information Protection client.
• Ensure users have the minimum versions of Outlook apps that support Encrypt-Only by referring to the capabilities table for Outlook.

• Visual markings, such as watermarks and labels, play a vital role in helping users swiftly identify the confidentiality of content within Microsoft Purview Information Protection.
• They serve as visual cues, making it clear whether the information is highly confidential, internal use only, or public.

• By using these markings, users can adhere to organizational data protection policies more effectively, ensuring that sensitive data is handled appropriately and securely.

• If our label includes Sensitive information types in the configured conditions, we’ll have the option to automatically create an auto-labelling policy with the same settings at the end of the label creation or editing process.
• However, if our label uses Trainable classifiers as conditions:
• If only Trainable classifiers are used, we won’t have the option to create an auto-labelling policy automatically.
• When both Trainable classifiers and Sensitivity information types are used as conditions, an auto-labelling policy will be generated, but it will specifically apply to the Sensitive information types within the label.

• Review all our label settings to ensure they align with our organization’s security and compliance requirements.
• Once we’re satisfied, click on Create label to create the label.

Step 4: Define Label Policies

• In the Microsoft Purview compliance portal, go to Solutions, then Information protection, and select Label policies.

• On the Label policies page, click on Publish label to initiate the configuration process for creating a policy.

• Go to the Choose sensitivity labels to publish page.
• Click on the Choose sensitivity labels to publish link.
• Select the labels we want to make available in apps and services.
• Click Add to confirm our selections.

• Regarding the assignment of administrative units in Microsoft Purview Information Protection:
• If our organization uses administrative units in Azure Active Directory, we can choose to automatically limit the label policy to specific users by selecting these administrative units. If our account has been assigned to specific administrative units, we’ll need to pick one or more of them.
• However, if we prefer not to restrict the policy by using administrative units, or if our organization hasn’t configured administrative units, we can leave it at the default option of Full directory. This allows the policy to apply across the entire organization without specific administrative unit restrictions.

• Next, choose which groups or users should have the label available. Again, click Done and Next.

• Require a justification for changing a label: To enhance security, users must provide a reason when changing a label on items, except for teams and groups. If they try to remove or replace a label with a lower-order one, a justification is required. For Office apps, this prompt appears once per session with built-in labelling or per file with the Azure Information Protection client. Administrators can review these justifications in activity explorer to track label changes.
• Require users to apply a label: Mandatory labelling in Microsoft Purview Information Protection enforces the requirement for users to apply a sensitivity label before saving documents, sending emails, creating groups or sites, or using unlabelled content in Power BI. This ensures data is consistently classified and protected.

• Using a default label in Microsoft Purview Information Protection can provide a basic level of protection for your content.
•  However, it’s important to be cautious, especially when selecting a label that applies encryption as a default for email.
• This can lead to challenges when sharing with external users who may not have compatible apps or authorized accounts.
• User training and additional controls are essential to avoid inaccurate labelling in such cases.

• When setting up a policy, you should provide a clear and descriptive name along with a detailed description. This helps users and administrators understand the purpose and scope of the policy, making it easier to manage and implement effectively.

Step 5: Review and Publish

• Review all our label settings to ensure they align with our organization’s security and compliance requirements.
• Once we’re satisfied, click on Submit to publish the label.

Step 6: Deploy the Sensitivity Labels

• Once tested and validated, deploy the sensitivity labels across your organization.
• Encourage all users to utilize the labels as needed.

By following these steps, we can configure and customize sensitivity labels in Microsoft 365 to enhance data protection and compliance within our organization. Keep in mind that these steps may vary slightly depending on the specific features and settings available in our Microsoft 365 subscription.

Applying sensitivity labels to email messages in Microsoft 365 is a straightforward process. Follow these step-by-step instructions:

Step 1: Compose Your Email

• Open our email client (e.g., Outlook) and start composing our email message as we normally would.

Step 2: Locate the Sensitivity Label Option

• In the email composition window, we should see an option related to sensitivity labels. The location of this option may vary depending on our email client and configuration. It’s typically found in the message options or ribbon toolbar.

Step 3: Choose a Sensitivity Label

• Click on the sensitivity label option. A dropdown menu should appear, displaying a list of available sensitivity labels. These labels are predefined by our organization.

Step 4: Select the Appropriate Label

• From the dropdown menu, select the sensitivity label that best corresponds to the content and intended level of protection for our email. For example, we might choose Highly Confidential for highly sensitive information.

Step 5: Review and Confirm

• After selecting the label, review our email to ensure that it contains the appropriate content and that the chosen label aligns with our intentions.

Step 6: Send the Email

• Once we’re satisfied with the email content and the selected sensitivity label, click the Send button to send the email.

Step 7: Protection and Encryption (If configured)

• Depending on our organization’s configuration, the sensitivity label we applied may trigger specific protection and encryption settings. For example, if we applied a Confidential label, the email and its attachments might be encrypted.

Step 8: Recipient Access

• The recipient of our email will receive it with the applied sensitivity label. Depending on the label’s settings, they may need to authenticate or meet certain criteria to access and view the email’s content.

• By following these steps, we can apply sensitivity labels to our email messages, helping to classify and protect sensitive information while ensuring compliance with our organization’s data protection policies.

I hope that this article has given you valuable insights into Information Protection, particularly how it empowers us to enhance the security of our email communications through Sensitivity Labels in Microsoft 365.

Also get my article updates on my social media handles. 

LinkedIn – https://www.linkedin.com/in/prajyot-yawalkar-093716224/ 

Twitter – https://twitter.com/PrajyotYawalkar?t=oovP0r9FnDtz5nNSJGKO0Q&s=09 

Have a wonderful day.  

Thanks for reading.