Organizations and individuals are constantly seeking more effective ways to safeguard their sensitive information. Microsoft's suite of tools offers a robust solution in the form of Sensitivity Labels. Designed to empower users with the ability to protect and manage their most critical data, these labels are instrumental in enforcing protection settings, such as encryption and content markings, ensuring that your information remains secure and confidential.
In this article, we'll learn about the Sensitivity Labels in Microsoft Office on Windows, exploring their role, functionality, and the unparalleled benefits they bring to the realm of data security.
Table of Contents:
What are Sensitivity Labels?
Sensitivity labels are tags that you can apply to your documents and emails. When applied, these labels provide visual cues (like headers, footers, or watermarks) and enforce protection settings (like encryption or content marking) on your content. These labels can be applied manually by users, automatically by administrators based on content inspection, or a combination where users are given recommendations.
Opening a New Document: When you open a new document, the sensitivity bar will be visible alongside the file name at the top of the application. This bar is where you can see and change the sensitivity label of your document.
Existing Labels: If your document is already labeled or is assigned a default label by your organization’s policies, that label will show up in the sensitivity bar the first time you open the document. This allows you to know at a glance what level of sensitivity has been applied to your document.
Required Labels: If a label is required by your organization’s policies, you will see a prompt in the sensitivity bar to select a label when you open a new document. You won’t be able to save or share your document until a label has been applied.
Optional Labels: If applying a label is optional, you will see the label “No label” in the sensitivity bar when you open a new document. You can choose to apply a label if you want, but it’s not required.
Role of Sensitivity Labels in Data Protection
The primary role of sensitivity labels is to protect sensitive data in your organization. They do this in several ways:
Classification: Sensitivity labels allow you to classify data based on its sensitivity. This classification is embedded in the content metadata and stays with the content, regardless of where it’s stored or with whom it’s shared.
Protection: After classification, sensitivity labels can enforce protective actions such as encryption, access restrictions, visual markings (like a watermark), and more. For example, a document labeled as “Confidential” might be encrypted and accessible only to specific groups within your organization.
Persistent Protection: The protection settings enforced by sensitivity labels stay with the data even when it leaves your organization’s boundaries. This means if a protected document is sent outside of your organization, the document remains protected.
Regulatory Compliance: By using sensitivity labels, organizations can better comply with industry regulations by ensuring sensitive data is adequately protected.
Requirements for using the sensitivity features
The requirements for using sensitivity features in Microsoft Word are as follows:
Microsoft 365 Subscription: You need to have an active Microsoft 365 subscription.
Work Account: The Sensitivity feature is not available if your Office account isn’t a work account with an Office 365 Enterprise E3 or Office 365 Enterprise E5 license assigned.
Azure Information Protection Add-in: If you need to use the AIP add-in rather than built-in labeling, you can configure a new setting to override the default. However, Microsoft recommends that you use built-in labeling whenever possible. If you have previously used the AIP add-in as the default labeling client in Office apps, and you are using a version of Office that is later than the ones listed above, the AIP add-in will be automatically disabled and replaced by built-in labeling.
License for Sensitivity Labels: In general, users who need to be able to create, edit, or delete sensitivity labels will need a license that includes the Microsoft Purview Information Protection service. Users who only need to be able to read or apply sensitivity labels may be able to use a less expensive license. To see the options for licensing users to benefit from Microsoft Purview features, you can refer to the Microsoft 365 licensing guidance for security & compliance.
Different Sensitivity labels and their uses.
Sensitivity labels in Microsoft Word are a kind of digital stamp added to your business document or email in order to secure it. They are customizable and specific to your organization and business needs. Here are some examples of sensitivity labels and their uses:
Public: This label could be used for content that is intended for public distribution.
General: This is usually the default label for content that doesn’t contain sensitive information.
Confidential: This label could be used for content that should be kept confidential within the organization. For example, applying a “Confidential” label to a document or email can encrypt the content and apply a “Confidential” watermark.
Highly Confidential: This label could be used for content that contains highly sensitive information, such as trade secrets or personal data.
These labels can provide protection settings that include encryption and content markings. They can protect content in Office apps across different platforms and devices, and even in third-party apps and services by using Microsoft Defender for Cloud Apps. They can also protect containers that include Teams, Microsoft 365 Groups, and SharePoint sites.
How to add a Sensitivity Label to a Document?
When a user saves a new file, the sensitivity bar will check if the user has a default sensitivity label configured. If the user does have a default label, the sensitivity bar will remind the user of the default label. If the user does not have a default label, the sensitivity bar will give the user the opportunity to set a label for the file at the time it is created.
This helps to ensure that users are aware of the sensitivity of the information they are creating and that they are applying the appropriate sensitivity label to their files.
Hover over the sensitivity label with your mouse to see your organization's description of the label.
The sensitivity bar is always visible in the title bar, so you can easily apply or change a sensitivity label whenever you're editing an existing document. Simply click the label or filename in the title bar.
Customize Sensitivity Labels
Compliance admins can configure the following customizations:
Sensitivity bar visibility: Admins can configure the sensitivity bar to show only the label icon.
Sensitivity label color: Admins can assign a color to each label.
Sensitivity bar visibility: By default, the sensitivity bar shrinks to show only the parent label name after the initial document load or when the label is changed.
Admins can configure a setting in PowerShell to reduce the sensitivity bar to show only the label icon.
The Set-LabelPolicy cmdlet is a PowerShell command used to modify sensitivity label policies in your organization. It’s available only in Security & Compliance PowerShell.
The cmdlet has several parameters that allow you to specify different settings for the sensitivity label policy. Here are some of the key parameters:
Identity: Specifies the identity of the sensitivity label policy that you want to modify.
AddLabels: Allows you to add labels to the policy.
RemoveLabels: Allows you to remove labels from the policy.
AdvancedSettings: Allows you to specify advanced settings for the policy.
AddExchangeLocation, AddModernGroupLocation, AddOneDriveLocation, AddPublicFolderLocation, AddSharePointLocation, AddSkypeLocation: These parameters allow you to add different locations (like Exchange, Modern Groups, OneDrive, Public Folders, SharePoint, Skype) to the policy.
RemoveExchangeLocation, RemoveModernGroupLocation, RemoveOneDriveLocation, RemovePublicFolderLocation, RemoveSharePointLocation, RemoveSkypeLocation: These parameters allow you to remove different locations from the policy.
PowerShell Command to modify a Sensitivity Lebel policy:
Set-LabelPolicy [-Identity] <PolicyIdParameter> -RetryDistribution [-AddLabels <MultiValuedProperty>] [-AdvancedSettings <PswsHashtable>] [-Confirm] [-MigrationId <String>] [-NextLabelPolicy <PolicyIdParameter>] [-PreviousLabelPolicy <PolicyIdParameter>] [-RemoveLabels <MultiValuedProperty>] [<CommonParameters>]
PowerShell Command to Add and Remove locations (like Exchange, Modern Groups, OneDrive, Public Folders, SharePoint, Skype) to/from the policy:
Set-LabelPolicy [-Identity] <PolicyIdParameter> [-AddExchangeLocation <MultiValuedProperty>] [-AddExchangeLocationException <MultiValuedProperty>] [-AddLabels <MultiValuedProperty>] [-AddModernGroupLocation <MultiValuedProperty>] [-AddModernGroupLocationException <MultiValuedProperty>] [-AddOneDriveLocation <MultiValuedProperty>] [-AddOneDriveLocationException <MultiValuedProperty>] [-AddPublicFolderLocation <MultiValuedProperty>] [-AddSharePointLocation <MultiValuedProperty>] [-AddSharePointLocationException <MultiValuedProperty>] [-AddSkypeLocation <MultiValuedProperty>] [-AddSkypeLocationException <MultiValuedProperty>] [-AdvancedSettings <PswsHashtable>] [-Comment <String>] [-Confirm] [-MigrationId <String>] [-NextLabelPolicy <PolicyIdParameter>] [-PolicyRBACScopes <MultiValuedProperty>] [-RemoveExchangeLocation <MultiValuedProperty>] [-RemoveExchangeLocationException <MultiValuedProperty>] [-RemoveLabels <MultiValuedProperty>] [-RemoveModernGroupLocation <MultiValuedProperty>] [-RemoveModernGroupLocationException <MultiValuedProperty>] [-RemoveOneDriveLocation <MultiValuedProperty>] [-RemoveOneDriveLocationException <MultiValuedProperty>] [-RemovePublicFolderLocation <MultiValuedProperty>] [-RemoveSharePointLocation <MultiValuedProperty>] [-RemoveSharePointLocationException <MultiValuedProperty>] [-RemoveSkypeLocation <MultiValuedProperty>] [-RemoveSkypeLocationException <MultiValuedProperty>] [<CommonParameters>]
PowerShell Command to include -Force parameter which forces the command to run without asking for user confirmation:
Set-LabelPolicy [-Identity] <PolicyIdParameter> [-AddLabels <MultiValuedProperty>] [-AdvancedSettings <PswsHashtable>] [-Comment <String>] [-Confirm] [-Force] [-MigrationId <String>] [-NextLabelPolicy <PolicyIdParameter>] [-PreviousLabelPolicy <PolicyIdParameter>] [-RemoveLabels <MultiValuedProperty>] [-Setting <PswsHashtable>] [-Settings <PswsHashtable>] [-WhatIf] [<CommonParameters>]
Sensitivity label color: Compliance admins can assign a color to each label. The assigned color will show up in Word, Excel, and PowerPoint alongside the labels, allowing users to differentiate labels at a glance. In the compliance admin center, a label color can be chosen from 10 presets or can be customized using PowerShell.
The following preset colors are available in the compliance admin center:
Sensitivity labels play a crucial role in protecting sensitive information by classifying data, enforcing protective measures, ensuring persistent protection, and aiding in regulatory compliance. By leveraging these features in Microsoft Office for Windows, organizations can significantly enhance their data security posture and ensure compliance with various regulatory standards.