The Microsoft 365 Blog

Top 5 Microsoft 365 Sensitivity Labels for Data Protection

Dec 15, 2024
Bearded guy with his arms crossed with text on his right hand side

It’s no secret that data protection is one of the most overlooked parts of most small business IT strategies. But, why?

With Microsoft 365, you already have all of the data protection tools at your disposal! One of the best tools for data protection is called Sensitivity Labels, and that’s what I’d like to talk to you about today.

Before we explore this topic in the blog below, for a full walk-through, be sure to head over to my YouTube channel to check out the video for Sensitivity Labels.

Let’s crack on with it.

 

What Are Sensitivity Labels in Microsoft 365?

Most businesses are familiar with protecting users with tools such as multi-factor authentication and anti-virus software. What lots of businesses don’t do though is protect their data.

Very rarely, I see businesses utilising Sensitivity Labels in Microsoft 365, probably because they don’t know what they are.

Essentially with Sensitivity Labels, you can create virtual labels which can then be applied to files, emails, and even entire Sharepoint size. To help you understand more about what a Sensitivity Label is, let’s look at a couple of examples…

Sensitivity Label Example

One day, you create a couple of Word documents, the first one contains a chocolate brownie recipe that you plan to make, who knows? You might even publish it on your personal blog. In terms of privacy and security for this document, you’re not really worried.

The second document you create is a bit more serious. It’s aimed towards your job management team and it’s a list of all the people that you plan to make redundant in the next 6 months.

With the chocolate brownie recipe, you can attach a Sensitivity Label called ‘Public’, as if it gets into the public domain, it’s really no big issue. For your second document, security is a must, so why don’t we attach a label called ‘Management Team Only’. This Sensitivity Label ensures that our word document is encrypted and can only be seen by the members of your management team.

Sensitivity Label Mistakes 

I often see businesses using Sensitivity Labels making the same two mistakes. Firstly, they create too many labels, secondly, the naming convention of these labels can sometimes be too confusing.

So, what’s the solution?

Stick to the five sensitivity labels I’m going to show you in the next steps, that every business should implement and start using today.

 

How to Create 5 Sensitivity Labels

 

‘Public’ Label

  1. Login to the Microsoft 365 Admin Centre, click into ‘Admin centres and compliance’. Go to ‘Solutions’ and ‘Information protection’, click ‘Labels’. 
  2. Click on ‘+Create a label’. The first label you’re going to create is going to be called ‘Public’. This label will be applied to documents that are fine for the public domain. You can add in a description to help users to understand when to use the label.

  3. Click on ‘Next’, this will take you to a page titled ‘Define the scope for this label’. Tick all of the relevant boxes and then choose ‘Next’.
  4. You will then be brought to another page titled ‘Choose protection settings for the types of items you selected’. You can leave these ones blank as it is a public label. Again, click ‘Next’. Skip the auto-labelling page by clicking ‘Next’ again.
  5. The next page will be ‘Define protection settings for groups and sites’. I suggest checking the first two boxes: ‘Privacy and external user access’ and ‘External sharing and Conditional Access’. Click ‘Next’.
  6. The next page is titled ‘Define privacy and external user access settings’, since this is a public label, I tick the ‘public’ box and the box for ‘Let Microsoft 365 Group owners add people outside your organization to the group as guests’. Click ‘Next’.

  7. The next page that shows is titled ‘Define external sharing and conditional access settings’. I tick the box for ‘Content can be shared with - Anyone’ and leave the ‘Use Microsoft Entra Conditional Access to protect labeled SharePoint sites’ unchecked. Click ‘Next’, then ‘Create Label’.

‘General’ Label

  1. Follow the same steps as above for naming the label, for the description I write ‘Information can be shared internally and with trusted partners but isn’t for general public viewing’. I give the label a green color, this time.
  2. Follow the same steps as above until you reach the ‘Define privacy and external user access settings’ page, instead of ‘Public’, select ‘None’. Make sure that ‘External user access’ is still checked.
  3. On the ‘Define external sharing and conditional access settings’ page, select the ‘New and existing guests’ under the ticked ‘Control external sharing from labeled SharePoint sites’. Click ‘Next’ and then ‘Create Label’.

‘Confidential - External’ Label

  1. Name the label ‘Confidential - External’, I use the description ‘Sensitive information intended for specific people inside or outside of the organization’, give the label an amber colour to indicate it is a ‘cautious’ label to be using. 
  2. Apply the same checked boxes for ‘Define the scope’ and then when you reach the ‘Choose protection settings’ page, check the ‘Control access’ and ‘Apply content marking’ boxes. This will bring you to a ‘Access control’ page with further settings for the label. Ensure that the ‘Configure access control settings’ box is ticked, you can then choose to assign permissions now or at a later date, I prefer to assign permissions then and there.
  3. Choose your preferences for ‘User access to content expires’ and ‘Allow office access’. I choose ‘Add any authenticated users’ for the ‘Assign permissions to specific users and groups’ setting. After clicking ‘Next’, you’ll be brought to a ‘Content marking’ settings page, you can choose to add a footer, header, and a watermark if necessary.
  4. When you reach the ‘Define protection settings for groups and sites’ page, I check the ‘Private’ box and ‘External user access’ boxes. On the ‘Define external sharing and conditional access settings’ page, I select ‘New and existing guests’ then create the label.

‘Confidential - Internal’ Label

  1. Name the label ‘Confidential - Internal’. For the description, I write ‘Sensitive information intended for people WITHIN our organization’. I color the label orange.
  2. In the scope definition settings, keep the boxes checked as before before clicking ‘Next’ and ticking the boxes that appear on the ‘Choose protection settings for the types of items you selected’ page.
  3. For ‘Access control’, I choose the same settings as for the previous label, but in the ‘Assign permissions’ section, I select ‘All users and groups in your organization’. Turn on content marketing and the relevant settings for you.
  4. Make sure auto-labelling is off, then in the ‘Define protection settings’ page, select the same two settings as the previous label before clicking ‘Next’. Choose ‘Private’ on the privacy settings page and don’t tick the ‘External user access’ box.
  5. Check the ‘Control external sharing from labeled SharePoint sites’ box and select ‘Only people in your organization’ option, then ‘Next’, and create the label.

‘Confidential - View Only’ Label

  1. Name the label ‘Confidential - View Only’. Add in the descriptor ‘Use to communicate sensitive information but don’t want it to be printed, forwarded, or copied. I chose red for this label’s colour, since it’s the highest level of sensitivity. 
  2. For the label’s scope, deselect ‘Groups & sites’. Tick the boxes for ‘Control access’ and ‘Apply content marketing’. Leave the boxes on the ‘Access control’ page as previously. For ‘Access control’, choose the same settings as before, too.
  3. When assigning permissions, I select ‘Add any authenticated users’ and then click ‘Choose permissions’, choose ‘Custom’ and select the security permissions for users.
  4. When assigning permissions, I select ‘Add any authenticated users’ and then click ‘Choose permissions’, choose ‘Custom’ and select the security permissions for users.

 

Label Policies 

Now that you’ve created and published all of the relevant labels, it’s time to create label policies. Label policies allow you to add even more in-depth data security layers to the way in which users interact with and allocate labels.

I recommend ticking the first box here. For the second, this is entirely your choice, but without it being checked, I don’t think the label usage system is very effective. Personally, I like to make it a requirement that users apply a label to documents and emails at all times.

I leave the other two boxes unchecked, generally. On the next page, you’ll have the option to choose your default settings for documents. You’ll then be able to name your policy before creating it!

 

User Experience and Final Thoughts 

Now that you have created 5 Sensitivity Labels, it’s time to put user experience to the test. In my YouTube tutorial video, I show you a complete walkthrough of how the labels are configured in real-time. Be sure to check it out before applying labels in 365, if you’d like to see Sensitivity Labels in action.

And, there you have it! Sensitivity Labels in Microsoft 365 are essential for data protection and can really enhance the way your business operates. Don’t forget to subscribe to my YouTube channel for more useful videos and contact us at [email protected] or visit www.integral-it.co.uk if you’re looking for an IT partner.