Sensitivity Labels: What They Are, Why You Need Them, and How to Apply Them

With the rise of fully remote and hybrid work environments, team collaboration across various channels, apps, and devices has become imperative to completing daily tasks. All sorts of information flows across different departments and teams in companies. Therefore, it’s more important than ever to understand what data you can share internally and externally, and what should stay confidential. To be able to do that effectively, without compromising productivity and creating more hustle, Microsoft 365 Compliance introduced Sensitivity labels. These labels allow to classify all information shared within a company. In this article, we will try to understand what the sensitivity labels are. We will also make a distinction between them and Teams classification labels. And lastly, we will discuss how you can use them.

What are sensitivity labels?

Every organization has a classification system for its internal documentation that helps to sort documents into separate groups – public, internal, and confidential. Sensitivity labels are a real-life translation of this classification. They help companies apply a specific policy to certain documents depending on their classification.

Sensitivity labels are a means to classify your organization’s data in a way that shows how sensitive the data is. This helps you reduce risks in sharing information that shouldn’t be accessible to anyone outside your organization or department. Applying sensitivity labels allows you to protect all your data easily. 

Sensitivity labels appear to users as tags applied to a document or email, and they are:

Customizable: Based on your organization’s specific needs, you can create categories for various levels of sensitivity when it comes to your data. An example of those levels can be Personal, Public, General, Confidential and Highly Confidential.

Clear text: Labels are stored in clear text format in the metadata for your content – files and emails, so third-party apps and services can read it and, if required, apply their protective actions.

Persistent: Because labels are essentially a part of the metadata for your files and emails, they roam with the content. In other words, once you apply a sensitivity label, it remains with its assigned content. That includes the protection settings regardless of where it’s stored or saved, serving as the basis for enforcing your configured policies.

As already mentioned, to users, sensitivity labels appear as tags on emails and documents while using Office apps. So the labels seamlessly integrate into users’ workflows without extra work. It’s also important to know that each item can have both a separate sensitivity label applied to it and a retention label.

Sensitivity labels vs. Teams classification labels

Sensitivity labels and classification labels, known as Azure Active Directory group classification, are not the same. The latter is a text string that can be associated with a Microsoft 365 group, but it doesn’t have an actual policy connected to it. These classification methods are used as metadata and in order to enforce any policy associated with a specific label, you need to use additional tools and scripts. Sensitivity labels, on the contrary, automatically enforce the policies connected with each label. They do it through the 365 Groups platform, the compliance center, and Teams services. 

If your organization is now using classification labels, the following documentation – Classic Azure AD group classification – will help you migrate those to sensitivity labels.

How can you use sensitivity labels?

When you configure a sensitivity label for a file or email, any protection setting you set for that specific content will be enforced on end-users. You can apply sensitivity labels to:

●      Encrypt and protect your data from being accessed by unauthorized parties. You can also set and choose permissions for all. For example, accessing the file, editing them or apply labels themselves. Similarly, you can forbid access to a certain file after some time. 

●      Mark content: based on your needs, you can apply watermarks, headers and footers to documents and emails.

●      Apply sensitivity labels automatically or recommend applying them: you can decide how to identify sensitive information and either apply a sensitivity label automatically or recommend users to do so themselves. 

You can use Teams sensitivity labels in your organization to set privacy levels: public or private. For example, you can configure a “Confidential” sensitivity label for team creation, which keeps the team private. When selected by users, these teams can only be Private teams, meaning that users will need permissions to enter it. You can do the same for the opposite case scenario. Create a sensitivity label named “General” with the configuration set to Public and Org-wide team options.

You can configure sensitivity labels in Teams to also control and limit guest access. This allows you to prevent important confidential information from being visible to anyone outside your organization. Configuring and applying similar sensitivity labels within your organization will ensure higher data security for your company without compromising team-wide efficiency and collaboration.

How to set up labels for files and emails? 

To set up, publish and manage sensitivity labels, make sure you have access to Microsoft 365 Security & Compliance Center. 

  1. Open Microsoft 365 Security & Compliance Center, go to Classification and select Sensitivity labels from the dropdown.
Microsoft 365 Security and Compliance center
  1. Click Create a label and fill in all the necessary information as shown in the pictures below
  1. Next, you need to define the scope for your sensitivity label to determine where this specific sensitivity label will be visible.
  1. Now you need to configure the protection settings for files and emails using encryption and/or content marking.
  1. If encryption is one of your configuration settings, you can choose to assign permissions to users or user groups. You can also set time restrictions to files that have this label assigned. 

Similarly, follow the guidelines on content marking if you want to add a specific watermark, header, or footer to your files.

If you want to automatically label or recommend users to label certain files with this sensitivity label, you can enable auto-labeling. By doing so, you choose conditions on when/in which cases they should apply a sensitivity label to a document. You can choose conditions from existing or trainable sensitive information types to set your classifiers. 

  1. Follow the steps to define protection settings and accesses for internal and external users. You can also control the external sharing and device accesses to ensure these classified files are not available to unauthorized parties.
  1. Finally, review your settings and click Create label when you’re ready.

 If you see the below screen after submitting, your sensitivity label was successfully created.

Expedite the process with Collaboration templates 

Going through these steps for every single one of your teams can be really time consuming. To save your time and energy, you can use the SalesTim app. It allows you to create a template team with all the configurations that you need including sensitivity labels. When you set up the sensitivity labels at the template level, whenever you create new teams from the template, the files shared in those teams will have the sensitivity label specified during the template creation. 

Sensitivity labels are crucial when it comes to ensuring privacy and avoiding any types of data breaches. All organizations deal with information flow from a number of channels, apps, services and devices. It’s important to set forth actions that can prevent the unauthorized access to your organization’s internal data. Office Sensitivity labels are by far one of the most straightforward and effective ways to accomplish that.

Feature image created by pch.vector – www.freepik.com

Read Related Blog Posts