Microsoft 365. Protecting and managing sensitive information

Microsoft 365 users may need to create and access information from different physical locations via different apps running on different devices. Protecting sensitive information while maintaining collaboration capabilities becomes a key consideration.

Microsoft Information Protection (MIP) is a framework of products, services, and features such as Azure Information Protection, Cloud App Security and Windows Information Protection that help provide information protection. There have been – and continue to be – many developments in MIP. We will start with an understanding of what is meant by classifying documents and emails before moving on to look at some of these new developments.

Classifying documents and emails

One of the key areas of information protection is sensitivity labels in Office 365. When an organisation deploys sensitivity labels in Office 365, users can manually classify documents and emails using these labels. For example, in the figure below, a user is assigning a sensitivity label named ‘General’ to a document in Microsoft Word via the ‘Sensitivity’ button on the ribbon.

Sensitivity labels are customisable; an organisation defines its sensitivity labels based on its needs. It is possible to configure sensitivity labels to apply classifications only, or to include protection as well as classification. The protection for each label is also customisable. For example, a label named ‘Confidential’ might restrict access to a document to company employees only. It does this by applying encryption to the document. The classification and protection stay with the document, even if the document leaves the organisation.

Sensitivity labels can include visual markings in the document if required. These come in the form of headers, footers, and watermarks. More advanced scenarios can consider the automatic or recommended application of sensitivity labels. For example, suppose that an organisation determines that information regarding ‘Project X’ is sensitive information and configures a sensitivity label accordingly. Microsoft Word detects the sensitive information text ‘Project X’ in the document and recommends that the user classifies the document accordingly.

Microsoft provides features and licensing information for Azure Information Protection in its topic titled Azure Information Protection pricing.

Protecting information in Exchange Online

Email has historically been a common way to send information outside of the organisation. Although sharing files externally from SharePoint Online or OneDrive for Business is possible in Office 365, controlling file attachments in email may also still be a consideration for organisations.
Transport rules in Exchange Online can help control the flow of information in specific scenarios. For example, suppose there exists a need to prevent users from sending emails marked with the ProjectX sensitivity label to external recipients. Exchange Online transport rules can help achieve this requirement as shown below.
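
One way to build the ProjectX rule described above from Exchange Online PowerShell (an added example, not taken from the original article). It assumes the ExchangeOnlineManagement module is installed and that labelled messages carry the label GUID in the msip_labels header; the GUID, rule name and rejection text are placeholders.

```powershell
# Added example. Assumes the ExchangeOnlineManagement module and an account
# permitted to manage mail flow (transport) rules.
Connect-ExchangeOnline

# Placeholder: replace with the GUID of your own ProjectX sensitivity label
# (shown in the label's details in the compliance portal).
$labelGuid = '00000000-0000-0000-0000-000000000000'
$ruleName  = 'Block ProjectX label to external recipients'   # hypothetical name

$ruleParams = @{
    Name                            = $ruleName
    # Condition 1: at least one recipient is outside the organisation.
    SentToScope                     = 'NotInOrganization'
    # Condition 2: the message carries the label in its msip_labels header.
    HeaderContainsMessageHeader     = 'msip_labels'
    HeaderContainsWords             = "MSIP_Label_${labelGuid}_Enabled=True"
    # Action: reject the message and tell the sender why.
    RejectMessageReasonText         = 'ProjectX content may not be sent to external recipients.'
    RejectMessageEnhancedStatusCode = '5.7.1'
    # Start in audit mode: matches are logged but mail is still delivered,
    # so the rule can be checked against real traffic before it blocks anything.
    Mode                            = 'Audit'
}

# Create the rule only if one with this name does not already exist.
$existing = Get-TransportRule | Where-Object { $_.Name -eq $ruleName }
if ($existing) {
    Write-Warning "Rule '$ruleName' already exists (mode: $($existing.Mode))."
} else {
    New-TransportRule @ruleParams
}

# Once the audit results look right, switch the rule to blocking:
# Set-TransportRule -Identity $ruleName -Mode Enforce
```

This rule matches on the label of the email message itself; a labelled document attached to an unlabelled email needs a separate condition on the attachment's properties.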

What about SharePoint Online and information protection?

Previously it has been possible to configure information rights management in SharePoint Online document libraries. However, there have been limitations with this approach. For example, features such as document co-authoring, search, and eDiscovery did not work with encrypted files in SharePoint Online. Therefore, uploading unprotected (non-encrypted) documents to a document library was typical to support these features. With information rights management configured against a document library, protection and encryption were applied when documents were downloaded from that library.

A new feature currently in preview aims to solve these challenges. SharePoint Online now recognises sensitivity labels applied to Office files. Furthermore, when downloading documents that contain sensitivity labels, those sensitivity labels remain with the items and their settings are enforced.
Further good news is that with this preview feature the web versions of Word, Excel, and PowerPoint now support sensitivity labels too.

And there’s more good news! Another new feature currently in preview gives the ability to apply sensitivity labels to Microsoft Teams, Office 365 Groups and SharePoint sites. When defining sensitivity labels, options are available to control privacy, external user access and unmanaged device access settings. Choosing the label against an Office 365 group or SharePoint site will cause these settings to apply.

For example, the user below selects a new team to contain confidential material. The label configuration means that the new team must be a private team.

Extending information protection capabilities to other services, such as Microsoft Cloud App Security, is possible too.

In a future article, we will look at information protection integration with other services as well as how to approach deploying information protection across the organisation.
