How to classify data using labels in Microsoft 365

Information protection labels are a great way to add an additional layer of security to certain files, SharePoint sites, and emails. Once a document or email carries a label, the label can encrypt it or apply a watermark. A label can be applied manually to documents and emails, or automatically based on a sensitive info type. For example, you can configure a label to be applied automatically if the document contains a credit card number.

But let's dig in and start the setup.

Enable labeling for Teams, SharePoint sites, and Microsoft 365 Groups

Before you can apply labels to Teams, SharePoint sites, or Microsoft 365 Groups, you first need to do some one-time configuration of your Microsoft 365 tenant.

1. Open PowerShell on your computer as an administrator.

2. Run the following command in PowerShell: "Install-Module ExchangeOnlineManagement". If prompted to install NuGet, type Y and press Enter. When prompted to install from the 'PSGallery', type A and press Enter.

Install-Module ExchangeOnlineManagement

3. Run the following command in PowerShell: "Install-Module AzureADPreview". When prompted to install from the 'PSGallery', type A and press Enter.

Install-Module AzureADPreview

4. Run the following command in PowerShell: "Connect-AzureAD". Enter your global admin username and click Next. Enter your password and click Sign in. If MFA is required, complete the MFA.

Connect-AzureAD

5. Copy and paste the following PowerShell to configure the settings:

$grpUnifiedSetting = (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ)
$Setting = $grpUnifiedSetting
if ($grpUnifiedSetting.Values) {
    # A Group.Unified directory setting already exists: just turn the flag on
    $Setting["EnableMIPLabels"] = "True"
    Set-AzureADDirectorySetting -Id $grpUnifiedSetting.Id -DirectorySetting $Setting
} else {
    # No setting exists yet: create one from the Group.Unified template with the flag on
    $TemplateId = (Get-AzureADDirectorySettingTemplate | where { $_.DisplayName -eq "Group.Unified" }).Id
    $Template = Get-AzureADDirectorySettingTemplate | where -Property Id -Value $TemplateId -EQ
    $Setting = $Template.CreateDirectorySetting()
    $Setting["EnableMIPLabels"] = "True"
    New-AzureADDirectorySetting -DirectorySetting $Setting
}

Set Group Settings for labels

6. Run the following command in PowerShell: "Connect-IPPSSession". Enter your global admin username and click Next. Enter your password and click Sign in. If MFA is required, complete the MFA.

Connect-IPPSSession

7. Run the following command in PowerShell: "Execute-AzureAdLabelSync".

Execute-AzureAdLabelSync

8. Run the following command in PowerShell: "Install-Module Microsoft.Online.SharePoint.PowerShell". When prompted to install the modules from 'PSGallery' type A then press enter.

Install-Module Microsoft.Online.SharePoint.PowerShell

9. Run the command "Connect-SPOService -Url https://gruber14-admin.sharepoint.com/", but first replace gruber14 with your own tenant name. You can get the proper URL from the address bar of your SharePoint admin center. Enter your global admin username and click Next. Enter your password and click Sign in. If MFA is required, complete the MFA.

Connect-SPOService -Url https://gruber14-admin.sharepoint.com/

10. Run the following command "Set-SPOTenant -EnableAIPIntegration $true". When prompted to confirm type Y then click Enter.

Set-SPOTenant -EnableAIPIntegration $true

11. Go to the Microsoft Compliance admin center in the browser. Then go to Information protection > Labels. Click Turn on.

Azure purview

12. Click Yes.

Turn on labeling for Azure Purview
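Before moving on it is worth reading the three switches back rather than assuming they took. The script below is an added example and not part of the original post; it assumes the Connect-AzureAD, Connect-IPPSSession and Connect-SPOService sessions from steps 4, 6 and 9 are still open, and it only reads settings (the ContentType property on Get-Label output is the one that lists the scopes a label covers).

```powershell
# Added verification script; not from the original post. Assumes the Connect-AzureAD,
# Connect-IPPSSession and Connect-SPOService sessions from steps 4, 6 and 9 are still open.

function Get-MipLabelingState {
    # Azure AD: read EnableMIPLabels from the Group.Unified directory setting, if one exists
    $grp = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
    $mip = if ($grp) { ($grp.Values | Where-Object { $_.Name -eq "EnableMIPLabels" }).Value } else { $null }

    # SharePoint Online: read the tenant-wide AIP integration flag set in step 10
    $aip = (Get-SPOTenant).EnableAIPIntegration

    [pscustomobject]@{
        GroupUnifiedSettingExists = [bool]$grp
        EnableMIPLabels           = $mip
        EnableAIPIntegration      = $aip
    }
}

$state = Get-MipLabelingState
$state | Format-List

if (-not $state.GroupUnifiedSettingExists) {
    Write-Warning "No Group.Unified directory setting yet; re-run the block in step 5."
} elseif ($state.EnableMIPLabels -ne "True") {
    Write-Warning "EnableMIPLabels is '$($state.EnableMIPLabels)'; labels will not appear on Teams, groups or sites."
}
if (-not $state.EnableAIPIntegration) {
    Write-Warning "EnableAIPIntegration is off; run Set-SPOTenant -EnableAIPIntegration `$true (step 10)."
}

# Security & Compliance: list the labels the tenant knows about and the scopes each one covers.
# ContentType is the Get-Label property that lists those scopes (for example File, Email, Site, UnifiedGroup).
Get-Label | Select-Object DisplayName, Priority, ContentType | Format-Table -AutoSize
```

If the last table is empty, Execute-AzureAdLabelSync in step 7 has nothing to sync yet, which is expected before the first label is created in the next section.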

Setting up a label

Before we begin setting up the label you'll need to know one more thing. There are two parts to setting up a label. The first is the label configuration: the name, the details users see, and what happens when something is marked with the label. The second part is publishing the label, which determines who can use it.

How to create a label

1. Go to the Microsoft Compliance admin center > Information protection > Labels > Create a label.

Create a label in Microsoft 365

2. Enter a name for the label, a display name, and a description for users. Then click Next.

Name the label and provide a description

3. Leave all three scopes checked. Click Next.

Scope the labels

4. Click Encrypt files and emails. Click Next.

Encrypt files and emails

5. Click Assign permissions > Add all users and groups in your organization > Save > Next.

Assign permissions to all internal users in Microsoft 365

6. Click the auto-labeling for files and emails switch. Click Add > Sensitive info types. Scroll down and click the checkbox next to Credit Card Number. Click Add > Next.

Auto label everything with a credit card

7. Click the Checkbox next to Privacy and external user access settings. Click the checkbox next to External sharing and Conditional Access settings. Click Next.

protection settings for groups and sites

8. Click Private. Click Next.

Define privacy and external user access settings

9. Check the Control external sharing from labeled SharePoint sites checkbox. Select the Only people in your organization radio button. Click Next.

Define external sharing and conditional access settings

10. Click Create label. Then click Done.

Publish the label

1. Go to the Compliance admin center > Information protection > Label policies > Publish label.

Publish label

2. Click Choose sensitivity labels to publish > Company employees only > Add > Next.

Choose sensitivity labels to publish

3. Click Next until you are on the Name your policy page.

4. Enter the name of Company internal only. Click Next.

Name your policy

5. Click Submit.

That's it. Wait 24 hours for your label to be published. Or you can skip the wait time...

Skip the 24-hour delay and use your labels immediately

So you just published a label or maybe you made a change to a label and you need to make the label available immediately. What do you do? Have no fear, PowerShell is here!

1. Open PowerShell as an admin.

2. Run the following command in PowerShell: "Install-Module ExchangeOnlineManagement". If prompted to install NuGet, type Y and press Enter. When prompted to install from the 'PSGallery', type A and press Enter.

Install the Exchange Online PowerShell Module

3. Run the following command in PowerShell: "Connect-ExchangeOnline". Enter your global admin username and click Next. Enter your password and click Sign in. If MFA is required, complete the MFA.

Connect-ExchangeOnline

4. Run the following PowerShell command. It starts the Managed Folder Assistant on every mailbox except the discovery search mailbox, which is what pushes the new label policy out:

Get-Mailbox -ResultSize unlimited | ?{$_.Name -notlike 'DiscoverySearchMailbox*'} | %{ Start-ManagedFolderAssistant $_.UserPrincipalName }

5. Wait a couple of minutes and close and re-open your Office app.

Manually apply the label

So now we've published the label but how do we manually apply it to a document? Well, it's pretty easy.

1. Open Word on a computer that is connected to your Microsoft 365 tenant.

2. Click Sensitivity > Company employees only.

Apply sensitivity label

Automatically applied labels

Remember earlier when we created the label we set up the "Auto apply the label" if the content contained a credit card? Let's test it out now.

1. Open a new Microsoft Word document.

2. Type the following in.

Margie's Travel,
I have received updated credit card information for Spencer.
Spencer Badillo
Visa: 4111 1111 1111 1111
Expires: 2/2012
Please update his travel profile.

3. Save the document to your OneDrive.

You should automatically see the following:

your organization automatically applied the sensitivity label
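The number in the test document is not arbitrary: the built-in Credit Card Number sensitive info type only considers a 13 to 19 digit string a candidate if it passes the Luhn (mod 10) checksum, and then looks for supporting evidence nearby such as the card brand and an expiration date, which is why the text includes "Visa" and "Expires". The function below is an added example (not code from the post or from Microsoft) that reproduces the checksum step, so you can tell in advance whether a test number you construct is even eligible to match; the three sample strings are constructed for this example.

```powershell
# Added example (not from the original post): a Luhn (mod 10) checksum check, the validation step
# the built-in Credit Card Number sensitive info type applies to candidate digit strings.
function Test-LuhnChecksum {
    param([Parameter(Mandatory)][string]$Number)
    $digits = $Number -replace '[\s-]', ''            # strip the spaces and dashes people type in documents
    if ($digits -notmatch '^\d{13,19}$') { return $false }
    $sum = 0
    $double = $false
    # Walk right to left, doubling every second digit and folding two-digit results (e.g. 14 -> 5)
    for ($i = $digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$digits[$i]
        if ($double) {
            $d *= 2
            if ($d -gt 9) { $d -= 9 }
        }
        $sum += $d
        $double = -not $double
    }
    return ($sum % 10) -eq 0
}

# Constructed sample inputs: the number from the test document above plus two that should not match.
$samples = @(
    '4111 1111 1111 1111',   # test number from the post; passes Luhn
    '4111 1111 1111 1112',   # last digit changed; fails Luhn
    '1234 5678 9012 3456'    # arbitrary digits; fails Luhn
)
foreach ($s in $samples) {
    $verdict = if (Test-LuhnChecksum $s) { 'passes Luhn (eligible to match)' } else { 'fails Luhn (rejected before keyword checks)' }
    Write-Host ("{0,-20} {1}" -f $s, $verdict)
}
```

Passing the checksum is necessary but not sufficient: a bare valid number with no card keyword or date near it matches only at a lower confidence, so when testing auto-labeling keep the surrounding evidence in the document as the sample text does.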

Review the settings

Now that we've created our first label let's go back and review some of the settings.

1. Go to the Microsoft 365 Compliance admin center > Information protection > Labels > click the label you just created. Click Edit label.

Edit the label

Name and create a tooltip for your label


The Display name is what appears to users in the Sensitivity drop-down. The Description for users is what appears when a user hovers over the label with their mouse. Click Next.

Label display name and description

Define the scope for this label


On the Define the scope for this label page you can see three options. Checking Files & emails makes the label available in Word, Excel, PowerPoint, and Outlook. Checking Groups & sites makes the label available for Microsoft 365 Groups and SharePoint sites. Lastly, checking Schematized data assets makes the label available in Azure. Click Next.


Choose protection settings for files and emails

On the Choose protection settings for files and emails page, you can see two options. These options define what happens when a document or email is marked with the label. You can either encrypt the document or email, or mark the content. Marking the content lets you add a watermark, text in the header, or text in the footer. Check the Mark the content of files box and click Next.

Encryption

Encryption options

On the encryption page, you have a number of options.

First, you can add or remove encryption. If you choose to remove encryption, that's the only setting on the page.

If you're adding encryption then you have a whole list of options.

  • Assign permissions now or let users decide: This setting lets you choose exactly who can access content carrying this label, or lets the person applying the label decide.
    • Assign Permissions: This is where you set who can access the content. All users and groups includes only users inside your organization. Authenticated users means external users can still access the content, but they must authenticate first. The users, emails, and domains options are more self-explanatory.
  • User access to content expires: You can automatically remove permissions on a date, or a number of days after the label is applied. In short, if you want the label to grant users access to the content for X days or until a specified date, set this.
  • Allow offline access: Do you want users to be able to open the content while they aren't connected to the internet? If so, you can also set how long they can keep using it offline before they must check back in with Microsoft 365.
  • Assign permissions: Here is where you choose who has access to the content the label encrypts. You can add all users in your organization, any authenticated users, or specific users and groups. Lastly, you can choose specific email addresses or domains.
  • Use Double Key Encryption: Double Key Encryption requires another service, which you control, to provide the second key. Because Microsoft never holds that key, these files aren't accessible to Microsoft.

Note: if an external user receives an email with the following error, you'll need to resend the email without the label, or update the label's Assign permissions setting to include authenticated users.

The message you tried to open is protected with Information Rights Management. The sender didn't give you the rights necessary to view the message. To open this message on behalf of another user, use Outlook.

Click Next.

Content marking


On the content marking page you choose which markings you want on documents: a watermark, which goes across every page; a header, which shows at the top of every page; and a footer, which appears at the bottom of every page. Click Next.

Auto-labeling for files and emails


The auto-labeling is exactly how it sounds. It will automatically apply the label based on the sensitive info type. The sensitive info types are the same types that can be used in data loss prevention (DLP) policies. There are a number of options here so let's dig in.

  • Detect content that matches these conditions: In this section you decide what content to look for. For example, you can choose credit card numbers, passport IDs, banking information, addresses, etc. You can also choose how many instances are required before auto-labeling kicks in. For example, you may allow users to send one credit card number in an email or file, but require the label after that. You can also choose multiple sensitive info types, and decide whether a match on any one of them is enough or all of them must be found. For example, you may create a label that requires encryption for any credit card number OR social security number, or one that requires encryption only when a person's name AND a U.S. address are both present.
  • When content matches these conditions: In this section you have two options. First, you can automatically apply the label or only recommend that it be applied. The next box is the message displayed to the user when the content matches the sensitive info types. You can leave this box blank to have a default message appear.

Click Next.

Define protection settings for groups and sites


The next part is about how the label applies to Microsoft Teams, Microsoft 365 groups, and SharePoint sites. Don't worry about not seeing many options here. In short, this page is saying "What options do you want to see?" If you check the "Privacy and external user access settings" checkbox you'll see another page about configuring it and the same thing goes for "External sharing and Conditional Access settings". For now, let's leave both checkboxes checked and jump into the settings on the next couple of pages. Click Next.

Define privacy and external user access settings


You'll only see this page if you had "Privacy and external user access settings" checked on the page before. On this page you set how the Team or group is shared. Note: this page doesn't affect SharePoint sites. In the Privacy section you define who can join the team or group. For example, you can let anyone in your organization join, or you can lock it down so that team owners have to add the members. In short, should only invited users see the content, or can anyone in your organization see it? Finally, there is the External user access checkbox, which allows group owners to add people outside your organization as guests. In short, should teams with this label allow sharing with people who aren't in your organization? Click Next.

Define external sharing and conditional access settings

You'll only see this page if you had "External sharing and Conditional Access settings" checked on the "Define protection settings for groups and sites" page. Note: this page only affects SharePoint sites. It sets the external sharing allowed on SharePoint sites flagged with this label. In short, you can restrict a SharePoint site so it can only be shared with specific users. Note: these settings won't stop someone from attaching a document to an email and sending it out that way. It works similarly to the privacy and external user settings on the previous page.

SharePoint sites have one other option: you can make them accessible only from computers that are hybrid Azure AD joined to your environment, in other words domain-joined computers. By checking the Use Azure AD Conditional Access to protect labeled SharePoint sites checkbox you can set which devices are allowed to access the SharePoint site.

Label policies

Next, let's go over all the policy options for a label. Go to Microsoft Compliance admin center > Information protection > Label policies. Click the label policy you created earlier and click Edit policy.

How to edit a label policy

Choose sensitivity labels to publish


On the first page you'll see one option, Sensitivity labels to publish. This is simply asking which labels this policy applies to. Click Next.

Publish to users and groups


The Publish to users and groups page is simply asking which users the label will be available to. If you add a user here, they will be able to set the label on their sites, documents, and emails.

Important: You can publish labels to individual users, but only to certain kinds of groups: groups that have email addresses (distribution groups, Microsoft 365 groups, and mail-enabled security groups). You can't publish a label to a plain security group. The groups can have dynamic membership.

Click Next.

Policy settings

Information protection label Policy settings

On the policy settings page, you have a number of options.

  • Users must provide a justification to remove a label or lower its classification: This setting requires a user to enter some text in a text box every time they remove the label. A user can type anything, but typically they'll put something like "Document no longer contains credit card information".
  • Require users to apply a label to their emails and documents: Here is where you can require a user to label all of their emails and documents. If you use this setting, make sure to have a couple of different labels the users can apply.
  • Require users to apply a label to their Power BI content: Same as above, but for Power BI content.
  • Provide users with a link to a custom help page: This is a great way to share information about the labels, when to use them, and why to apply them. You can easily create a SharePoint site that's accessible to everyone in your organization and put the URL here.

Click Next.

Apply a default label to documents


The only option on this page is Apply this default label to documents. It's exactly how it sounds: it will automatically apply the label to every Office document saved in your Microsoft 365 environment by the users you selected on the "Publish to users and groups" page. The dropdown will only contain the labels you selected on the "Choose sensitivity labels to publish" page. Click Next.

Apply a default label to emails


There are two options on this page. The Apply this default label to emails option is exactly how it sounds: it automatically applies a label to any email sent from your Microsoft 365 environment. The other option, Require users to apply a label to their emails, requires a user to select one of the labels every time they send an email. If you check that box, make sure you have a couple of labels available for the users to choose from. Click Next.

Policy settings for sites and groups


I won't waste your time. These settings are exactly the same as Apply a default label to emails above, except they affect SharePoint sites and Microsoft 365 groups. Click Next.

Apply a default label to Power BI content (preview)


I won't waste your time. These settings are exactly the same as Apply a default label to documents above, except they affect Power BI content like reports, dashboards, and datasets. Click Next.

Name your policy


On this page you'll see the policy name, but it's greyed out. In short, you can't change the name of a label policy once it's set up. You can still set the description.

Label Priority

The last thing you'll need to know about information protection labels is label priority. First, a piece of content can only have one label. In short, that's because labels would otherwise "fight" each other: what if one label encrypted a document and another decrypted it? It would be a nightmare.

Second, default labels will always take priority over mandatory labels. In short, a label set as the default is applied before the sensitive info type automatically applies a label, so the default label is applied first and won't be automatically removed.

Lastly, order matters. If you look at the labels you'll notice they all have an Order. The labels at the bottom of the list have higher priority than those at the top. Let's take an example. Say someone uploads a document with a higher priority label to a site that carries a lower priority label. What happens? The action isn't prevented, but the user who made the move and the owners of the site both get emails, and they can then work to remediate the issue. In short, put your least restrictive labels at the top and the most restrictive labels at the bottom.

How to change the label priority

1. Go to the Compliance admin center > Information protection > Labels page.

2. Click the ellipsis (...) next to the label. Click Move up or Move down.

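The same reordering can be done and, more usefully, checked from Security & Compliance PowerShell, where each label's Order shows up as a numeric Priority. The script below is an added example, not code from the post; it assumes an open Connect-IPPSSession from earlier and uses the post's label name "Company employees only" as a stand-in for whichever label you want to make the most restrictive (Set-Label -Identity takes the label's Name, so substitute the Name value from the table it prints).

```powershell
# Added example (not from the original post). Assumes an open Connect-IPPSSession.
# Lower Priority numbers sit at the top of the Labels page; the highest number is the most
# restrictive and wins when labels conflict, matching the "least restrictive at the top" advice.

function Get-LabelPriorityTable {
    Get-Label | Sort-Object Priority | Select-Object Priority, DisplayName, Name
}

Write-Host "Current label order:"
Get-LabelPriorityTable | Format-Table -AutoSize

# Move one label to the bottom of the list, i.e. give it the highest Priority number.
$labelName = 'Company employees only'   # the label from the post; substitute your label's Name from the table
$highest = (Get-Label | Measure-Object -Property Priority -Maximum).Maximum
Set-Label -Identity $labelName -Priority $highest

Write-Host "Order after the change:"
Get-LabelPriorityTable | Format-Table -AutoSize
```

Running the first table alone is a cheap periodic check that nobody has quietly moved an encrypting label above a less restrictive one in the admin center.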

See how labels are applied

Reporting on how labels are applied

Lastly, auditing. Let's take a look at who's applying labels and how many labels are being applied automatically. Go to the Compliance admin center > Reports. From this page you can see a number of reports. Typically the reports take 24 hours to populate, so you may need to wait a day or so before you see any data. To see whether labels are being applied manually or automatically, click "How Labels Were Applied".
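The built-in reports answer "how many", but when you want to know who removed a label from what, the unified audit log is the place to look. The query below is an added example and not part of the original post; it assumes the Connect-ExchangeOnline session from the "Skip the 24-hour delay" section, that audit logging is turned on for the tenant, and that the label operation names listed match what your tenant records (confirm them against one event you triggered yourself before relying on the filter).

```powershell
# Added example (not from the original post). Assumes an open Connect-ExchangeOnline session and
# that unified audit logging is enabled. Operation names are the sensitivity label events as I know
# them; verify them against a label action you performed yourself before trusting the filter.
$start = (Get-Date).AddDays(-7)
$end   = Get-Date
$ops   = @('SensitivityLabelApplied', 'SensitivityLabelRemoved',
           'FileSensitivityLabelApplied', 'FileSensitivityLabelRemoved')

$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops -ResultSize 5000

# AuditData is a JSON string; parse it to pull out the actor and the object the label was set on.
$rows = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $d.CreationTime
        User      = $d.UserId
        Operation = $d.Operation
        Object    = $d.ObjectId
    }
}

# Who applies or removes labels, and how often: a quick way to spot a user stripping labels in bulk.
$rows | Group-Object User, Operation | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Label removals deserve a closer look; list them newest first.
$rows | Where-Object { $_.Operation -like '*Removed' } |
    Sort-Object Time -Descending | Format-Table -AutoSize
```

If you have the justification setting from the policy settings page turned on, the reason the user typed is recorded with the removal event as well, which turns this list into something you can actually review.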

That's it. That's all there is to information protection labels!