This post is part of the overall MS-500 Exam Study Guide. Links to each topic as they are posted can be found here.
This post will cover the following exam topics listed under the “Manage Sensitivity Labels” section:
- Configure and use label analytics
- Use sensitivity labels with Teams, SharePoint, OneDrive and Office apps
Configure and Use Label Analytics
To get started, navigate to the “Data Classification” section of the Microsoft 365 Compliance Center. From here, we can view insights into Sensitivity and Retention Labels applied throughout the organization along with Sensitive Information Types and DLP matches that have been detected. For legacy Azure Information Protection Labels we can also follow the steps provided to create a Log Analytics workspace to track AIP usage if it is in use.
We can also view more details of each of the dashboards to get insights into where labels are applied.
Content Explorer
To get insights into the data in the organization without relying on labelling, we can use the “Content Explorer” tab. From here we can view both labels and sensitive information types by location, drilling down to individual items. To use the content explorer, the “Content Explorer List Viewer” or “Content Explorer Content Viewer” are required to view a summary of results or details respectively.
Use Sensitivity Labels with Teams, SharePoint, OneDrive and Office Apps
To use Sensitivity labels within the different applications there are a few prerequisites that need to be in place depending on where we want to enable labelling.
In the previous post we looked at publishing Sensitivity labels to provide site / group classification and user classification. To ensure users can use sensitivity labels with Microsoft Teams / Office 365 Groups etc, follow the instructions in my previous post to update the Azure AD directory settings, enabling the “EnableMIPLabels” setting on the “Group” Directory Setting.
To enable Sensitivity Labels for SharePoint and OneDrive (Web Apps), we can either run the Powershell Command: “Set-SPOTenant -EnableAIPIntegration:$true” in the SharePoint Online Management Shell, or turn on using the below dialog in the Compliance Center.
To enable in the Office suite, there are two methods. The easiers is to ensure you have deployed the Microsoft 365 Apps for Business/Enterprise suite and that it is up to date. Functionality may differ between older versions, check out the below tables from Microsoft which detail the versions and functionality.
Sensitivity label capabilities in Word, Excel, and PowerPoint
The numbers listed are the minimum Office application version required for each capability.
Footnote:
* Currently, doesn’t include justification text to remove a label or lower the classification level
Sensitivity label capabilities in Outlook
The numbers listed are the minimum Office application version required for each capability.
| Capability | Outlook for Windows | Outlook for Mac | Outlook on iOS | Outlook on Android | Outlook on the web |
|---|---|---|---|---|---|
| Manually apply, change, or remove label | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes |
| Apply a default label | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes |
| Require a justification to change a label | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes |
| Provide help link to a custom help page | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes |
| Mark the content | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes |
| Dynamic markings with variables | Under review | Under review | Under review | Under review | Under review |
| Assign permissions now | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes |
| Let users assign permissions | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes |
| Require users to apply a label to their email and documents | Preview: Current Channel (Preview)) | 16.43+ | Under review | Under review | Yes |
| View label usage with label analytics and send data for administrators | Preview: Current Channel (Preview) | Preview: Current Channel (Preview) | Under review | Under review | Yes |
| Apply a sensitivity label to content automatically | 2009+ | 16.44+ | Under review | Under review | Yes |
To make Sensitivity Labels available to standalone Office suite installations, we need to also install the Unified Labelling Client to provide the functionality.
Summary
We’ve now looked at creating Sensitivity Labels, deploying them, Monitoring their application and making them available to users. Sensitivity Labels also play a part in other aspects of Microsoft 365 such as DLP which we will visit in another post. For more information on Sensitivity Labels, check out the below documentation.
Learn about sensitivity labels – Microsoft 365 Compliance | Microsoft Docs
Get started with sensitivity labels – Microsoft 365 Compliance | Microsoft Docs
Sean McAvinue 
Pingback: Study Guide Series – Exam MS-500: Microsoft 365 Security Administration – Sean McAvinue
Pingback: Deploying Office 365 Sensitivity Labels for the First Time – Keep It Simple, Stupid! – Sean McAvinue