Study Guide Series: Exam MS-500 – Manage Sensitivity Labels (Part 2)

This post is part of the overall MS-500 Exam Study Guide. Links to each topic as they are posted can be found here.

This post will cover the following exam topics listed under the “Manage Sensitivity Labels” section:

  • Configure and use label analytics
  • Use sensitivity labels with Teams, SharePoint, OneDrive and Office apps

Configure and Use Label Analytics

To get started, navigate to the “Data Classification” section of the Microsoft 365 Compliance Center. From here, we can view insights into Sensitivity and Retention Labels applied throughout the organization along with Sensitive Information Types and DLP matches that have been detected. For legacy Azure Information Protection Labels we can also follow the steps provided to create a Log Analytics workspace to track AIP usage if it is in use.

We can also view more details of each of the dashboards to get insights into where labels are applied.

Content Explorer

To get insights into the data in the organization without relying on labelling, we can use the “Content Explorer” tab. From here we can view both labels and sensitive information types by location, drilling down to individual items. To use the Content Explorer, the “Content Explorer List Viewer” or “Content Explorer Content Viewer” role is required to view a summary of results or item details respectively.

Use Sensitivity Labels with Teams, SharePoint, OneDrive and Office Apps

To use Sensitivity labels within the different applications there are a few prerequisites that need to be in place depending on where we want to enable labelling.

In the previous post we looked at publishing Sensitivity labels to provide site / group classification and user classification. To ensure users can use sensitivity labels with Microsoft Teams, Office 365 Groups, etc., follow the instructions in my previous post to update the Azure AD directory settings, enabling the “EnableMIPLabels” setting on the “Group” Directory Setting.

To enable Sensitivity Labels for SharePoint and OneDrive (Web Apps), we can either run the PowerShell command “Set-SPOTenant -EnableAIPIntegration:$true” in the SharePoint Online Management Shell, or turn the feature on using the dialog below in the Compliance Center.

Turn on now button to enable sensitivity labels for Office Online
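The two tenant-level prerequisites above can be checked before they are changed. The following is an added example, not code from the original post: it assumes the AzureADPreview and SharePoint Online Management Shell modules are installed, that the “Group” directory setting is the one named “Group.Unified” in the AzureADPreview module, and it uses a placeholder admin URL.

```powershell
# Added example: verify, then enable, label support for Groups/Teams and SharePoint/OneDrive.
# Assumptions: AzureADPreview + Microsoft.Online.SharePoint.PowerShell modules are installed,
# and the signed-in account can change directory and SharePoint tenant settings.
$AdminUrl = 'https://contoso-admin.sharepoint.com'   # placeholder tenant admin URL

Connect-AzureAD | Out-Null
Connect-SPOService -Url $AdminUrl

# 1. Groups / Teams: EnableMIPLabels on the Group.Unified directory setting
$setting = Get-AzureADDirectorySetting | Where-Object DisplayName -eq 'Group.Unified'

if (-not $setting) {
    # No settings object exists in this tenant yet: build one from the template
    $template = Get-AzureADDirectorySettingTemplate |
        Where-Object DisplayName -eq 'Group.Unified'
    $setting = $template.CreateDirectorySetting()
    $setting['EnableMIPLabels'] = 'True'
    New-AzureADDirectorySetting -DirectorySetting $setting | Out-Null
}
elseif ($setting['EnableMIPLabels'] -ne 'True') {
    # Settings object exists but labels are off: flip only this value
    $setting['EnableMIPLabels'] = 'True'
    Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting
}

# 2. SharePoint / OneDrive web apps: only write the setting if it is not already on
if (-not (Get-SPOTenant).EnableAIPIntegration) {
    Set-SPOTenant -EnableAIPIntegration $true
}

# 3. Read both values back so the final state can be recorded as change evidence
$check = Get-AzureADDirectorySetting | Where-Object DisplayName -eq 'Group.Unified'
[pscustomobject]@{
    EnableMIPLabels      = $check['EnableMIPLabels']
    EnableAIPIntegration = (Get-SPOTenant).EnableAIPIntegration
}
```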

To enable labels in the Office suite, there are two methods. The easiest is to ensure you have deployed the Microsoft 365 Apps for Business/Enterprise suite and that it is up to date. Functionality may differ between older versions; the tables below from Microsoft detail the versions and functionality.


Sensitivity label capabilities in Word, Excel, and PowerPoint

The numbers listed are the minimum Office application version required for each capability.

| Capability | Windows | Mac | iOS | Android | Web |
|---|---|---|---|---|---|
| Manually apply, change, or remove label | 1910+ | 16.21+ | 2.21+ | 16.0.11231+ | Yes – opt-in |
| Apply a default label | 1910+ | 16.21+ | 2.21+ | 16.0.11231+ | Yes – opt-in |
| Require a justification to change a label | 1910+ | 16.21+ | 2.21+ | 16.0.11231+ | Yes – opt-in |
| Provide help link to a custom help page | 1910+ | 16.21+ | 2.21+ | 16.0.11231+ | Yes – opt-in |
| Mark the content | 1910+ | 16.21+ | 2.21+ | 16.0.11231+ | Yes – opt-in |
| Dynamic markings with variables | 2010+ | 16.42+ | 2.42+ | 16.0.13328+ | Under review |
| Assign permissions now | 1910+ | 16.21+ | 2.21+ | 16.0.11231+ | Yes – opt-in |
| Let users assign permissions | 2004+ | 16.35+ | Under review | Under review | Under review |
| View label usage with label analytics and send data for administrators | Preview: Current Channel (Preview) | Preview: Current Channel (Preview) | Under review | Under review | Yes * |
| Require users to apply a label to their email and documents | Preview: Rolling out to Current Channel (Preview) | Preview: Rolling out to Current Channel (Preview) | Under review | Preview: Beta Channel | Under review |
| Apply a sensitivity label to content automatically | 2009+ | Rolling out: 16.44+ | Under review | Under review | Yes – opt-in |
| Support AutoSave and coauthoring on labeled and encrypted documents | Under review | Under review | Under review | Under review | Yes – opt-in |

Footnote:

* Currently, doesn’t include justification text to remove a label or lower the classification level

Sensitivity label capabilities in Outlook

The numbers listed are the minimum Office application version required for each capability.

| Capability | Outlook for Windows | Outlook for Mac | Outlook on iOS | Outlook on Android | Outlook on the web |
|---|---|---|---|---|---|
| Manually apply, change, or remove label | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes |
| Apply a default label | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes |
| Require a justification to change a label | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes |
| Provide help link to a custom help page | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes |
| Mark the content | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes |
| Dynamic markings with variables | Under review | Under review | Under review | Under review | Under review |
| Assign permissions now | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes |
| Let users assign permissions | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes |
| Require users to apply a label to their email and documents | Preview: Current Channel (Preview) | 16.43+ | Under review | Under review | Yes |
| View label usage with label analytics and send data for administrators | Preview: Current Channel (Preview) | Preview: Current Channel (Preview) | Under review | Under review | Yes |
| Apply a sensitivity label to content automatically | 2009+ | 16.44+ | Under review | Under review | Yes |

To make Sensitivity Labels available to standalone Office suite installations, we need to also install the Unified Labelling Client to provide the functionality.

Summary

We’ve now looked at creating Sensitivity Labels, deploying them, monitoring their application and making them available to users. Sensitivity Labels also play a part in other aspects of Microsoft 365 such as DLP, which we will visit in another post. For more information on Sensitivity Labels, check out the documentation below.

Learn about sensitivity labels – Microsoft 365 Compliance | Microsoft Docs

Get started with sensitivity labels – Microsoft 365 Compliance | Microsoft Docs

Restrict access to content using sensitivity labels to apply encryption – Microsoft 365 Compliance | Microsoft Docs

Automatically apply a sensitivity label to content in Microsoft 365 – Microsoft 365 Compliance | Microsoft Docs

Use sensitivity labels with Microsoft Teams, Microsoft 365 groups, and SharePoint sites – Microsoft 365 Compliance | Microsoft Docs
