From the day Azure Information Protection was released, I got a lot of questions on the relationship with Office 365 (retention) labels. Microsoft has since been working on bringing the two platforms together. During Ignite 2018 the tip of this iceberg was revealed.
Consistent labeling. It’s a subject that has been discussed for at least a year now. Many organisations that use Office 365 and are implementing or considering Azure Information Protection are wondering how these two platforms work together.
And this makes sense. It’s somewhat of a no-brainer that documents stored in a (confidential) SharePoint site are protected using Azure Information Protection as well. And also, let’s try to keep the terminology in sync. Two types of labels which act quite differently are not easy to explain.
Some time ago I wrote this blog. It was about how you can create a cohesive and secure environment using the tools that Microsoft offers. Some of these components are the site-classifications, retention labels and Azure Information Protection. But the downside of these tools was that they were not quite ready to work together.
*** Update ***
Please note a little update (October 16th, 2018). To use these new sensitivity labels you will need a new client! This client (available this month) pulls the labels from the Security & Compliance Center. The current client (for AzureIP) will also still be available. But this client does not access these new sensitivity labels.
*** Update ***
And now it’s here. 🙂 During Ignite we finally got a glimpse of the direction Microsoft is taking Office 365 governance labels, site-classifications and Azure Information Protection. The information in this blog is a reflection on this Ignite session, which I highly recommend you watch.
Please note that the screenshots in this blog are from my tenant and differ from the ones in the Ignite video. I really like that new look & feel by the way!
Talking about the new look & feel, check out the new native integration of Azure Information Protection. Microsoft being Microsoft, they have changed the name of the option to “Sensitivity”. This makes sense, and you will notice this name in other (admin) screens as well.
Most of the information in this blog is based on the (private) preview and the information from Ignite. Most of these features are scheduled for General availability (GA) release in the first half of 2019. Targeted release tenants should be able to use the features from December 2018. The new sensitivity labels and native Office experience are only possible using the preview versions of Office. Members of the Office Insider program can access these. I cannot and therefore this is not part of the blog.
Just to make this clear 🙂 I haven’t been able to check out all the functions of these consistent labels. I understand the concept and that’s part of this blog. When I get the chance, I will do a follow-up article.
I’ve provided some links to the Ignite session and the Microsoft documentation pages at the end of this article.
The consistent labels function allows us to bring the functionality of Azure Information Protection into Office 365. Labels (both retention and sensitivity) are now manageable from the Office 365 Security and Compliance Center (or SCC for short). The main focus is Office 365.
You can still use your Azure Information Protection (or AzureIP for short) policies and labels without Office 365, of course. This does not change – you still have your AzureIP labels and policies.
Here are the highlights of this new function.
There are separate labels for retention and protection
Yep. This answers one of my initial questions directly. “Will the AzureIP labels be combined with the retention labels and if so: how?”. Well, the answer is no. In the SCC you will see both types of labels.
Both labels can be managed from the SCC
Please note the word Sensitivity. That’s the name for the AzureIP labels in Office 365 and Office. You’ll notice this when you go to the Classification section of the SCC. It gives a clear overview which shows you any AzureIP labels you already have.
Please note that you will need to convert these labels to consistent labels. Please refer to the links at the end of this article.
If you need to add a label to an AzureIP policy, you still need the AzureIP admin console.
Labels are applied to containers (sites, groups, teams) and/or content
This is great. The sensitivity label works with SharePoint sites, Office Groups and Microsoft Teams. Which means three things.
- You get site-classifications which actually work 🙂 You can set restrictions for accessing the site based on the sensitivity label. In short, it’s using site-collection conditional access policies (see this article on this) – by simply adding a label.
- You can set the label when creating the new site. Notice the nice (new) SharePoint admin-page (by the way)?
- You can adjust the privacy setting for the site (Private/Public) based on the label. Cool!
But you can also connect labels to specific users and Office Groups, so they can use them in Office or using the AzureIP client.
Sensitivity label shows up in SharePoint list as “Sensitivity” column.
Ah yes. This one is nice. This already worked some time ago (remember this), but it was a hassle to configure. Now it simply works. When you add a protected document to a SharePoint library, it will show you the sensitivity.
I haven’t been able to test things like SharePoint IRM and real-time collaboration or search. But stay tuned.
Data loss prevention
Alas – no Office 365 DLP. Instead, you will be able to use a Windows endpoint (Windows 10) to protect labeled content. More functions will probably be added soon.
All right. How does this work in practice? Again, please note that I’m using the current interface for the SCC. Also note that not all options from the AzureIP admin-console are available. The documentation on the Microsoft site gives a good overview.
Do note that a sensitivity label can be used for protecting the container and content. But you can also choose to do either of these two.
Create a label
Like the retention labels, sensitivity labels need to be created and published. These are two different phases. Let’s create a sensitivity label called “GDPR – Privacy sensitive”. You are going to notice that a lot of AzureIP settings are recognizable. Additional options are the Windows 10 DLP and site/group settings.
Encryption is the same as with the AzureIP admin console. Keep in mind that these are encryption settings for content! And that “content expiration” is not the same as content retention. You will need the retention labels for that 🙂
Data loss prevention is based on Windows endpoints. But do note the message in yellow.
Content marking is as easy as in the AzureIP admin-console.
The second-to-last settings are for protecting a site/group or Teams site. Here you can change the privacy setting, set external access and set the conditional access options. These are optional.
I haven’t set any option for auto-labeling. So my label is done. After I save the label, it is available for publishing. But the nice thing is, it’s also available in the AzureIP admin-console. Here’s the same label, from this console.
Some options are only available from this console. For example, changing the color of the label and adding the label to a policy.
Ok. The label can now be used from the SharePoint admin-console to use with sites/groups and teams. But if I want the label to be presented to my users, I will need to publish it. This is also done from the SCC. I can add users or groups and set the settings needed. These are the same settings I would use for an AzureIP policy.
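The two phases described above (create the label, then publish it) can also be scripted. The following is an added example, not part of the original walkthrough, using the Security & Compliance PowerShell cmdlets `New-Label` and `New-LabelPolicy`; the tooltip text, policy name and group address are hypothetical. The last query lists labels that exist but are not in any policy, which is exactly the gap between the two phases.

```powershell
# Added example. Assumes the ExchangeOnlineManagement module is installed and
# the signed-in account holds a compliance administrator role.
Connect-IPPSSession

$labelName = 'GDPR – Privacy sensitive'   # label name used in this article

# Phase 1: create the label. It is now visible to admins (SCC, SharePoint
# admin), but no user sees it in Office until it is published.
if (-not (Get-Label | Where-Object DisplayName -eq $labelName)) {
    # Site/group settings mirror the optional container settings shown above:
    # private site, no guest access. They only take effect when labels for
    # containers are enabled in the tenant.
    New-Label -Name $labelName -DisplayName $labelName `
        -Tooltip 'Contains personal data covered by the GDPR.' `
        -SiteAndGroupProtectionEnabled $true `
        -SiteAndGroupProtectionPrivacy Private `
        -SiteAndGroupProtectionAllowAccessToGuestUsers $false
}

# Phase 2: publish the label to a group of users through a label policy.
# Policy name and group address are hypothetical placeholders.
New-LabelPolicy -Name 'GDPR labels - Privacy team' `
    -Labels $labelName `
    -ExchangeLocation 'privacy-team@contoso.example'

# Check: which labels are created but not published in any policy?
# A policy may list its labels by name or by GUID (assumption about the
# output format), so compare on both.
$published = Get-LabelPolicy | ForEach-Object { $_.Labels }
Get-Label |
    Where-Object {
        $published -notcontains $_.Name -and
        $published -notcontains "$($_.Guid)"
    } |
    Select-Object DisplayName, Name, Guid
```

An empty result from the last command means every label is in at least one policy; any label listed there has been created but is not yet offered to users.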
Wrapping up and more information
I was looking forward to this new function and I will have to take some closer looks in the time to come. I really like the way that a sensitivity label can be used to protect your SharePoint site (or group/teams). I’m really interested in seeing the labels work with Office as well. But I haven’t been able to do so, yet.
If you want more information, then I recommend these articles/sessions.
The roadmap for these functions was presented at Ignite as well.