Microsoft Purview Information Protection – Q1 2023

Reading time: 2 minutes

Introduction

Developments in the cloud can be very hard to keep track of. In this blog article, I want to focus on the developments for Microsoft Purview Information Protection, in the 1st quarter of 2023. Most of the features described are either rolling out or in preview. Private preview or NDA components are not covered, of course 🙂

First off – the Microsoft Purview Compliance center now shows the options for Information protection in the left-hand side menu, instead of in the dashboard. This can be handy but needs some getting used to.

Features

One of the most important changes this quarter is the disabling of the AIP Unified Labeling client add-in for Office/Microsoft 365 apps. Beginning with version 2302 of these apps, the Unified Labeling client will be deactivated and we will need to start using the built-in client. To read more, see this blog article.

The other important development was the arrival of Teams Premium. And Information Protection is part of this solution in multiple ways. To read more, see this blog article.

In the meantime, one addition is added for restricting copying chat in protected meetings for external users and users who join a chat but weren’t invited to the meeting. Don’t you just hate it when that happens, by the way 🙂

From a functional perspective, Microsoft spends more time on the feature parity between the Unified Labeling client and the built-in client. This makes perfect sense as we are moving away from the add-in part of the Unified Labeling client. Many features that have been available only for the Unified Labeling client are becoming available for the built-in client. And as the Unified Labeling client is in maintenance mode, this client will not receive any more new functionality.

The ability to label PDF documents has been included in the Adobe Acrobat (not Reader!) applications for some time. Adobe Acrobat Reader and Microsoft Edge can now open labeled and protected PDFs. And with the built-in client, a labeled Office document will retain its label when it is saved to PDF.  A new Office setting does allow you to disable this pdf function if needed.

General Available

Some of the General Available functions, as per Microsoft Learn:

• For Windows, the sensitivity bar and label colors are now generally available for Word, Excel, PowerPoint, and Outlook.
• Both Outlook for Windows and Outlook for Mac are rolling out in general availability for protected meetings.
• Now in general availability for built-in labeling for Windows, support for a default sublabel for a parent label as a parity feature for the AIP add-in.
• For labeling built into Windows, macOS, iOS, and Android, auditing actions for sensitivity labels include encryption details such as a change in the encryption status and settings, and the Rights Management owner.
• For Windows, built-in labeling supports organization-wide custom permissions as a parity feature for the AIP add-in.

Preview

There are some functions we still need to wait for or need to try out. Or, in other words: preview functions. One of these functions is scoped labels. At present, you can scope a sensitivity label to either items (which are documents and emails), sites/groups, and schematized data assets (using the other Microsoft Purview).

You might notice that the item part does not differentiate between documents and emails. And this is somewhat of a bummer. Sometimes you might need labels that are specifically aimed at email messages. But at this moment, Outlook will also show document-based labels.

In this example, we can see the Highly Confidential labels. Most are scoped to documents and emails. The labels Financial information and Revoke access 1 day have not been scoped to email and this is the result in Word and Outlook:

Word

Outlook

So, one of the new preview functions is to enable differentiation. In other words: you can now create labels that are specifically used and selected in the specific app. So in Outlook, you will see the email labels and not the document labels. And visa versa.

Other current preview functions that can be used or requested, are to enable more feature parity with the Unified Labeling client. These include:

The implementation of pop-up messages to warn, justify or block email messages in the Outlook app. This was possible in the Unified Labeling client but required an advanced setting using PowerShell. Be aware that this is configured in Microsoft Purview Data Loss Prevention, in the “Policy tips” and “Allow overrides” sections of the DLP policy. In this policy, you need to use the sensitivity label in the condition.

Also, label inheritance from email attachments is in preview. This feature will check the label on email attachments and apply the highest label to the email itself. This is configured in the Information Protection policy.

Other preview functions, per Microsoft Learn:

• The sensitivity bar and label colors should become available in all Microsoft 365 Apps and for Windows/MacOS;
• Azure AD Administrative Units are supported. Please see this blog article;
• Auditing actions for sensitivity labels include encryption details such as a change in the encryption status and settings, and the Rights Management owner.

Other news

This is not really new, but still worth mentioning. The so-called AIP Scanner can no longer be configured using the Azure Portal. Instead, you will need to go to the Purview Compliance portal and Settings. Here you will find the new Information protection scanner GUI..

A sensitivity label can be configured to set the default sharing link in SharePoint Online. When a document that has been labeled with this sensitivity label is shared, this setting will configure the default label. To configure this, you do not need (or can) use the GUI. This configuration requires the use of PowerShell. This is the specific cmdlet:

Set-Label -Identity <labelid> -AdvancedSettings @{DefaultSharingScope="SpecificPeople"}

In this case, the default link will be for Specific People.

Well – I hope this article helps. I will try to create another article on other Purview components, and for the next quarter(s) of the year as well.