Information Protection news


Introduction

Due to some personal health issues, I’ve been quite silent on this blog. But now I have finally got some time and energy to write some things down. So in this post I will share some new (and some not so new) changes for Microsoft Purview Information Protection [MPIP]. Hope you enjoy these.

Show sensitive content

To be honest, I have been waiting in my EU tenant for this function for quite some time now. This function is great for awareness on working with classified or sensitive information. Normally, when MPIP detects sensitive information, it will simply suggest a sensitivity label or provide a suggestion. But without any context as to what triggered this. No longer!

When sensitive information is detected that is part of an auto-labeling setting in the label, Office shows where the information is and why this triggered the labeling. This is a very subtle, but very powerful new function.


New client

Wait, what??? Microsoft released a new Information Protection client? But the client was in non-maintenance mode and the Office add-in was already deprecated? What is this about a new client?

Well, yes – there is a new client available if you need to have the functions (classify, label, protect) available in the Windows desktop. This includes the MPIP Viewer client and the relevant PowerShell cmdlets.

To be fair – I think it makes sense to release the client as many organizations still have the requirement to use the MPIP functions from the Windows File Explorer. And as the Unified Labeling client (2.x) has been put into non-maintenance mode, this new client has the 3.x version number.

And good news: the client works great from the Windows 11 File Explorer. You no longer need to go to the More options | Classify and Protect. Now, the option is available directly and the description makes more sense, when compared to the “Classify and protect” of the 2.x version.

Other changes to the new client include a renaming of some PowerShell cmdlets. In short: the “AIP” has been dropped. So the Get-AIPFileStatus cmdlet is now the Get-FileStatus cmdlet. Also, this client does not include any Office add-in. Which is somewhat of a no-brainer.
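Existing automation that still calls the 2.x cmdlet names will fail once only the 3.x client is installed, so it helps to inventory those calls first. The following is an added example, not code from this post or from Microsoft: `Find-LegacyAipCmdlet` is a hypothetical helper name, the sample script is constructed, and only the Get-AIPFileStatus to Get-FileStatus pair is confirmed by the text above; every other suggestion just applies the same "drop AIP" rule and has to be checked against the new module.

```powershell
# Added example: find legacy 2.x "AIP" cmdlet calls in a script and propose the 3.x name.
# Assumption: only Get-AIPFileStatus -> Get-FileStatus is confirmed by the post; other
# suggestions apply the same "drop AIP" rule and must be verified before use.
function Find-LegacyAipCmdlet {
    param(
        [Parameter(Mandatory)][string]$ScriptText
    )
    $tokens = $null
    $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref]$tokens, [ref]$errors)

    # Walk real command invocations only, so comments and string literals are ignored.
    $commands = $ast.FindAll(
        { $args[0] -is [System.Management.Automation.Language.CommandAst] }, $true)

    foreach ($cmd in $commands) {
        $name = $cmd.GetCommandName()
        if ($name -and $name -match '^(?<verb>[A-Za-z]+)-AIP(?<noun>\w+)$') {
            [pscustomobject]@{
                Line      = $cmd.Extent.StartLineNumber
                Legacy    = $name
                Suggested = '{0}-{1}' -f $Matches.verb, $Matches.noun
                Confirmed = ($name -ieq 'Get-AIPFileStatus')
            }
        }
    }
}

# Constructed sample input: a small labeling script written for the 2.x client.
$sample = @'
# Nightly label report (uses Get-AIPFileStatus)
$status = Get-AIPFileStatus -Path \\fs01\finance
Set-AIPFileLabel -Path C:\Reports\q3.xlsx -LabelId $labelId
Write-Host "Get-AIPFileStatus finished"
'@

Find-LegacyAipCmdlet -ScriptText $sample | Format-Table -AutoSize
```

Rows with `Confirmed` set to False are candidates only; look the suggested name up in the 3.x client's module before changing the script.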


GUI changes

The major GUI change has to be the new Purview portal (https://purview.microsoft.com). It is sleek, I love the fonts and (in my opinion) the navigation is easy to follow. I love that both auto-labeling and publishing policies are now grouped together.

Microsoft has placed the data classification (Classifiers) and insights (Explorers) in both the Information Protection and Data Lifecycle Management portals. Which makes sense and allows for easy navigation. As we all know, data classification is one of the core principles for both solutions, right? 🙂

In the Reports section you will notice the concept of Protection policies. This is a great (preview) feature that works on non-Microsoft 365 data sources (for now only Amazon S3 buckets | Azure SQL databases | Azure Blob storage | Azure Data Lake Storage Gen2). This is great and I cannot wait to take a closer look. But then again – must watch my health as well 🙂 More information: https://learn.microsoft.com/en-us/purview/how-to-create-protection-policy

Getting back to sensitivity labels and going a bit deeper into the settings for a sensitivity label, you will notice that the Encryption option is now (rightly) called Access control. This makes sense, but beware that controlling the access still implies using encryption 🙂


In the label policy for groups and sites, you will notice the new Private team discoverability and shared channel settings. And also the option to set a specific label to channel meetings, when the Team has been labeled using this sensitivity label. This last option is for Teams Premium only.

The ability to discover private teams might sound somewhat weird, but makes sense. Sometimes new Teams are created, because people were unaware of the existence of a similar or nearly similar Team. This setting allows for Teams to be discovered.

The last option controls what type of Teams can be added to shared channels. Do note the subtle mention that these settings do not affect teams that were invited before the label was applied!


Email inheritance

This option is not new. There are PowerShell cmdlets to apply this setting and these cmdlets have been around for quite some time. But the GUI also allows you to set this setting. Again: not new, but I did want to mention this as well.

Things to look forward to

There are multiple things I am looking forward to. The new portal, as described, is one of these. But also some NDA/private preview functions which will be rolling out in the near future. I am particularly interested in the “Guaranteed SharePoint permissions”. This brings the concept of User Defined Permissions in line with permissions on the SharePoint Online site level. No more dedicated labels for every (project)site you provision? Can be; I cannot wait to start looking at this.

Any other news can be found here of course: https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=Microsoft%20Information%20Protection

Final thoughts

I hope you enjoyed this post. As a final thought, just look at the screen I got when I followed the link to “create an account” from the new 3.x client…. Still some work to do in Redmond…
