Posted by Reading time: 2 minutes
Introduction
When classifying information, the classification levels’ order (or priority) is important. This is quite self-explanatory: Secret is higher than Confidential and Confidential is higher than Public. And Microsoft Purview Information Protection supports this by using a label hierarchy.
It also allows organizations to require employees to give a justification when information is declassified or the current label is replaced by a label that is lower in the hierarchy. By the way: label actions are also logged in the Microsoft 365 Unified Audit log.
But there is one other reason why the label hierarchy becomes more important. And this is when we also start to use sensitivity labels on the Groups & sites level. This type of label does not influence the documents within these groups & sites (you can use the default label on the document library for this – E5 function). However, there is an integration between the two functions.
This is most noticeable when our employees receive email messages like these.
What happened here? Well, I believe the message itself is self-explanatory. The label on the document is higher in the hierarchy than the label on the SharePoint Online site level. And let’s check this out in Purview. Quick note: this is an demo environment that does not reflect a real production-like environment 🙂
As we can see, the message is correct. The Teams confidential label has a lower priority than the Interne onderzoeken label. Note that this priority works from 0 – lowest to highest and not vice versa.
In this example, my labels are part of a parent-label/sublabel hierarchy. But sometimes organizations only use the parent-level hierarchy. And this is when it becomes more tricky. Let’s take a look at two scenarios.
Scenario 1
In this scenario, all site labels are lower than any item-level labels. When a document labeled with any item label is placed on a site with any of these site labels, the e-mail message will be sent. Not a very good place to be.
Scenario 2
In this scenario, all site labels have a higher priority than any item label. In this case, you will never get an email. But more importantly (I believe): the check for a mismatch will never function correctly.
What to do?
I have read people suggesting to suppress the e-mail notifications using DLP or Exchange Online e-mail rules. And I can understand that Microsoft should or could offer tenant admins the option to opt out of these messages. But I do think this falls under the “don’t shoot the messager” analogy. User awareness for working with sensitive information is a good thing and this notification only helps. But you do need to explain this of course.
Also, ensure that your Groups and sites (site-)labels are part of the hierarchy. These labels are also meant to indicate a specific level of sensitivity, so make them a part of this. So make sure the labels you use have the correct priority.
This will require you to start using sublabels. And this means that you will not be able to use the parent label for classification once this parent label has sublabels.
Rearranging the priority
You can edit the priority of the labels in the Microsoft Purview portal. You can either move them up or down (or top/bottom) and assign the priority.
I am not sure if assigning the new priority works for any tenant. I think this does require additional licensing, as I noticed an error when trying this in an E3-type tenant.
In all
Although I understand when organizations want to use a “parent-labels only” approach, I have some reservations about this. For one: you will end up in the situation described above. Also, parent labels with a higher priority are mostly used to protect (very) sensitive content. To be able to differentiate between the different types of sensitive content, you will need to start using sub-labels.
But you can start out with the parent-label hierarchy. But beware of the messaging when you enable the Groups & sites labels later.
Information security and compliance 