This article is contributed. See the original author and article here.

Ensure secure collaboration in scalable way with Microsoft Information Protection


Microsoft Information Protection is a built-in, intelligent, unified, and extensible solution to protect sensitive data across your enterprise – in Microsoft 365 cloud services, on-premises, third-party SaaS applications, and more. Microsoft Information Protection provides a unified set of capabilities to know your data, protect your data, and prevent data loss across Microsoft 365 apps (e.g. Word, PowerPoint, Excel, Outlook) and services (e.g. Teams, SharePoint, and Exchange).


Microsoft Information Protection’s sensitivity labels are central to how your business-critical data is protected, in a persistent way, throughout its lifecycle. Labels can be applied to protect documents (e.g. to encrypt an Excel file) and to containers (e.g. to restrict access to a confidential team or site from unmanaged devices).


We recently announced the general availability of both manual labeling in Office apps across all platforms and of automatic labeling for documents stored in SharePoint and Teams.


Today, we are excited to announce the general availability of sensitivity labels for Teams, SharePoint sites, and Microsoft 365 Groups. You can now associate a sensitivity label with policies related to privacy, external user membership, and unmanaged device access.


With users constantly creating and sharing sensitive data in Teams and on SharePoint sites, this capability allows for holistically securing sensitive content whether it is in a file or in a chat by managing access to these containers. This powerful capability, along with manual and auto-labeling of documents on SharePoint and Teams, helps you scale your data protection program to meet the proliferation of data and the challenge of secure collaboration while working remotely.


The first step to securing sensitive content in teams, sites and groups is to create sensitivity labels with policies. For example, you can create a sensitivity label called “Confidential” and specify that any team, site, or group created with this label will be private, that even a team or site owner cannot add users external to the organization and that unmanaged devices will be allowed web access only.


Figure 1: Admin specifying access policies during label creationFigure 1: Admin specifying access policies during label creation


Now a user creating a team, or a site can choose from your published labels, and all the underlying policies will apply automatically to that team or site. For example, if a user selects the “Confidential” label during a team creation, this new team will automatically restrict access to approved members in the organization and prevent addition of people external to the organization.


Figure 2: When team owner applies “Confidential” label, team and associated site are automatically set as privateFigure 2: When team owner applies “Confidential” label, team and associated site are automatically set as private


After a user creates the team, this “Confidential” label will appear in the upper-right corner of all channels within this team. Now, if users visit the SharePoint site associated with this team, they will also see the “Confidential” label, and all applied policies.


This capability enables you to protect sensitive content in a team or SharePoint site by managing people and device access to these containers. If you want to apply label-based encryption to protect individual documents stored in a team or SharePoint site, you can use auto-labeling or manual labeling. Together these powerful Microsoft Information Protection capabilities enable organizations to scale their data protection programs across a vast amount of data.


We are continuously expanding the capabilities of Microsoft Information Protection. You can see in this recent blog a summary of some of the investments we’ve made in the last two months. To learn more about the capability covered in this blog:

  • Read our online documentation with instructions to opt-in, configuration details, and links to a webinar with demos.
    • If you are using AAD classification, read this documentation for next steps
    • To see which apps and services support this capability, read this documentation page. To apply these labels on OneDrive, start here
  • This capability is included with Microsoft 365 E3 and Office 365 E3 plus AAD Premium P1 and above. Learn more about required licensing. If you are new to Microsoft 365, learn how to try or buy a subscription.
  • Please note that auto-labeling individual documents stored in team or SharePoint site requires either Microsoft 365 E5 or Compliance E5 or Information Protection & Governance E5 add-on SKU.

As you navigate this challenging time, we have additional resources to help. For more information about securing your organization in this time of crisis, visit our Remote Work site.


We’re here to help in any way we can.


Thank you!


Sesha Mani, Principal Group Program Manager, Microsoft 365 services


Tony Themelis, Principal PM Manager, Microsoft Information Protection


Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.

%d bloggers like this: