Once published users can apply them to content created in SharePoint Online, OneDrive and Exchange Online. The focus of this blog is to highlight some of the features and benefits of Auto-Labelling in M365.
Depending on the configuration of the Sensitivity Labels, there is an element of reliance upon end users to classify the content appropriately. Alternative options would be to either have a default label configured or use the Auto-Labelling feature. Since the default label will not always match the content being generated, it is a good idea to let M365 label the content based on the content created.
Auto-Labelling allows a user to focus on content creation. No end user training is required, and your organisation can be confident content is classified appropriately. Appropriate classification also helps to improve the security and compliance policies which can be implemented based on the label applied. Auto-Labelling will not override a user applied label unless it is of a lower priority than the one identified by M365.
CLIENT-SIDE AUTO LABELLING
There are couple of ways in which Auto-Labelling can be implemented. Notably Client-side and Service-side labelling. With client-side, a label can be recommended or automatically applied, however the user may choose to reject the recommended label and apply their own, providing flexibility.
The unified labelling client in Office applications like Word, Excel, PowerPoint, Outlook and Azure Information Protection, support the client-side Auto-Labelling feature. With emails, Auto-Labelling also comes in to play when a user replies to or forwards an email. The client side Auto-Labelling has no delays as the content is labelled even before it is saved or sent. It is worth noting not all the client-side applications support the Auto-Labelling feature.
SERVICE-SIDE AUTO-LABELLING
Unlike client-side, the service-side labelling is applied by services rather than an application, so the user is unaware of the classification/ labelling process. It is configured by the IT Administrator and is applied organisation wide. Hence it does not matter which application or version of an application is in use by the end user.
There is no label recommendation feature with service-side Auto-Labelling as there is no client interaction. The service-side Auto-Labelling feature is applied to documents and emails in transit, i.e., as the documents are created and saved in SharePoint Online or OneDrive and in emails sent through Exchange Online. Service-side Auto-Labelling can be implemented retrospectively on documents stored in SharePoint Online and OneDrive only; however, they cannot be applied to existing emails in a user’s mailbox which haven’t previously been classified or labelled. The following table from Microsoft outlines the differences between client-side or service-side implementation of the Auto-Labelling feature in M365.
Feature or behaviour | Label setting: Auto-labelling for files and emails | Policy: Auto-labelling |
Application dependency | Yes (minimum versions) | No |
Restrict by location | No | Yes |
Conditions: Exact Data Match for custom sensitive info types | Yes | No |
Conditions: Trainable classifiers | Yes | No |
Conditions: Sharing options and additional options for email | No | Yes |
Conditions: Exceptions | No | Yes (email only) |
Recommendations, policy tooltip and user overrides | Yes | No |
Simulation mode | No | Yes |
Exchange attachments checked for conditions | No | Yes |
Apply visual markings | Yes | Yes (email only) |
Override IRM encryption applied without a label | Yes, if the user has the minimum usage right of Export | Yes (email only) |
Label incoming email | No | Yes |
Limitations to keep in mind when using the auto-labelling feature:
- 25,000 Auto-Labelled files per day in the tenancy
- 1,000,000 matched files per Auto-Labelling policy
- 100 Auto-Labelling policies per tenant
This information will hopefully make it easy to decide how the Auto-Labelling feature could be incorporated into your organisation.
Curious how the CIA Triad framework could be used to augment your security posture, check out this blog by my colleague Rahul Singh.