Indrajit (Freddie) Bulsara - 08.11.202120211108

Sensitivity Labels (Auto-Labelling)

Once published users can apply them to content created in SharePoint Online, OneDrive and Exchange Online. The focus of this blog is to highlight some of the features and benefits of Auto-Labelling in M365.

Depending on the configuration of the Sensitivity Labels, there is an element of reliance upon end users to classify the content appropriately. Alternative options would be to either have a default label configured or use the Auto-Labelling feature. Since the default label will not always match the content being generated, it is a good idea to let M365 label the content based on the content created.

Auto-Labelling allows a user to focus on content creation. No end user training is required, and your organisation can be confident content is classified appropriately. Appropriate classification also helps to improve the security and compliance policies which can be implemented based on the label applied. Auto-Labelling will not override a user applied label unless it is of a lower priority than the one identified by M365.

CLIENT-SIDE AUTO LABELLING

There are couple of ways in which Auto-Labelling can be implemented. Notably Client-side and Service-side labelling. With client-side, a label can be recommended or automatically applied, however the user may choose to reject the recommended label and apply their own, providing flexibility.

The unified labelling client in Office applications like Word, Excel, PowerPoint, Outlook and Azure Information Protection, support the client-side Auto-Labelling feature. With emails, Auto-Labelling also comes in to play when a user replies to or forwards an email. The client side Auto-Labelling has no delays as the content is labelled even before it is saved or sent. It is worth noting not all the client-side applications support the Auto-Labelling feature.

SERVICE-SIDE AUTO-LABELLING

Unlike client-side, the service-side labelling is applied by services rather than an application, so the user is unaware of the classification/ labelling process. It is configured by the IT Administrator and is applied organisation wide. Hence it does not matter which application or version of an application is in use by the end user.

There is no label recommendation feature with service-side Auto-Labelling as there is no client interaction. The service-side Auto-Labelling feature is applied to documents and emails in transit, i.e., as the documents are created and saved in SharePoint Online or OneDrive and in emails sent through Exchange Online. Service-side Auto-Labelling can be implemented retrospectively on documents stored in SharePoint Online and OneDrive only; however, they cannot be applied to existing emails in a user’s mailbox which haven’t previously been classified or labelled. The following table from Microsoft outlines the differences between client-side or service-side implementation of the Auto-Labelling feature in M365.

Feature or behaviour	Label setting: Auto-labelling for files and emails	Policy: Auto-labelling
Application dependency	Yes (minimum versions)	No
Restrict by location	No	Yes
Conditions: Exact Data Match for custom sensitive info types	Yes	No
Conditions: Trainable classifiers	Yes	No
Conditions: Sharing options and additional options for email	No	Yes
Conditions: Exceptions	No	Yes (email only)
Recommendations, policy tooltip and user overrides	Yes	No
Simulation mode	No	Yes
Exchange attachments checked for conditions	No	Yes
Apply visual markings	Yes	Yes (email only)
Override IRM encryption applied without a label	Yes, if the user has the minimum usage right of Export	Yes (email only)
Label incoming email	No	Yes