Sensitivity labels and policies are core components of the Microsoft Information Protection framework. Their main function is to classify and protect sensitive data across your organization. The disposition of data, whether it resides within documents or emails, is defined using these sensitivity labels. Additionally, the policies guide how to apply these labels. In essence, through the establishment and implementation of sensitivity labels and policies, organizations can effectively protect their critical data.
The MS-101 exam “Microsoft 365 Mobility and Security”, which is part of the Microsoft 365 Certified: Enterprise Administrator Expert certification, has specific focus on how to plan and implement these sensitivity labels and policies.
Sensitivity Labels Configuration Overview
Sensitivity labels consist of two basic components
- Metadata – This defines the characteristics of the label such as the label’s name, its tooltip, its description, among others.
- Policy Settings – This sets the behavior of the label such as the encryption settings, content marking, endpoint data loss prevention etc.
The labels once created can then be published via a sensitivity label policy to specific users or groups within the organization. The policy settings include options like the following:
- Label Policy Settings – User scope specification, default label for documents and emails, label recommendations based on content, etc.
- Advanced Settings – Enforcing label usage, assigning permissions for using protected data, etc.
Example:
New-LabelPolicyRule -Name "Sensitive Information" -Condition '{Sensitivity_Label_Eq 'Sensitive'}' -Action '{BlockAccess}' -Assign '{Name[System_Users_Eq 'Contractors']}'
To implement a sensitivity label policy, you navigate from the Microsoft 365 compliance center to Information protection and create a new policy that includes user or group scope, settings for content marking, and more.
Another method to implement sensitivity labels is via PowerShell. In following example, a label and policy are created and applied to the applicable users or groups.
New-Label -Name "Contoso Confidential" -DisplayColor "#FF0000"
New-LabelPolicy -Name "Contoso Label Policy" -AddLabels "Contoso Confidential"
Add-LabelPolicyDistribution -Identity "Contoso Label Policy" -Distribution "All"
While planning and implementing the sensitivity labels and policies, it’s advisable to consider the following key points:
- Identify your sensitive data: Your labeling should reflect the type and degree of sensitivity of your data. You should determine your data classification model before creating your labels.
- Define your label taxonomy: Your labels must match your data, users, and organizational needs while being intuitive and easy to understand.
- Plan the use of protection settings: Your labels may include Protection settings to apply encryption or content marking. It should be defined clearly to which kind of sensitive data these settings will apply.
- Create a pilot group: Test the performance of new policies with small user groups before rolling them out to the entire organization.
- Plan for label changes: Keep in mind that over time, your sensitivity labels may change, needing an effective strategy for handling these changes without user disruption.
- Provide proper training and documentation: Ensure the users in your organization understand the purpose and usage of these labels.
In conclusion, sensitivity labels and policies enable organizations to have granular control over their sensitive data. Planning and implementing them efficiently is an integral part of being competent in managing Microsoft 365 Mobility and Security, and a key component in passing the MS-101 certification exam. Practical experience and comprehensive understanding of the functionalities will ensure you excel in both your exam and in managing your organizational data effectively.
Practice Test
True or False: Sensitivity labels can be used in SharePoint and OneDrive.
- True
- False
Answer: True.
Explanation: With sensitivity labels, you can classify and protect your sensitive content across multiple Microsoft 365 services, including SharePoint and OneDrive.
Which of the following is NOT correct about sensitivity labels?
- A) They can be used to classify data
- B) They can be used to protect data
- C) They can be used to duplicate data
- D) All of the above are correct
Answer: C) They can be used to duplicate data
Explanation: Sensitivity labels are tools aimed to classify and protect data, not to duplicate it.
True or False: Once a sensitivity label is deleted, it gets removed immediately from everywhere, where it was previously applied.
- True
- False
Answer: False
Explanation: After you delete a sensitivity label, it continues to persist wherever it was previously assigned. Deleting a label removes it only from the list of labels that can be assigned.
Which among these services does NOT support sensitivity labels?
- A) Outlook
- B) SharePoint
- C) Teams
- D) Word
- E) Excel
Answer: E) Excel
Explanation: Excel supports sensitivity labels. All listed MS services supports sensitivity labels.
True or False: Sensitivity labels can be auto-applied using keywords.
- True
- False
Answer: True
Explanation: The auto-labeling feature allows sensitivity labels to be applied to content automatically based on certain conditions or keywords.
Sensitivity labels can protect data in which of the following ways?
- A) Encryption
- B) Watermarking
- C) Applying access restrictions
- D) Adding header/footer
- E) All of the above
Answer: E) All of the above
Explanation: Sensitivity labels can be used to apply various types of data protection methods including encryption, watermarking, access restrictions, and adding header and footer details to documents.
True or False: Sensitivity labels and policies are independent and do not impact each other.
- True
- False
Answer: False
Explanation: Sensitivity labels and policies are interdependent. Labels define the classification and protection for sensitive data while policies define how these labels are applied to the data.
What is a crucial aspect of implementing Sensitivity Labels?
- A) Regular reviews and updates
- B) Ignoring user errors
- C) Limiting its use to some applications only
- D) All of the above
Answer: A) Regular reviews and updates
Explanation: As the nature of data and corresponding threats evolve, it’s important to regularly review and update sensitivity labels to ensure effective data protection.
True or False: Sensitivity labels can help organizations meet compliance requirements.
- True
- False
Answer: True
Explanation: Sensitivity labels can help organizations to classify and safeguard sensitive data, helping them to meet compliance requirements.
What happens if a sensitivity label is renamed?
- A) The label will get a new ID
- B) The label will lose its prior associations
- C) The changes are reflected in aligning with relationships and dependencies
- D) The label needs to be manually updated everywhere it was assigned
Answer: C) The changes are reflected in aligning with relationships and dependencies
Explanation: When a sensitivity label is renamed, its ID doesn’t change and it doesn’t lose its previous associations. The renamed label and its new name get reflected in the locations where it was used, forming new relationships and dependencies.
Interview Questions
What is the key function of sensitivity labels in Microsoft 365?
Sensitivity labels in Microsoft 365 allow organizations to classify and protect sensitive content through encryption, visual markings, and access restrictions.
What is the main purpose of a sensitivity policy in Microsoft 365?
A sensitivity policy in Microsoft 365 helps in enforcing the application of sensitivity labels to documents and email throughout an organization, ensuring protection of sensitive information.
What are the primary components that make up a sensitivity label?
The primary components of a sensitivity label include the label name, protection settings like encryption or marking, and the conditions or rules that trigger the label.
In which Microsoft applications can you apply sensitivity labels?
You can apply sensitivity labels in Microsoft applications such as Outlook, Word, Excel, PowerPoint, SharePoint, and Teams.
Can you apply sensitivity labels to containers such as Teams, Office 365 groups, and SharePoint sites?
Yes, you can apply sensitivity labels to containers like Teams, Office 365 groups, and SharePoint sites to control privacy and access levels.
How do you publish a sensitivity label to users or groups?
You can publish a sensitivity label to users or groups by creating a label policy in the Microsoft 365 compliance center or Security and Compliance Center and then specifying the users or groups the policy applies to.
Can sensitivity labels be automatically applied to content?
Yes, sensitivity labels can be automatically applied to content based on defined conditions such as content containing specific types of sensitive information.
How do you modify or update a sensitivity label?
A sensitivity label can be modified or updated from the Microsoft 365 compliance center by selecting “Sensitivity Labels” under “Classifications” and choosing the label you want to modify.
How can you ensure users must provide a justification when changing or removing a sensitivity label?
To ensure users must provide a justification when changing or removing a sensitivity label, set the “Users must provide justification to remove a label or lower classification” setting to ‘on’ when creating the label.
What’s the impact of a sensitivity label on emails?
A sensitivity label on emails can protect sensitive data by enforcing encryption and defining who can access the content, thereby preventing unauthorized access and disclosure.
Can sensitivity labels be used in Power BI?
Yes, sensitivity labels can be used in Power BI. They preserve the applied labels when exporting data from Power BI to Excel, PowerPoint, and PDF formats.
Does a sensitivity label classify content as soon as it is created or modified?
Yes, a sensitivity label can be automatically applied to classify content as soon as it is created or modifies if auto-labeling policies are in place.
How does sensitivity labeling integrate with Microsoft Information Protection?
Sensitivity labeling is a part of Microsoft Information Protection which manages and protects data, both inside and outside the organization, and ensures the data adheres to compliance rules.
What happens when a sensitive label is applied to a Office 365 group or Teams?
When a sensitivity label is applied to an Office 365 group or Teams, it can enforce privacy settings, regulate guest access, and define data encryption requirements.
Can sensitivity labels utilize Azure Information Protection classifications?
Yes, sensitivity labels can utilize Azure Information Protection classifications to define custom policies for data loss prevention and access control.