question

johnwilliams-4177 avatar image
0 Votes"
johnwilliams-4177 asked JoeThach-8587 commented

Azure Information Protection Watermark Visability

After a watermark is applied to word document by the azure information protection scanner, will that watermark be visible to someone that doesn't have the unified labeling client installed?
Does the label have to be published to a user for the watermark to be visible?

azure-information-protection
· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

I'm checking with the AIP team on this one to confirm the expected behavior. I would think that it would be but this very old feature request makes me uncertain: https://feedback.azure.com/forums/34192--general-feedback/suggestions/18672193-azure-information-protection-watermark

0 Votes 0 ·
MarileeTurscak-MSFT avatar image
1 Vote"
MarileeTurscak-MSFT answered

The scanner doesn't apply visual markings to documents. See the following from https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels-office-apps?view=o365-worldwide#when-office-apps-apply-content-marking-and-encryption

Solutions that apply sensitivity labels to files outside Office apps do so by applying labeling metadata to the file. In this scenario, content marking from the label's configuration isn't inserted into the file but encryption is applied.

When those files are opened in an Office desktop app, the content markings are automatically applied by the Azure Information Protection unified labeling client when the file is first saved. The content markings are not automatically applied when you use built-in labeling for desktop, mobile, or web apps.

Scenarios that include applying a sensitivity label outside Office apps include:

  • The scanner, File Explorer, and PowerShell from the Azure Information Protection unified labeling client

  • Auto-labeling policies for SharePoint and OneDrive

  • Exported labeled and encrypted data from Power BI

  • Microsoft Cloud App Security

For these scenarios, using their Office apps, a user with built-in labeling can apply the label's content markings by temporarily removing or replacing the current label and then reapplying the original label.

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

johnwilliams-4177 avatar image
0 Votes"
johnwilliams-4177 answered JoeThach-8587 commented

"The scanner doesn't apply visual markings to documents." So are you saying that the information scanner does not apply published sensitivity labels that could be configured to apply watermarks?

Doesn't this statement contradict:

Scenarios that include applying a sensitivity label outside Office apps include:
The scanner, File Explorer, and PowerShell from the Azure Information Protection unified labeling client

What am I missing?

· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

My understanding is that the AIP scanners can apply the sensitivity labels to the files (by updating the meta data, and encrypt the files as per the pre-configured policy). However, if the associated sensitivity label also contains content marking (header, footer, watermarking), the content marking will only be applied after the files are opened in an O365 application (Word, Excel, PowerPoint...) on a machine with the unified labeling client installed, and the file is then saved.
If you open a file labelled by the AIP scanner on a computer without unified labeling client, you can see the correct sensitivility label (with encryption if applied), but content marking won't be visible, unless the file has been opened and saved on a computer with the client installed. I hope it helps.

0 Votes 0 ·