Enable sensitivity labels for files in SharePoint and OneDrive


Data is one of the most valuable assets for any organization, and it needs to be protected and managed properly. Data can contain sensitive or confidential information, such as personal data, financial data, intellectual property, trade secrets, or regulatory data. To protect and manage data, organizations can use sensitivity labels, which are tags that indicate the level of sensitivity of the data. Sensitivity labels can also apply encryption and access policies based on the sensitivity of the data. For example, a document that contains customer data might have a sensitivity label of 'Confidential,' which means the document is encrypted and only authorized users can access it. Sensitivity labels can help organizations comply with data protection regulations, prevent data leakage, and control data access.

Microsoft Purview is a unified data governance service that helps you discover, catalog, and understand your data across sources. Purview can scan and classify data in various data sources, including SharePoint and OneDrive, which are popular cloud storage and collaboration platforms. However, some data in SharePoint and OneDrive might have encrypted sensitivity labels applied, which means the data is protected with encryption and access policies based on the sensitivity of the data. This training unit explains how SharePoint and OneDrive can process content that has encrypted sensitivity labels applied, and how to enable that processing using the Microsoft Purview compliance portal or PowerShell.

Why do you need to enable sensitivity labels for SharePoint and OneDrive?

There are two primary reasons why an organization must enable sensitivity labels for supported Office files and PDF files in SharePoint and OneDrive:

  • So that its users can apply the company's sensitivity labels in Office for the web.
  • So that SharePoint and OneDrive can process the contents of Office files and PDF documents that were encrypted by using a sensitivity label. The label can be applied in Office for the web or in Office desktop apps and uploaded or saved in SharePoint and OneDrive. Until you enable sensitivity labels for SharePoint and OneDrive, these services can't process encrypted files. As a result, collaborative features such as coauthoring, eDiscovery, data loss prevention, and search won't work for these files.

After organizations enable sensitivity labels for these files in SharePoint and OneDrive, the following conditions apply to new and changed files that have a sensitivity label that applies encryption with a cloud-based key (and doesn't use Double Key Encryption):

  • For Word, Excel, and PowerPoint files, and uploaded PDF files, SharePoint and OneDrive recognize the label and can now process the contents of the encrypted file.
  • When users download or access these files from SharePoint or OneDrive, the sensitivity label and any encryption settings from the label are enforced and remain with the file, wherever it's stored. However, you should ensure that you provide user guidance to use only labels to protect documents. For more information, see Information Rights Management (IRM) options and sensitivity labels.
  • When users upload labeled and encrypted files to SharePoint or OneDrive, they must have at least View usage rights to those files. For example, they can open the files outside SharePoint. If they don't have this minimum usage right, the upload is successful but the service doesn't recognize the label and can't process the file contents.
  • Use Office for the web (Word, Excel, PowerPoint) to open and edit Office files that have sensitivity labels that apply encryption. The permissions that were assigned with the encryption are enforced. You can also use autolabeling for these documents.
  • External users can access documents that are labeled with encryption by using guest accounts. For more information, see Support for external users and labeled content.
  • eDiscovery supports full-text search for these files and data loss prevention (DLP) policies support content in these files.

Warning

If encryption has been applied with an on-premises key (a key management topology often referred to as "hold your own key" or HYOK), or by using Double Key Encryption, the service behavior for processing the file contents doesn't change. So for these files, coauthoring, eDiscovery, data loss prevention, search, and other collaborative Microsoft 365 features won't work. The SharePoint and OneDrive behavior also doesn't change for existing files in these locations that are labeled with encryption using a single Azure-based key. For these files to benefit from the new capabilities after you enable sensitivity labels for Office files in SharePoint and OneDrive, the files must be either downloaded and uploaded again, or edited.

After you enable sensitivity labels for Office files in SharePoint and OneDrive, three new audit events are available for monitoring sensitivity labels that are applied to documents in SharePoint and OneDrive:

  • Applied sensitivity label to file
  • Changed sensitivity label applied to file
  • Removed sensitivity label from file
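The three events above only help if someone looks at them. The following PowerShell script is an added example, not part of the training unit or Microsoft's documentation: it pulls those events from the unified audit log for the past week and summarizes them, with label removals listed first because a removed label can also remove the encryption that was protecting the file. It assumes Exchange Online PowerShell is installed and Connect-ExchangeOnline has already been run by an account with audit-log read access, and that the operation names listed in the script are the ones under which these three events are recorded (verify against the Operation column in your own tenant if results come back empty).

```powershell
# Added example (not from the training unit): collect the three sensitivity-label
# audit events from the unified audit log and summarize them for a weekly review.
# Assumptions (not from the page): Connect-ExchangeOnline has already been run;
# the operation names below are the audit-log names for the unit's three events.

$Operations = @(
    'FileSensitivityLabelApplied'   # "Applied sensitivity label to file"
    'FileSensitivityLabelChanged'   # "Changed sensitivity label applied to file"
    'FileSensitivityLabelRemoved'   # "Removed sensitivity label from file"
)

$start     = (Get-Date).AddDays(-7)
$end       = Get-Date
$sessionId = "label-events-$([guid]::NewGuid())"

# Search-UnifiedAuditLog returns at most 5000 records per call; a session id with
# ReturnLargeSet lets repeated calls page through the remainder until nothing is left.
$records = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -Operations $Operations -ResultSize 5000 `
        -SessionId $sessionId -SessionCommand ReturnLargeSet
    if ($page) { $records += $page }
} while ($page)

# AuditData is a JSON string; expand the common-schema fields every record carries.
$events = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = [datetime]$d.CreationTime
        User      = $d.UserId
        Operation = $d.Operation
        Workload  = $d.Workload      # SharePoint or OneDrive
        File      = $d.ObjectId      # full URL of the labeled file
    }
}

# Removals first: a label that applied encryption no longer protects the file once removed.
$events | Where-Object Operation -eq 'FileSensitivityLabelRemoved' |
    Sort-Object Time -Descending |
    Format-Table Time, User, Workload, File -AutoSize

# Per-user, per-operation counts to spot unusual labeling activity.
$events | Group-Object User, Operation |
    Select-Object @{ n = 'User, Operation'; e = { $_.Name } }, Count |
    Sort-Object Count -Descending
```

Because these events only start appearing after sensitivity labels are enabled for SharePoint and OneDrive, an empty result for the first week after enabling is not by itself a sign that the search is wrong; check the date range and the tenant's audit-log retention before changing the operation names.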

Note

You can disable sensitivity labels for Office files in SharePoint and OneDrive at any time.

Supported file types

After you enable sensitivity labels for SharePoint and OneDrive, the following Office file types are supported for sensitivity labeling scenarios:

  • Applying a sensitivity label in Office on the web or in SharePoint:
    • Word: .docx, .docm
    • Excel: .xlsx, .xlsm, .xlsb
    • PowerPoint: .pptx, .ppsx
  • Uploading a labeled document, and then extracting and displaying that sensitivity label:
    • Word: .doc, .docx, .docm, .dot, .dotx, .dotm
    • Excel: .xls, .xlt, .xla, .xlc, .xlm, .xlw, .xlsx, .xltx, .xlsm, .xltm, .xlam, .xlsb
    • PowerPoint: .ppt, .pot, .pps, .ppa, .pptx, .ppsx, .ppsxm, .potx, .ppam, .pptm, .potm, .ppsm

You can enable support for PDFs for the following scenarios:

Important

Be aware that enabling PDF support can increase the number of files that get automatically labeled with existing auto-labeling policies, which support a maximum of 25,000 files a day.

As with all tenant-level configuration changes for SharePoint and OneDrive, it takes about 15 minutes for the change to take effect.

Enable sensitivity labels for SharePoint and OneDrive using the Microsoft Purview compliance portal

This option is the easiest way to enable sensitivity labels for SharePoint and OneDrive. However, it does require that you sign in as a Global administrator for your tenant.

  1. From the Microsoft 365 admin center, select Compliance in the navigation pane.
  2. In the Microsoft Purview compliance portal, select Information Protection in the navigation pane, and then select Labels.

Note

If you have Microsoft 365 Multi-Geo, you must use PowerShell to enable these capabilities for all your geo-locations. See the next section for details.

Enable sensitivity labels for SharePoint and OneDrive using PowerShell

As an alternative to using the Microsoft Purview compliance portal, you can enable support for sensitivity labels by using the Set-SPOTenant cmdlet from SharePoint Online PowerShell. If you have Microsoft 365 Multi-Geo, you must use PowerShell to enable this support for all your geo-locations.

Before you run the PowerShell command to enable sensitivity labels for Office files in SharePoint and OneDrive, ensure that you're running SharePoint Online Management Shell version 16.0.19418.12000 or later.

If your organization installed a previous version of the SharePoint Online Management Shell from PowerShell gallery, then perform one of the following steps to update the module:

  1. You can update the module by running the following Windows PowerShell cmdlet:

    Update-Module -Name Microsoft.Online.SharePoint.PowerShell
    
  2. Alternatively, you can perform the following steps to uninstall your current version and then download and install the latest version from the Microsoft Download Center:

    1. Go to Add or remove programs and uninstall your current version of the SharePoint Online Management Shell.
    2. In a web browser, go to the Microsoft Download Center page and download the latest SharePoint Online Management Shell.
    3. Select your language and then select Download.
    4. Choose between the x64 and x86 .msi file. Download the x64 file if you run the 64-bit version of Windows or the x86 file if you run the 32-bit version. If you don't know, see Which version of Windows operating system am I running?
    5. After you download the file, run the file and follow the steps in the Setup configuration.

When you have the SharePoint Online Management Shell version 16.0.19418.12000 or later installed, then perform the following steps to enable support for sensitivity labels using PowerShell:

  1. Connect to the SharePoint Online Management Shell using a work or school account that has Global administrator or SharePoint administrator privileges in Microsoft 365. To learn how, see Getting started with SharePoint Online Management Shell.

    Note

    If you have Microsoft 365 Multi-Geo, use the -Url parameter with Connect-SPOService, and specify the SharePoint Online Administration Center site URL for one of your geo-locations.

  2. At the command prompt, run the following command and press Y to confirm:

    Set-SPOTenant -EnableAIPIntegration $true
    
  3. If you have Microsoft 365 Multi-Geo, repeat steps 1 and 2 for each of your remaining geo-locations.
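The module check, the connection, the Set-SPOTenant call, and the Multi-Geo repetition above are one procedure, so the following script is an added example (not from the training unit or from Microsoft) that carries them out end to end and can be re-run safely: it refuses to proceed on a module older than 16.0.19418.12000, connects to each admin-center URL in turn, reads the current state before changing anything, and reports the state it reads back afterwards. The admin-center URLs are placeholders for your own tenant, and it assumes that Get-SPOTenant exposes the EnableAIPIntegration property (the page only mentions setting it with Set-SPOTenant).

```powershell
# Added example (not from the training unit): idempotently enable sensitivity-label
# support for SharePoint and OneDrive, covering Multi-Geo tenants.
# Assumptions (not from the page): the admin-center URLs are placeholders for your
# tenant; Get-SPOTenant exposes EnableAIPIntegration so the current state can be read.

$RequiredVersion = [version]'16.0.19418.12000'   # minimum version named in the unit

# One SharePoint admin-center URL per geo-location; a single-geo tenant lists just one.
$AdminUrls = @(
    'https://contoso-admin.sharepoint.com'      # placeholder: central location
    'https://contosoeur-admin.sharepoint.com'   # placeholder: satellite geo-location
)

# 1. Verify the SharePoint Online Management Shell is installed and recent enough.
$module = Get-Module -ListAvailable -Name Microsoft.Online.SharePoint.PowerShell |
    Sort-Object Version -Descending | Select-Object -First 1
if (-not $module) {
    throw 'SharePoint Online Management Shell is not installed. Run: Install-Module -Name Microsoft.Online.SharePoint.PowerShell'
}
if ($module.Version -lt $RequiredVersion) {
    throw "Module version $($module.Version) is older than $RequiredVersion. Run: Update-Module -Name Microsoft.Online.SharePoint.PowerShell"
}

# 2. Connect to each geo-location and enable the setting only where it is still off.
foreach ($url in $AdminUrls) {
    Connect-SPOService -Url $url     # prompts for a Global or SharePoint administrator sign-in
    try {
        $before = (Get-SPOTenant).EnableAIPIntegration
        if ($before) {
            Write-Host "$url : sensitivity labels already enabled; nothing changed."
        } else {
            # -Confirm:$false stands in for the interactive 'Y' the manual steps ask for.
            Set-SPOTenant -EnableAIPIntegration $true -Confirm:$false
            Write-Host "$url : sensitivity labels enabled; allow about 15 minutes to take effect."
        }
        # Read the setting back so the run log records the resulting state, not the intent.
        [pscustomobject]@{
            AdminUrl             = $url
            EnableAIPIntegration = (Get-SPOTenant).EnableAIPIntegration
        }
    }
    finally {
        Disconnect-SPOService
    }
}
```

Reading the value back matters in a change record: the Set-SPOTenant call does not return the new state, and the warning earlier in this unit means files labeled before the change still need to be edited or re-uploaded before coauthoring, eDiscovery, DLP, and search work on them, so the timestamp of this run is the point from which that applies.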

Knowledge check

Choose the best response for the following question. Then select “Check your answers.”

Check your knowledge

1.

What is the primary purpose of enabling sensitivity labels for SharePoint and OneDrive in an organization?