Sensitivity labels in Office apps

This article describes:

  • Requirements for your environment before you apply sensitivity labels to email, files, and attachments.
  • Which sensitivity label capabilities are supported by each Office app.
  • What happens when you combine sensitivity labels with other Microsoft security and compliance technologies that work with Office apps.
  • How people in your organization can use sensitivity labels when they work with Office apps for Windows and Office apps for the web.
  • Where to go to get people in your organization started with sensitivity labels.

Subscription and licensing requirements for sensitivity labels

Users must have at least one of the following licenses assigned:

The Office built-in labeling client supports sensitivity labels with a subscription version of Office. The client doesn't support standalone versions, for example, Office 2016 or Office 2019.

To use automatic or recommended sensitivity labeling, your users need one of the following licenses:

Support for sensitivity label capabilities in Word, Excel, and PowerPoint

For each capability, the following table lists the minimum version you need for that app. TBD means that you can't use that capability on that platform.

Capability Windows Desktop Mac Desktop iOS Android Web
Manually apply, change, or remove label 1910+ 16.21+ 2.21+ 16.0.11231+ Preview
Apply a default label 1910+ 16.21+ 2.21+ 16.0.11231+ TBD
Require a justification to change a label 1910+ 16.21+ 2.21+ 16.0.11231+ Preview
Provide help link to a custom help page 1910+ 16.21+ 2.21+ 16.0.11231+ Preview
Mark the content 1910+ 16.21+ 2.21+ 16.0.11231+ Preview
Assign permissions now 1910+ 16.21+ 2.21+ 16.0.11231+ Preview
Let users assign permissions TBD TBD TBD TBD TBD
View label usage with label analytics and send data for administrators TBD TBD TBD TBD TBD
Require users to apply a label to their email and documents TBD TBD TBD TBD TBD
Apply a sensitivity label to content automatically Preview: In roll-out to Office Insider TBD TBD TBD Preview
Support AutoSave and coauthoring on labeled and protected documents TBD TBD TBD TBD Preview

Support for sensitivity label capabilities in Outlook

For each capability, the following table lists the minimum version you need for that app. TBD means that you can't use that capability on that platform.

Capability Outlook on Windows Desktop Outlook on Mac Desktop Outlook on iOS Outlook on Android Outlook on the web
Manually apply, change, or remove label 1910+ 16.21+ 4.71+ 4.0.39+ Yes
Apply a default label 1910+ 16.21+ 4.71+ 4.0.39+ Yes
Require a justification to change a label 1910+ 16.21+ 4.71+ 4.0.39+ Yes
Provide help link to a custom help page 1910+ 16.21+ 4.71+ 4.0.39+ Yes
Mark the content 1910+ 16.21+ 4.71+ 4.0.39+ Yes
Assign permissions now 1910+ 16.21+ 4.71+ 4.0.39+ Yes
Let users assign permissions 1910+ 16.21+ 4.71+ 4.0.39+ Yes
View label usage with label analytics and send data for administrators TBD TBD TBD TBD TBD
Require users to apply a label to their email and documents TBD TBD TBD TBD TBD
Apply a sensitivity label to content automatically TBD TBD TBD TBD Preview: In roll-out to Targeted release

About the Office built-in labeling client

The Office built-in labeling client downloads labels and policy settings from the following admin centers:

  • Office 365 Security & Compliance Center

  • Microsoft 365 security center

  • Microsoft 365 compliance center

To use the Office built-in labeling client, you must have one or more label policies published to users from one of the listed admin centers.

However, if users have one of the Azure Information Protection clients installed (unified labeling client or classic client), by default, the built-in labeling client is disabled in their Office apps. To use built-in labeling rather than the Azure Information Protection client for Office apps, disable or uninstall the Office add-in for Azure Information Protection:

  1. Complete one of these options:

    • For multiple computers: Configure the Use the Sensitivity feature in Office to apply and view sensitivity labels Group Policy setting. Find this setting under User Configuration/Administrative Templates/Microsoft Office 2016/Security Settings. Deploy this setting through group policy, or by using the Office cloud policy service.

    • For a single computer: See "View, manage, and install add-ins in Office programs" for information about how to permanently disable or remove the Azure Information Protection add-in on a single computer.

  2. Restart all Office applications.

When you disable or uninstall this Office add-in, the Azure Information Protection client remains installed so that you can continue to label files outside your Office apps. For example, by using File Explorer, or PowerShell.

For information about which features are supported by the Azure Information Protection clients and the Office built-in labeling client, see Choose which labeling client to use for Windows computers from the Azure Information Protection documentation.

Protection templates and sensitivity labels

Administrator-defined protection templates, such as those you define for Office 365 Message Encryption, aren't visible in Office apps when you're using built-in labeling. This simplified experience reflects that there's no need to select a protection template, because the same settings are included with sensitivity labels that have encryption enabled.

If you need to convert existing protection templates to labels, use the Azure portal and the following instructions: To convert templates to labels.

Apply sensitivity labels to files, emails, and attachments

Users can apply just one label at a time for each document or email.

When you label an email message that has attachments, the attachments don't inherit the label. If the attachments had a label they keep that separately applied label. If the attachments didn't have a label, then the attachments remain without a label. However, if the label for the email applies protection, that protection is applied to Office attachments.

Sensitivity label compatibility

With RMS-enlightened apps. If you open a labeled and encrypted document or email in an RMS-enlightened application that doesn't support sensitivity labels, the app still enforces encryption and rights management.

With Azure Information Protection client. You can view and change sensitivity labels that you apply to documents and emails with the Office built-in labeling client with the Azure Information Protection client, and the other way around.

With other versions of Office. Any authorized user can open labeled documents and emails in other versions of Office. However, you can only view or change the label in supported Office versions or in the Azure Information Protection client. Supported Office app versions are listed in the tables in this article.

Support for SharePoint and OneDrive files protected by sensitivity labels

To use the Office built-in labeling client in Office on the web, the document must be located in a OneDrive for Business or SharePoint Online instance that has opted-in to the Enable sensitivity labels for Office files in SharePoint and OneDrive.

When Office 365 applies marks and encryption to content

Office 365 applies content marks or encryption with a sensitivity label differently depending on the application you use.

Application Content marking Encryption
Word, Excel, PowerPoint on all platforms Immediately Immediately
Outlook for PC and Mac After Exchange Online sends the email Immediately
Outlook on the web, iOS, and Android After Exchange Online sends the email After Exchange Online sends the email

More resources

Frequently asked questions about classification and labeling in Azure Information Protection

Apply sensitivity labels to your documents and email within Office