Restrict access to content by using sensitivity labels to apply encryption
When you create a sensitivity label, you can restrict access to content that the label will be applied to. For example, with the encryption settings for a sensitivity label, you can protect content so that:
When a document or email is encrypted, access to the content is restricted, so that it:
Finally, as an admin, when you configure a sensitivity label to apply encryption, you can choose either to:
The encryption settings are available when you create a sensitivity label in the Microsoft Purview compliance portal.
Tip: If you're not an E5 customer, you can try all the premium features in Microsoft Purview for free. Use the 90-day Purview solutions trial to explore how robust Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.
Understand how the encryption works
Encryption uses the Azure Rights Management service (Azure RMS) from Azure Information Protection. This protection solution uses encryption, identity, and authorization policies. To learn more, see What is Azure Rights Management? from the Azure Information Protection documentation.
When you use this encryption solution, the super user feature ensures that authorized people and services can always read and inspect the data that has been encrypted for your organization. If necessary, the encryption can then be removed or changed. For more information, see Configuring super users for Azure Information Protection and discovery services or data recovery.
Important prerequisites
Before you can use encryption, you might need to do some configuration tasks. When you configure encryption settings, there's no check to validate that these prerequisites are met.
How to configure a label for encryption
What happens to existing encryption when a label's applied
If a sensitivity label is applied to unencrypted content, the outcome of the encryption options you can select is self-explanatory. For example, if you didn't select Encrypt files and emails, the content remains unencrypted. However, the content might be already encrypted. For example, another user might have applied:
The following table identifies what happens to existing encryption when a sensitivity label is applied to that content:
In the cases where the new label encryption is applied or the original encryption is removed, this happens only if the user who applies the label has a usage right or role that supports this action:
If the user doesn't have one of these rights or roles, the label can't be applied and so the original encryption is preserved. The user sees the following message: "You don't have permission to make this change to the sensitivity label. Please contact the content owner."
For example, the person who applies Do Not Forward to an email message can relabel the thread to replace the encryption or remove it, because they're the Rights Management owner for the email. But except for super users, recipients of this email can't relabel it because they don't have the required usage rights.
Email attachments for encrypted email messages
When an email message is encrypted by any method, any unencrypted Office documents that are attached to the email automatically inherit the same encryption settings. Documents that are already encrypted and then added as attachments always preserve their original encryption.
Configure encryption settings
When you select Configure encryption settings on the Encryption page to create or edit a sensitivity label, choose one of the following options:
For example, if you have a sensitivity label named Highly Confidential that will be applied to your most sensitive content, you might want to decide now who gets what type of permissions to that content. Alternatively, if you have a sensitivity label named Business Contracts, and your organization's workflow requires that your people collaborate on this content with different people on an unplanned basis, you might want to allow your users to decide who gets permissions when they assign the label. This flexibility both helps your users' productivity and reduces the requests for your admins to update or create new sensitivity labels to address specific scenarios.
Choosing whether to assign permissions now or let users assign permissions:
Assign permissions now
Use the following options to control who can access email or documents to which this label is applied. You can:
Settings for access control for encrypted content:
Recommendations for the expiry and offline access settings:
Only labels that are configured to assign permissions now support different values for offline access. Labels that let users assign the permissions automatically use the tenant's Rights Management use license validity period. For example, labels that are configured for Do Not Forward, Encrypt-Only, and prompt users to specify their own permissions. The default value for this setting is 30 days.
Rights Management use license for offline access
Note: Although you can configure the encryption setting to allow offline access, some apps might not support offline access for encrypted content. For example, labeled and encrypted files in Power BI Desktop won't open if you're offline.
When a user opens a document or email that's been protected by encryption from the Azure Rights Management service, an Azure Rights Management use license for that content is granted to the user. This use license is a certificate that contains the user's usage rights for the document or email, and the encryption key that was used to encrypt the content. The use license also contains an expiration date if one has been set, and how long the use license is valid. If no expiration date has been set, the default use license validity period for a tenant is 30 days.
For the duration of the use license, the user isn't reauthenticated or reauthorized for the content. This process lets the user continue to open the protected document or email without an internet connection. When the use license validity period expires, the next time the user accesses the protected document or email, the user must be reauthenticated and reauthorized. In addition to reauthentication, the encryption settings and the user's group membership are reevaluated. This means that users could experience different access results for the same document or email if there are changes in the encryption settings or group membership from when they last accessed the content.
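The use license behaviour described above, modelled as an added example (this is illustrative code, not Microsoft's implementation or the Azure RMS client): a cached use license is honoured until its validity period or the content expiry date passes, after which the user must be online to be reauthorized, at which point rights are recomputed from the label's current grants and current group membership. The label format, group names, DAY0 reference date and 30-day default are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

DEFAULT_USE_LICENSE_DAYS = 30  # tenant default validity period, as stated in the article
DAY0 = datetime(2024, 1, 1)    # constructed reference date for the scenarios below


def at_day(n: int) -> datetime:
    return DAY0 + timedelta(days=n)


@dataclass(frozen=True)
class UseLicense:
    # Hypothetical model: the granted rights plus the two clocks that bound them.
    user: str
    issued_at: datetime
    validity_days: int
    rights: frozenset
    content_expiry: Optional[datetime]  # None: the label set no expiration date

    def valid_at(self, now: datetime) -> bool:
        if self.content_expiry is not None and now >= self.content_expiry:
            return False
        return now < self.issued_at + timedelta(days=self.validity_days)


def authorize(user, user_groups, label, now):
    """Reauthorization: recompute rights from the label's current grants and the
    user's current group membership (constructed label format: principal -> rights)."""
    rights = set()
    for principal, granted in label["grants"].items():
        if principal == user or principal in user_groups:
            rights.update(granted)
    if not rights:
        return None
    return UseLicense(user, now, label.get("offline_days", DEFAULT_USE_LICENSE_DAYS),
                      frozenset(rights), label.get("content_expiry"))


def open_content(license, user, user_groups, label, now, online):
    """Return (decision, use license). A cached, still-valid use license is honoured
    without reauthentication, which is what allows offline access; once it has
    expired the user must be online to be reauthenticated and reauthorized."""
    if license is not None and license.user == user and license.valid_at(now):
        return "allowed", license
    if not online:
        return "reauthorization-required", None
    fresh = authorize(user, user_groups, label, now)
    return ("allowed", fresh) if fresh is not None else ("denied", None)
```

The scenario worth noticing is the last one: a user removed from the granting group keeps access offline until the cached license expires, which is the trade-off the offline access setting controls.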
To learn how to change the default 30-day setting, see Rights Management use license.
Assign permissions to specific users or groups
You can grant permissions to specific people so that only they can interact with the labeled content:
Assigning permissions:
Add users or groups
When you assign permissions, you can choose:
When you choose all users and groups in your organization or browse the directory, the users or groups must have an email address. As a best practice, use groups rather than users. This strategy keeps your configuration simpler.
Requirements and limitations for "Add any authenticated users"
This setting doesn't restrict who can access the content that the label encrypts, while still encrypting the content and providing you with options to restrict how the content can be used (permissions) and accessed (expiry and offline access). However, the application opening the encrypted content must be able to support the authentication being used. For this reason, federated social providers such as Google, and one-time passcode authentication, work for email only, and only when you use Exchange Online. Microsoft accounts can be used with Office 365 apps and the Azure Information Protection viewer.
Some typical scenarios for the any authenticated users setting:
Choose permissions
When you choose which permissions to allow for those users or groups, you can select either:
For more information to help you select the appropriate permissions, see Usage rights and descriptions.
Note that the same label can grant different permissions to different users. For example, a single label can assign some users as Reviewer and a different user as Co-author, as shown in the following screenshot. To do this, add users or groups, assign them permissions, and save those settings. Then repeat these steps, adding users and assigning them permissions, saving the settings each time. You can repeat this configuration as often as necessary, to define different permissions for different users.
Rights Management issuer (user applying the sensitivity label) always has Full Control
Encryption for a sensitivity label uses the Azure Rights Management service from Azure Information Protection. When a user applies a sensitivity label to protect a document or email by using encryption, that user becomes the Rights Management issuer for that content. The Rights Management issuer is always granted Full Control permissions for the document or email, and in addition:
For more information, see Rights Management issuer and Rights Management owner.
Double Key Encryption
Note: This feature is currently supported only by the Azure Information Protection unified labeling client.
Select this option only after you've configured the Double Key Encryption service and you need to use this double key encryption for files that will have this label applied. After the label is configured and saved, you won't be able to edit it. For more information, prerequisites, and configuration instructions, see Double Key Encryption (DKE).
Let users assign permissions
Important: Not all labeling clients support all the options that let users assign their own permissions. Use this section to learn more.
You can use the following options to let users assign permissions when they manually apply a sensitivity label to content:
When the options are supported, use the following table to identify when users see the sensitivity label:
When both settings are selected, the label is therefore visible in both Outlook and in Word, Excel, and PowerPoint.
A sensitivity label that lets users assign permissions must be applied to content manually by users; it can't be auto-applied or used as a recommended label.
Configuring the user-assigned permissions:
Outlook restrictions
In Outlook, when a user applies a sensitivity label that lets them assign permissions to a message, you can choose the Do Not Forward option or Encrypt-Only. The user will see the label name and description at the top of the message, which indicates the content's being protected. Unlike Word, PowerPoint, and Excel (see the next section), users aren't prompted to select specific permissions.
When either of these options is applied to an email, the email is encrypted and recipients must be authenticated. Then, the recipients automatically have restricted usage rights:
Unencrypted Office documents that are attached to the email automatically inherit the same restrictions. For Do Not Forward, the usage rights applied to these documents are Edit Content, Edit; Save; View, Open, Read; and Allow Macros. If the user wants different usage rights for an attachment, or the attachment isn't an Office document that supports this inherited protection, the user needs to encrypt the file before attaching it to the email.
Word, PowerPoint, and Excel permissions
In Word, PowerPoint, and Excel, when a user applies a sensitivity label that lets them assign permissions to a document, the user is prompted to specify their choice of users and permissions for the encryption. For example, with the Azure Information Protection unified labeling client, unless co-authoring is enabled, users can:
For built-in labeling, and for the Azure Information Protection unified labeling client when co-authoring is enabled, users see the same dialog box as if they selected the following options:
Support for organization-wide custom permissions
Now rolling out in preview for built-in labeling in Windows, users can specify a domain name, and the permissions then apply to all users in the organization that owns that domain in Azure Active Directory. This capability provides parity with the Azure Information Protection unified labeling client. For example, a user types "@contoso.com" (or "contoso.com") and grants read access. Because Contoso Corporation owns the contoso.com domain, all users in that domain and in all other domains that the organization owns in Azure Active Directory will be granted read access.
It's important to let users know that access isn't restricted to just the users in the domain specified. For example, "@sales.contoso.com" wouldn't restrict access to users in just the sales subdomain, but would also grant access to users in the marketing.contoso.com domain, and even users with a disjoint namespace in the same Azure Active Directory tenant.
Example configurations for the encryption settings
For each example that follows, do the configuration from the Encryption page when Configure encryption settings is selected:
Example 1: Label that applies Do Not Forward to send an encrypted email to a Gmail account
This label displays only in Outlook and Outlook on the web, and you must use Exchange Online. Instruct users to select this label when they need to send an encrypted email to people using a Gmail account (or any other email account outside your organization).
Your users type the Gmail email address in the To box. Then, they select the label and the Do Not Forward option is automatically added to the email. The result is that recipients can't forward the email, or print it, copy from it, or save the email outside their mailbox by using the Save As option.
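Returning to the organization-wide custom permissions section above: the following is an added model of how a typed domain resolves to the owning tenant and therefore to every verified domain of that tenant. It is illustrative code, not Microsoft's implementation; the TENANTS directory, its tenant ids and domain names are constructed for the example, and grant_warning is a hypothetical helper showing what a client could tell the user about the real scope.

```python
# Constructed directory: each tenant's verified domains in Azure Active Directory.
TENANTS = {
    "contoso-tenant": {
        "contoso.com", "sales.contoso.com", "marketing.contoso.com",
        "contoso-legacy.net",          # disjoint namespace owned by the same tenant
    },
    "fabrikam-tenant": {"fabrikam.com"},
}


def normalize_domain(entry: str) -> str:
    """Accept either form a user can type: '@contoso.com' or 'contoso.com'."""
    return entry.strip().lstrip("@").lower()


def tenant_for_domain(domain: str, tenants=TENANTS):
    """Find the tenant whose verified domains include the typed domain."""
    for tenant_id, verified in tenants.items():
        if domain in verified:
            return tenant_id
    return None


def effective_domains(entry: str, tenants=TENANTS) -> set:
    """Domains whose users actually receive the grant: every verified domain of the
    owning tenant, not only the one that was typed. Unknown domains grant nothing."""
    tenant_id = tenant_for_domain(normalize_domain(entry), tenants)
    return set(tenants[tenant_id]) if tenant_id is not None else set()


def user_is_granted(user_email: str, entry: str, tenants=TENANTS) -> bool:
    """Check whether a recipient falls inside the effective scope of the grant."""
    return user_email.rsplit("@", 1)[-1].lower() in effective_domains(entry, tenants)


def grant_warning(entry: str, tenants=TENANTS):
    """Hypothetical client message so the user understands the real scope of
    the grant. Returns None when the typed domain is the only one covered."""
    domain = normalize_domain(entry)
    extra = sorted(effective_domains(entry, tenants) - {domain})
    if not extra:
        return None
    return f"Granting access to {domain} also grants it to: {', '.join(extra)}"
```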
Example 2: Label that restricts read-only permission to all users in another organization
This label is suitable for sharing very sensitive documents as read-only, and the documents always require an internet connection to view them. This label isn't suitable for emails.
Example 3: Add external users to an existing label that encrypts content
The new users that you add will be able to open documents and emails that have already been protected with this label. The permissions that you grant these users can be different from the permissions that the existing users have.
Example 4: Label that encrypts content but doesn't restrict who can access it
This configuration has the advantage that you don't need to specify users, groups, or domains to encrypt an email or document. The content will still be encrypted and you can still specify usage rights, an expiry date, and offline access. Use this configuration only when you don't need to restrict who can open the protected document or email. See more information about this setting.
Considerations for encrypted content
Encrypting your most sensitive documents and emails helps to ensure that only authorized people can access this data. However, there are some considerations to take into account:
For the best collaboration experience for files that are encrypted by a sensitivity label, we recommend you use sensitivity labels for Office files in SharePoint and OneDrive and Office for the web.
Next steps
Need to share your labeled and encrypted documents with people outside your organization? See Sharing encrypted documents with external users.