Microsoft 365 – Sensitivity Labels

UWM has implemented Sensitivity Labels in the Microsoft 365 environment, increasing the ability to protect sensitive information from unauthorized disclosure, and improve privacy controls within the Microsoft environment.

Index

Background Information

Types of Labels

Labeling Office Documents

Labeling Outlook Messages and Attachments

Labeling Teams, Microsoft 365 (Outlook) Groups, and SharePoint sites

Sharing Labeled Files with External Users via SharePoint (Team) Sites

High Risk Data Storage Requests

FAQ

Known Issues

Assistance


Background Information

UWM's use of sensitivity labels in Microsoft 365 apps, Outlook, and SharePoint sites includes two different label types: Sensitive and Restricted. The Sensitive label is the less restrictive of the two, allowing individuals to share sensitive information with both UWM accounts and external guests, so long as they are authenticated. The Restricted label is stricter and will prevent files from being shared outside of the UWM community. Authentication is required to access files or emails that have either label applied. When a file is marked as Restricted, only UWM staff given access to the file can open it.  

 

Microsoft will passively scan all files in the OneDrive, Teams, SharePoint, and Outlook environments for sensitive information types including:

  • U.S. bank account number
  • U.S. driver's license number
  • U.S. social security number (SSN)
  • U.S./U.K. passport number
  • Credit Card Numbers

When these fields are identified, a Sensitive label will automatically be applied to the document or email that was detected. This includes Microsoft Office documents and PDF documents stored in OneDrive and SharePoint and attachments in Outlook email messages. This label provides the user with additional functionality to restrict sharing and manage access to the document or email.

Labels can also be applied through manual configuration using the Sensitivity Bar in Office documents and emails. You can apply labels to documents you consider sensitive, within the document itself. You can also change labels to a less or more sensitive label type and can remove labels entirely - so long as you provide a justification for doing so. The following Microsoft link contains how-to information for applying sensitivity labels within Office documents: Microsoft Sensitivity Labels - Client Side Information.


Types of Labels

UWM's Microsoft 365 environment supports two different types of labels: Sensitive and Restricted.

Sensitive:

The Sensitive label is the less limiting of the two labels and is the default label applied by Microsoft’s auto-labeling feature when high-risk data types are detected in files and email. Data detected by the auto-labeling feature include:

  • U.S. bank account number
  • U.S. driver's license number
  • U.S. social security number (SSN)
  • U.S./U.K. passport number
  • Credit Card Numbers

Files that contain medium or high-risk data types, as outlined under UWSA 1031.A, should have the sensitive label applied. Examples of information that meets these criteria include:

  • Protected health information (PHI)
  • FERPA data
  • Personally identifiable data (PII)
  • Contractually protected data

If a document is auto-labeled by default, it can be removed with a justification of why it was incorrectly labeled. In addition to auto-labeling, you can also apply the Sensitive label manually as shown below.

Restricted:

The Restricted label is the more limiting of the two labels and should only be used for files and emails that are not intended to be shared outside of the UWM environment. The auto-labeling feature does not apply the Restricted label, which can only be applied manually by users within the file or email they want to label. Files containing high risk data, which is not intended to be shared outside of your team or organization should be labeled with the Restricted label. The Restricted label will prevent any form of external sharing. The Restricted label should be used situationally, depending on the needs of the individual or group that need to maintain the highest levels of privacy. Please consult with your manager or group leadership to determine when it is appropriate to apply these restrictions.


Labeling Office Documents

Microsoft 365 Web Apps

Auto-Apply:

  1. After creating a document with high-risk data, the auto-labeling feature will recognize this and auto apply the Sensitive Label. You will see the Sensitive label in the following places:
    1. Your OneDrive file list – Notified by the red exclamation point. When you hover over the notification, you will see a Policy Tip displayed notifying you that the document was identified as Sensitive.

 Microsoft 365 OneDrive List with Sensitivity Label Applied

Microsoft 365 OneDrive Sensitivity Label Applied expanded view

    1. Your Document – Notified by the Policy Tip top of your document below the ribbon.

Microsoft 365 Policy Tip

    1. Your Document – You can also see the label by clicking the Sensitivity button in the Home ribbon.

Microsoft 365 Home Ribbon Sensitivity button

Manually Apply:

  1. If you need to manually apply a Sensitive or Restricted label to a document, click the Sensitivity button in the Home ribbon.

Microsoft 365 Home ribbon Sensitivity button

  1. Select your preferred option; Sensitive or Restricted.

Microsoft 365 Home Ribbon Sensitivity button

  1. If prompted, provide a justification and click Change.

Microsoft 365 Provide Justification

Change:

  1. Click the Sensitivity drop-down in the Home Ribbon.

Microsoft 365 Home ribbon Sensitivity button

  1. Select your preferred option; Sensitive or Restricted.

Microsoft 365 Home Ribbon Sensitivity button

  1. If prompted, provide a justification and click Change.

Microsoft 365 Provide Justification

Remove:

  1. Click the Sensitivity drop-down in the Home Ribbon.

Microsoft 365 Home Ribbon Sensitivity button

  1. Click the name of the label that is applied (Sensitive or Restricted).

Microsoft 365 Home Ribbon Sensitivity button

  1. Provide a justification for why the label should be removed and click Change.

Microsoft 365 Provide Justification

Windows

Auto-Apply:

  1. After creating a document with high-risk data, the auto-labeling feature will recognize this and auto apply the Sensitive Label. You will see the Sensitive label next to the file name in your document window.

Windows Sensitivity auto-label

Manually Apply:

  1. If you need to manually apply a Sensitive or Restricted label to a document, click the drop-down arrow next to your file name.

Windows Sensitivity Label drop-down

  1. Click the Sensitivity drop-down arrow and select Sensitive or Restricted.

Windows Sensitivity Drop Down Manually Apply

  1. If prompted, provide a justification and click Change.

Windows provide justification

  1. You can also change the label by using the Sensitivity option in the Home ribbon.

Windows Sensitivity button

Change:

  1. Click the drop-down arrow next to your file name.

  2. Click the Sensitivity drop-down arrow and select Sensitive or Restricted.  

Windows Sensitivity label drop-down

  1. You can also change the label by using the Sensitivity option in the Home ribbon.

Windows Sensitivity button

Remove:

  1. Click the drop-down arrow next to your file name.

  2. Click the Sensitivity drop-down arrow and select Sensitive or Restricted.

 Windows Sensitivity drop-down

  1. Provide a justification for why the label should be removed and click Change.

Windows provide justification

  1. You can also remove the label by using the Sensitivity option in the Home ribbon.

Windows Sensitivity button

Mac

Auto-Apply:

  1. After creating a document with high-risk data, the auto-labeling feature will recognize this and auto apply the Sensitive Label. You will see the Sensitive label next to the file name in your document window.

Mac Sensitivity label auto-applied

Please note: You may be prompted to enter a keychain password and authenticate with your UWM email address, password, and MFA upon opening a document labeled as Sensitive or Restricted. To open the document you must enter your keychain password and allow access. Then you must sign-in to your UWM account.

Keychain Password Prompt     Authenticate with email    Authenticate Password    Authenticate MFA         

Manually Apply:

    1. If you need to manually apply a Sensitive or Restricted label to a document, click the drop-down arrow next to your file name.

    Mac Sensitivity Label drop-down

    1. Click the Sensitivity drop-down arrow and select Sensitive or Restricted.

    Mac Sensitivity Labels Menu

    1. If prompted, provide a justification and click Change.

    Mac Sensitivity Justification

    1. You can also apply the label by using the Sensitivity option in the Home ribbon.

    Mac Sensitivity Home Ribbon

    Change:

    1. Click the drop-down arrow next to your file name.

    Sensitivity Label drop-down Mac

    1. Click the Sensitivity drop-down arrow and select Sensitive or Restricted

    Sensitivity Labels Menu

    1. You can also change the label by using the Sensitivity option in the Home ribbon.

    Mac Sensitivity Ribbon

    1. If prompted, provide a justification for the change.

    Sensitivity Justification Mac

    Remove:

    1. Click the drop-down arrow next to your file name.

    Sensitivity Label drop-down Mac

    1. Click the Sensitivity drop-down arrow and select Sensitive or Restricted

    Mac Sensitivity labels drop-down menu

    1. Provide a justification for why the label should be removed and click Change.

    Add justification Mac

    1. You can also remove the label by using the Sensitivity option in the Home ribbon.

    Mac Sensitivity ribbon


    Labeling Outlook Messages and Attachments

    When you apply a sensitivity label to a message in Outlook, the label will be automatically applied to any attachments added to the message. Labeling an Outlook message is appropriate if the body of the message contains sensitive or restricted content. If the body of the message does not contain sensitive or restricted content, but the attachments contain sensitive or restricted content, then attaching the labeled file will be sufficient.

    Outlook on the Web:

    1. Open Outlook and click the New Email button.

    2. Click the Insert button on the ribbon and attach the Sensitive or Restricted document you would like to share.

    Microsoft 365 Outlook Attach File

    1. Compose your email.

    2. If the body of your email message contains sensitive or restricted content, click the Message ribbon and click the Sensitivity option to select your preferred label for the message. If the body of the message does not contain sensitive or restricted content, then attaching the labeled file is sufficient.

    Microsoft 365 Outlook Message ribbon Sensitivity

    1. Click Send.

    2. Your recipient will need to sign in and authenticate to view the document.

    Outlook for Windows:

    1. Open Outlook and click the New Email button.

    Windows Outlook New Email

    1. Click the Insert button on the ribbon and attach the Sensitive or Restricted document you would like to share.

    Windows outlook attach sensitive document

    1. Compose your email.

    2. If the body of your email message contains sensitive or restricted content, click the Message ribbon and click the Sensitivity option to select your preferred label for the message. If the body of the message does not contain sensitive or restricted content, then attaching the labeled file is sufficient.

    Windows Outlook add Sensitivity label

    1. Click Send.

    2. Your recipient will need to sign in and authenticate to view the document.

    Outlook for Mac:

    1. Open Outlook and click the New Email button.

    2. On the toolbar, click Attach File and attach the Sensitive or Restricted document you would like to share.

    Mac Outlook attach file

    1. Compose your email.

    2. If the body of your email message contains sensitive or restricted content, click the Message ribbon and click the Sensitivity option to select your preferred label for the message. If the body of the message does not contain sensitive or restricted content, then attaching the labeled file is sufficient.

    Add Sensitivity label to Mac Outlook

    1. Click Send.

    2. Your recipient will need to sign in and authenticate to view the document.

    Please note: If you do not see the Sensitivity option in your toolbar, you can add it by:

    1. On the toolbar, click the …More Options button and select Customize Toolbar.

    Mac Outlook customize toolbar

    1. You can add the Sensitivity option to your toolbar by dragging and dropping it to your toolbar or clicking Reset Toolbar.

    Add Sensitivity to Mac Outlook Toolbar

    1. When you have finished, click Done, and Sensitivity will now be added to your toolbar.

    Labeling Teams, Microsoft 365 (Outlook) Groups, and SharePoint Sites

    Sensitivity labels allow Team, Group. and SharePoint site owners to protect and regulate access to sensitive organizational content. Sensitivity labels can be applied to Teams, Groups, and SharePoint sites upon creation or at any time by owners.

    Teams, Groups, and SharePoint sites labeled as Sensitive will automatically have their privacy option set to Private (private teams can only be joined if the team owner adds someone to them) and allow external users to be added as authenticated guest members. Teams and Groups labeled as Restricted will have their privacy option set to Private and do not allow external users to be added as guest members, including prohibiting files from being shared externally via associated Team sites. 

    Please note that applying a sensitivity label to a Team, Microsoft 365 Group, or SharePoint site does not cause the label to be automatically applied to documents that reside in the Team, Group, or site. 

    Applying a Sensitivity Label to a Team

    During the Team creation process, click the Sensitivity Label drop-down to label the Team as Restricted or Sensitive:

     

    A team owner can change the sensitivity label of an existing team at any time by managing the Team, going to the Settings menu section, and then clicking Edit under Team details and selecting the label:

    Applying a Sensitivity Label to a Microsoft 365 Group

    During the Group creation process in Outlook, click Edit next to Default settings:

    Then, select the sensitivity label:

    A Group owner can change the sensitivity label of an existing Group at any time by editing the Group settings and then selecting the label under Edit settings.

    Applying a Sensitivity Label to a SharePoint site

    During the site creation process from the SharePoint landing page, after naming your site in the creation dialogue, you can select a label for the site:

    Note: Since Teams and Microsoft 365 Groups both include Team sites, the label from the Team or Group will be applied to the associated Team site. 


    Sharing Labeled Files with External Users via SharePoint (Team) Sites

    If you share a "sensitive" labeled file from your Team site with an external user, they may see this error message when attempting to access it:

    To ensure that the external recipient can open the file successfully, they will first need to be added as an external guest member of a Team

    If you determine that you do not want to grant an external user guest membership of a Team, we recommend attaching a copy of the file to an email in Outlook using the steps in the "share" sections above.


    High Risk Data Storage Requests

    Faculty, staff, and students who need to store moderate or high risk data in the SharePoint environment should complete the High Risk Data Storage Request form and Information Security Office staff will provide a brief consultation to recommend an appropriate storage solution. 


    FAQ

    You can review a list of Sensitivity Labels Frequently Asked Questions here.


    Known Issues

    Microsoft maintains a list of known issues and workarounds. If you encounter an issue with the sensitivity labels, please refer to the Known issues with sensitivity labels in Office list.

    Viewing Labeled Adobe PDF files

    Currently, viewing labeled PDF files in-browser is limited to the Microsoft Edge browser. Also, please ensure that the Adobe Acrobat browser extension for Edge is either uninstalled or disabled.


    Assistance

    If you need assistance with Sensitivity Labels, please contact the UWM Help Desk.



    KeywordsMicrosoft, 365, M365, sensitive, sensitivity, label, labels, restrict, restricted, content, social, security, number, driver, license, passport, credit, card, numbers, information, bank, account, info, auto, apply, onedrive, sharepoint, teams, outlook, office, sensitive data   Doc ID133658
    OwnerMegan D.GroupUW-Milwaukee Help Desk
    Created2023-12-19 11:06:40Updated2024-09-11 10:48:51
    SitesUW-Milwaukee Help Desk
    Feedback  0   0