Topics Map > Microsoft 365
Microsoft 365 – Sensitivity Labels
Index
Labeling Outlook Messages and Attachments
Labeling Teams, Microsoft 365 (Outlook) Groups, and SharePoint sites
- Applying a Sensitivity Label to a Team
- Applying a Sensitivity Label to a Microsoft 365 Group
- Applying a Sensitivity Label to a SharePoint site
Sharing Labeled Files with External Users via SharePoint (Team) Sites
High Risk Data Storage Requests
Background Information
UWM's use of sensitivity labels in Microsoft 365 apps, Outlook, and SharePoint sites includes two different label types: Sensitive and Restricted. The Sensitive label is the less restrictive of the two, allowing individuals to share sensitive information with both UWM accounts and external guests, so long as they are authenticated. The Restricted label is stricter and will prevent files from being shared outside of the UWM community. Authentication is required to access files or emails that have either label applied. When a file is marked as Restricted, only UWM staff given access to the file can open it.
Microsoft will passively scan all files in the OneDrive, Teams, SharePoint, and Outlook environments for sensitive information types including:
- U.S. bank account number
- U.S. driver's license number
- U.S. social security number (SSN)
- U.S./U.K. passport number
- Credit Card Numbers
When these fields are identified, a Sensitive label will automatically be applied to the document or email that was detected. This includes Microsoft Office documents and PDF documents stored in OneDrive and SharePoint and attachments in Outlook email messages. This label provides the user with additional functionality to restrict sharing and manage access to the document or email.
Labels can also be applied through manual configuration using the Sensitivity Bar in Office documents and emails. You can apply labels to documents you consider sensitive, within the document itself. You can also change labels to a less or more sensitive label type and can remove labels entirely - so long as you provide a justification for doing so. The following Microsoft link contains how-to information for applying sensitivity labels within Office documents: Microsoft Sensitivity Labels - Client Side Information.
UWM's Microsoft 365 environment supports two different types of labels: Sensitive and Restricted.
The Sensitive label is the less limiting of the two labels and is the default label applied by Microsoft’s auto-labeling feature when high-risk data types are detected in files and email. Data detected by the auto-labeling feature include:
- U.S. bank account number
- U.S. driver's license number
- U.S. social security number (SSN)
- U.S./U.K. passport number
- Credit Card Numbers
Files that contain medium or high-risk data types, as outlined under UWSA 1031.A, should have the sensitive label applied. Examples of information that meets these criteria include:
- Protected health information (PHI)
- FERPA data
- Personally identifiable data (PII)
- Contractually protected data
If a document is auto-labeled by default, it can be removed with a justification of why it was incorrectly labeled. In addition to auto-labeling, you can also apply the Sensitive label manually as shown below.
The Restricted label is the more limiting of the two labels and should only be used for files and emails that are not intended to be shared outside of the UWM environment. The auto-labeling feature does not apply the Restricted label, which can only be applied manually by users within the file or email they want to label. Files containing high risk data, which is not intended to be shared outside of your team or organization should be labeled with the Restricted label. The Restricted label will prevent any form of external sharing. The Restricted label should be used situationally, depending on the needs of the individual or group that need to maintain the highest levels of privacy. Please consult with your manager or group leadership to determine when it is appropriate to apply these restrictions.
Labeling Office Documents
Microsoft 365 Web Apps
- After creating a document with high-risk data, the auto-labeling feature will recognize this and auto apply the Sensitive Label. You will see the Sensitive label in the following places:
- Your OneDrive file list – Notified by the red exclamation point. When you hover over the notification, you will see a Policy Tip displayed notifying you that the document was identified as Sensitive.
- Your OneDrive file list – Notified by the red exclamation point. When you hover over the notification, you will see a Policy Tip displayed notifying you that the document was identified as Sensitive.
-
- Your Document – Notified by the Policy Tip top of your document below the ribbon.
-
- Your Document – You can also see the label by clicking the Sensitivity button in the Home ribbon.
- If you need to manually apply a Sensitive or Restricted label to a document, click the Sensitivity button in the Home ribbon.
- Select your preferred option; Sensitive or Restricted.
- If prompted, provide a justification and click Change.
- Click the Sensitivity drop-down in the Home Ribbon.
- Select your preferred option; Sensitive or Restricted.
- If prompted, provide a justification and click Change.
- Click the Sensitivity drop-down in the Home Ribbon.
- Click the name of the label that is applied (Sensitive or Restricted).
- Provide a justification for why the label should be removed and click Change.
Windows
- After creating a document with high-risk data, the auto-labeling feature will recognize this and auto apply the Sensitive Label. You will see the Sensitive label next to the file name in your document window.
- If you need to manually apply a Sensitive or Restricted label to a document, click the drop-down arrow next to your file name.
- Click the Sensitivity drop-down arrow and select Sensitive or Restricted.
- If prompted, provide a justification and click Change.
- You can also change the label by using the Sensitivity option in the Home ribbon.
- Click the drop-down arrow next to your file name.
- Click the Sensitivity drop-down arrow and select Sensitive or Restricted.
- You can also change the label by using the Sensitivity option in the Home ribbon.
- Click the drop-down arrow next to your file name.
- Click the Sensitivity drop-down arrow and select Sensitive or Restricted.
- Provide a justification for why the label should be removed and click Change.
- You can also remove the label by using the Sensitivity option in the Home ribbon.
Mac
- After creating a document with high-risk data, the auto-labeling feature will recognize this and auto apply the Sensitive Label. You will see the Sensitive label next to the file name in your document window.
Please note: You may be prompted to enter a keychain password and authenticate with your UWM email address, password, and MFA upon opening a document labeled as Sensitive or Restricted. To open the document you must enter your keychain password and allow access. Then you must sign-in to your UWM account.
- If you need to manually apply a Sensitive or Restricted label to a document, click the drop-down arrow next to your file name.
- Click the Sensitivity drop-down arrow and select Sensitive or Restricted.
- If prompted, provide a justification and click Change.
- You can also apply the label by using the Sensitivity option in the Home ribbon.
- Click the drop-down arrow next to your file name.
- Click the Sensitivity drop-down arrow and select Sensitive or Restricted.
- You can also change the label by using the Sensitivity option in the Home ribbon.
- If prompted, provide a justification for the change.
- Click the drop-down arrow next to your file name.
- Click the Sensitivity drop-down arrow and select Sensitive or Restricted.
- Provide a justification for why the label should be removed and click Change.
- You can also remove the label by using the Sensitivity option in the Home ribbon.
Labeling Outlook Messages and Attachments
When you apply a sensitivity label to a message in Outlook, the label will be automatically applied to any attachments added to the message. Labeling an Outlook message is appropriate if the body of the message contains sensitive or restricted content. If the body of the message does not contain sensitive or restricted content, but the attachments contain sensitive or restricted content, then attaching the labeled file will be sufficient.
Outlook on the Web:
- Open Outlook and click the New Email button.
- Click the Insert button on the ribbon and attach the Sensitive or Restricted document you would like to share.
- Compose your email.
- If the body of your email message contains sensitive or restricted content, click the Message ribbon and click the Sensitivity option to select your preferred label for the message. If the body of the message does not contain sensitive or restricted content, then attaching the labeled file is sufficient.
- Click Send.
- Your recipient will need to sign in and authenticate to view the document.
Outlook for Windows:
- Open Outlook and click the New Email button.
- Click the Insert button on the ribbon and attach the Sensitive or Restricted document you would like to share.
- Compose your email.
- If the body of your email message contains sensitive or restricted content, click the Message ribbon and click the Sensitivity option to select your preferred label for the message. If the body of the message does not contain sensitive or restricted content, then attaching the labeled file is sufficient.
- Click Send.
- Your recipient will need to sign in and authenticate to view the document.
Outlook for Mac:
- Open Outlook and click the New Email button.
- On the toolbar, click Attach File and attach the Sensitive or Restricted document you would like to share.
- Compose your email.
- If the body of your email message contains sensitive or restricted content, click the Message ribbon and click the Sensitivity option to select your preferred label for the message. If the body of the message does not contain sensitive or restricted content, then attaching the labeled file is sufficient.
- Click Send.
- Your recipient will need to sign in and authenticate to view the document.
Please note: If you do not see the Sensitivity option in your toolbar, you can add it by:
- On the toolbar, click the …More Options button and select Customize Toolbar.
- You can add the Sensitivity option to your toolbar by dragging and dropping it to your toolbar or clicking Reset Toolbar.
- When you have finished, click Done, and Sensitivity will now be added to your toolbar.
Labeling Teams, Microsoft 365 (Outlook) Groups, and SharePoint Sites
Sensitivity labels allow Team, Group. and SharePoint site owners to protect and regulate access to sensitive organizational content. Sensitivity labels can be applied to Teams, Groups, and SharePoint sites upon creation or at any time by owners.
Teams, Groups, and SharePoint sites labeled as Sensitive will automatically have their privacy option set to Private (private teams can only be joined if the team owner adds someone to them) and allow external users to be added as authenticated guest members. Teams and Groups labeled as Restricted will have their privacy option set to Private and do not allow external users to be added as guest members, including prohibiting files from being shared externally via associated Team sites.
Please note that applying a sensitivity label to a Team, Microsoft 365 Group, or SharePoint site does not cause the label to be automatically applied to documents that reside in the Team, Group, or site.
Applying a Sensitivity Label to a Team
During the Team creation process, click the Sensitivity Label drop-down to label the Team as Restricted or Sensitive:
A team owner can change the sensitivity label of an existing team at any time by managing the Team, going to the Settings menu section, and then clicking Edit under Team details and selecting the label:
Applying a Sensitivity Label to a Microsoft 365 Group
During the Group creation process in Outlook, click Edit next to Default settings:
Then, select the sensitivity label:
A Group owner can change the sensitivity label of an existing Group at any time by editing the Group settings and then selecting the label under Edit settings.
Applying a Sensitivity Label to a SharePoint site
During the site creation process from the SharePoint landing page, after naming your site in the creation dialogue, you can select a label for the site:
Note: Since Teams and Microsoft 365 Groups both include Team sites, the label from the Team or Group will be applied to the associated Team site.
Sharing Labeled Files with External Users via SharePoint (Team) Sites
If you share a "sensitive" labeled file from your Team site with an external user, they may see this error message when attempting to access it:
To ensure that the external recipient can open the file successfully, they will first need to be added as an external guest member of a Team.
If you determine that you do not want to grant an external user guest membership of a Team, we recommend attaching a copy of the file to an email in Outlook using the steps in the "share" sections above.
High Risk Data Storage Requests
Faculty, staff, and students who need to store moderate or high risk data in the SharePoint environment should complete the High Risk Data Storage Request form and Information Security Office staff will provide a brief consultation to recommend an appropriate storage solution.
FAQ
You can review a list of Sensitivity Labels Frequently Asked Questions here.
Known Issues
Microsoft maintains a list of known issues and workarounds. If you encounter an issue with the sensitivity labels, please refer to the Known issues with sensitivity labels in Office list.
Viewing Labeled Adobe PDF files
Currently, viewing labeled PDF files in-browser is limited to the Microsoft Edge browser. Also, please ensure that the Adobe Acrobat browser extension for Edge is either uninstalled or disabled.
Assistance
If you need assistance with Sensitivity Labels, please contact the UWM Help Desk.