In a previous article we discussed the advantage of using sensitivity labels to classify teams in Microsoft Teams. By using sensitivity labels, you enforce your governance policies. In this article, we are going to show you how you can classify and protect the data stored in your teams. People need to be added as a member of a team to access its content, but after that they can basically download the content and share it with unauthorized people. We are going to show you how this can be prevented by working with sensitivity labels.
For this article, we are going to use a fictional company and business case. A company called Contoso is working on the development of their new console, codename Project Raven, and wants to protect the data related to the project.
Information classification policy
Before we dive deeper into the business case and the technology side of things, it is crucial that Contoso starts with defining their information classification policy. We use the following example with our customers:
These classifications are going to be the sensitivity labels. Once Contoso has agreed upon the classification policy that works for their organization, it is time to create an information protection policy.
Information protection policy
This policy is aimed at deciding the appropriate configuration, such as applying encryption or a watermark, for the content connected to the sensitivity labels. We added an example below:
The labels confidential and secret are going to use encryption. This ensures only authorized people have access to the content. The encryption stays with the content, no matter the location where the content is stored.
Megan works as project manager for Contoso and is responsible for the project management of Project Raven. She wants to classify and protect (manually and automatically) all the data related to Project Raven. To support Megan, we are creating a new sensitivity label specifically for this important project.
The next step is defining the scope. We only want to apply the label to items:
After we defined the scope, we select our protection settings. We want to encrypt and mark the items:
After selecting the required protection settings, we need to configure the encryption settings. We are assigning all the members of Project Raven (this is a Microsoft 365 Group with Microsoft Teams) the co-owner permissions. This allows them to have complete control over the items:
For the content marking we only need a footer:
We want to detect Project Raven content in Microsoft 365 and automatically assign the label. The solution for this requirement? The auto label feature! We assign it to a sensitive information type (more about this later):
We are now done and publish the label to all the members of Project Raven.
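The label and its publishing policy can also be created from Security & Compliance PowerShell, which makes the configuration repeatable and reviewable. The following is an added example, not taken from the article's screenshots: the group address, label name, policy name and footer text are placeholders, and the rights string is assumed to match the Co-Owner preset. It covers the scope, encryption, footer and publishing steps only, not the auto-labeling condition.

```powershell
# Requires the ExchangeOnlineManagement module.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance PowerShell session

# Placeholders (assumptions, not values from the article).
$group      = 'projectraven@contoso.com'   # Microsoft 365 group behind the team
$labelName  = 'Project Raven'
$policyName = 'Project Raven label policy'

# Usage rights assumed to correspond to the Co-Owner preset (full control).
$coOwner = 'VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,' +
           'FORWARD,EXPORT,EDITRIGHTSDATA,OBJMODEL,OWNER'

$label = @{
    Name                                        = $labelName
    DisplayName                                 = $labelName
    Tooltip                                     = 'Content related to Project Raven'
    ContentType                                 = 'File, Email'   # scope: items only
    EncryptionEnabled                           = $true
    EncryptionProtectionType                    = 'Template'      # permissions assigned by the admin
    EncryptionRightsDefinitions                 = "${group}:$coOwner"
    EncryptionContentExpiredOnDateInDaysOrNever = 'Never'
    ApplyContentMarkingFooterEnabled            = $true
    ApplyContentMarkingFooterText               = 'Contoso - Project Raven'  # constructed text
    ApplyContentMarkingFooterAlignment          = 'Center'
}
New-Label @label

# Publish the label to the members of the Project Raven group only.
New-LabelPolicy -Name $policyName -Labels $labelName -ModernGroupLocation $group

# Review what was stored before relying on it.
Get-Label -Identity $labelName | Format-List Name, DisplayName, LabelActions
Get-LabelPolicy -Identity $policyName | Format-List Name, Labels, ModernGroupLocation
```

Checking `LabelActions` in the output confirms that encryption is bound to the group and not to a wider audience before the label reaches users.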
Sensitive information type
The auto label feature detects content by connecting to a sensitive information type (SIT). What is this exactly? According to the official Microsoft documentation, a sensitive information type is a pattern-based classifier for sensitive content. For example:
- Social Security Number
- Passport Number
- International Banking Number
We created a custom SIT for Project Raven. The SIT looks for keywords in items:
Is a keyword detected? The label is automatically applied. For example:
Megan, and her fellow project members, manually assign the label by using the Sensitivity button in the ribbon:
Megan is happy with this solution and feels safer collaborating with her colleagues.
Wrap it up!
We hope you have seen the advantage and power of applying sensitivity labels in your teams. You offer an additional layer of protection for the sensitive files in your team. Before you start implementing sensitivity labels in your own organization, we advise starting with a pilot before an organization-wide implementation. Find a department with a business case around data classification. Make sure the employees become familiar with sensitivity labels, do a lot of testing and, when successful, move to the next department.
The following resources contain relevant and important information about working with sensitivity labels:
- Known issues with sensitivity labels in Office
- Apply a sensitivity label to content automatically
- Enable co-authoring for files encrypted with sensitivity labels
- Enable sensitivity labels for Office files
If you want to learn more about keeping your data safe while managing Microsoft Teams I highly recommend the following whitepaper: Microsoft Teams governance best practices. The whitepaper helps you understand the pillars of successful Teams governance and offers a guide on creating a governance strategy to stay in control of Microsoft Teams.