This article describes how to use information protection labels to secure Office documents and emails with encryption and access controls.
Summary
Protection of Office documents (Excel, Word, and PowerPoint) and emails can be simplified by the use of sensitivity labels.
These labels control who can open a document or read an email. The labels may also put controls on what other users can do with that document or email (copy, print, forward, and more). This is meant to eliminate the need for protecting Office documents with passwords or password-protected external encryption and the accompanying overhead of sharing the password. It also extends access controls beyond the boundaries of our document containers, like OneDrive folders, so that access is limited regardless of where the file is sent or saved.
Sensitivity Labels
A small set of sensitivity labels is published, intended to match a set of anticipated data sharing circumstances.
General
The General sensitivity label will be the default label. No special action to restrict access to documents or emails is taken when this label is applied. This label is meant to apply to common communication that doesn't have special security considerations. No special actions on the part of the user are necessary with this label.
Sensitive
The Sensitive label is intended to be used in situations where the document or email contains information that should not be shared with users that the company doesn't have a relationship with, and the audience of the document or email can be trusted with the contents.
Documents with this sensitivity label can be opened by any user that is logged into a Connor Group Office 365 account, any other organization's Office 365 account, a Microsoft Live account, or any account Microsoft has a federation with (Google, Yahoo, others) as long as their email address has been added to Connor Group's directory service as a guest or member. These files and emails have no restrictions on them for forwarding, printing, or copying the file / email. Any user that can open these files or emails can remove the encryption from the file or email in order to downgrade the sensitivity label.
CG Only
The CG Only label is intended to be used in situations where the document or email contains information that must be limited to users in Connor Group's organization(s).
Documents with this sensitivity label can only be opened by users with an account in Connor Group's Office 365 organization(s). These files and emails have no restrictions on them for forwarding, printing, or copying the file / email. Connor Group users can remove the encryption from the file or email in order to downgrade the sensitivity label.
Confidential
The Confidential label is intended to be used in situations where the document or email contains information that must be limited to a specific audience.
This is an advanced option that requires an extra degree of understanding and forethought. The author of the document must choose who has access to the document. This is done through a series of prompts in the Office desktop apps or by setting the recipient list of an email. Audience members can be any internal or external user that is authenticated to Connor Group's directory service. By default, selected audience members cannot print, copy, or forward file / email contents (1)(2), remove the encryption, or downgrade the sensitivity label. The author can select different sets of permissions for different audience members for Office documents. All of these permissions are configurable for each user / group granted access on Word, PowerPoint and Excel documents.
Label Priority
Label policies require the user to record a justification for changing an existing label to one with a lower priority.
1 - General (lowest)
2 - Sensitive
3 - CG Only
4 - Confidential (highest)
Label Selection
Labels are selected when authoring an email or working with an Office document by choosing a label from the Sensitivity menu in the ribbon.
Outlook desktop app:
Word, Excel or PowerPoint desktop app:
Outlook web app:
Office Web Applications
To select a label when working with Office applications in your web browser, use the Sensitivity menu in the ribbon, just like with the desktop applications. The advanced "Confidential" label cannot be selected from Office web applications. That label is only available in the Office desktop applications.
Limitations / Side Effects
When a label other than General is applied, the document is encrypted. When a document is encrypted, some features available for working with Office documents are not available.
- Co-authoring of Office documents is not currently possible.
- File locks for documents saved in SharePoint or OneDrive spaces are rather slow to clear after a user with the document open and locked closes the document.
- No "auto-save".
- Documents can only be opened by Office applications. Google Sheets, Docs, or other applications cannot open these files.
- Some external users will be shown a warning that encrypted attachments cannot be scanned for viruses and present a security risk.