Tag: UnifiedLabels

S for Security in EMS – Azure Information Protection

Even though Azure Information Protection is included within the EMS package, I would recommend using the Office 365 Unified Labeling instead.

Those labels, which can be either Sensitivity or Retention labels, and their capabilities come with the Office 365 E3 or Office 365 E5 license.

Why should you use Unified labels, you say?

Well, in my opinion you should keep it as simple as possible for your users. By embracing the Unified labels within Office 365, users don't have to think about using a labeling client to manage their labels. Unified labels are built into the Office applications, both the web and the installed ones, and are also embedded in the mobile applications. That means users can label on any device with any application.

When using Azure Information Protection, the internal IT department of your company needs to roll out the AIP Client to all machines, and the drawback here is that web applications and mobile applications are not eligible for this client.

So!

Start by creating some labels from the Security & Compliance center and play around with creating watermarks and encryption, and deploy to test users at first to be able to test your policies.

Head into https://protection.office.com/ and navigate to “Classifications -> Sensitivity labels” and from here create a new label.

[Screenshot: Office 365 Security & Compliance, Classification > Sensitivity labels (https://protection.office.com/sensitivity?viewid=sensitivitylabels). The Labels tab shows the “Create a label” and “Publish labels” actions and two existing labels: “Classified - Web only from not compliant clients” and “Highly classified - Block access from not compliant devices”.]

Follow through with the wizard

[Screenshot: the “New sensitivity label” wizard. Steps: Name & description, Encryption, Content marking, Endpoint data loss prevention, Site and group settings, Auto-labeling for Office apps, Review your settings. The first step, “Name your label”, has the fields Name (here “Classified”), Tooltip and Description, and notes that the protection settings you choose for the label are enforced immediately on the files, email messages or sites to which it is applied.]

And when going through the wizard you need to make some decisions on what the policy should do.

  • Encryption
    • Yes or no, and what permissions should be set automatically on your files.
    • Should the access to the file expire on a given date or a number of days after encryption?
    • Allowing offline access to files could be convenient for some.
  • Should the content be watermarked?
  • Add a DLP policy from the Endpoint (Windows Information Protection, WIP).
  • Use this label to protect Office 365 groups (Teams and SharePoint sites also)
    • Here you can choose if the created SharePoint site, Team or Office 365 Group should have restricted access from unmanaged devices and such.
  • Use auto-labeling based on conditions
    • This feature requires E5
    • You can automatically label documents when, for example, a Norwegian passport number is written in a document.

That's it! You have created your first label – quite easy.

But before going big-scale you need to evaluate how your company should label documents: General, Confidential, Highly confidential and so on.

My best tip there is to create a table of the labels you think you need and describe the “rules” for when to apply each label. For example, financial data should maybe be labeled highly confidential while some company flyers should have “General”.

S for Security in EMS – Overview
Part 1 – S for Security in EMS – Azure AD Premium
Part 2 – S for Security in EMS – Information Protection
Part 3 – S for Security in EMS – Microsoft Intune
Part 4 – S for Security in EMS – Advanced Threat Analytics
Part 5 – S for Security in EMS – Cloud App Security

Using the new Sensitivity labels in Teams and SharePoint

These days the preview of Sensitivity labels in Microsoft Teams and SharePoint is rolling out, and I got the new feature up and running in my tenant already!

If you have been waiting on this feature you may have noticed that the rollout came in stages and is taking some time to be rolled out.

After opting in to the preview feature by following the guidelines from docs.microsoft.com, you can start creating your new Sensitivity labels tailored for Office 365 groups, SharePoint sites and Microsoft Teams.

Head into the Compliance center, create a new label and set the settings you want to test! In my case I created two new labels (naming is for test and to make it easy for me to divide these two :))

Basically, now you can finally block untrusted devices from gaining access to highly confidential information stored within SharePoint or Teams – AND also prevent guests from being invited into the site.

For this to work you need to be using Intune as well, so that company devices such as computers, laptops and mobile devices can be marked as compliant devices.

Another useful scenario for this is when you only allow limited, web-only access to a site or team; you then block downloads from untrusted devices such as kiosks, home computers etc.
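The two test labels described above can also be created from Security & Compliance PowerShell instead of the wizard, and published to a pilot user first as recommended earlier on this page. This is an added example, not the author's own script: the internal label names, tooltips, policy name and the `contoso.example` accounts are placeholders, and it assumes the tenant has already opted in to the container-label preview.

```powershell
# Added example: needs the ExchangeOnlineManagement module and a compliance admin role.
# Account names, internal label names and the policy name are placeholders (assumptions).
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'

# Settings shared by both labels: site/group protection on, private, no guest access.
$common = @{
    SiteAndGroupProtectionEnabled                 = $true
    SiteAndGroupProtectionPrivacy                 = 'Private'
    SiteAndGroupProtectionAllowAccessToGuestUsers = $false
}

# Label 1: unmanaged devices get limited, web-only access (downloads blocked).
$webOnly = $common + @{
    Name                                     = 'Classified-WebOnly'
    DisplayName                              = 'Classified - Web only from not compliant clients'
    Tooltip                                  = 'Sites and teams that may only be opened in the browser from unmanaged devices.'
    SiteAndGroupProtectionAllowLimitedAccess = $true
}
New-Label @webOnly

# Label 2: unmanaged (non-compliant) devices are blocked completely.
$blocked = $common + @{
    Name                              = 'HighlyClassified-Block'
    DisplayName                       = 'Highly classified - Block access from not compliant devices'
    Tooltip                           = 'Sites and teams that may only be opened from compliant company devices.'
    SiteAndGroupProtectionBlockAccess = $true
}
New-Label @blocked

# Publish both labels to a single pilot user before any wider rollout.
New-LabelPolicy -Name 'Pilot - site and team labels' `
    -Labels 'Classified-WebOnly', 'HighlyClassified-Block' `
    -ExchangeLocation 'testuser@contoso.example'

# Review what was stored for each label before widening the policy scope.
Get-Label -Identity 'Classified-WebOnly'     | Format-List Name, DisplayName, LabelActions
Get-Label -Identity 'HighlyClassified-Block' | Format-List Name, DisplayName, LabelActions
```

A newly published policy can take some time to reach the pilot user, so test the device restrictions only after the labels are selectable when creating a team or site.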

What do you think of this new feature?

I can't wait to go into production with this!

© 2020 IdefixWiki
