3.2) Information Protection
1. Taxonomy & Deployment Strategy
- The Taxonomy: An enterprise should have a simple, universally understood taxonomy. The industry standard is usually four to five tiers: Public, General/Internal, Confidential, and Highly Confidential (often with sub-labels for specific departments or projects).
- Publishing vs. Creating: Creating a label defines what it does (encrypts, watermarks). Publishing a label via a Label Policy determines who can see it and use it.
- Default Labels: Applying a default label (e.g., General/Internal) to all new emails and documents is the most effective way to baseline tenant security. Ensure this is deployed via policy to a pilot group before tenant-wide enforcement.
- Mandatory Labeling: Forcing users to choose a label before saving a document or sending an email. Often paired with a default label, but requires users to actively downgrade or upgrade the classification.
2. Item-Level vs. Container-Level Labels
This is the most common point of confusion for stakeholders. You must clearly differentiate these.
- Item-Level Labels: Applied directly to a file (Word, Excel, PDF) or an email. The protection (encryption, watermarks) travels with the file, even if it leaves the organization.
- Container-Level Labels: Applied to an M365 Group, Microsoft Team, or SharePoint Site.
- They do not automatically encrypt the files inside the container.
- They control the settings of the container: Privacy (Public vs. Private), External Guest Access (allow or block), and Unmanaged Device Access (web-only access).
- Default Library Labels (The “Bridge”): This is a specific SharePoint Document Library setting, distinct from the site-level label.
- It allows you to set a default sensitivity label for a specific library.
- Any new or edited file in that library will automatically have that item-level label applied.
- Note: This is the tool used to ensure all content in a “Confidential” site actually gets encrypted, as the Container-Level label alone cannot do this.
3. Encryption & Access Control (Azure RMS)
- How it works: When a label applies encryption, the document is wrapped in Azure Rights Management (RMS). The user must authenticate against Entra ID to open the file.
- Granular Permissions: You can define exactly what users can do (e.g., View Only, Edit, Print, Copy).
- User-Defined Permissions (Do Not Forward): A specific label configuration where the IT admin lets the user define who gets access at the time of sending.
- Co-Authoring: By default, documents encrypted by a sensitivity label could not be co-authored in SharePoint/OneDrive. You must explicitly enable “Co-authoring for files with sensitivity labels” at the tenant level (in the Purview portal) to allow multiple users to edit a classified document simultaneously.
4. Auto-Labeling (Requires E5 / Purview Premium)
- Client-Side Auto-Labeling: As the user types sensitive info (e.g., a credit card number) into Word or Outlook, a policy tip recommends applying a specific label, or applies it automatically.
- Service-Side Auto-Labeling (Data at Rest/In Transit):
- Scans SharePoint/OneDrive and Exchange in the background.
- Crucial constraint: Service-side auto-labeling for data at rest can only process a maximum of 25,000 files per day per tenant. It is not an instant remediation tool for a massive legacy file share migration.
5. Troubleshooting & Client Behavior
- Native Labeling vs. AIP Add-in: The legacy Azure Information Protection (AIP) unified labeling client is deprecated. Organizations must use the built-in labeling native to Microsoft 365 Apps (Word, Excel, Outlook).
- Client Sync Delays: When you publish a new label or update a policy, it can take up to 24 hours to appear in a user’s desktop Office applications. Users can force a sync by signing out and back into the Office app, or by closing all Office apps and renaming/deleting the following local caches:
- %localappdata%\Microsoft\Office\CLP (folder)
- HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Security\Labels (registry key)
- PDF Support: Native M365 apps can now read and apply labels to PDFs. Adobe Acrobat also natively supports Microsoft Purview Information Protection, but it must be enabled in the Adobe application settings.
6. Essential PowerShell Cmdlets (Security & Compliance)
- Connection:
Connect-IPPSSession
- Label & Policy Management:
Get-Label (Lists all created sensitivity labels)
Get-LabelPolicy (Lists all published label policies)
Get-Label -Identity "Confidential" | Format-List (View the specific encryption/watermark configurations of a label)
- File Diagnostics (SharePoint Online Management Shell):
Unlock-SPOSensitivityLabelEncryptedFile (Used by an admin to strip encryption from a file if the original owner leaves the company and the file is locked, assuming the admin has the correct eDiscovery/Compliance roles).
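An added audit script, not part of these notes or of Microsoft's documentation, that uses the cmdlets above to check the points from sections 1 to 3 in one pass: labels created but never published, container labels that apply no encryption, encrypting labels and their rights model, and whether each policy sets a default label and mandatory labeling. It assumes the ExchangeOnlineManagement module, a Purview/Compliance admin role, and the label/policy property names and the "[key, value]" Settings layout noted in the comments, which should be confirmed in your tenant.

```powershell
# Added audit script (not from the original notes). Assumes the ExchangeOnlineManagement module,
# a Purview/Compliance admin role, and the property names and "[key, value]" Settings layout used
# below; confirm those with Get-Label | Format-List * and Get-LabelPolicy | Format-List * first.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$labels   = Get-Label
$policies = Get-LabelPolicy

# 1) Created-but-never-published labels: they exist, but no policy exposes them to users.
$publishedNames = $policies | ForEach-Object { @($_.Labels) + @($_.ScopedLabels) } |
                  Where-Object { $_ } | ForEach-Object { "$_" } | Select-Object -Unique
"== Labels created but not published =="
$labels | Where-Object {
    $publishedNames -notcontains $_.Name -and $publishedNames -notcontains $_.Guid.ToString()
} | Select-Object DisplayName, Name | Format-Table -AutoSize

# 2) Container labels that apply no encryption: expected behaviour, but listed because
#    stakeholders assume a "Confidential" site label encrypts the files inside it.
"== Container labels (no item-level encryption) =="
$labels | Where-Object { $_.SiteAndGroupProtectionEnabled -and -not $_.EncryptionEnabled } |
    Select-Object DisplayName, ContentType, SiteAndGroupProtectionPrivacy,
                  SiteAndGroupProtectionAllowAccessToGuestUsers | Format-Table -AutoSize

# 3) Encrypting item labels: template-defined rights vs. user-defined (Do Not Forward style),
#    where the sender decides who gets access.
"== Encrypting item labels =="
$labels | Where-Object { $_.EncryptionEnabled } |
    Select-Object DisplayName, EncryptionProtectionType, ApplyWaterMarkingEnabled |
    Format-Table -AutoSize

# 4) Per policy: default label and mandatory labeling, read from the Settings list.
function Get-PolicySetting {
    param($Policy, [string]$Key)
    foreach ($s in @($Policy.Settings)) {
        if ("$s" -match "^\[\s*$Key\s*,\s*(.*?)\s*\]$") { return $Matches[1] }
    }
    return $null
}
"== Policy baseline settings =="
foreach ($p in $policies) {
    $defaultId    = Get-PolicySetting -Policy $p -Key 'defaultlabelid'
    $defaultLabel = $labels | Where-Object { $_.Guid.ToString() -eq $defaultId } |
                    Select-Object -ExpandProperty DisplayName
    [pscustomobject]@{
        Policy       = $p.Name
        DefaultLabel = $(if ($defaultLabel) { $defaultLabel } else { '(none)' })
        Mandatory    = (Get-PolicySetting -Policy $p -Key 'mandatory') -eq 'true'
    }
}
```

A policy showing DefaultLabel "(none)" or Mandatory False is the gap to close before tenant-wide enforcement; a label listed under section 2 still needs the library-level default label described in the “Bridge” note to get its files encrypted.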