New labeling capabilities in Office apps help you protect sensitive information

January 28, 2019
The original article is published on the Microsoft Tech Community Security, Privacy and Compliance Blog.

At the last Microsoft Ignite conference we announced several capabilities to help you better protect your sensitive information, wherever it lives or travels – across devices, apps, cloud services and on-premises. Our goal is to provide a consistent approach to discovering, classifying, labeling and protecting sensitive data. Today we’re announcing the general availability of sensitivity labeling built natively into Office apps on Mac, iOS and Android.  

Apps now supporting end-user driven sensitivity labeling include:

  • Office for Mac: Word, PowerPoint, Excel & Outlook
  • Office mobile apps for iOS: Word, PowerPoint & Excel (Outlook coming soon)
  • Office mobile apps for Android: Word, PowerPoint & Excel (Outlook coming soon)

With these new capabilities, users can easily apply sensitivity labels to documents and emails – based on the labels defined by your organization. The experience is built directly into Office apps, with no need for any special plugins or add-ons. It looks and feels like the familiar Office experience, which makes it easy for workers to use.  

Applying sensitivity labels not only helps you protect company confidential information, but also plays an important role in addressing compliance obligations, such as GDPR. Suppose that someone in the HR department is working on an Excel file that contains personal information, such as employee mailing addresses. Knowing that this information should be protected and kept private, the worker can select a “Confidential-PII” sensitivity label while in Excel, and the label applies the appropriate protection settings as configured by the organization.

Simple and consistent experience for end-users

The screenshots below illustrate the end-user experience in Office apps on Mac. The Sensitivity drop-down menu makes it easy to view the available labels and select the appropriate option. The experience is similar across Word, PowerPoint, Excel and Outlook.

Apply sensitivity labels in Office apps on Mac – encryption, rights restrictions and visual markings can be applied, based on your label policy.

For Office mobile apps, the same set of sensitivity labels is available to users. No matter which device or platform they are working on, there is a consistent experience.

Easily apply the same sensitivity labels in Office mobile apps on iOS…

…and in Office mobile apps on Android.

Once a sensitivity label is applied to a document or email, the label persists with the file, even if it travels to other locations, such as other devices, apps or cloud services. Your organization has the flexibility to customize its policy to apply different actions based on which label is selected, including encryption, restricting access to the file or applying visual markings to the document (such as headers/footers or a watermark indicating the file is confidential or contains sensitive information).

An email labeled “Highly Confidential” in Outlook for Mac gets encrypted, and headers & footers are applied.

Administrators can also require users to provide a justification if they downgrade a previously applied sensitivity label – for example, changing a label from “Confidential” to “General”. This can be useful in keeping users accountable and maintaining an audit trail. You can also specify if a default label should be applied to new documents and emails. For example, you can set a “General Business” label to be applied by default, and then end-users can apply a different label based on the content they are authoring.

End-users can be prompted to provide a justification when downgrading a sensitivity label.

Sensitivity labels in documents and emails can also be understood by other apps and services. For example, if a “Highly Confidential” document resides on a Windows device, Windows Information Protection and Windows Defender ATP can work together to block the copying or sharing of content from that document to other locations on the device, such as personal email accounts or social accounts. Our growing ecosystem of partners using the Microsoft Information Protection SDK can also understand sensitivity labels and extend information protection to their own apps and services. 

Getting started and next steps

To use these new labeling experiences, you must first configure your organization’s sensitivity labels in the Office 365 Security & Compliance Center. Once configured, the labels become available in supported Office applications. If your organization has sensitivity labels configured in the Azure portal for Azure Information Protection, you will first need to migrate your labels to the Security & Compliance Center, and then the labels can be used by the updated Office apps. You can find more information on migration steps here.

To learn more about sensitivity labels in Office apps, review the documentation, which provides more information on supported apps and version numbers. Office 365 customers have access to the updated apps now, as of the January update.   

We’re excited to release these new capabilities to help you better protect your sensitive information. In the coming months we’ll expand sensitivity labels to additional Office apps and platforms, including Outlook for iOS and Android, Outlook on the web, Office apps on Windows and Office Online apps. Please check the Microsoft 365 roadmap for the latest information.

We also look forward to hearing your feedback; you can also engage with us and the community on Yammer or Twitter and provide additional feedback on UserVoice.

Discuss this article in the Microsoft Technical Community.