Sensitive Data in Microsoft 365

We pose this question. Do you know where your organization’s sensitive and business critical data is located, how it is being accessed, and how it is being shared? As we speak with customers, we realize that most organizations can’t answer this question definitively. This represents a significant challenge as these very same organizations are also facing numerous worldwide compliance requirements that mandate not only understanding where this sensitive data lives, but also protecting it.

Companies today face a daunting task as they embark on their information protection journey. The amount of data they must find is enormous and is likely to be stored across varying devices and in multiple disparate locations from on-premises to the cloud.

Microsoft has spent several years working with customers to better understand their challenges and to develop Microsoft 365 solutions that leverage intelligence and machine learning to simplify an otherwise complex and manual process. Microsoft is excited to announce several capabilities rolling out in preview for Microsoft Information Protection to help organizations protect their information wherever it lives and wherever it travels.

Knowing your data

The first step in the journey for organizations to better protect their data is to get an understanding of their data landscape. The new Data Classification tab has an overview page that shows you the volume of sensitive data across your digital estate. Currently, data across Exchange Online, SharePoint Online, and OneDrive for Business is categorized by sensitive information types or personally identifiable information (PII).

Keys to understanding where your sensitive data is in Microsoft 365

Activity Explorer shows document-level activities like label changes and label downgrades, such as from confidential to general, across various locations. Understanding these activities gives you the ability to identify the right policies for protection or data loss prevention (DLP) to ensure your most important data is secure.

Classifying your unique data

Not all data is created equal, and every organization on the planet has data that is unique to them, whether these are contracts, invoices, or customer records. You can use artificial intelligence and machine learning to intelligently classify data that is unique to your organization. Built-in classifiers will be able to intelligently detect content such as resumes and offensive language using a combination of words and context, while build-your-own trainable classifiers let you train your own classifiers to look for data that is unique to your organization, such as customer records, HR data, contracts, etc. Now in public preview, these trainable classifiers can be used in combination with retention labels to automatically label data and apply policies. Microsoft is just getting started! The ability to use these classifiers in combination with sensitivity labels will start rolling out into preview by the end of the year.

Data Protection

Once you understand your sensitive data landscape, you are in a stronger position to implement the protection policies to meet internal security goals and external compliance requirements. The following new capabilities are rolling out to help you intelligently protect your sensitive information:

  • Easily apply sensitivity labels in Office apps on Windows, Mac, iOS and Android
  • Automatically label using sensitive info types in Office on Windows, Office for the web, and Teams
  • Protect Power BI artifacts with sensitivity labels
  • Take advantage of support for protected PDF files in Microsoft Edge and Office 365 Message Encryption
  • Extend labeling and protection to third-party apps and services with new partner integrations

Natively applying sensitivity labels in Office

Outlook mobile

Earlier this year Microsoft released additional support for sensitivity labeling built directly into Office apps on Windows, Mac, iOS and Android. Microsoft has recently expanded support for the labeling experience, and now Outlook mobile (iOS and Android) and Outlook on the web also include sensitivity labeling capabilities. The experience is similar to labeling in other Office apps, making it familiar and consistent for end users, enabling them to stay productive while keeping sensitive data secure.

Office for the web

Sensitivity labels are now available in preview natively in Office for the web. The experience is similar to labeling in other Office apps, wherein users can view and manually apply the label. You can also apply a label that has encryption policies to a file in Office for the web, and you get much richer modern productivity experiences, like co-authoring, for encrypted files in Office for the web. You can also govern these encrypted files in SharePoint and OneDrive with Data Loss Prevention and eDiscovery, much like any other files.

Auto-classification now built into Office ProPlus

Office 365 ProPlus on Windows now has the labeling experience built directly in, without requiring any Azure Information Protection plug-ins. While someone is working in a document or an email, if sensitive information is detected, based on the policies defined by your organization, a sensitivity label is either automatically applied or recommended to the user. The preview of automatic labeling is rolling out for Word, PowerPoint, and Excel (Outlook preview coming soon) in Office 365 ProPlus on Windows, as well as Office for the web and Outlook on the web.

Extension to Microsoft Teams and Office 365 groups and SharePoint sites 

Outside of the clients, Microsoft is extending support to Teams, Office 365 Groups, and SharePoint sites. This allows users to create a Team, Group, or Site and simply select the sensitivity label they want applied. The initial site and group policies that can be associated with labels are: privacy, user membership, and unmanaged device access policy. Learn more at

Beyond Microsoft 365

Other productivity tools such as Microsoft Power BI, a leader in self-service and enterprise business intelligence, now also support classification, labeling and protection policies. It’s easy to apply a sensitivity label to Power BI artifacts, including dashboards and reports that are created from one or more data sources. This helps ensure persistent protection of the data even if it is exported to a file format such as Excel, because the exported file inherits the sensitivity label and associated protection settings.

Furthermore, integration with Microsoft Cloud App Security enables an additional level of control – for example, the ability to block the export of sensitive data if the user is accessing from an unmanaged machine. You can learn more in the Power BI blog.

While customers are often most concerned with protecting Office files, PDF files are also pervasive and often contain sensitive information, which is important to protect, such as when sending as an attachment in an email. When using Outlook along with Exchange Online, if you encrypt an email or apply a sensitivity label that results in protection settings, the attached PDF now automatically inherits the protection policy that’s been applied to the email. This helps ensure that both the email and the attachment are only accessible by authorized individuals.

In addition, viewing those labeled and protected PDFs directly from a browser is also important, which is why Microsoft Edge is the only browser to support the ability to view a protected PDF.

On-premises and third parties

To help customers manage sensitive information that resides in on-premises file repositories, an updated version of the Azure Information Protection scanner now supports unified labeling and enhancements to make it easier to manage and scale out your scanner deployments. This includes performance improvements and the ability to group scanners in clusters to make it easier to scale up or down your scanner deployments. Learn more about these updates in our blog.
