SC-400 Microsoft Information Protection Administrator – Implementing and Managing Sensitivity Labels

  1. Configuring & Publishing Automatic Labeling Policies (excluding MCAS scenarios)

I now want to focus on publishing sensitivity labels automatically, okay? So to do this, we’re going to look at portal Microsoftcom. We’re going to click the Show All lip symbol. We’re going to go to the compliance center by clicking on the compliance blade, that’s going to bring us into compliancemicrosoftcom.

From there, we’re going to go down to information protection, all right? And we’re going to focus this time just on auto labeling, all right? So we’re going to go ahead and click on auto labeling and we’re going to click to create auto labeling policies, all right? From there we can choose what this auto label information is going to involve, whether it’s going to be financial, medical, and health privacy. You can also do custom, okay? So if you’ve got a custom information type that you want to point to, you can do that, right?

So I’m going to go ahead and click Next, and then I can give it a name. We’ll just call this business confidential demo. I’m just going to put the word demo on there, all right? Because I know I’ve got some other labels that I’ve been testing with this. But I’m going to click Next, and then from there I can choose my locations, whether it’s going to be Exchange, SharePoint OneDrive. I can go ahead and select those and then we’ll click Next. And by the way, of course you can set the groups the users and groups, the SharePoint sites or the OneDrive accounts, okay? We’ll click next. We can say define a set of common rules for all locations. Or if you want to do advanced rules, you can have different rules for each location.

All right? So you can see, I can set different rules for Exchange, different rules for Share, point different rules for OneDrive. Okay, so I can set those to whatever one. I can add my conditions that I want to set, right? So if this is content, it’s going to include some kind of sensitive info type. Okay, we’ll go through here. We’ll look for we’ll just say US. Driver’s license, bank account, us. UK. Passport. So we’ll just add Social Security. So we’ll add those and I’ll just say PII for Exchange, all right, so give that a name, click Save, all right? We could do the same thing for SharePoint. So we’ll click Next, set the rule for SharePoint, add the conditions, sensitive info types. We’ll go there. If you wanted to do different info types, you could, right?

I’m just kind of clicking the ones that I want to use. All right, we’ll say PII for SharePoint and you can modify the confidence levels and how many it’s looking for and all that. And then we’ll do the same thing for one drive. So one drive condition, sensitive info types, add, choose the info you want. So it’s really just kind of rinse and repeat. You can select what you want here. So I’ll say PII four, one drive all right. Just to kind of give it a name. So at that point, we’ll click next and we’re going to choose label to Auto Apply. So we’ve already created sensitivity labels in the past. All right, I’m just going to go with the one called Business Secure that I’ve created in the past.

All right? And it does warn you. It says since the encryption is turned on, a large amount of content might be automatically encrypted when this label is applied. Turning on Encryption Impacts, Office, Word, PowerPoint, Excel, they have the label because these files will be encrypted for security reasons, performance will be slow when it’s open. So they’re just kind of warning you that this is going to affect performance. Okay, so I’m going to go ahead. That’s fine. I’m going to click next. And one thing of note here, you’re not allowed to just turn this on immediately. It tells you to help you determine whether the label will be applied to the correct items. You’ll need to run the Policy and Simulation Mode before turning it on.

You can do this right away or you can wait until later. So I’m going to say run in simulation mode. Or if I want to just leave the policy turned off and then do it later, I can. So I’m going to say run in simulation mode. All right. At that point, we’ve got our auto labeling policy created fully. You can see the green check mark. Now let me warn you, too. If you get an error that tells you that you haven’t enabled Auditing, then that means you didn’t go through and enable Auditing like it should have been done earlier. If you need to enable Auditing, if you get an error, then the way you’re going to do that is just go back over here to Compliance. You’re going to go to the Auditing blade right here, audit. And just make sure that there’s going to be a little button right here. You’re just going to click to turn that on. Keep in mind it can take about an hour to turn that on, so it’s kind of a forewarning. But other than that, we’ve now created our auto labeling policy.

  1. Viewing Sensitivity Labels as an end user

Okay, I now want to take a look at actually how a user could open up like Microsoft Word for example, and apply a sensitivity label to a document if they wanted to. To start though, I want to look at one of the sensitivity labels that I’ve created. I’m going to go here to portal Microsoft. com. I’m going to click the Show All lip symbol. We’re going to go to the Compliance Center by clicking on Compliance. That’s going to take us to Compliance Microsoft. com. And then from there we’ll go right here we have Data Classifications which is where we have our sensitive info types which gets into the different things that we want to look for if we want to auto apply sensitivity labels. And then if we go down to Information Protection, this is where we’re going to have our labels.

Okay? So if I go right here, I’m going to wait on my labels to load up. And then I’ve got this one here called Confidential info. I’m just going to click on that and right now I’ve got this set up so I don’t have auto labeling turned on. And this one’s just going to be a manual label and I’ve got a watermark that is going to say the word Confidential. Okay? So I just wanted to kind of show that. Now I could edit this label, I could add more of the sensitive info types that we have up here under Data Classification if we want. But I’m not going to go back into all that. I just mainly wanted to show you that particular label that we’ve got and we’re going to open up now. We’re going to go to Portal office. You can also go to WWW. OFFICE.

COM and we’re going to go to Microsoft Word and open up this Word document. Of course at that point we could have a document that’s got all kinds of confidential data in it. I’m just going to put some random text in here, pretend like this is a real document that a user is actually putting information into. So I just put some info in there and if we come up here to the right, you’ll see this little symbol here called Sensitivity. This little sensitivity symbol, I can drop that down. I’m going to choose confidential info. All right. And at that point you’ll notice down here at the bottom it says Confidential Info is tagged down here. Now watch what happens if I go and I try to print this document. So I’m just going to say print and we get a print preview and look at the watermark.

So there’s the watermark. Of course we could have made that watermark much bigger in the label if we wanted to. But yes, if I print this document, even if I save it to a PDF file, it’s going to have that information. It’s going to have that word Confidential written and I could have done a header and a footer and that’s all stuff that you’ve seen in going through creating a sensitivity label. But hopefully this gives you a little bit of a visual. I encourage you to try stuff yourself on this. Try create some labels for some of your different office products and all that. Join a computer to the cloud and you can have it download and installed within your office environment locally as well and give that a shot and see how that plays out for you. But as you can see, the label did successfully become available to me and was able to tag this document as a basically confidential info.

  1. Monitoring Data Classification and Label usage by using Label Analytics Tools

So one of the things that you want to consider after working with sensitivity labels in your environment for a while is that you’re going to want to keep an eye on things. You’re going to want to be able to monitor what the users are doing, how often this is being used, and also try to find out if maybe users are getting errors or if they’re misusing it or whatever. So to do this, there’s various tools we have available to us and I’m going to go ahead and show some of that to you. We’re going to start out on Portal Microsoft. com. We’re going to go to show all, we’re going to go to the Compliance Center here and load that up. And the first thing I’ll show you is that we have a couple of nice little reports we can take a look at. So we’ll go over here to reports and once we go to reports we have How Labels Replied, how Labels classified as Records, top Five Labels. And each one of these, it’s really neat because you can look at the usage. You can click on these as well.

For example, if I want to do this one here, I can click View Details and can I see information about what’s going on in the last 90 days. Now granted, if you haven’t really had a whole lot going on in your environment, you’re probably not going to have a whole lot of labels to even look at here because of the fact that you’ve got a trial environment or whatever. But you can go through and you can do a bunch of labeling of things, a bunch of classification labels, and have those manually deployed if you want, or automatically deployed, you can go through and pull up these reports and take a look at these reports. All right? The other neat thing about these reports, once they get generated, is you can export them as well. All right, so that’s kind of cool. Definitely something to check out. Let me warn you though, you got to be patient with this. If you got a trial tenant like I’ve got a trial tenant right now and you’ve applied labels, this can take a while, up to 24 hours before the initial reports start showing up. All right, so just heads up on that. But definitely some nice little reports to look at. And most of the reports are pretty self explanatory. They tell you pretty much what they are as you look at it and you can pull those up. The second thing you can do is you can go over to up here where it says Data Classification and you have Content Explorer and you can browse Exchange OneDrive SharePoint and look at the different content that’s available. All right? And keep in mind that some of this is still kind of in a preview mode. And so in preview mode there might be a few issues with it. Microsoft is still working on it. And then also, again, let me warn you that if you’ve recently just started messing with labels, it could be 24 hours or so before you go into this.

It may throw an error message. And then you’ve got once you get in there, though, you can actually look at the data classifications for the content in those locations. And then you’ve also got Activity Explorer. Activity Explorer will show you all the activities that have gone on. And you can see that I’ve got a few activities here that were performed, labels being applied or changed. And of course, I can click on that and I can see information about it, client IP address, the person who did it, the document. So you get some pretty valuable information from that. This is one of those things that I encourage you to play around with it yourself and just kind of get a feel for it. If you’ve got a production environment that you can try this in, you’re going to get a lot more information than just playing around with it in a trial environment.

But even if you just got a trial environment, obviously you can also get some valuable information. But you do need to be patient. You need to apply some labels and give them time to get activated. You might even need to wait about 24 hours before you’re going to really see a whole lot of stuff here. But those are your three primary things. The reports blade Content Explorer, which will let you explore the content that you’ve got through these three things. And then also you’ve got Activity Explorer, all right, which is going to give you kind of a quick rundown of what’s going on. And then again, keep in mind you can export this information to CSV and pull it into spreadsheets and all that as well.

img