Tutorial / Cram Notes
Sensitivity labels in Microsoft 365 are tags that can be applied to content such as documents and emails. These labels can enforce protection actions like encryption, content marking, and access restrictions across your organization’s files and emails.
Creating and Configuring Sensitivity Labels
To create and configure new sensitivity labels:
- Open Microsoft 365 compliance center.
- Navigate to Solutions > Information protection.
- Click on + Create a label and follow the prompt to configure label settings.
When configuring sensitivity labels, you can define several protection settings:
- Encryption: It allows you to encrypt documents and emails. You can set permissions that restrict how recipients can interact with the content (viewing, editing, printing, forwarding, and copying).
- Content marking: You can add watermarks, headers, and footers to documents. This visibly marks the content as sensitive.
- Endpoint data loss prevention (DLP): Extend the protection to endpoint devices to prevent unauthorized actions such as copying sensitive data to a USB drive.
- Auto-labeling: Set up conditions that automatically apply labels based on the presence of sensitive information types.
Example of Creating a Sensitivity Label with Protection Settings
Imagine you work for a company that frequently handles confidential financial data. You can create a label called “Confidential Financial” with the following settings:
- Encryption: Set permissions to allow only users within your finance department to edit the content, while others can only view it.
- Content marking: Add a watermark that says “Confidential” diagonally across each page of the document.
Applying and Managing Sensitivity Labels
Once created, sensitivity labels can be published to users and groups within the organization. This involves creating and configuring a label policy:
- Label policies: Determine how labels are published to users and where they can be applied.
- Priority: In case of multiple applicable labels, determine which label takes precedence based on priority order.
Configuring Label Policies for Sensitivity Labels
- In the compliance center, go to Information protection.
- Select the label you created and choose Publish labels.
- Choose users or groups the label should apply to and define the settings for automatic or recommended labeling.
Example of Applying Sensitivity Labels
Following the earlier example, the “Confidential Financial” label could be published to the finance department. This policy ensures that any document created or edited by these users will either recommend or automatically apply this label.
Label Priority and Conflict Handling
Label priority is essential when a document meets conditions for more than one label. You must set the labels priority in the label policy where the most protective label has the highest priority.
Label Name | Priority | Protection Settings |
---|---|---|
Confidential Financial | 1 | Encryption, Content Marking |
Internal Use | 2 | Content Marking |
Public | 3 | None |
In this table, “Confidential Financial” has the highest priority and will be applied over “Internal Use” if both conditions are met for a document.
Monitoring and Analytics
For an administrator, it is critical to monitor the application of sensitivity labels across the organization’s data estate:
- Audit logs: Review actions related to sensitivity labels such as labeling, label changes, and access attempts contrary to label permissions.
- Analytics: Use dashboards to understand exposure of sensitive information and how labels are being used within your organization.
Enforcing and Troubleshooting Sensitivity Labels
Finally, protection settings only have value if they are enforced and understood. Regularly:
- Review and update: Policies to ensure they still align with organizational requirements.
- Educate users: On how to classify data correctly.
- Troubleshoot: Issues such as labels not appearing or being applied incorrectly.
As part of the SC-400 exam preparation, comprehending how to manage, configure, and enforce sensitivity labels is essential to administering information protection in Microsoft 365. Understanding the practical application of these labels will help ensure that sensitive information within your organization is appropriately protected.
Practice Test with Explanation
True/False: Sensitivity labels in Microsoft 365 can be applied manually by the user or automatically using policies.
- Answer: True
Explanation: Sensitivity labels can be applied both manually by users and automatically through policies based on certain conditions or content detection.
True/False: Once a sensitivity label has been applied to a document, it cannot be changed or removed by the user.
- Answer: False
Explanation: Sensitivity labels can be configured to allow or prevent users from changing or removing them after they have been applied, depending on the settings chosen by the administrator.
Which of the following options can sensitivity labels in Microsoft 365 apply encryption to? (Multiple Select)
- A) Emails
- B) Documents
- C) Teams messages
- D) Calendar items
Answer: A and B
Explanation: Sensitivity labels can be applied to emails and documents to apply encryption. Teams messages and calendar items do not directly support encryption through sensitivity labels.
True/False: Content marking such as headers, footers, and watermarks can be added to documents and emails automatically based on the applied sensitivity label.
- Answer: True
Explanation: Sensitivity labels can be configured to automatically add content markings such as headers, footers, and watermarks to documents and emails.
Sensitivity labels are managed in which of the following admin centers?
- A) Microsoft 365 compliance center
- B) Azure Active Directory admin center
- C) Microsoft 365 admin center
- D) Exchange admin center
Answer: A
Explanation: Sensitivity labels are managed in the Microsoft 365 compliance center.
True/False: Sensitivity labels can be applied only to content stored in Office
- Answer: False
Explanation: Sensitivity labels can be applied to content across various locations, including Office 365, on-premises servers, and third-party services with the appropriate information protection solutions.
Which of the following is NOT a protection setting that can be configured with a sensitivity label?
- A) Access levels in Office apps
- B) Document retention period
- C) Antivirus scanning policy
- D) Offline access permissions
Answer: C
Explanation: Sensitivity labels do not configure antivirus scanning policies; they are more focused on access control, encryption, and content marking.
True/False: If a user forwards an email with a sensitivity label applied, the label and its protections are automatically carried forward to the recipient.
- Answer: True
Explanation: When an email with a sensitivity label is forwarded, the label and its associated protections will carry forward, provided that the label’s settings are configured to do so.
True/False: Sensitivity labels can enforce encryption on files when they are uploaded to third-party cloud storage.
- Answer: True
Explanation: Sensitivity labels can enforce encryption on files regardless of where they are stored, including on third-party cloud storage, provided that the service integrates with Microsoft Information Protection (MIP).
Which PowerShell cmdlet is used to publish sensitivity labels to users and groups?
- A) New-LabelPolicy
- B) Publish-LabelPolicy
- C) Set-LabelPolicy
- D) New-SensitivityLabel
Answer: B
Explanation: The Publish-LabelPolicy cmdlet publishes sensitivity labels to specified users and groups.
True/False: A document with a sensitivity label that enforces encryption will remain encrypted when downloaded locally to a device.
- Answer: True
Explanation: When a document that has a sensitivity label enforcing encryption is downloaded, it retains the encryption to help protect the data regardless of its location.
What type of content can auto-labeling policies for sensitivity labels scan and label in Microsoft 365? (Single Select)
- A) Emails only
- B) Documents only
- C) Both emails and documents
- D) Emails, documents, and instant messages
Answer: C
Explanation: Auto-labeling policies in Microsoft 365 can scan and automatically apply sensitivity labels to both emails and documents.
Interview Questions
What are sensitivity labels, and what can they do?
Sensitivity labels are a feature in Microsoft 365 that allows organizations to classify and protect data based on its sensitivity. They provide an easy way to mark and protect sensitive data across different Microsoft apps and services. Sensitivity labels can be used to define protection settings like encryption, access controls, and visual marking.
How can sensitivity labels help organizations manage their data?
Sensitivity labels can help organizations to classify data, apply protection settings, automate labeling, monitor and protect data, and ensure compliance with relevant regulations.
What steps can organizations follow to manage protection settings and marking for applied sensitivity labels?
Organizations can create sensitivity labels, apply sensitivity labels to data, configure protection settings, monitor sensitivity labels, modify or remove labels, and train users.
How can sensitivity labels be automatically applied?
Sensitivity labels can be automatically applied based on certain conditions, such as content or location.
What is Activity Explorer, and how can it be used to monitor sensitivity labels?
Activity Explorer is a monitoring tool that can be used to monitor how sensitivity labels are being used.
How can organizations modify or remove sensitivity labels?
Organizations can modify or remove labels as needed to update protection settings or change the sensitivity of the data.
What is the purpose of training users on how to use sensitivity labels?
Proper training can ensure that data is properly classified and protected.
What is the role of protection settings in sensitivity labels?
Protection settings define how data is protected based on the sensitivity label applied to it.
How can sensitivity labels be applied to files and emails?
Sensitivity labels can be applied to files and emails through Microsoft 365.
What is the role of encryption in sensitivity labels?
Encryption is one of the protection settings that can be applied to data based on the sensitivity label applied to it.
What is the difference between sensitivity labels and metadata?
Sensitivity labels are used to classify and protect data based on its sensitivity, while metadata provides additional information about the data.
What is the importance of monitoring the use of sensitivity labels?
Monitoring the use of sensitivity labels can help organizations ensure that data is properly classified and protected and that their security and compliance policies are being followed.
What are the benefits of using sensitivity labels in Microsoft 365?
Sensitivity labels can help organizations improve data management, ensure compliance with relevant regulations, and protect sensitive data from unauthorized access or use.
How can organizations ensure that sensitivity labels are being used effectively?
By providing proper training and monitoring the use of sensitivity labels, organizations can ensure that they are being used effectively.
What are some best practices for using sensitivity labels?
Some best practices for using sensitivity labels include creating a clear labeling policy, ensuring that labels are being used consistently, and regularly reviewing and updating label settings to ensure they remain effective.
Can someone explain the process of configuring sensitivity labels in Office 365?
Can sensitivity labels be applied automatically based on content?
How do sensitivity labels integrate with other MIP solutions?
I am having trouble with label priority settings. Can someone help?
Does using sensitivity labels affect document collaboration?
Great article! Thanks for sharing!
What are the best practices for applying sensitivity labels?
How can I track the application of sensitivity labels?