Tutorial / Cram Notes
Sensitivity labels are a core component of the Microsoft 365 compliance suite that enables organizations to classify and protect their data, based on its content and context. These labels are used to enforce data governance policies and ensure that sensitive information is handled appropriately.
Sensitivity labels can be applied to documents and emails, and the protections that come with these labels can persist whether the data is inside or outside of the organization. This is a crucial aspect of modern data protection, as it aligns with the need to secure information in an era where collaboration often extends beyond traditional organizational boundaries.
How do Sensitivity Labels Work?
Sensitivity labels are created by administrators through the Microsoft compliance center. Once created, they can be published and made available to users within the organization. These labels can be applied manually by the user, automatically by administrators who define rules and conditions, or a combination of both, using recommendations.
When a sensitivity label is applied, it can enact the following protections:
- Encryption: Restrict access to the content to specific individuals or groups.
- Content marking: Insert headers, footers, or watermarks to documents.
- Access restrictions: Enforce policies like ‘Do not forward’ or ‘Do not print’.
- Visual labeling: Display the label in the header or footer of the document or email.
- Metadata: Embed the label information into the document’s properties.
Sensitivity Label Capabilities
To enhance clarity, let’s look at a comparison table of the capabilities that sensitivity labels can offer:
| Capability | Description |
| Classification | Assigns a sensitivity label to data. |
| Protection | Applies encryption and access restrictions. |
| Marking | Adds visual markings like headers or watermarks. |
| End User Labeling | Allows users to apply labels manually. |
| Automatic Labeling | Applies labels based on content detection or policy. |
| Recommendations | Suggests a label to the user based on content. |
| Persistence | Protection persists even when data is shared outside the organization. |
| Monitoring and Analytics | Provides insights into labeled content and how it’s being used. |
Examples of Sensitivity Labels
Let’s look at some practical examples of how sensitivity labels might be used in an organization:
- Confidential Project Documents: A document that contains confidential information about a new product could be labeled “Confidential”. This could automatically encrypt the document and restrict access to only the project team members.
- Internal Only Emails: An email that should only be read by employees could be labeled “Internal”. This may add a watermark and prevent the email from being forwarded outside the corporate domain.
- Public Reports: A document meant for public distribution could be labeled “Public”. This label might not apply any restrictions but could track how the document is distributed.
Implementation Insight
When implementing sensitivity labels, administrators should consider the following:
- Identify data types: Understand the kinds of data that need protection within the organization.
- Define protection actions: Determine the specific protections each type of data requires.
- Create labeling policies: Develop policies that dictate how and when labels should be applied.
- Educate users: Train users on the importance of data classification and how to apply labels.
- Monitor label usage: Use label analytics to monitor compliance and adjust policies as necessary.
Sensitivity labels form a critical part of the Microsoft Security, Compliance, and Identity ecosystem. Through the SC-900 exam, Microsoft tests an individual’s understanding of these labels, ensuring that they comprehend both the functionality and the importance of proper implementation for securing sensitive data within an organization.
Practice Test with Explanation
True/False: Sensitivity labels can be applied to content automatically based on certain conditions.
- True
True
Sensitivity labels can be automatically applied to content such as emails and documents based on predefined conditions like the presence of sensitive data.
True/False: Once a sensitivity label is applied to a document, it cannot be changed or removed by the end-user.
- False
False
The ability to change or remove a sensitivity label by the end-user depends on the label’s permissions configured by the admin. Users might be able to change or remove the label if the permissions allow.
Multiple Select: Which of the following can sensitivity labels be applied to? (Select all that apply)
- A) Emails
- B) Documents
- C) Teams chats
- D) Calendar entries
A, B
Sensitivity labels can be applied to emails and documents to classify and protect the content. They are not applied to Teams chats and calendar entries directly.
Single Select: What can sensitivity labels in Microsoft 365 enforce?
- A) Encryption
- B) Content marking
- C) Access restrictions
- D) All of the above
D
Sensitivity labels in Microsoft 365 can enforce encryption, content marking (e.g., headers, footers, watermarks), and access restrictions to protect sensitive information.
True/False: Sensitivity labels are exclusively for use within the Microsoft 365 suite and do not work with non-Microsoft products.
- False
False
Sensitivity labels can be used with non-Microsoft products as well, especially with the help of Microsoft Information Protection SDK.
True/False: Sensitivity labels can be used to control external sharing of documents and emails.
- True
True
Sensitivity labels can be configured to restrict external sharing, helping organizations control the flow of sensitive information.
Single Select: Who is responsible for the creation and management of sensitivity labels in an organization?
- A) Microsoft
- B) The organization’s IT administrator
- C) End users
- D) Third-party vendors
B
Sensitivity labels are created and managed by the organization’s IT administrator who defines the labeling policies and rules.
Multiple Select: What kind of rules can be used to automatically apply sensitivity labels? (Select all that apply)
- A) Content contains specific keywords
- B) Content shared to a specific domain
- C) Content created by a certain department
- D) Content containing sensitive information types (e.g., credit card numbers)
A, D
Sensitivity labels can be automatically applied when content contains specific keywords or sensitive information types (like PII or credit card numbers). They are not applied based on the domain to which the content is shared or which department created it.
True/False: Sensitivity labels in Microsoft 365 can be applied to both files and emails, but not to containers such as SharePoint sites.
- False
False
Sensitivity labels can also be applied to containers like SharePoint sites, Office 365 groups, and Microsoft Teams, in addition to files and emails.
True/False: Sensitivity labels can help organizations remain compliant with industry regulations.
- True
True
By controlling access to and marking sensitive content, sensitivity labels can help organizations adhere to various industry regulations and compliance requirements.
Single Select: Which of the following options is a capability of sensitivity labels in Microsoft 365?
- A) Anti-virus scanning
- B) Content retention
- C) Assigning privileges in Azure Active Directory
- D) Preventing data loss
B
Although sensitivity labels themselves don’t handle anti-virus scanning or assign privileges in Azure AD, they can specify retention rules, which contribute to content lifecycle management.
True/False: Sensitivity labels are the same as retention labels and serve the same purpose.
- False
False
Sensitivity labels and retention labels are distinct. Sensitivity labels focus on ensuring the confidentiality and access controls of the content while retention labels deal with how long the content is retained based on regulatory, legal, or business requirements.
Interview Questions
What are sensitivity labels in Microsoft 365?
A Sensitivity labels in Microsoft 365 are a way to classify and protect your organization’s sensitive information based on its level of confidentiality.
What types of sensitive information can be protected with sensitivity labels?
A Sensitivity labels can be used to protect a wide range of sensitive information types, including documents, emails, and sites.
How are sensitivity labels applied to documents and other content?
A Sensitivity labels can be applied manually by users, or automatically by using policies that are defined by administrators.
What are the benefits of using sensitivity labels?
A The benefits of using sensitivity labels include greater control over your organization’s sensitive information, improved compliance with regulations, and reduced risk of data breaches.
Can sensitivity labels be customized to match an organization’s specific needs?
A Yes, sensitivity labels can be customized to include specific metadata, colors, and visual markings that align with an organization’s policies and compliance requirements.
How are sensitivity labels enforced in Microsoft 365?
A Sensitivity labels can be enforced through various security controls, such as Data Loss Prevention (DLP) policies, Information Protection policies, and Azure Information Protection (AIP) labels.
How do sensitivity labels integrate with Microsoft Teams and SharePoint?
A Sensitivity labels can be used to protect Microsoft Teams and SharePoint content, providing an additional layer of security for collaboration and content sharing.
What is the process for creating and managing sensitivity labels?
A Sensitivity labels can be created and managed through the Microsoft 365 compliance center or the Azure Portal, with options to apply them to specific locations or content types.
Can sensitivity labels be used to track the usage and activity of sensitive content?
A Yes, sensitivity labels can be used in conjunction with activity tracking and auditing to provide insights into how sensitive content is being accessed and used within an organization.
How can organizations get started with using sensitivity labels?
A Organizations can get started with sensitivity labels by defining their information protection needs, creating customized labels, and implementing policies and controls to enforce them across their environment. Microsoft offers a range of resources and training materials to help organizations get started with sensitivity labels.
Sensitivity labels are a powerful feature in Microsoft 365 for classify and protect sensitive content.
Can anyone explain how sensitivity labels differ from retention labels?
What is the relationship between sensitivity labels and Azure Information Protection?
I appreciate the detailed blog post on sensitivity labels!
Does applying a sensitivity label automatically encrypt my files?
Sensitivity labels can include protection settings like encryption, but it’s an optional configuration.
I’ve faced issues with sensitivity labels not being applied consistently. Any insights?
Sensitivity labels are great, but they require careful planning to align with company policies.