This article provides guidance for Australian Government organizations on the application of sensitivity labels to meetings and calendar items. Its purpose is to help government organizations increase their security and compliance maturity while adhering to requirements outlined in the Protective Security Policy Framework (PSPF) and Information Security Manual (ISM).
There are two options available to assist the protection of meetings and meeting content:
- Organizations with E5 or A5 licensing can apply sensitivity labels to calendar items.
- Organizations that have the Teams Premium add-on license can extend these protections to the Teams meeting.
Labeling of calendar items
The sensitivity label meetings scope option is available to customers with E5 or A5 licensing and allows for labels to be published to Outlook or Teams calendars. Calendar items can be subject to mandatory labeling configuration. If enabled via label policies, users are prompted to apply a label before they can create a calendar item or send a calendar invitation.
Labeled calendar items receive client-based visual markings to indicate the sensitivity of the invite and/or the meeting's content. Invites forwarded via email receive any configured text-based headers. For example:
Important
If a label applies encryption, then the meeting invite body and any attachments are encapsulated via the label's Azure Rights Management encryption settings, ensuring that only authorized users are able to access the enclosed content. This includes external recipients of the meeting invite.
To enable labeling for calendar items, the Meetings option needs to be selected from within label scope.
Consideration should be given to which labels require the meeting scope option to be enabled. As with groups and sites labels, it isn't always appropriate to enable meetings scope for labels that include Information Management Markers (IMMs).
The following example demonstrates this configuration:
Sensitivity label | Meetings scope option |
---|---|
UNOFFICIAL | ON |
OFFICIAL | ON |
OFFICIAL Sensitive (Category) | OFF |
• OFFICIAL Sensitive | ON |
• OFFICIAL Sensitive Personal Privacy | OFF |
• OFFICIAL Sensitive Legal Privilege | OFF |
• OFFICIAL Sensitive Legislative Secrecy | OFF |
• OFFICIAL Sensitive NATIONAL CABINET | OFF |
PROTECTED (Category) | OFF |
• PROTECTED | ON |
• PROTECTED Personal Privacy | OFF |
• PROTECTED Legal Privilege | OFF |
• PROTECTED Legislative Secrecy | OFF |
• PROTECTED CABINET | ON |
The configuration setting from the previous table demonstrates that any meeting attachments (which are more likely to contain actual sensitive data) can have IMMs applied without impacting the label applied to the meeting as auto-labeling won't recommend label changes within a set of sublabels.
However, if a meeting is labeled with a lower tier label, such as OFFICIAL, and then a higher tier attachment, such as PROTECTED, is added to it, then label inheritance settings take effect, recommending that the user uplift the label applied to the meeting to PROTECTED. Accepting the recommendation ensures that the meeting invitation's content is treated in line with the highest label applied to it.
Label inheritance doesn't change text-based markings applied to meeting invitations. Label-based Data Loss Prevention (DLP) policies outlined in preventing inappropriate distribution of security classified information do apply, however, including those applying subject markings to email.
Note
Label inheritance applies via item attachments only. Sharing links included in meeting invites don't uplift the label applied to a meeting. Label inheritance doesn't currently have the ability to check labels applied to Azure Rights Management encrypted attachments. DLP policies, such as those discussed in Preventing inappropriate distribution of security classified information are required to protect such content attached to meeting invitations.
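The inheritance behaviour described above and in the preceding note, modelled as an added example (not Microsoft's code and not part of the original article). The tier ordering, the `Item` type and the `evaluate_invite` function are assumptions made for illustration; the second return value lists the items inheritance doesn't evaluate, which are the ones that depend on DLP coverage.

```python
from dataclasses import dataclass
from typing import Optional

# Tier order (lowest to highest) for the example taxonomy; an assumption of this model.
TIERS = ["UNOFFICIAL", "OFFICIAL", "OFFICIAL Sensitive", "PROTECTED"]

def tier_of(label: str) -> int:
    """Map a label or sublabel, e.g. 'PROTECTED Legal Privilege', to its tier index."""
    # Longest name first so 'OFFICIAL Sensitive ...' is not matched as 'OFFICIAL'.
    for name in sorted(TIERS, key=len, reverse=True):
        if label == name or label.startswith(name + " "):
            return TIERS.index(name)
    raise ValueError(f"unknown label: {label!r}")

@dataclass
class Item:
    name: str
    label: Optional[str]          # None when the item carries no label
    kind: str = "attachment"      # "attachment" or "link"
    rms_encrypted: bool = False   # Azure Rights Management encrypted

def evaluate_invite(meeting_label, items):
    """Return (tier to recommend or None, names of items inheritance skips)."""
    meeting_tier = best = tier_of(meeting_label)
    skipped = []
    for item in items:
        # Sharing links and encrypted attachments are not evaluated by inheritance.
        if item.kind == "link" or item.rms_encrypted:
            skipped.append(item.name)
        elif item.label is not None:
            best = max(best, tier_of(item.label))
    # Same tier means same set of sublabels: an IMM alone triggers no recommendation.
    # Which meetings-scoped label is offered inside the tier is not modelled.
    return (TIERS[best] if best > meeting_tier else None), skipped

# Constructed sample invite, not taken from a real tenant.
SAMPLE = [
    Item("agenda.docx", "OFFICIAL"),
    Item("legal-brief.docx", "PROTECTED Legal Privilege"),
    Item("budget.xlsx", "PROTECTED", rms_encrypted=True),
    Item("team-site-link", "PROTECTED", kind="link"),
]

if __name__ == "__main__":
    print(evaluate_invite("OFFICIAL", SAMPLE))      # uplift recommended, two items skipped
    print(evaluate_invite("PROTECTED", SAMPLE[:2])) # same tier, no recommendation
    print(evaluate_invite("OFFICIAL", SAMPLE[2:]))  # only skipped items, no recommendation
```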
Government organizations should consider correlation between the Meetings label scope option and PSPF's intent of applying classifications to information. The Meetings and calendar items label scope option allows us to extend classification principles, such as those from Requirement 59, to these extra item types.
Requirement | Detail |
---|---|
PSPF 2024 - 08. Classification System - Requirement 59 | The value, importance, or sensitivity of official information (intended for use as an official record) is assessed by the originator by considering the potential damage to the government, the national interest, organisations, or individuals that would arise if the information’s confidentiality were compromised. |
In addition, meetings and calendar item scope allows us to extend marking capabilities included in to calendar items (aligned to Requirement 61), and allows for the application of operational controls (for example, item encryption) relevant to the sensitivity of items (Requirement 71).
Requirement | Detail |
---|---|
PSPF 2024 - 09. Classifications & Caveats - Requirement 61 | Security classified information is clearly marked with the applicable security classification, and when relevant, security caveat, by using text-based markings, unless impractical for operational reasons. |
PSPF 2024 - 10. Information Holdings - Requirement 71 | Entity implements operational controls for its information holdings that are proportional to their value, importance, and sensitivity. |
For more information on the application of sensitivity labels to calendar items, see Use sensitivity labels to protect calendar items, Teams meetings, and chat.
Teams Premium label configuration
Important
This article assumes you have Teams Premium licenses and they're enabled. Without this licensing applied, you're unable to enable Teams Premium label scope options.
E5 licensing allows us to enable the Meetings label scope option and apply sensitivity labels to meetings. Microsoft Teams Premium is an add-on license that includes a range of features, some of which are out of scope of this article. However, it also includes several enhanced security controls that can be applied to Teams meetings. These features are grouped into a category of capabilities referred to as Protected meetings, and include:
- Watermarks for meetings
- Policies and templates to control settings like lobby bypass and copy and paste of chat content
- Granular control over recording permissions
- End-to-end encryption for online meetings (including multiple-participant meetings)
These controls extend markings and the capabilities referred to in the previous section, all the way through to actual Teams meetings, where visual markings can be applied to the Teams interface to indicate the sensitivity of the content being discussed.
Watermarks containing the signed-in user's User Principal Name (UPN) can be applied to meeting backgrounds. These watermarks are intended to help dissuade users from inappropriately disclosing information. If a session were to be recorded via a non-Teams application or external device, the recording is marked with the attendee's identity. The user is identified as the originator of the unauthorized recording.
Meetings templates
Teams Premium introduces Teams meeting templates that allow Teams administrators to preconfigure meeting settings selected by users when scheduling a meeting. These templates allow control of the following settings:
Setting | Description |
---|---|
Chat | Control chat for meeting attendees, including whether chat is available before and after the meeting. Also allows control over copying chat content to the clipboard. |
End-to-end encryption | Control end-to-end encryption for meeting video and audio. |
Lobby | Control who can bypass the lobby and join the meeting directly. |
Manage what attendees see | Control whether meeting organizers can preview and approve content being shared on screen before other meeting participants can see it. |
Mic and camera for attendees | Controls mute and camera use for meeting attendees. |
Notify when callers join and leave | Play a sound when people calling in by phone join or leave the meeting. |
Q&A | Control use of the Q&A feature during the meeting. |
Reactions | Control use of reactions and hand raising in the meeting. |
Recording | Control who can record and if the meeting is recorded automatically. |
Sensitivity label | Specify the sensitivity label to be used for the meeting. |
Watermarks | Apply watermarks to camera feeds and content that is shared on screen in the meeting. |
These templates can be made available to users by targeting the templates at specific groups of users.
These templates can be targeted to users via Teams admin configuration or can be aligned with label configuration, allowing for settings to be controlled based on the sensitivity of a meeting.
This is an example of granular control of meeting settings based on the label applied to the meeting:
Setting | OFFICIAL | OFFICIAL: Sensitive | PROTECTED |
---|---|---|---|
Allow Camera | On | On | On |
Allow mic | On | On | On |
Apply watermark | Off | On | On |
End-to-end encryption | Off | Off | On |
Meeting chat | On | In-meeting only | In-meeting only |
For more information about these features, see Overview of custom meeting templates in Microsoft Teams.
Sensitivity labels application to meetings
Once the Meetings label scope option is enabled and Teams Premium licensing is applied to the environment, Teams meeting scope options become available within the label configuration.
Some options, such as lobby and presentation settings, can be configured via other methods, such as via the Teams admin center. Configuring these options per-label allows for granular control of these settings based on the sensitivity of items.
Teams meeting end-to-end encryption
Microsoft Teams end-to-end meeting encryption (E2EE) allows for extended encryption of Teams meetings. Without this feature enabled, Teams data is still encrypted. However, E2EE adds extra layers of protection by ensuring that only meeting participants can decrypt meeting data. This prevents all nonspecified parties from accessing the content.
When Teams meetings are encrypted via E2EE, a padlock icon is visible at the top of the Teams call screen. This padlock icon is similar to the one visible on label-encrypted email and documents.
PSPF 2024 Section 9.3 lists the minimum protections and handling requirements for security classified information across various different device types. This includes encryption requirements for data transmission. Australian Government organizations have the option of making use of Teams end-to-end encryption as a way of applying different encryption methods to data, furthering information security for security classified information. For example:
Security classification | Transmission requirements |
---|---|
OFFICIAL Sensitive | OFFICIAL: Sensitive (or higher) network. Encrypt if transferred over public network infrastructure or through unsecured spaces (including Zone 1), unless residual risk of not doing so has been recognized and accepted by the CSO/CISO. |
PROTECTED | PROTECTED (or higher) network, otherwise encryption required. |
Important
Enabling E2EE disables some Teams service features. For this reason, careful consideration of the impact of E2EE is required.