This article provides guidance for Australian Government organizations on the configuration of Microsoft Purview sensitivity labeling. Its purpose is to help organizations to strengthen their approaches to data security and to streamline the deployment of Microsoft Purview capabilities. Recommendations in this guide closely align with requirements outlined in the Protective Security Policy Framework (PSPF) and Information Security Manual (ISM).
Sensitivity labels are created from the Microsoft Purview portal, under the Information Protection menu.
To create a sensitivity label, administrators need to provide a label name, a description for users and some other configuration items, which are discussed in this article.
Label naming
Label name is a unique identifier for a sensitivity label. This field isn't visible to users but is visible to administrators when configuring labels.
Label names can't contain special characters, which means that administrators need to omit certain characters, such as the `:` in 'OFFICIAL: Sensitive.' Some special characters like colons are permitted elsewhere such as in sensitivity label content marking. When marking items, it's the content marking which applies, so lack of colon characters in label names has no effect on PSPF compliance.
The label display name is visible to users when selecting a sensitivity label. It doesn't need to be unique and can contain some special characters. As with label name, display name can't contain the colon `:` character.
The configuration suggested in this guide makes use of a tiered label taxonomy that includes what are referred to as sublabels. A sublabel is a label that sits below another label. Labels with sublabels are referred to as 'parent labels.' In a PSPF aligned configuration, there can be a clash in label naming. For example, OFFICIAL Sensitive can exist as both a parent label and a sublabel.
Parent labels are only used for navigation. Sublabels are what is applied to actual items. There are certain situations where underlying label names can be visible to administrators. For simplicity, Microsoft recommends keeping the sublabel name in alignment with label display name, and naming the parent label differently. For example, apply a prefix to the parent label name, such as 'cat_' for category, to indicate that it's the parent. For example:
Label name (not seen by end user) | Label type | Label purpose | Label display name (seen by end user) |
---|---|---|---|
cat_OFFICIAL Sensitive | Parent label | Used in sensitivity menu to display a set of sublabels. Not applied to items. | OFFICIAL Sensitive |
OFFICIAL Sensitive | Sublabel | Is applied to items and contains configuration. | OFFICIAL Sensitive |
Tip
Underlying label names are of little consequence. For new deployments, it's worthwhile paying attention to label naming. If sensitivity labeling is already deployed, there's little benefit in recreating labels to tidy up label naming.
Label descriptions for users
The label descriptions for users field is displayed to users as 'tooltips' to assist them in their label selection.
Important
Make sure that label description wording is clearly understandable to help ensure correct application of labels to items. If descriptions are poorly worded, there's risk that users could apply incorrect labels to items, resulting in improper data security controls.
Label descriptions should include information on all elements included in a label, such as:
- Classifications
- Caveats
- Information Management Markers (IMMs)
For example, if marking an item as 'OFFICIAL: Sensitive NATIONAL CABINET', be sure to include descriptions for both 'OFFICIAL: Sensitive' and 'NATIONAL CABINET' markings. Without both markings, when a user receives an item and views the label description, they won't have access to descriptions for both elements. Both descriptions are required for a user to understand their full obligations to protect the enclosed information.
Label descriptions examples
The following extract from Protective Security Policy Framework (PSPF) provides basic label description suggestions based on potential damage of compromise. Wording can be tailored to each Government organization's requirements:
Sensitivity label | Label description |
---|---|
UNOFFICIAL | No business impact. No damage. This information doesn't form part of official duty. |
OFFICIAL | Low business impact. No or insignificant damage. This is most routine information. |
OFFICIAL Sensitive (Category) | Low to medium business impact. OFFICIAL information that due to its sensitive nature requires limited dissemination. Compromise of the information would result in limited damage to an individual, organization, or government. |
OFFICIAL Sensitive | Low to medium business impact. Limited damage to an individual, organization, or government generally if compromised. |
OFFICIAL Sensitive Personal Privacy | Low to medium business impact. Limited damage to an individual, organization, or government generally if compromised. Personal Privacy indicates that the item also contains personal information collected for business purposes. |
OFFICIAL Sensitive Legal Privilege | Low to medium business impact. Limited damage to an individual, organization, or government generally if compromised. Legal Privilege indicates that the item also contains information that is subject to legal professional privilege. Compromise of the confidentiality of the information is likely to cause at least limited damage to the national interest, organizations, or individuals. |
OFFICIAL Sensitive Legislative Secrecy | Low to medium business impact. Limited damage to an individual, organization, or government generally if compromised. Information is also subject to one or more legislative secrecy provisions. Compromise of the confidentiality of this information is likely to cause at least limited damage to the national interest, organizations, or individuals. |
OFFICIAL Sensitive NATIONAL CABINET | Low to medium business impact. Limited damage to an individual, organization, or government generally if compromised. NATIONAL CABINET identifies any information that has been prepared for National Cabinet or its subcommittees. To be handled in accordance with Cabinet conventions and within legal frameworks and processes such as Freedom of Information, parliamentary inquiries and judicial processes. |
PROTECTED (Category) | High business impact. Damage to the national interest, organizations, or individuals. |
PROTECTED | High business impact. Damage to the national interest, organizations, or individuals. |
PROTECTED Personal Privacy | High business impact. Damage to the national interest, organizations, or individuals. Personal Privacy indicates that the item also contains personal information collected for business purposes. |
PROTECTED Legal Privilege | High business impact. Damage to the national interest, organizations, or individuals. Legal Privilege indicates that the item also contains information that is subject to legal professional privilege. Compromise of the confidentiality of the information is likely to cause at least limited damage to the national interest, organizations, or individuals. |
PROTECTED Legislative Secrecy | High business impact. Damage to the national interest, organizations, or individuals. Information is also subject to one or more legislative secrecy provisions. Compromise of the confidentiality of this information is likely to cause at least limited damage to the national interest, organizations, or individuals. |
PROTECTED CABINET | High business impact. Damage to the national interest, organizations, or individuals. The CABINET caveat identifies any information that has been prepared for informing the Cabinet, reveals decision or deliberations of Cabinet, is prepared by departments to brief their ministers on matters proposed for Cabinet or has been created for informing a proposal to be considered by the Cabinet. |
PROTECTED NATIONAL CABINET | High business impact. Damage to the national interest, organizations, or individuals. NATIONAL CABINET identifies any information that has been prepared for National Cabinet or its subcommittees. It's to be handled in accordance with Cabinet conventions and within legal frameworks and processes such as Freedom of Information, parliamentary inquiries and judicial processes. |
Sensitivity label color
Label color options help to improve user awareness of item sensitivity and enhance the user interface of label aware clients. They provide a color coded shield icon that appears alongside sensitivity labels on labeled items.
Colors could traditionally be used in place of text-based markings for situations where such capabilities weren't available. These requirements aren't specified in the 2024 version of PSPF. Australian Government customers can align their label colors with traditional classification color codes. For example:
Security classification | Color-based marking |
---|---|
OFFICIAL: Sensitive | Yellow |
PROTECTED | Blue |
Note
Microsoft recommends use of both color and word based markings to improve user experience and accessibility.
Label scope
Label scope is used to enable specific configuration options for a sensitivity label. Scope options include:
- Files & other data assets: allows this label to be applied to files (Office documents and PDFs).
- Emails: allows emails to be marked via Outlook or other label aware email clients.
- Meetings: allows Teams meetings or Outlook calendar items to be labeled.
- Groups and sites: allows the label to be applied to SharePoint sites, Microsoft 365 groups, and Teams.
The groups and sites option must be enabled before it is available for selection. Configuration steps for groups and sites are outlined in Assign sensitivity labels to Microsoft 365 groups in Microsoft Entra ID.
Note
The groups and sites label scope option is often not required for every sensitivity label. Some labels, such as those containing IMMs (for example, 'OFFICIAL Sensitive Personal Privacy'), are more likely to apply to individual items, such as documents or emails. If so, enablement of the groups and sites option for the OFFICIAL Sensitive label only could be the most appropriate configuration, with the setting left off for IMMs and caveats.
Label encryption
The label encryption scope options allow Azure Rights Management to apply encryption to items when they're labeled. Azure Rights Management encryption ensures that items can't be accessed by unauthorized users.
For organizations and administrators that are new to Microsoft Purview, it's recommended that encryption is disabled while building and completing initial testing. This feature can affect usability and integration with other services and often requires a higher level of capability maturity for successful enablement. More information on encryption configuration is provided in sensitivity label encryption.
Sensitivity label content marking
This set of options allows for the application of text-based visual markings to documents and emails. The available options are header, footer, and watermark. These configuration options align with PSPF marking requirements.
Requirement | Detail |
---|---|
PSPF 2024 - 09. Classifications & Caveats - Requirement 61 | Security classified information is clearly marked with the applicable security classification, and when relevant, security caveat, by using text-based markings, unless impractical for operational reasons. |
Section 9.3.1, Protections, and Handling Requirements for Physical information specifies that text based markings should be "Center top and center bottom of each page; capitals, bold text, large fonts, and distinctive color (red preferred)."
Configurations of label visual markings, font, and bold size can be adjusted with PowerShell. For example, to change the font applied to items in font 'Franklin Gothic Medium,' size 14, along with red text, the following PowerShell script can be used.
```powershell
Set-Label -Identity UNOFFICIAL -ApplyContentMarkingHeaderFontName "Franklin Gothic Medium"
```
This command provides the following visual marking, which aligns closely with PSPF requirements:
Content marking is important because sensitivity label indicators provided by the various Microsoft user interfaces are only visible within an organization's environment. When labeled items are sent to external organizations, such indicators won't be present, unless addressed via approaches covered in automatic application of sensitivity labels.
When content marking is configured, security classifications are embedded into items and are visible regardless of the client being used to open or edit them. This allows external recipients, who might not be using a Microsoft 365 Apps client, to still see the item's applied security classification. Markings are also visible on items that are exported to PDF or printed.
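The following added example (not part of the original article) applies the header and footer marking described above to several labels from this guide's sample configuration, keeping the colon and `//` in the marking text only and out of the label name. It assumes an existing Security & Compliance PowerShell session and labels that already exist under these names; the footer font, the hex value used for red, and the local `$DryRun` flag are assumptions for illustration.

```powershell
# Added example: PSPF-style header and footer markings, set per label name.
# Assumes Connect-IPPSSession has already been run and the labels exist.

# Label name (no colon permitted) -> marking text (colon and // permitted).
$markings = [ordered]@{
    'UNOFFICIAL'                          = 'UNOFFICIAL'
    'OFFICIAL'                            = 'OFFICIAL'
    'OFFICIAL Sensitive'                  = 'OFFICIAL: Sensitive'
    'OFFICIAL Sensitive Personal Privacy' = 'OFFICIAL: Sensitive Personal Privacy'
    'OFFICIAL Sensitive NATIONAL CABINET' = 'OFFICIAL: Sensitive//NATIONAL CABINET'
    'PROTECTED'                           = 'PROTECTED'
    'PROTECTED CABINET'                   = 'PROTECTED//CABINET'
}

# Local safety switch (assumption): $true only lists the planned changes.
$DryRun = $true

foreach ($name in $markings.Keys) {
    # Catch a marking string pasted into the name column by mistake.
    if ($name -match ':') {
        throw "Label name '$name' contains a colon; use it in the marking text only."
    }

    $text   = $markings[$name]
    $params = @{ Identity = $name }

    # Same settings for top and bottom of page: red, size 14, centered.
    foreach ($zone in 'Header', 'Footer') {
        $params["ApplyContentMarking${zone}Enabled"]   = $true
        $params["ApplyContentMarking${zone}Text"]      = $text
        $params["ApplyContentMarking${zone}FontName"]  = 'Franklin Gothic Medium'
        $params["ApplyContentMarking${zone}FontSize"]  = 14
        $params["ApplyContentMarking${zone}FontColor"] = '#FF0000'
        $params["ApplyContentMarking${zone}Alignment"] = 'Center'
    }

    if ($DryRun) {
        '{0,-38} -> {1}' -f $name, $text
    } else {
        Set-Label @params
    }
}
```

Run it once with `$DryRun = $true` to review the name-to-marking mapping, then test on a single label before applying the change to the full taxonomy.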
Auto-labeling
The auto-labeling options configured as part of a sensitivity label's configuration are referred to as client-based auto-labeling. This capability can provide label recommendations to users working in Outlook or Microsoft 365 Apps clients, that prompt the users to raise the sensitivity label based on the detection of sensitive content. For example, a user drafting an UNOFFICIAL email that contains either a sensitive keyword or patterns that align with PROTECTED information, could be prompted to raise the item’s sensitivity to PROTECTED. This capability:
- Helps to ensure label correctness.
- Helps ensure that applied labels are maintained on any downstream items, such as reply emails or Copilot for Microsoft 365 generated content.
- Helps to educate users on correct label application.
Client-based auto-labeling is an advanced capability, which does require some consideration to be used effectively. It's advisable to keep these options disabled on initial configuration but enable them as compliance maturity increases.
For further guidance on the configuration of client-based auto-labeling in alignment with Australian government requirements, see client-based auto-labeling recommendations.
Sensitivity label configuration examples
The following table provides sample configuration, which aligns with PSPF requirements:
Label name | Label display name | Scope | Label Color | Content marking |
---|---|---|---|---|
UNOFFICIAL | UNOFFICIAL | Files, Email, Groups & Sites, Meetings | Green | Header: Color: RED, Size: 14, Align: Center, Text: UNOFFICIAL Footer: Color: RED, Size: 14, Align: Center, Text: UNOFFICIAL |
OFFICIAL | OFFICIAL | Files, Email, Groups & Sites, Meetings | Grey | Header: Color: RED, Size: 14, Align: Center, Text: OFFICIAL Footer: Color: RED, Size: 14, Align: Center, Text: OFFICIAL |
Cat_OFFICIAL Sensitive | OFFICIAL Sensitive | Files, Email | Yellow | Header: Color: RED, Size: 14, Align: Center, Text: OFFICIAL: Sensitive Footer: Color: RED, Size: 14, Align: Center, Text: OFFICIAL: Sensitive |
OFFICIAL Sensitive | OFFICIAL Sensitive | Files, Email, Groups & Sites, Meetings | N/A | Header: Color: RED, Size: 14, Align: Center, Text: OFFICIAL: Sensitive Footer: Color: RED, Size: 14, Align: Center, Text: OFFICIAL: Sensitive |
OFFICIAL Sensitive Personal Privacy | OFFICIAL Sensitive Personal Privacy | Files, Email | N/A | Header: Color: RED, Size: 14, Align: Center, Text: OFFICIAL: Sensitive Personal Privacy Footer: Color: RED, Size: 14, Align: Center, Text: OFFICIAL: Sensitive Personal Privacy |
OFFICIAL Sensitive Legal Privilege | OFFICIAL Sensitive Legal Privilege | Files, Email | N/A | Header: Color: RED, Size: 14, Align: Center, Text: OFFICIAL: Sensitive Legal Privilege Footer: Color: RED, Size: 14, Align: Center, Text: OFFICIAL: Sensitive Legal Privilege |
OFFICIAL Sensitive Legislative Secrecy | OFFICIAL Sensitive Legislative Secrecy | Files, Email | N/A | Header: Color: RED, Size: 14, Align: Center, Text: OFFICIAL: Sensitive Legislative Secrecy Footer: Color: RED, Size: 14, Align: Center, Text: OFFICIAL: Sensitive Legislative Secrecy |
OFFICIAL Sensitive NATIONAL CABINET | OFFICIAL Sensitive NATIONAL CABINET | Files, Email, Groups & Sites | N/A | Header: Color: RED, Size: 14, Align: Center, Text: OFFICIAL: Sensitive//NATIONAL CABINET Footer: Color: RED, Size: 14, Align: Center, Text: OFFICIAL: Sensitive//NATIONAL CABINET |
Cat_PROTECTED | PROTECTED | Files, Email | Blue | Header: Color: RED, Size: 14, Align: Center, Text: PROTECTED Footer: Color: RED, Size: 14, Align: Center, Text: PROTECTED |
PROTECTED | PROTECTED | Files, Email, Groups & Sites, Meetings | N/A | Header: Color: RED, Size: 14, Align: Center, Text: PROTECTED Footer: Color: RED, Size: 14, Align: Center, Text: PROTECTED |
PROTECTED Personal Privacy | PROTECTED Personal Privacy | Files, Email | N/A | Header: Color: RED, Size: 14, Align: Center, Text: PROTECTED Personal Privacy Footer: Color: RED, Size: 14, Align: Center, Text: PROTECTED Personal Privacy |
PROTECTED Legal Privilege | PROTECTED Legal Privilege | Files, Email | N/A | Header: Color: RED, Size: 14, Align: Center, Text: PROTECTED Legal Privilege Footer: Color: RED, Size: 14, Align: Center, Text: PROTECTED Legal Privilege |
PROTECTED Legislative Secrecy | PROTECTED Legislative Secrecy | Files, Email | N/A | Header: Color: RED, Size: 14, Align: Center, Text: PROTECTED Legislative Secrecy Footer: Color: RED, Size: 14, Align: Center, Text: PROTECTED Legislative Secrecy |
PROTECTED CABINET | PROTECTED CABINET | Files, Email, Groups & Sites | N/A | Header: Color: RED, Size: 14, Align: Center, Text: PROTECTED//CABINET Footer: Color: RED, Size: 14, Align: Center, Text: PROTECTED//CABINET |