This article provides guidance for Australian Government organizations on the services and components that should be deployed to an organization to make best use of sensitivity labeling and other Microsoft Purview capabilities. Its purpose is to help organizations to understand the prerequisites for deployment of Microsoft Purview Information Protection to meet requirements outlined in the Protective Security Policy Framework (PSPF) and Information Security Manual (ISM).
To make best use of the configurations outlined in this guide, organizations should implement the following core set of Microsoft 365 services:
- Exchange Online
- Microsoft Office Online or Microsoft 365 Apps Office clients
- SharePoint
- Microsoft Teams
The configurations discussed in this guide cover markings and classifications up to and including PROTECTED. The underlying platform and environment requirements for handling PROTECTED information are beyond the scope of this guide.
Note
Implementing a PROTECTED label doesn't automatically mean that the environment is suitable for housing PROTECTED data. Government organizations must have underlying controls in place as per the Information Security Manual (ISM) and the ASD's Blueprint for Secure Cloud.
Microsoft Office client support
Client support is key to a successful implementation of Microsoft Purview Information Protection capabilities. The clients that users use to interact with Office files, email, and other services need to be label aware in order to apply labels. This section discusses the Microsoft Office client versions capable of this integration and identifies any prerequisite work that is needed ahead of Purview deployment.
Microsoft 365 Apps for Enterprise
Microsoft 365 Apps for Enterprise is a version of Microsoft Office, which allows for integration with the Microsoft 365 suite of services. As Microsoft 365 is a cloud-based service that is continually evolving, the Microsoft 365 Apps version of the Office client receives a high frequency of updates to keep up with the cloud platform. This integration between the Office client and Microsoft 365 cloud services allows for a broader feature set to be made available to users than is achievable via standalone Office clients. Traditional clients offer a static feature-set and receive security updates, but typically don't receive newly released capabilities or access to cloud-centric capabilities.
For more information on update channels available to Microsoft 365 apps, see Overview of update channels for Microsoft 365 Apps.
Mac, iOS, and Android client support
New Purview features are typically made available to the Windows-based Microsoft 365 Apps version of Office first and then to other Office versions. For the status of client version capabilities, see minimum versions for sensitivity labels in different clients. Organizations deploying Microsoft 365 should assess this information to ensure that all required capabilities are available on the client versions the organization uses.
Microsoft 365 web clients
Minimum versions for sensitivity labels in Microsoft 365 Apps also includes information on features supported by Microsoft 365 web clients. This information should be assessed to ensure that any sensitivity label capabilities required by your organization are available to web clients.
It's also worth noting that Microsoft Edge (Chromium) includes built-in Microsoft Purview Data Loss Prevention (DLP) support. Equivalent capabilities can be added to other browsers via extensions, for example the Microsoft Purview extension for Chrome and the Microsoft Purview extension for Firefox. These DLP capabilities help to prevent the exfiltration of security classified or otherwise sensitive items via the browser, so they should be considered for deployment.
Mandating client requirements
Client applications that understand a user's obligation to apply markings to items help meet that obligation by requiring users to apply a marking at the time an item is created. Once an item is marked, operational controls that protect its content can be enforced. This configuration is commonly referred to as 'mandatory labeling'. Within Microsoft 365 it is primarily achieved via a label policy option, which is discussed in mandatory labeling. Mandatory labeling allows organizations to meet PSPF Release 2024 Requirement 59:
Requirement | Detail |
---|---|
PSPF Release 2024 Requirement 59 | The value, importance, or sensitivity of official information (intended for use as an official record) is assessed by the originator by considering the potential damage to the government, the national interest, organizations, or individuals that would arise if the information’s confidentiality were compromised. |
To demonstrate the importance of mandatory labeling, consider an email that is sent without a protective marking first being applied, which could occur due to a lack of client support. In such a situation, we must assume that the user hasn't had an opportunity to assess the sensitivity of the enclosed information, and therefore that distribution of the item is high risk. Mandatory labeling can only be enforced by clients that are aware of an organization's Microsoft Purview configuration. Organizations should therefore consider ensuring that users can only access Microsoft 365 services via clients that support this Purview integration. Conditional Access policies can enforce this, for example by blocking legacy authentication protocols (IMAP, POP, SMTP AUTH, Exchange ActiveSync) whose clients cannot read label policies, and by requiring approved or managed client apps on mobile devices.
For information on applying conditional access under the Essential 8, see application control and conditional access.
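As an added example (not part of the original article), the following Microsoft Graph PowerShell creates a Conditional Access policy that blocks legacy authentication clients, the class of client that cannot apply sensitivity labels. The policy is created in report-only mode so its impact can be reviewed before enforcement. The emergency-access group ID is a placeholder that you must replace with your own; the required permission scope and the policy schema are those of the Microsoft Graph `conditionalAccessPolicy` resource.

```powershell
# Added example: block legacy-authentication (non label-aware) clients with Conditional Access.
# Assumes the Microsoft.Graph PowerShell module is installed and the signed-in account can
# manage Conditional Access. Replace the excludeGroups placeholder with your break-glass group.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName = "Block legacy authentication clients (cannot apply sensitivity labels)"
    # Start in report-only mode; review sign-in logs, then change to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers  = @("All")
            # Hypothetical object ID of the emergency-access (break-glass) group; always exclude it.
            excludeGroups = @("00000000-0000-0000-0000-000000000000")
        }
        applications = @{ includeApplications = @("All") }
        # "exchangeActiveSync" and "other" cover the legacy protocol clients (IMAP, POP, SMTP AUTH, EAS).
        # Modern clients ("browser", "mobileAppsAndDesktopClients") are deliberately not targeted.
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator         = "OR"
        builtInControls  = @("block")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Run the policy in report-only mode for at least one business cycle and check the Conditional Access insights workbook for accounts (service mailboxes, scanners, line-of-business integrations) that still authenticate with legacy protocols before switching `state` to `enabled`.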
PDF integration
Windows-based Microsoft 365 Apps clients include the ability to maintain labels applied to Office documents when they're exported or saved as PDF files. These PDFs retain the protection settings of their source Office files, including encryption.
Protected PDF documents can be read in label-aware PDF readers including Microsoft Edge, Chrome, Foxit Reader, and Adobe Acrobat and Acrobat Reader (with the Microsoft Purview Information Protection plug-in installed).
Government organizations should deploy and use label-aware PDF clients or client plugins. Such clients help to maintain clear identification of sensitive information and application of controls when items are exported to PDF.
More information on these capabilities can be found via the following links:
- Apply sensitivity labels to PDFs created with Office apps
- General Availability of Adobe Acrobat Reader Integration with Microsoft Purview Information Protection
Note
Optical Character Recognition (OCR) can be used to scan the content of images and image-based PDFs. Once scanned, Microsoft Purview capabilities such as Data Loss Prevention (DLP) can apply to them. Australian Government organizations might wish to enable OCR to better support their data security requirements, since classified content embedded in screenshots or scanned documents is otherwise invisible to content-based policies. For more information, see Learn about optical character recognition in Microsoft Purview.
Required licensing
Entry-level use of Purview Information Protection capabilities requires a Microsoft 365 E3 license. However, most Government organizations should consider using Microsoft 365 E5 (or the equivalent E5 compliance add-ons) to better provide for their data security requirements.
The following table has a subset of common government use cases and their minimum required license to perform that use case.
Use Case | License |
---|---|
Manually apply a sensitivity label to items. | E3 |
Prevent the distribution of labeled items to unauthorized users. | E3 |
Apply subject markings to labeled items to indicate item sensitivity. | E3 |
Automatically apply sensitivity labels based on markings applied by other organizations. | E5 |
Monitor and report on label usage across the environment. | E5 |
Apply labels to meetings and calendar items. | E5 |
Recommend the application of a sensitivity label based on detection of sensitive content. | E5 |
Monitor and control the use of labeled items on devices. | E5 |
Identify malicious users based on activity with labeled or otherwise sensitive items. | E5 |
Detect sensitive content and control its distribution via Teams chat. | E5 |
Browse where labeled and otherwise sensitive content resides across an environment. | E5 |
Government organizations with E3 licensing can implement Purview at a basic level and achieve the Ad hoc or Developing levels of the PSPF maturity model (included in the Protective Security Policy Framework (PSPF) Assessment Report). However, to ensure that items are protected via controls relevant to their sensitivity, the capabilities included in E5 or equivalent licensing are required. With E5 licensing available, organizations can achieve the Managing or Embedded levels of PSPF maturity.
An important factor in achieving higher levels of compliance maturity is the use of sensitivity auto-labeling. Auto-labeling allows Government organizations to honor classifications that have been applied externally. If an email is classified and marked by one entity and sent to a second entity, the item arrives still marked but, by default, isn't labeled. Because it lacks a label, it's out of scope for a range of label-based data security controls, such as DLP policies. Auto-labeling allows protective markings (as defined in the Australian Government Email Protective Marking Standard) to be interpreted on email as it's received. Once interpreted, a matching label is applied in transit, ensuring that all relevant controls apply to the enclosed information by the time the user receives it.
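As an added example (not part of the original article), the following Security & Compliance PowerShell creates a service-side auto-labeling policy that applies a label to inbound email carrying a PROTECTED marking. The cmdlets and parameters are those of the ExchangeOnlineManagement module; the label name "PROTECTED", the policy name, and the two regular expressions are assumptions for this example. The header pattern targets the `X-Protective-Marking` header (for example `SEC=PROTECTED, ORIGIN=user@agency.gov.au`) and the subject pattern targets the subject marker (for example `[SEC=PROTECTED, ACCESS=Personal-Privacy]`), both as defined by the Email Protective Marking Standard. Note the word-boundary handling so that `PROTECTED` doesn't also match a hypothetical marking that merely starts with that text.

```powershell
# Added example: auto-label inbound email that carries an EPMS PROTECTED marking.
# Assumes a sensitivity label named "PROTECTED" already exists and is published,
# the ExchangeOnlineManagement module is installed, and the account has a Purview admin role.
Connect-IPPSSession

$labelName  = "PROTECTED"                                  # assumed label name
$policyName = "Auto-label inbound PROTECTED markings"      # assumed policy name

# EPMS header value, e.g. "SEC=PROTECTED, ORIGIN=user@agency.gov.au" (assumed regex).
# The trailing group ensures the value is exactly PROTECTED, not a longer token.
$headerPattern  = 'SEC=PROTECTED(,|\s|$)'
# EPMS subject marker, e.g. "[SEC=PROTECTED]" or "[SEC=PROTECTED, ACCESS=Legal-Privilege]" (assumed regex).
$subjectPattern = '\[SEC=PROTECTED(,|\])'

# Policy scoped to all Exchange Online mailboxes. Start in simulation mode so matches can be
# reviewed in the Purview portal before any label is actually applied.
New-AutoSensitivityLabelPolicy -Name $policyName `
    -ExchangeLocation All `
    -ApplySensitivityLabel $labelName `
    -Mode TestWithoutNotifications

# Rule 1: the standards-based X-Protective-Marking header.
New-AutoSensitivityLabelRule -Name "$policyName - header" -Policy $policyName `
    -Workload Exchange `
    -HeaderMatchesPatterns @{ "X-Protective-Marking" = $headerPattern }

# Rule 2: fallback on the subject marker, for senders that mark only the subject line.
New-AutoSensitivityLabelRule -Name "$policyName - subject" -Policy $policyName `
    -Workload Exchange `
    -SubjectMatchesPatterns $subjectPattern

# After reviewing the simulation results, turn the policy on.
Set-AutoSensitivityLabelPolicy -Identity $policyName -Mode Enable
```

One policy per classification level keeps the mapping from marking to label explicit and auditable; a single policy with several rules can only apply one label, so a separate policy (with its own label) is needed for OFFICIAL:Sensitive and so on. Leave the policy in simulation until the matched-message report shows no false positives, since an auto-applied label can trigger encryption and DLP actions that are disruptive to reverse.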