Share via


Use sensitivity labels with Microsoft Loop

Microsoft 365 licensing guidance for security & compliance.

Use your sensitivity labels with Microsoft Loop to add an extra layer of protection to the Loop-related data that users create with this app. This protection extends to Microsoft 365 Copilot.

Loop supports sensitivity labels at the file level, to help protect components and pages:

  • Users can manually apply sensitivity labels that are published to them with the Files & other data assets label scope, including sensitivity labels that apply encryption configured to apply permissions now.
  • Watermarks as a label setting are supported but not variables in the text string.
  • Mandatory labeling and a default document label are supported as settings from a label publishing policy.
  • Other policy settings supported:
    • Justification to remove a label or lower its priority
    • The "Learn more" link

Example Loop component that's currently labeled with the Confidential \ All Employees sensitivity label that applies encryption, displaying other available labels:

Microsoft Loop component displaying sensitivity labels to protect the data in the component.

Loop supports sensitivity labels at the container level, to help protect access to workspaces:

  • This functionality is currently rolling out for tenant-owned workspaces on the web version of the Loop app.
  • You can apply a sensitivity label when you create a new workspace, or apply or change a sensitivity label as a More (...) workspace configuration.
  • Using the SharePoint admin center with the SharePoint Embedded admininstrator role, you can see and change applied sensitivity labels from Containers > Active containers.

Microsoft Loop workspace creation displaying sensitivity labels to protect access to the data in the workspace.

See the following sections for more details about requirements, supported scenarios, and limitations when you use sensitivity labels with Loop.

For information where Loop-related content is stored, see Loop storage.

Sensitivity labels to protect Loop components and pages

The ability to apply sensitivity labels to Loop components and pages requires that SharePoint and OneDrive is enabled for sensitivity labels. Then, you can apply sensitivity labels to loop components and pages in the following apps:

  • The Loop app (web and mobile)
  • Loop in Outlook (desktop, mobile, web)
  • Copilot Pages in Microsoft 365 Copilot Business Chat

When Loop components and pages are encrypted by sensitivity labels, Microsoft 365 Copilot honors the EXTRACT usage right. Microsoft 365 Copilot won't summarize this Loop data unless the user is granted this usage right.

As with sensitivity labels that are applied to documents in SharePoint and OneDrive, the following auditing events are supported:

  • Applied sensitivity label to file
  • Changed sensitivity label applied to file
  • Removed sensitivity label from file

Sensitivity label inheritance for components and pages

Any unlabeled Loop components on the page inherit the sensitivity label applied to the page. That label is retained if you move it to another Loop page.

A Loop page can inherit a higher priority sensitivity label from Copilot in the Loop app when referenced files are labeled. If more than one file is referenced and labeled, the page inherits the label with the highest priority.

Limitations for Loop components and pages

The following labeling capabilities aren't supported:

  • Label colors
  • Label names and descriptions for other languages
  • Headers and footers
  • Variables in watermarks and dynamic watermarks
  • Automatic and recommended labeling
  • Default label for SharePoint document library
  • Sensitivity labels that are configured for any of the following encryption settings:
    • Let users assign permissions, sometimes known as "user-defined permissions"
    • User access to content expires is set to a value other than Never
    • Double Key Encryption is selected

Because the task management tools in Microsoft Planner and Microsoft To Do don't support encryption, they stop synchronizing a Loop component or page that's encrypted by a sensitivity label.

Sensitivity labels to protect Loop workspaces

The ability to apply sensitivity labels to Loop workspaces at the tenant-level requires that sensitivity labels are enabled for containers and that the label scope includes Groups & sites. Then, you can apply sensitivity labels to Loop workspaces in the Loop web app so that content in those workspaces is protected by the following label settings documented in Use sensitivity labels to protect content in Microsoft Teams, Microsoft 365 groups, and SharePoint sites:

  • External user access
  • External sharing from SharePoint sites
  • Access from unmanaged devices
  • Authentication contexts
  • Default sharing link for a SharePoint site (PowerShell-only configuration)
  • Site sharing settings (PowerShell-only configuration)

Although Loop workspaces are stored in SharePoint Embedded containers rather than SharePoint sites, the listed sensitivity label settings for sites are functionally the same.

Limitations for Loop workspaces

As with sensitivity labels that you apply to Loop components and pages, sensitivity labels for Loop workspaces don't support label colors or label names and descriptions for other languages.

The following Loop content isn't protected by the container label settings:

  • Linked files
  • Files uploaded to a workspace because these files are stored in the user's OneDrive
  • Videos that are created in a workspace because these files are stored in the user's OneDrive