Configure encryption with sensitivity labels
- 10 minutes
As the global consulting firm continues strengthening its data protection efforts, it now focuses on using encryption settings within sensitivity labels. This allows the firm to:
- Control who can access sensitive content, even when it's shared or stored outside the organization.
- Define editing rights and expiration dates for highly confidential documents.
- Protect Teams meetings, emails, and files without relying on manual encryption steps.
Administrators can either assign permissions during label configuration or let users define access when applying labels, depending on the use case.
How encryption works with sensitivity labels
Sensitivity labels use the Azure Rights Management service (Azure RMS) to enforce encryption. This ensures that content stays protected through encryption, identity verification, and policy enforcement.
Labels that apply to Teams meetings use a separate encryption method tailored to protect real-time audio and video streams.
Prerequisites
Before enabling encryption with sensitivity labels, ensure:
- Azure Information Protection is activated in your tenant.
- Network configurations and Microsoft Entra ID support encrypted content access.
- Exchange is configured for Azure Information Protection to enable email and calendar invite encryption.
Add encryption to a sensitivity label
When creating or editing a sensitivity label, you can apply encryption to protect files, emails, and meeting invites.
In the label settings, select Protection settings > Apply or remove encryption.
On the Encryption page, select Configure encryption settings to define access controls.
Choose how permissions are assigned:
- Assign permissions now to define user access at the time the label is created.
- Let users assign permissions to give users the flexibility to configure access when applying the label.
Consider a confidential project, such as Client X Initiative - Confidential. The firm uses Assign permissions now to restrict access to a defined project team, ensuring strict control over document access and editing.
Assign permissions now
If you choose this option, you can:
- Set content expiration to limit how long users can access labeled content. Expiration can be based on a fixed date or a number of days after labeling.
- Control offline access, allowing it always, never, or for a limited time.
- Specify users or groups who can access the content, along with their permission levels (for example, view-only, edit, full control).
Options include internal groups, individual users, or broader options like Any authenticated users. Choose carefully to match your organization's access policies.
Update encryption settings for existing labels
You can update a label's encryption settings at any time. Changes apply to new content labeled after the update. For existing labeled content:
- Changes to settings under the Assign permissions now option take effect when users reauthenticate.
- Switching from one predefined permission (like Do Not Forward) to another (like Encrypt-Only) doesn't retroactively apply to existing items.
For example, after completing a sensitive client engagement, the firm might update the label to change edit permissions to view-only, preserving content integrity while maintaining access.
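The same Assign permissions now configuration, and the later switch to view-only, can also be scripted with Security & Compliance PowerShell. The following is an added example, not part of the original module: the group address, tooltip text, expiration, and offline-access values are constructed placeholders, and the rights strings are one possible choice of usage rights.

```powershell
# Added example. All names and values below are constructed placeholders.
# Requires the ExchangeOnlineManagement module and a role allowed to manage sensitivity labels.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$labelName   = 'Client X Initiative - Confidential'
$projectTeam = 'clientx-team@contoso.example'    # hypothetical mail-enabled group

# Usage rights granted to the project team while the engagement is active (view and edit)
$activeRights   = 'VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT'
# Usage rights after the engagement closes (view-only)
$viewOnlyRights = 'VIEW,VIEWRIGHTSDATA'

# Create the label with admin-defined permissions ("Assign permissions now")
$newLabel = @{
    Name                                        = $labelName
    DisplayName                                 = $labelName
    Tooltip                                     = 'Restricted to the Client X project team.'
    EncryptionEnabled                           = $true
    EncryptionProtectionType                    = 'Template'    # permissions defined by the admin
    EncryptionRightsDefinitions                 = "${projectTeam}:$activeRights"
    EncryptionContentExpiredOnDateInDaysOrNever = '180'         # days after labeling (assumed value)
    EncryptionOfflineAccessDays                 = 7             # limited offline access (assumed value)
}
New-Label @newLabel

# Review what was stored before the label is published to users
Get-Label -Identity $labelName | Format-List *

# After the engagement: reduce the same group to view-only
Set-Label -Identity $labelName -EncryptionRightsDefinitions "${projectTeam}:$viewOnlyRights"
```

Keeping the rights definition scoped to a named group, rather than a broad option such as Any authenticated users, makes later access reviews a matter of auditing group membership.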