Share via


Enable sensitivity labels for files in SharePoint and OneDrive

Microsoft 365 licensing guidance for security & compliance.

Enable built-in labeling for supported Office files and PDF files in SharePoint and OneDrive so that users can apply your sensitivity labels in Office for the web. When this feature is enabled, users see the Sensitivity button on the ribbon so they can apply labels, and see any applied label name on the status bar.

For SharePoint, users can also see and apply sensitivity labels from the details pane. This method is also available from the Files tab in Teams.

Enabling this feature also results in SharePoint and OneDrive being able to process the contents of Office files and optionally, PDF documents that have been encrypted by using a sensitivity label. The label can be applied in Office for the web, or in Office desktop apps and uploaded or saved in SharePoint and OneDrive. Until you enable this feature, these services can't process encrypted files, which means that coauthoring, eDiscovery, data loss prevention, search, and other collaborative features won't work for these files.

After you enable sensitivity labels for these files in SharePoint and OneDrive, for new and changed files that have a sensitivity label that applies encryption with a cloud-based key (and doesn't use Double Key Encryption):

  • For Word, Excel, and PowerPoint files, and uploaded PDF files, SharePoint and OneDrive recognize the label and can now process the contents of the encrypted file.

  • When users download or access these files from SharePoint or OneDrive, the sensitivity label and any encryption settings from the label are enforced and remain with the file, wherever it's stored. Ensure you provide user guidance to use only labels to protect documents. For more information, see Information Rights Management (IRM) options and sensitivity labels.

  • When users upload labeled and encrypted files to SharePoint or OneDrive, they must have at least View usage rights to those files. For example, they can open the files outside SharePoint. If they don't have this minimum usage right, the upload is successful but the service doesn't recognize the label and can't process the file contents.

  • Use Office for the web (Word, Excel, PowerPoint) to open and edit Office files that have sensitivity labels that apply encryption. The permissions that were assigned with the encryption are enforced. You can also use auto-labeling for these documents.

  • External users can access documents that are labeled with encryption by using guest accounts. For more information, see Support for external users and labeled content.

  • eDiscovery supports full-text search for these files and data loss prevention (DLP) policies support content in these files.

Note

If encryption has been applied with an on-premises key (a key management topology often referred to as "hold your own key" or HYOK), or by using Double Key Encryption, the service behavior for processing the file contents doesn't change. So for these files, coauthoring, eDiscovery, data loss prevention, search, and other collaborative features won't work.

The SharePoint and OneDrive behavior also doesn't change for existing files in these locations that are labeled with encryption using a single Azure-based key. For these files to benefit from the new capabilities after you enable sensitivity labels for Office files in SharePoint and OneDrive, the files must be either downloaded and uploaded again, or edited.

After you enable sensitivity labels for Office files in SharePoint and OneDrive, three new audit events are available for monitoring sensitivity labels that are applied to documents in SharePoint and OneDrive:

  • Applied sensitivity label to file
  • Changed sensitivity label applied to file
  • Removed sensitivity label from file

You always have the choice to disable sensitivity labels for Office files in SharePoint and OneDrive (opt-out) at any time.

If you're currently protecting documents in SharePoint by using SharePoint Information Rights Management (IRM), be sure to check the SharePoint Information Rights Management (IRM) and sensitivity labels section on this page.

Requirements

These new capabilities work with sensitivity labels only.

Use the OneDrive sync app version 19.002.0121.0008 or later on Windows, and version 19.002.0107.0008 or later on Mac. Both these versions were released January 28, 2019, and are currently released to all rings. For more information, see the OneDrive release notes. After you enable sensitivity labels for Office files in SharePoint and OneDrive, users who run an older version of the sync app are prompted to update it.

Supported file types

After you've enabled sensitivity labels for SharePoint and OneDrive, the following Office file types are supported for sensitivity labeling scenarios.

Applying a sensitivity label in Office for the web or in SharePoint:

  • Word: .docx, .docm
  • Excel: .xlsx, .xlsm, .xlsb
  • PowerPoint: .pptx, .ppsx

Uploading a labeled document, and then extracting and displaying that sensitivity label:

  • Word: doc, .docx, .docm, .dot, .dotx, .dotm
  • Excel: .xls, .xlt, .xla, .xlc, .xlm, .xlw, .xlsx, .xltx, .xlsm, .xltm, .xlam, .xlsb
  • PowerPoint: .ppt, .pot, .pps, .ppa, .pptx, .ppsx, .ppsxm, .potx, .ppam, .pptm, .potm, .ppsm

Adding support for PDF

You can enable support for PDFs for the following scenarios:

Sensitivity labels don't support signed PDFs.

Important

Be aware that enabling PDF support can increase the number of files that get automatically labeled with existing auto-labeling policies, which support a maximum of 100,000 files a day.

To turn on support from the Microsoft Purview portal:

  • Sign in to the Microsoft Purview portal > Solutions > Information Protection > Sensitivity labels > Policies > Auto-labeling policies

    Then, if you see a message Protect PDFs with Auto-labeling, select this banner to confirm you want to turn on PDF protection for files in SharePoint and OneDrive.

Alternatively, you can turn on PDF support by using PowerShell when you use the Set-SPOTenant cmdlet with the EnableSensitivityLabelforPDF parameter:

Set-SPOTenant -EnableSensitivityLabelforPDF $true

This PDF parameter requires a minimum version of 16.0.24211.12000 for the SharePoint Online Management Shell. If you need more information about how to install this PowerShell module or run the cmdlets, see the section on this page to enable support for sensitivity labels.

For Microsoft 365 Multi-Geo: Similarly to the instructions to run the PowerShell command to enable support for sensitivity labels, you must connect to each of your geo-locations, and then run the command to enable support for PDFs.

Support for labels configured for user-defined permissions

User-defined permissions refers to an encryption configuration and the setting Let users assign permissions when they apply the label and the checkbox In Word, PowerPoint, and Excel, prompt users to specify permissions is selected.

For files labeled with user-defined permissions, support is gradually rolling out for this content to be inspected for search, data loss prevention, and eDiscovery. This functionality applies to only newly uploaded and edited files.

The following actions support labels configured for user-defined permissions:

  • When a document is labeled with user-defined permissions and uploaded to SharePoint or OneDrive, these services can now process the document so that it can be opened and edited in Office for the web, and the label name is displayed in the Sensitivity column.

  • Labels with this configuration are now displayed in Office for the web. However, currently, users can't apply these labels in Office for the web and if these labels are selected, users see a message instructing them to apply the label using a desktop app.

  • If users need to change labels configured for user-defined permissions, make sure you've enabled co-authoring for files encrypted with sensitivity labels.

To support AutoSave and co-authoring for these encrypted files using a desktop app, you must have enabled co-authoring for files encrypted with sensitivity labels.

This functionality comes with the following change in behavior for encryption:

Limitations

  • SharePoint and OneDrive can't process some files that are labeled and encrypted from Office desktop apps when these files contain PowerQuery data, data stored by custom add-ins, or custom XML parts such as Cover Page Properties, content type schemas, custom Document Information Panel, and Custom XSN. This limitation also applies to files that include a bibliography, and to files that have a Document ID added when they're uploaded.

    For these files, either apply a label without encryption so that they can later be opened in Office for the web, or instruct users to open the files in their desktop apps. Files that are labeled and encrypted only in Office for the web aren't affected.

  • SharePoint and OneDrive don't support sensitivity labels if the labels were applied before you enabled these services for sensitivity labels. The labels won't be recognized and if the labels applied encryption, the contents won't be processed. For the labels and encryption to be supported by SharePoint and OneDrive, download these files and then upload them to their original location.

  • Users can't apply sensitivity labels configured for user-defined permissions while using Office for the web.

  • SharePoint and OneDrive can't process encrypted files when the label that applied the encryption has either of the following configurations for encryption:

    • User access to content expires is set to a value other than Never.

    • Double Key Encryption is selected.

      For labels with either of these encryption configurations, the labels aren't displayed to users in Office for the web. If they're parent labels, this means that users won’t see that label's sublabels, even if the sublabels aren't configured to apply encryption.

      Additionally, the new capabilities can't be used with labeled documents that already have these encryption settings. For example, these documents won't be returned in search results, even if they're updated.

  • SharePoint and OneDrive can't read or apply sensitivity labels when the document is password-protected.

  • For performance reasons, when you upload or save a document to SharePoint and the file's label doesn't apply encryption, the Sensitivity column in the document library can take a while to display the label name. Factor in this delay if you use scripts or automation that depend on the label name in this column.

  • If a document is labeled while it's checked out in SharePoint, the Sensitivity column in the document library won't display the label name until the document is checked in and next opened in SharePoint.

  • If a labeled and encrypted document is downloaded from SharePoint or OneDrive by an app or service that uses a service principal name, and then uploaded again with a label that applies different encryption settings, the upload will fail. An example scenario is Microsoft Defender for Cloud Apps changes a sensitivity label on a file from Confidential to Highly Confidential, or from Confidential to General.

    The upload doesn't fail if the app or service first runs the Unlock-SPOSensitivityLabelEncryptedFile cmdlet, as explained in the Remove encryption for a labeled document section. Or, before the upload, the original file is deleted, or the file name is changed.

  • Users might experience delays in being able to open encrypted documents in the following Save As scenario: With a desktop version of Office, a user chooses Save As for a document that has a sensitivity label that applies encryption. The user selects SharePoint or OneDrive for the location, and then immediately tries to open that document in Office for the web. If the service is still processing the encryption, the user sees a message that the document must be opened in their desktop app. If they try again in a couple of minutes, the document successfully opens in Office for the web.

  • For encrypted documents, printing, downloading, exporting, and creating a copy aren't supported in Office for the web.

  • For encrypted documents in Office for the web, screen captures aren't prevented. However, when documents are labeled and encrypted, and the Copy usage right isn't granted, Office for the web prevents copying to clipboard in the same way as desktop apps prevent this action.

  • By default, Office desktop apps and mobile apps don't support co-authoring for files that are labeled with encryption. These apps continue to open labeled and encrypted files in exclusive editing mode. To change the default behavior, see Enable co-authoring for files encrypted with sensitivity labels.

  • If an admin changes settings for a published label that's already applied to files downloaded to users' sync client, users might be unable to save changes they make to the file in their OneDrive Sync folder. This scenario applies to files that are labeled with encryption, and also when the label change is from a label that didn't apply encryption to a label that does apply encryption. Users see a red circle with a white cross icon error, and they're asked to save new changes as a separate copy. Instead, they can close and reopen the file, or use Office for the web.

  • Sensitivity labels that are configured for automatic labeling are supported for Office for the web when the label settings for conditions are for sensitive information types only. Automatic labeling isn't supported for Office for the web when the conditions include trainable classifiers.

  • Users can experience save problems after going offline or into a sleep mode when instead of using Office for the web, they use the desktop and mobile apps for Word, Excel, or PowerPoint. For these users, when they resume their Office app session and try to save changes, they see an upload failure message with an option to save a copy instead of saving the original file.

  • Documents that have been encrypted in the following ways can't be opened in Office for the web:

    • Encryption that uses an on-premises key ("hold your own key" or HYOK)
    • Encryption that was applied by using Double Key Encryption
    • Encryption that was applied independently from a label, for example, by directly applying a Rights Management protection template.
  • Labels configured for other languages arem't supported and display the original language only.

  • If you delete a label that's been applied to a document in SharePoint or OneDrive, rather than remove the label from the applicable label policy, the document when downloaded won't be labeled or encrypted. In comparison, if the labeled document is stored outside SharePoint or OneDrive, the document remains encrypted if the label is deleted. Note that although you might delete labels during a testing phase, it's very rare to delete a label in a production environment.

  • When a labeled and encrypted Office file larger than 12 MB is copied or moved to a different site, SharePoint can no longer process this file. As a result, the Sensitivity column doesn't display the label name and users can't open the file using Office for the web. Users can successfully open the file when they use an Office client app.

How to enable sensitivity labels for SharePoint and OneDrive (opt-in)

Note

Enabling sensitivity labels for SharePoint and OneDrive also enables sensitivity labels for Loop components and pages. For more information, see Use sensitivity labels with Microsoft Loop.

You can enable the new capabilities by using the Microsoft Purview portal, or by using PowerShell. See the following sections for instructions.

As with all tenant-level configuration changes for SharePoint and OneDrive, it takes about 15 minutes for the change to take effect.

Use the portal to enable support for sensitivity labels

This option is the easiest way to enable sensitivity labels for SharePoint and OneDrive, and you must sign in as a global administrator for your tenant.

  1. Sign in to the Microsoft Purview portal > Solutions > Information Protection > Sensitivity labels.

  2. If you see a message to turn on the ability to process content in Office online files, select Turn on now:

    Turn on now button to enable sensitivity labels for Office Online.

    The command runs immediately and when the page is next refreshed, you no longer see the message or button.

Note

If you have Microsoft 365 Multi-Geo, you must use PowerShell to enable these capabilities for all your geo-locations. See the next section for details.

Use PowerShell to enable support for sensitivity labels

As an alternative to using the Microsoft Purview portal, you can enable support for sensitivity labels by using the Set-SPOTenant cmdlet from SharePoint Online PowerShell.

If you have Microsoft 365 Multi-Geo, you must use PowerShell to enable this support for all your geo-locations.

Prepare the SharePoint Online Management Shell

Before you run the PowerShell command to enable sensitivity labels for Office files in SharePoint and OneDrive, ensure that you're running SharePoint Online Management Shell version 16.0.19418.12000 or later. If you already have the latest version, you can skip to next procedure to run the PowerShell command.

  1. If you have installed a previous version of the SharePoint Online Management Shell from PowerShell gallery, you can update the module by running the following cmdlet.

    Update-Module -Name Microsoft.Online.SharePoint.PowerShell
    
  2. Alternatively, if you have installed a previous version of the SharePoint Online Management Shell from the Microsoft Download Center, you can also go to Add or remove programs and uninstall the SharePoint Online Management Shell.

  3. In a web browser, go to the Download Center page and Download the latest SharePoint Online Management Shell.

  4. Select your language and then click Download.

  5. Choose between the x64 and x86 .msi file. Download the x64 file if you run the 64-bit version of Windows or the x86 file if you run the 32-bit version. If you don’t know, see Which version of Windows operating system am I running?

  6. After you have downloaded the file, run the file and follow the steps in the Setup configuration.

Run the PowerShell command to enable support for sensitivity labels

To enable the new capabilities, use the Set-SPOTenant cmdlet with the EnableAIPIntegration parameter:

  1. Using a work or school account that has SharePoint admin privileges in Microsoft 365, connect to SharePoint. To learn how, see Getting started with SharePoint Online Management Shell.

    Note

    If you have Microsoft 365 Multi-Geo, use the -Url parameter with Connect-SPOService, and specify the SharePoint Online Administration Center site URL for one of your geo-locations.

  2. Run the following command and press Y to confirm:

    Set-SPOTenant -EnableAIPIntegration $true
    
  3. For Microsoft 365 Multi-Geo: Repeat steps 1 and 2 for each of your remaining geo-locations.

Publishing and changing sensitivity labels

When you use sensitivity labels with SharePoint and OneDrive, keep in mind that you need to allow for replication time when you publish new sensitivity labels or update existing sensitivity labels. This is especially important for new labels that apply encryption.

For example: You create and publish a new sensitivity label that applies encryption and it very quickly appears in a user's desktop app. The user applies this label to a document and then uploads it to SharePoint or OneDrive. If the label replication hasn't completed for the service, the new capabilities won't be applied to that document on upload. As a result, the document won't be returned in search or for eDiscovery, and the document can't be opened in Office for the web.

For more information about the timing of labels, see When to expect new labels and changes to take effect.

As a safeguard, we recommend publishing new labels to just a few test users first, wait for at least one hour, and then verify the label behavior on SharePoint and OneDrive. Wait at least a day before you make the label available to more users by either adding more users to the existing label policy, or adding the label to an existing label policy for your standard users. By the time your standard users see the label, it has already synchronized to SharePoint and OneDrive.

SharePoint Information Rights Management (IRM) and sensitivity labels

SharePoint Information Rights Management (IRM) is an older technology to protect files at the list and library level by applying encryption and restrictions when files are downloaded. This older protection technology is designed to prevent unauthorized users from opening the file while it's outside SharePoint.

In comparison, sensitivity labels provide the protection settings of visual markings (headers, footers, watermarks) in addition to encryption. The encryption settings support the full range of usage rights to restrict what users can do with the content, and the same sensitivity labels are supported for many scenarios. Using the same protection method with consistent settings across workloads and apps results in a consistent protection strategy.

However, you can use both protection solutions together and the behavior is as follows:

  • If you upload a file with a sensitivity label that applies encryption, SharePoint can't process the content of these files so coauthoring, eDiscovery, DLP, and search aren't supported for these files.

  • If you label a file using Office for the web, any encryption settings from the label are enforced. For these files, coauthoring, eDiscovery, DLP, and search are supported.

  • If you download a file that's labeled by using Office for the web, the label is retained and any encryption settings from the label are enforced rather than the IRM restriction settings.

  • If you download an Office or PDF file that isn't encrypted with a sensitivity label, IRM settings are applied.

  • If you have enabled any of the additional IRM library settings, which include preventing users from uploading documents that don't support IRM, these settings are enforced.

With this behavior, you can be assured that all Office and PDF files are protected from unauthorized access if they are downloaded, even if they aren't labeled. However, labeled files that are uploaded won't benefit from the new capabilities.

Search for documents by sensitivity label

Use the managed property InformationProtectionLabelId to find all documents in SharePoint or OneDrive that have a specific sensitivity label. Use the following syntax: InformationProtectionLabelId:<GUID>

For example, to search for all documents that have been labeled as "Confidential", and that label has a GUID of "8faca7b8-8d20-48a3-8ea2-0f96310a848e", in the search box, type:

InformationProtectionLabelId:8faca7b8-8d20-48a3-8ea2-0f96310a848e

Search won't find labeled documents in a compressed file, such as a .zip file.

To get the GUIDs for your sensitivity labels, use the Get-Label cmdlet:

  1. First, connect to Office 365 Security & Compliance PowerShell.

    For example, in a PowerShell session that you run as administrator, sign in with a compliance administrator account.

  2. Then run the following command:

    Get-Label |ft Name, Guid
    

For more information about using managed properties, see Manage the search schema in SharePoint.

Remove encryption for a labeled document

There might be rare occasions when a SharePoint administrator needs to remove encryption from a document stored in SharePoint. Any user who has the Rights Management usage right of Export or Full Control assigned to them for that document can remove encryption that was applied by the Azure Rights Management service from Microsoft Purview Information Protection. For example, users with either of these usage rights can replace a label that applies encryption with a label without encryption. A super user could also download the file and save a local copy without the encryption.

As an alternative, a SharePoint admin can run the Unlock-SPOSensitivityLabelEncryptedFile cmdlet, which removes both the sensitivity label and the encryption. This cmdlet runs even if the admin doesn't have access permissions to the site or file, or if the Azure Rights Management service is unavailable.

For example:

Unlock-SPOSensitivityLabelEncryptedFile -FileUrl "https://contoso.com/sites/Marketing/Shared Documents/Doc1.docx" -JustificationText "Need to decrypt this file"

Requirements:

  • SharePoint Online Management Shell version 16.0.20616.12000 or later.

  • The encryption has been applied by a sensitivity label with admin-defined encryption settings (the Assign permissions now label settings). Double Key Encryption isn't supported for this cmdlet.

The justification text is added to the audit event of Removed sensitivity label from file, and the decryption action is also recorded in the usage logging for the Azure Rights Management service.

How to disable sensitivity labels for SharePoint and OneDrive (opt-out)

If you disable these new capabilities, files that you uploaded after you enabled sensitivity labels for SharePoint and OneDrive continue to be protected by the label because the label settings continue to be enforced. When you apply sensitivity labels to new files after you disable these new capabilities, full-text search, eDiscovery, and coauthoring will no longer work.

To disable these new capabilities, you must use PowerShell. Using the SharePoint Online Management Shell and the Set-SPOTenant cmdlet, specify the same EnableAIPIntegration parameter as described in the Use PowerShell to enable support for sensitivity labels section. But this time, set the parameter value to false and press Y to confirm:

Set-SPOTenant -EnableAIPIntegration $false

If you have Microsoft 365 Multi-Geo, you must run this command for each of your geo-locations.

Next steps

After you've enabled sensitivity labels for files in SharePoint and OneDrive, consider automatically labeling files by using either, or both of the following labeling methods:

Need to share your labeled and encrypted documents with people outside your organization? See Sharing encrypted documents with external users.