Configuring Microsoft Purview Information Protection
The workflow presented below is an example of how to set up Microsoft Purview Information Protection (formerly Microsoft Information Protection) Sensitivity Labels. The configurations listed here are only example configurations and must be set up on a company-specific basis.
You can skip this chapter if you are already familiar with creating Sensitivity labels or your organization has created Label policies.
To create a new Sensitivity label, you must have the correct permissions in Microsoft Purview, as described in the Prerequisites chapter.
New Sensitivity Label
Begin by providing the basic details of your label:
- Name: An internal name for your label, visible only in Purview.
- Display Name: The name of the label that your users will see.
- Description for users: This description is what your users will see when choosing the label to be applied.
Define Scope of Label
Next, we want to define the scope of the Sensitivity label. In general, admins can choose between 4 groups: Files and other data assets, Emails, Meetings and Groups & Sites. For our use case, we only want to select Files and Emails.
Protection Settings for Items
The protection settings you configure will be enforced when the label is applied to items in Microsoft 365.
Choose only Control Access from the list and select Next.
Access Control
In this section, you define who in your organization has what control over the Sensitivity label.
- Configure access control: Select Configure access control settings to configure them now.
- Assign permissions now?: Select Assign permissions now.
- User access expires?: Select Never.
- Allow offline access: Select Always.
- Assign permission: Choose who in your organization can use the Sensitivity label and who owns it.
- Users and groups: For example, you can make the label available to all users in your organization, but make only an admin group owners.
- Use Double Key Encryption: Select Use DKE.
- Access URL: Provide the URL that you generated in the Access URL page.
Finalize Label
The next 2 sections are highly dependent on your company's policies; therefore, these sections will be skipped. However, we recommend not enabling Auto-labeling for files and emails and leaving all Group & Sites Protection Settings unchecked. All default values of the options.
The last page is a summary of the Sensitivity label. Once you have verified that all details are correct, select Create Label.
Afterwards, the page will reload, the new Sensitivity label will be created, and Purview will ask you if you would like to publish it now or at a later point. Selecting Publish label will begin publishing it. The process usually takes a few minutes, depending on the size of your company.
Publishing Label
If you choose to publish the label at a later point, you can go to the Sensitivity Labels page, mark your newly created label and Publish it. This will begin creating a new policy.
You can publish multiple labels at the same time.
Admin Units
Do not specify admin units. This way the policy will apply to all users and groups. Select Next.
Users and Groups
The labels you selected will be available for the users, distribution groups, mail-enabled security groups, and Microsoft 365 Groups you choose here. By default, this is all Users and Groups.
Policy Settings
Configure settings for the labels included in this policy.
We recommend enabling Users must provide a justification to remove a label or lower its classification.
The rest of the settings can all be left as default. Again, publishing the policy can take a few minutes, depending on the size of your company.
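The same label and policy can also be created from Security & Compliance PowerShell, which gives you a reviewable record of the settings chosen above. This is an added example, not part of the original guide: the label and policy names, the example.com domain, the admin group address, the DKE URL and the usage rights granted to each group are placeholders and assumptions that you must replace with your own values.

```powershell
# Added example: placeholder values throughout, adjust before use.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # sign in with an account that holds the required Purview role

$labelName = 'DKE-Confidential'                    # internal name (placeholder)
$dkeUrl    = 'https://dke.example.com/<key-name>'  # value from the Access URL page (placeholder)
$allUsers  = 'example.com'                         # everyone in the organization (placeholder)
$owners    = 'dke-admins@example.com'              # admin group that owns the label (placeholder)

# Usage rights per group are an assumption: Co-Author for users, Co-Owner for admins.
$coAuthor = 'VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL'
$coOwner  = "$coAuthor,EXPORT,EDITRIGHTSDATA,OWNER"

$labelParams = @{
    Name                                        = $labelName
    DisplayName                                 = 'Confidential (DKE)'
    Tooltip                                     = 'Encrypted with Double Key Encryption.'
    ContentType                                 = 'File, Email'   # scope: Files and Emails only
    EncryptionEnabled                           = $true           # Control Access
    EncryptionProtectionType                    = 'Template'      # Assign permissions now
    EncryptionContentExpiredOnDateInDaysOrNever = 'Never'         # User access expires: Never
    EncryptionOfflineAccessDays                 = -1              # assumed to map to "Always"
    EncryptionRightsDefinitions                 = "${allUsers}:$coAuthor;${owners}:$coOwner"
    EncryptionDoubleKeyEncryptionUrl            = $dkeUrl         # Use DKE + Access URL
}
New-Label @labelParams

# Publish to all users and require a justification to remove or downgrade the label.
$policyParams = @{
    Name             = 'DKE Label Policy'
    Labels           = $labelName
    ExchangeLocation = 'All'
    AdvancedSettings = @{ RequireDowngradeJustification = 'True' }
}
New-LabelPolicy @policyParams

# Review what was stored before relying on the label: scope and encryption actions.
Get-Label -Identity $labelName |
    Format-List Name, DisplayName, ContentType, LabelActions
```

Check that the DKE URL shown in the Get-Label output matches the Access URL you generated, since a label that points at the wrong key service cannot be opened by its users.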
Begin Using Sensitivity Labels
The user must then log out and restart all of their Microsoft-related applications (Word, Outlook, Excel, etc.) to see the Sensitivity label in the list. In some cases a full workstation restart is required.
In the above image, there are 5 additional sensitivity labels. These 5 labels are provided by Microsoft. You can read more about them in this article.
While their creation is not explicitly covered in this document, the process of creation is the same.
You are now ready to begin using our Sensitivity labels. For examples, see the Using DKE page.
What's Next
- Next, test your setup by Labeling Documents.