Encryption of documents in MS Teams, Part 2: Sensitivity labels

Sensitive files in Teams need to be encrypted

As we mentioned in the first part of our mini encryption series, over 25% of documents stored and exchanged in the cloud contain sensitive data. Encryption is often used in such cases to prevent confidential files from being accidentally destroyed in Teams or accessed by unauthorised employees. In the first part, we already discussed the different types of encryption in Teams. In this article, we will take a closer look at another option of encryption – sensitivity labels.

Sensitivity Labels

Every Microsoft Office document, e.g. a Word document or an Excel spreadsheet, can be encrypted manually. For this purpose, Word or Excel offers the option “Encrypt with password”, which can be found in the “File” menu. In addition, Microsoft 365 allows documents to be encrypted manually or automatically in the different applications. For this purpose are used so-called sensitivity labels.

Sensitivity labels (manual from Office 365 licence E3 or automatic from E5) are used to identify and encrypt Office files according to their protection status. They can be managed by the Global Administrator, Security Administrator, Compliance Administrator or the Compliance Data Administrator. Alternatively, the role “Sensitivity Label Administrator” can be assigned to a user. These users can create new sensitivity labels in the Compliance Admin Center and specify their application to files and emails. Among other things, it is possible to define permissions and the automatic assignment of labels, or permission for offline access, or to apply double encryption.

Furthermore, there is the option to set conditions, for example, for applying the label to all files that contain a passport or an identity card number. Microsoft provides multiple classification-templates that define how each can be recognised. Once a sensitivity label has been created, it must be published via a labelling policy.

Use of sensitivity labels

New Microsoft Office documents created in Teams show the user the available sensitivity labels in the action group “Confidentiality”. If the label is assigned to the document, encryption takes place upon saving. However, this can delay the saving process.

Another possible application is to open the document via the locally installable Microsoft Azure Information Protection Client for uniform labels instead of in a local Office 365 client. This client must be installed manually and is available via the Microsoft download page. After selecting this option, the client is started. First, the user must log in to the Microsoft 365 client again.

PDF files can be protected as well. Although they are not encrypted by default via a label, the user can assign local PDF files via the option “Classify and protect”. If an attempt is made to open this PDF file in a non-Microsoft browser, a message appears stating that the file is protected and the user can only open it via certain applications. If, however, the PDF file is opened in a Microsoft Edge browser, the user will be allowed to log in. After successful login, the file can be viewed via the Microsoft Edge browser.

Similarly, the PDF file can also be opened via the local Microsoft Azure Information Protection Viewer. This viewer is installed with Microsoft Azure Information Protection Client for uniform labels. After the PDF file has been created and encrypted locally, it can of course be uploaded to the Teams channel. Now the PDF file can be opened by clicking on the file name.

The use of sensitivity labels for graphic or also XML files is a bit specific. If these files are given a label by the Unified Label Client, the file extension is renamed. As a rule, a “p” is placed in front of the actual file extension. The file type is also changed and “Protected” is placed in front of the actual file type. The files can then no longer be read by other graphics programmes or opened by web browsers. The Azure Information Protection Viewer can be used for this purpose.

In a Microsoft Teams channel, a new column “Confidentiality” can also be added. The assigned label is then displayed in this column. However, this only works for Office files and not for others that have been assigned a label and encrypted via the Unified Labeling Client. There are also some file types that are excluded from the assignment of labels and thus from encryption.

Product licences

For the manual sensitivity labels is required an Office 365 E3 resp. E5 or a Microsoft 365 Business Premium resp. E3 or E5 licence. Alternatively, an AIP Plan 1 or Plan 2 is also possible. For automatic assignment of sensitivity labels, it is necessary to have an Office 365 E5 or Microsoft 365 E5 licence . These licences are also required for the use of double encryption. Further information on licensing can be found on the Microsoft site.

The use of sensitivity labels in overview

Sensitivity labels provide a powerful way to encrypt documents managed in Microsoft 365. As is typical with Microsoft products, all Microsoft Office products are well supported. Documents from other file types can be labelled with the sensitivity labels via Azure Information Protection Unified Labeling Client, which can be installed separately.

The optional double encryption ensures that the documents can only be viewed by the specific company, as long as it does not give away the sovereign rights over the second key. It is important always to back up the use of the sensitivity label with an implementation and training program. Otherwise, this could lead to inconsistent implementation or confusion and frustration on the part of users.

Learn how iQ.Suite 360 Document Encryption protects the documents you store and share on your collaboration platforms with simple and automated encryption that every employee can use.

As an expert in email security, GBS also offers advanced features for centralised and user-friendly encryption of your email communication with iQ.Suite.

If you have any questions or need further information on the encryption of your data and documents in Microsoft Teams, please contact us at sales@gbs.com. We will be happy to help you.