Support for Office 365 Sensitivity Labels Now in Office ProPlus for Windows

Less Friction on the Road to Office 365 Protection

The September update for Office ProPlus delivered version 1909 (build 12026.20108) to Monthly Channel (targeted) to Windows desktops. The notable item delivered in this version is native support for Office 365 sensitivity labels for the Windows Office apps, something that’s been available in Office for Mac since January. Sensitivity labels can apply markings (like headers and footers) to messages and documents depending on their different degrees of importance (or sensitivity); at the highest level, sensitivity labels can invoke rights management to encrypt and protect content.

Native support might not seem like a big thing, but it is given the influence of Office for Windows on user desktops. Having Office apps able to apply sensitivity labels and the encryption that can be invoked by label settings makes it much easier for organizations to protect their most confidential information.

Native Support for Office

Native support means that the Office apps include all the code (based on the Microsoft Information Protection SDK) needed to fetch policy information from the Security and Compliance Center, interpret label settings, apply markings, and encrypt documents. Up to now, Windows users have had to install the Azure Information Protection client on workstations to process sensitivity labels. After you install the ProPlus update, you have everything needed to protect Office documents stored in Exchange Online, SharePoint Online, and OneDrive for Business.

On the other hand, if you need to protect content stored outside Office 365 – or apply protection to non-Office files (like PDFs) before you import them into Office 365, or you need to use some of the advanced protection features (like applying a default label) that are not yet implemented in Office, you still need to install the unified labelling version of the Azure Information Protection client.

Long Road to Native Support in Office

It’s taken a long time for Microsoft to release native Office ProPlus support for sensitivity labels, especially given the many demos shown at Ignite 2018. Then again, many Ignite announcements must be taken with a pinch of salt because of the high marketing to engineering ratio behind the words.

The Office apps connect to the Security and Compliance Center to download published sensitivity labels, which are then accessible through the Sensitivity button (Figure 1). You know you have the native version of sensitivity labels when you see your Office 365 account name at the top of the list.

Office ProPlus Sensitivity Labels
Figure 1: The Sensitivity button in Word for Windows (image credit: Tony Redmond)

The same Sensitivity button shows up across all the Office apps. Figure 2 shows the same button as seen in Outlook.

Outlook Sensivity Label
Figure 2: Outlook applies a sensitivity label (image credit: Tony Redmond)

One issue I noticed is that applying sensitivity labels through Office (or an AIP client) is not captured in the Office 365 audit log. This functionality must likely wait until the SharePoint Online browser interface supports sensitivity labels.

Removing the Azure Information Protection Client

It will take time for Office 365 tenants to get Office ProPlus version 1909 onto all user desktops. Until then, you can use the combination of Office ProPlus and the Azure Information Protection client to expose sensitivity labels within the Office apps.

After you deploy version 1909, you can remove the Azure Information Protection client and go into native mode. This has some side-effects. First, the information bar installed by the Azure Information Protection client to allow Office apps apply protection labels isn’t available. Second, you still need the client if you want to use the PowerShell cmdlets it contains to process protected files. Third, the Encrypt button in Outlook is restricted to applying the two standard Office 365 Message Encryption (OME) Encrypt-Only and Do Not Forward templates. Last, you’re confined to the set of labels available in your home tenant.

More Work to Do

Microsoft still has several other hurdles to cross to make sensitivity labels easier to use within Office 365. First, they must upgrade the Office online apps (including OWA) to use sensitivity labels (roadmap item 44919 (apps) and 44921 (OWA)). According to Office 365 notification MC191074, targeted release tenants should see support for sensitivity labels in OWA just about now with worldwide roll-out complete by the end of October. Second, Outlook Mobile needs to be able to apply sensitivity labels to new messages (roadmap item 32648 (iOS) and 32649 (Android), both due in October 2019). Third, the browser interfaces for SharePoint Online and OneDrive for Business need an overhaul to allow sensitivity labels to be assigned to documents as easily as Office 365 retention labels are placed on documents today.

Given where we are in the year, it wouldn’t be a big surprise to hear Microsoft announce at Ignite 2019 that all of this is possible. Of course, software can do a lot, but that’s not the question. What would be nice to know is a firm date when sensitivity labels can be used across the complete Office 365 ecosystem. That might not be forthcoming at Ignite.