Using Microsoft Information Protection (MIP) for Data Classification and Labeling

01/09/2024

This technical and educational article aims to guide security analysts, IT administrators, and systems engineers in using Microsoft Information Protection (MIP) to classify and label sensitive data in Microsoft 365 environments. MIP, part of Microsoft Purview, provides a unified framework for discovering, classifying, protecting, and governing sensitive data wherever it resides or travels, ensuring compliance and preventing data loss [1].

Introduction

In today's landscape of cyber threats and increasingly stringent data privacy regulations (such as LGPD and GDPR), the ability to identify, classify and protect sensitive information has become a critical priority for organizations. Data such as personally identifiable information (PII), financial data, intellectual property, and trade secrets, if exposed, can result in serious consequences, including heavy fines, reputational damage, and loss of customer trust. Microsoft Information Protection (MIP) addresses these challenges by providing a robust set of tools to apply sensitivity labels to data, allowing organizations to control who can access it and how it can be used, regardless of where the data is stored or shared [2].

This practical guide will cover creating and configuring sensitivity labels, applying these labels manually and automatically, integrating with other Microsoft 365 services (such as SharePoint, OneDrive, and Exchange Online), and validating their effectiveness. Step-by-step instructions and example configurations are provided so that the reader can implement a comprehensive data classification and labeling strategy, strengthening their organization's information governance and security posture.

Why is Microsoft Information Protection crucial?

  • Data Discovery and Classification: Helps you identify and categorize sensitive data across your Microsoft 365 environment and beyond.
  • Persistent Protection: Applies protection (encryption, access restrictions) that travels with the data, regardless of where it is stored or with whom it is shared.
  • Data Governance: Allows you to impose data usage and retention policies based on your classification.
  • Regulatory Compliance: Helps organizations meet data privacy compliance requirements such as LGPD, GDPR, HIPAA, etc.
  • Optimized User Experience: Natively integrates with Microsoft 365 apps (Word, Excel, PowerPoint, Outlook), allowing users to easily apply labels.
  • Data Loss Prevention (DLP): Works in conjunction with DLP policies to prevent inappropriate sharing of sensitive information.
  • Traceability and Auditing: Provides detailed logs on how labels are applied and how protected data is accessed.

Prerequisites

To use Microsoft Information Protection, you will need the following items:

  1. Licensing: MIP and sensitivity labels require Microsoft 365 E3, Microsoft 365 E5, Office 365 E3, Office 365 E5, or equivalent security/compliance licenses [3].
  2. Administrative Access: An account with the role of Compliance Administrator, Compliance Data Administrator or Global Administrator on the Microsoft Purview portal (https://compliance.microsoft.com).
  3. Enable Sensitivity Labels: For some scenarios, you may need to enable the sensitivity labels feature for files in SharePoint and OneDrive.

Step by Step: Data Classification and Labeling with MIP

Let's configure sensitivity labels and apply them.

1. Accessing the Microsoft Purview Portal

  1. Open your browser and navigate to https://compliance.microsoft.com.
  2. Log in with an account that has the necessary permissions.

2. Creating Sensitivity Labels

Sensitivity labels are the basis of MIP. They define the sensitivity of the data and the associated protection actions.

  1. In the left navigation pane, select Information Protection > Labels.
  2. Click + Create a label.
  3. Name the label: Give the label a name (e.g. Confidential - Financial), a display name (e.g. Confidential - Financial) and a description for users and administrators.

  4. Set scope for this label: Select where the label can be applied (e.g. Files and Emails, Groups and Sites, Database Schemas). For this example, select Files and emails and Groups and sites.

  5. Choose protection settings for files and emails: Select Encryption and Content Marking.

  6. Encryption: Configure access permissions. For example, for Confidential - Financial, you can restrict access to only specific users or security groups, and set permissions such as Viewer, Editor, Co-Author.

  7. Content Marking: Configure headers, footers and watermarks to indicate the sensitivity of the document. Example: add a CONFIDENTIAL - FINANCIAL footer.

  8. Automatic labeling for files and emails: Configure rules to automatically apply labeling based on content (e.g. credit card number patterns, keywords). For this example, let's skip automatic labeling for now and focus on publishing. (Will be covered in the automatic labeling section).

  9. Continue with the remaining settings (group and site protection, database schemas, etc.) as necessary and finish creating the label. Create some labels with different sensitivity levels (e.g. Public, General, Confidential, Highly Confidential).

3. Publishing Sensitivity Labels

After you create the labels, you need to publish them so that they are available to users and services.

  1. In the left navigation pane, select Information Protection > Label Policies.
  2. Click + Publish labels.
  3. Choose labels to publish: Select the labels you just created (e.g. Public, General, Confidential, Highly Confidential).

  4. Assign Policy to Users and Groups: Select the users and groups this label policy will apply to. You can assign it to all users or specific groups.

  5. Policy Settings: Configure options such as Apply a default label to documents and emails, Require users to apply a label to their documents and emails, and Provide users with a link to a custom help page.

  6. Policy Name: Give the policy a name (e.g. Corporate Label Policy) and a description.

  7. Click Create policy.
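The same label and policy from sections 2 and 3, created with Security & Compliance PowerShell instead of the portal. This is an added example, not part of the original article; it assumes the ExchangeOnlineManagement module is installed, and the admin account and the finance-team security group are placeholders for your own.

```powershell
# Added example: create the "Confidential - Financial" label and publish it
# with Security & Compliance PowerShell (ExchangeOnlineManagement module).
# Assumptions: admin@contoso.example holds the Compliance Administrator role;
# finance-team@contoso.example is a placeholder security group.
Connect-IPPSSession -UserPrincipalName admin@contoso.example

$labelName = "Confidential - Financial"

# Step 4 (scope), step 6 (encryption) and step 7 (content marking) in one call.
# Rights: the finance group may view, edit, print and reply; nobody else is granted anything.
New-Label -Name $labelName `
    -DisplayName $labelName `
    -Tooltip "Financial data restricted to the finance team" `
    -ContentType "File, Email, Site, UnifiedGroup" `
    -EncryptionEnabled $true `
    -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "finance-team@contoso.example:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,REPLY,REPLYALL,FORWARD,OBJMODEL" `
    -ApplyContentMarkingFooterEnabled $true `
    -ApplyContentMarkingFooterText "CONFIDENTIAL - FINANCIAL" `
    -ApplyContentMarkingFooterFontSize 10 `
    -ApplyContentMarkingFooterAlignment Center

# Section 3: a label policy is what makes the labels visible to users.
# -ExchangeLocation All publishes to every user; narrow it to a group for a pilot.
New-LabelPolicy -Name "Corporate Label Policy" `
    -Labels "Public", "General", $labelName, "Highly Confidential" `
    -ExchangeLocation All `
    -Comment "Published corporate sensitivity labels"

# Ask users to justify lowering or removing a label (policy setting from step 5).
Set-LabelPolicy -Identity "Corporate Label Policy" `
    -AdvancedSettings @{ RequireDowngradeJustification = "true" }

# Verify what users will receive: every label, and whether encryption is on.
Get-Label | Format-Table DisplayName, EncryptionEnabled, ContentType -AutoSize
Get-LabelPolicy -Identity "Corporate Label Policy" | Select-Object Name, Labels, ExchangeLocation
```

Default-label and mandatory-labeling options are still set in the portal as described in step 5; the cmdlets above cover label creation and publishing.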

4. Manually Applying Labels in Microsoft 365 Apps

After publishing, users can apply the labels directly to Microsoft 365 apps.

  1. Open a document in Word, Excel or PowerPoint (desktop or web versions).
  2. On the ribbon, look for the Sensitivity (or Confidentiality) button.
  3. Click the button and select one of the published labels (e.g. Confidential - Financial).

  4. Note that content markings (header, footer, watermark) and encryption (if configured) are applied automatically.

  5. For emails in Outlook, the process is similar. When composing a new email, click the Sensitivity button and select the label.

5. Automatic Labeling for Files and Emails

Automatic labeling allows MIP to identify and label sensitive data without user intervention.

  1. In the Microsoft Purview portal, select Information Protection > Labels.
  2. Edit an existing label (e.g. Confidential - Financial).
  3. On the Automatic labeling for files and emails screen, select Turn on automatic labeling.
  4. Conditions: Define the conditions that will trigger the labeling. For example, add a condition for Content contains > Sensitive information types > Credit Card Number (with a minimum occurrence count).

  5. Actions: Choose between Automatically apply the label and Recommend the label to users.

    • Tip: Start with Recommend label to avoid interruptions and educate users.
  6. Save changes to the label.

  7. Publish auto-labeling policy: For auto-labeling to work, you need to create or update a label policy to include this setting.

    • In the Microsoft Purview portal, select Information Protection > Label Policies.
    • Edit an existing policy or create a new one, making sure the label with auto-labeling configured is included.

6. Enabling Sensitivity Labels for SharePoint and OneDrive

For label protection to work on files stored in SharePoint and OneDrive, you must enable the feature.

  1. In the Microsoft Purview portal, select Information Protection > Labels.
  2. Click the banner or notification to Enable the ability to render content in Office files in SharePoint and OneDrive.

  3. Confirm activation. This can take up to 24 hours to fully propagate.

Validation and Testing

Validating the MIP implementation involves verifying that labels are applied correctly and that safeguards work as expected.

1. Testing Manual Label Application

  1. Create a new document in Word and save it. Apply a label with encryption (e.g. Highly Confidential).
  2. Try opening the document with an account that does not have access permission.

    • Expected Result: The document should not open, displaying a permission error message.
  3. Share the document with an account that has permission and verify that access is granted and the content markings are present.

2. Testing Automatic Labeling

  1. Create a new Word or Excel document and enter a valid credit card number (use a test number, not a real one!) or other sensitive information that triggers your automatic labeling rule.
  2. Save the document to OneDrive or SharePoint.
  3. Wait a few minutes for the MIP auto-labeling service to process the file.
  4. Check the document in OneDrive/SharePoint. It must have the sensitivity label automatically applied or a recommendation to apply the label.

3. Checking Audit Logs

MIP records labeling and access events for protected documents in Microsoft Purview audit logs.

  1. In the Microsoft Purview portal, select Audit.
  2. Search for activities related to sensitivity labels (e.g. Applied sensitivity label, Removed sensitivity label, Accessed document with sensitivity label).
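A scripted version of the audit-log check, pulling sensitivity-label events from the unified audit log and listing removals and downgrades that carry no justification. This is an added example, not from the original article; it assumes an open Security & Compliance PowerShell session (Connect-IPPSSession), and the operation names and the LabelEventType mapping are taken from the audit schema as understood by the author of this example, so verify them against your own tenant's records.

```powershell
# Added example: review sensitivity-label activity in the unified audit log.
# Assumptions: Connect-IPPSSession already run; 7-day window is a placeholder.
$start = (Get-Date).AddDays(-7)
$end   = Get-Date

# Operation names assumed for label events on Office files and SharePoint/OneDrive.
$ops = @("SensitivityLabelApplied", "SensitivityLabelRemoved", "SensitivityLabelUpdated",
         "FileSensitivityLabelApplied", "FileSensitivityLabelRemoved", "FileSensitivityLabelChanged")

$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops -ResultSize 5000

# Map label GUIDs in the log back to display names.
$labelNames = @{}
Get-Label | ForEach-Object { $labelNames[$_.ImmutableId.ToString()] = $_.DisplayName }

# LabelEventType mapping assumed: 1 upgraded, 2 downgraded, 3 removed, 4 changed (same order).
$eventType = @{ 1 = "Upgraded"; 2 = "Downgraded"; 3 = "Removed"; 4 = "Changed" }

$events = foreach ($r in $records) {
    $d   = $r.AuditData | ConvertFrom-Json      # AuditData is a JSON string
    $lbl = $d.SensitivityLabelEventData
    [pscustomobject]@{
        Time      = $d.CreationTime
        User      = $d.UserId
        Operation = $d.Operation
        Object    = $d.ObjectId
        Event     = if ($lbl) { $eventType[[int]$lbl.LabelEventType] } else { "n/a" }
        NewLabel  = if ($lbl -and $lbl.SensitivityLabelId)    { $labelNames[$lbl.SensitivityLabelId] }    else { $null }
        OldLabel  = if ($lbl -and $lbl.OldSensitivityLabelId) { $labelNames[$lbl.OldSensitivityLabelId] } else { $null }
        Reason    = if ($lbl) { $lbl.JustificationText } else { $null }
    }
}

# Removals and downgrades with no justification text are the first thing to review.
$events |
    Where-Object { ($_.Event -in "Removed", "Downgraded") -and -not $_.Reason } |
    Sort-Object Time |
    Format-Table Time, User, Event, OldLabel, NewLabel, Object -AutoSize

# Which accounts remove labels most often? Repeated removals point at training gaps or misuse.
$events | Where-Object { $_.Event -eq "Removed" } |
    Group-Object User | Sort-Object Count -Descending | Select-Object Name, Count
```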

Security Tips and Best Practices

  • Label Planning: Develop a clear taxonomy of sensitivity labels that makes sense for your organization and your data types. Start with a few labels and add more as needed.
  • User Education: Train your users on what sensitivity labels are, why they are important, and how to apply them correctly. User awareness is critical to the success of MIP.
  • Start with Recommendation: When setting up automatic labeling, start with the Recommend the label to users option so that users are familiar with the process and so that you can adjust the rules before automatically applying labels.
  • DLP Integration: Combine sensitivity labels with Data Loss Prevention (DLP) policies in Microsoft Purview to prevent labeled sensitive data from being inappropriately shared or leaked from the organization.
  • Regular Review: Review and update your labels and labeling policies regularly to ensure they remain relevant and effective as data types and compliance requirements evolve.
  • Continuous Monitoring: Utilize MIP audit logs and reports to monitor label usage, identify patterns of misuse, and ensure compliance.
  • Container Protection: Extend label protection to Microsoft 365 groups, SharePoint sites, and Microsoft Teams teams to protect content stored in these containers.

Common Troubleshooting

  • Labels do not appear in applications: Verify that labels have been published and that the label policy has been assigned to the correct users. It can take up to 24 hours for labels to sync to apps.
  • Automatic labeling does not work: Check the conditions configured for automatic labeling. Ensure that sensitive information types or keywords are being detected correctly. Verify that the label policy that contains automatic labeling has been published and assigned.
  • Documents are not encrypted: Make sure encryption is enabled in the label settings. Make sure access permissions are configured correctly. Verify that the user applying the label has the necessary licenses.
  • Users are unable to open protected documents: Verify that the user has the correct permissions on the label. Make sure the application the user is using supports opening MIP-protected documents.
  • Slow performance when opening/saving documents: Encryption and content marking may add a small overhead. In environments with a large volume of documents or slow networks, this may be more noticeable. Optimize policies and consider the performance impact.

Conclusion

Microsoft Information Protection (MIP) is a powerful and essential solution for any organization looking to protect and govern their sensitive data in the Microsoft 365 environment. By enabling data classification and labeling, MIP ensures that critical information is protected wherever it resides or travels, helping organizations comply with privacy regulations and mitigate data leakage risks. Effective MIP implementation, combined with user education and security best practices, empowers IT and security teams to build a robust and proactive data security posture. With this practical guide, security professionals will be well-equipped to use Microsoft Information Protection to classify, protect, and govern their sensitive information autonomously, professionally, and reliably.


References:

[1] Microsoft Learn. What is Microsoft Purview Information Protection? Available at: https://learn.microsoft.com/pt-br/purview/information-protection

[2] Microsoft Learn. Learn more about sensitivity labels. Available at: https://learn.microsoft.com/pt-br/purview/sensitivity-labels

[3] Microsoft Learn. Licensing requirements for Microsoft Purview. Available at: https://learn.microsoft.com/pt-br/purview/licensing

[4] Microsoft Learn. Automatically apply a sensitivity label to your Microsoft 365 data. Available at: https://learn.microsoft.com/pt-br/purview/apply-sensitivity-label-automatically