Yes when creating a label and targeting it at users you can force them to apply an info protection label before they save the file (for supported file types)
As always with IT, it's security VS usability... great from a compliance standpoint if you force your users to label everything but you will get a lot of noise from users if they're not trained properly on why/how they're forced to label ALL files. Probably best to integrate this with DLP and just enforce the important Sensitive Information Types that are key to your organisation.
@@alexthannah you absolutely right. Probably the amount of people who like me (so far they exist :) will increase dramatically. Therefor it can only be done after a good campaign and convincing the management. Thanks and have great weekend.
I don't understand your comment at 11:50 "50 labels and 50 policies" if you just create the default label for your policy. Thanks very much for your video! great job.
At 5:04 Groups & Sites and Schematized data assets is greyed out saying I need to enable and leading me to a page that still requires copious amounts of powershell commands to enable. :(
Hi Mister Andy, tks a lot for video. I just would like to suggest , you could add instructions to verify and generate report where those label are applied. Your content is always so amazing, tks for your job!
Didn't realise that IP labels could be applied to specific sites using DLP - been targeting IP labels at specific users for a while. Thanks for the info Andy!
Thanks Andy for the video. Please what are the Microsoft Information Protection (MIP) encryption types? What MIP features/encryption can be used in PDF?
It’s a fairly simple process and yes, you can do it by using a number of methods. Here are a couple of useful links. helpx.adobe.com/uk/enterprise/kb/mpip-support-acrobat.html and here support.microsoft.com/en-us/topic/create-protected-pdfs-from-office-files-aba7e367-e482-49e7-b746-a385e48d01e4
Thank you very much for this and other video tutorials. How do files with sensitivity labels applied to them behave when membership to the label is based on dynamic group? I have create a label and distributed it to a dynamic group. I have later tagged a word document with this label. At a later stage I also amended the dynamic group to include more users, however the new employees in the group never get access to the previous old word document. How does this work? I have waited a couple of days, still the behaviour is that new employees within the group still do not have access to old documents.
SuperStar 🎅🎄🎁 Andy, We all can only wish if this was a longer video to show us from the end-user experience. And to mention "legacy" MIP local software that is now retired. Old school CFO like to see their banner across the Outlook everytime when creating the email, and now they have to click on "Sensitivity" drop down .... too much work for those Finance guys😁
Yes, that is the manual labeling. Isn't this a risk the users are too lazy and will not apply labels? Auto label policy does this automatic for you, right?
@@patrick__007 DLP policies can take quite a while to kick in. I couldn’t wait that long when I’m recording the video, however, I will look at this in the future for you.
Thank you Andy for the amazing video. 🍵 I have a question: when we create a label, we assign permissions to the label including which users and groups will have the permission to use the content that has the label applied. and we also have permission assignment in the label policy. So when we publish the label to the policy, which permission assignment has the higher priority? For example, a user A is in the scope of the label permission assignment, but he is not in the scope of the label policy's permission assignment, will user A be able to use the contents that applied this label? 👀🤔
@@AndyMaloneMVP sorry not clear... my bad... if the label is created for ALL USERS and the label policies mentioned say 3 SPECIFIC USERS which one it will go for? please clarify
Hello Andi. Thank you for great video. You have right, i learned somethink new! :) I'm not sure if i heard the point, that the group must bee a e-mail activated securety group. Sorry, if i overheard this point. If you want to create a extra group for the labels and want to use a dynamic group, than you can create a m365 group. The special on a m365-Group is the e-mail notification - the feature on this step by the labling is a bit hmmm. The notification can be desablet by the command: Set-UnifiedGroup -Identity GROUPNAME -UnifiedGroupWelcomeMessageEnabled:$false But remember the microsoft cloud-speed. Wait until you change to a dynamic group. P.S.: I bomb the like button :) [sorry, i'm not a nativ englisch speaker]
hi thanks for the awesome video... i am facing an issue while creating a label (user wise) giving error. when i am creating org wise it is creating nicely. i need to apply the same for some specific users... not for whole company. can u plz help on that? currently using business basic and eop1 license
Hey Andy, That was a wonderful information thank you . If you could include the license requirement to use this feature that would be much helpful. As we have multi licensed user and just to know who get this.
Thanks Andy, great video. Something we are currently looking at although the licensing is confusing. To my knowledeg, using DLP in for Teams is E5 as well as auto labelling. Auto labelling is classed as automation (questionable) so requires the high licensing/addons.
I’ll be honest, I’m not a licensing specialist. But if you check out M365maps.com, that’s a great resource if you want to know what features are available.
Hi Andy, is it possible to add multiple labels to a document? - like label1 assigned a Group that can only view. and label2 assigned a Group that can Edit. - or should i create a label for each combination of group acces?
How can we revoke access to a specific user? Example: A user is part of a sensitive project and the label was created using specific defined users in both the access and policy. If that user no longer is on the project but still with the company, how can the access be removed? In my testing, after removing the user from the label access and policy to use the label, they can still open existing documents as they authenticated when they did have access.
@@AndyMaloneMVP The user (in my testing) still has access to the document. Example: User is not part of the policy and cannot open the document with label applied. User is added to label as owner and they can then open the document. Removed the user from being an owner but they can still open the document that was emailed. (Cache mode didnt make a change) You would think being removed as an owner would be real time and no be allowed to open the doc. We have waited 48 hours to ensure the policy was updated and the removed user could still access. Might have to open a ticket with MS on this one but wanted to see.
I applied label but when user send email to any client it's not readable client complaints that email not readable I guess it's encrypted for client how can I resolve this.
Hi Andy, an unrelated question, I was wondering where I could find the registry keys of the group policy editor snap-in, I assume that all of its values must be stored somewhere in Regedit, but after hours of searching on the web, I couldn't find it, do you? I really appreciate any help you can provide. I also posted it here just to be sure it came through.
Hey Andy, I connected with Microsoft support and they were still not able to rectify the issue with Groups (Enabling this with powershell commands). If you have done this and have a video for this could you please share the link
this is the best explanation so far . very Clear and thank you so much
Gr8. Simple and best way to explain.
Thanks Andy , The explanation is very clear and easy to follow👍
Nicely explained. Thank you!!
Thanks again for your very informative video Andy.
Little question.
Is it possible to force users to choose a sensitivity label.
Thanks again.
Yes when creating a label and targeting it at users you can force them to apply an info protection label before they save the file (for supported file types)
As always with IT, it's security VS usability... great from a compliance standpoint if you force your users to label everything but you will get a lot of noise from users if they're not trained properly on why/how they're forced to label ALL files. Probably best to integrate this with DLP and just enforce the important Sensitive Information Types that are key to your organisation.
@@alexthannah you absolutely right. Probably the amount of people who like me (so far they exist :) will increase dramatically. Therefor it can only be done after a good campaign and convincing the management.
Thanks and have great weekend.
I don't understand your comment at 11:50 "50 labels and 50 policies" if you just create the default label for your policy.
Thanks very much for your video! great job.
By default every time you create a label it will create a policy. You don’t want that right?
At 5:04 Groups & Sites and Schematized data assets is greyed out saying I need to enable and leading me to a page that still requires copious amounts of powershell commands to enable.
:(
I’m afraid so sorry.
Great information. Have you done anything on Purview?
loads checkout the playlist
Hi Mister Andy, tks a lot for video. I just would like to suggest , you could add instructions to verify and generate report where those label are applied. Your content is always so amazing, tks for your job!
Thanks for more useful information ❤
Didn't realise that IP labels could be applied to specific sites using DLP - been targeting IP labels at specific users for a while. Thanks for the info Andy!
Thank you for this video. You just got another subscriber
Thank you and welcome aboard 😊
Thanks Andy ! A fabulous video on Microsoft Information protection😊 this is really helpful !
Thanks Sam 👍😊
Great topic!
Thanks Andy for the video. Please what are the Microsoft Information Protection (MIP) encryption types? What MIP features/encryption can be used in PDF?
It’s a fairly simple process and yes, you can do it by using a number of methods. Here are a couple of useful links. helpx.adobe.com/uk/enterprise/kb/mpip-support-acrobat.html and here support.microsoft.com/en-us/topic/create-protected-pdfs-from-office-files-aba7e367-e482-49e7-b746-a385e48d01e4
@@AndyMaloneMVP thanks. the links were very helpful. especially asr regards application of sensitivity labels to pdf.
Thank you very much for this and other video tutorials. How do files with sensitivity labels applied to them behave when membership to the label is based on dynamic group? I have create a label and distributed it to a dynamic group. I have later tagged a word document with this label. At a later stage I also amended the dynamic group to include more users, however the new employees in the group never get access to the previous old word document. How does this work? I have waited a couple of days, still the behaviour is that new employees within the group still do not have access to old documents.
They are dynamic and should work. That said sometimes it can take up to 72 hours for labels to fully filter through.
SuperStar 🎅🎄🎁 Andy, We all can only wish if this was a longer video to show us from the end-user experience. And to mention "legacy" MIP local software that is now retired. Old school CFO like to see their banner across the Outlook everytime when creating the email, and now they have to click on "Sensitivity" drop down .... too much work for those Finance guys😁
No worries. You saw it from the user perspective Word when I applied a label 😊
Yes, that is the manual labeling. Isn't this a risk the users are too lazy and will not apply labels? Auto label policy does this automatic for you, right?
@@patrick__007 if only CFO allows it 😁
@@patrick__007 DLP policies can take quite a while to kick in. I couldn’t wait that long when I’m recording the video, however, I will look at this in the future for you.
@@AndyMaloneMVP Awesome!
Hi Mr. Andy. Great Job you are doing. Do I need to download AIP labelling client on Windows to have this labels showing up on Desktop clients?
This is called windows information protection and yea you would need to download the client. From settings in compliance centre.
@@AndyMaloneMVP Thanks a bunch
Thank you Andy for the amazing video. 🍵 I have a question: when we create a label, we assign permissions to the label including which users and groups will have the permission to use the content that has the label applied. and we also have permission assignment in the label policy. So when we publish the label to the policy, which permission assignment has the higher priority? For example, a user A is in the scope of the label permission assignment, but he is not in the scope of the label policy's permission assignment, will user A be able to use the contents that applied this label? 👀🤔
The most restrictive permission takes precedence
@@AndyMaloneMVP sorry not clear... my bad... if the label is created for ALL USERS and the label policies mentioned say 3 SPECIFIC USERS which one it will go for? please clarify
@@MilanRoy-r4e specific use past as these are explicit restrictions
Very useful! Thanks
Thanks Andy, any advice is "Groups and Sites" is greyed out under label details?
You need to activate it via a power shell script. It’s in the video. I explained it.
Thank Andy but what is the most common use case of this feature, just sharepoint?
Microsoft 365 groups, teams, and SharePoint, document libraries as well as email
@@AndyMaloneMVP thank You
Hello Andi.
Thank you for great video. You have right, i learned somethink new! :)
I'm not sure if i heard the point, that the group must bee a e-mail activated securety group.
Sorry, if i overheard this point.
If you want to create a extra group for the labels and want to use a dynamic group, than you can create a m365 group.
The special on a m365-Group is the e-mail notification - the feature on this step by the labling is a bit hmmm.
The notification can be desablet by the command:
Set-UnifiedGroup -Identity GROUPNAME -UnifiedGroupWelcomeMessageEnabled:$false
But remember the microsoft cloud-speed. Wait until you change to a dynamic group.
P.S.: I bomb the like button :) [sorry, i'm not a nativ englisch speaker]
Hey thanks for the pitch in. Awesome 👍
So I've added the Sensitivity Label to a Sharepoint Site, but it doesn't then apply the label to the documents. Any ideas?
This has to be done separately
Is there a way to apply labels to existing documents? (without opening each one up and applying it!)
This can be done is Cloudapp Security by an Admin. Or use a script
hi thanks for the awesome video... i am facing an issue while creating a label (user wise) giving error. when i am creating org wise it is creating nicely. i need to apply the same for some specific users... not for whole company. can u plz help on that? currently using business basic and eop1 license
Business premium is the subscription you need.
Great content thank you.
Side note, still bugs me that Word online formatting is STILL all over the place
Hey Andy, That was a wonderful information thank you . If you could include the license requirement to use this feature that would be much helpful. As we have multi licensed user and just to know who get this.
No worries. Everyone gets information protection. Azure AD P2 get automated labels
Thanks Andy, great video. Something we are currently looking at although the licensing is confusing. To my knowledeg, using DLP in for Teams is E5 as well as auto labelling. Auto labelling is classed as automation (questionable) so requires the high licensing/addons.
Unfortunately a P2 licence is required
@@AndyMaloneMVP does that require every user to have the p2 license for auto labeling?
Is auto-Labeling possible without a E5 license?
I’ll be honest, I’m not a licensing specialist. But if you check out M365maps.com, that’s a great resource if you want to know what features are available.
I am not sure but I also think you need Azure Information Protection 2. Need to with Microsoft.
@@clifffernandes5814 Azure AD plan 2 is required.
@@AndyMaloneMVP I thought so. And AIP is considerably more expensive. Thanks
@@clifffernandes5814 just to be clear AIP is the old name. Microsift information protection is the new name 😊
If we don't see the label for Data Loss Prevention , Can we conclude that we don't have license or subscription to it ?
Correct
How about to show the behaviour on teat scenarios? I suggest you should add them in demo for more understanding and end user experience
Nice suggestion, I'll see what I can do.
can you please do another video on how to enable sensitivity labels for groups and sites and on prem repository
Absolutely
Hey. You should do a Office 365 tutorial from start to finish. What policies do you apply and why. The tenant has Business Premium
I did a session on business premium. Hardly anyone looked at it😳😩
@@AndyMaloneMVP i did!!!
Options in define protection setting are greyd i am unable to check privacy and external user access.What is the reason?
This is either a permissions issue, or you don’t have the correct license. I suspect permissions is the problem here.
@@AndyMaloneMVP Yes ur right i gues its license issue i will check it.Thanks for reply.
Thank you Sir 😊
Hi Andy, is it possible to add multiple labels to a document?
- like label1 assigned a Group that can only view. and label2 assigned a Group that can Edit.
- or should i create a label for each combination of group acces?
Unfortunately not
Thank you so much Sir
All the best
Is there any way to see Alert of DLP policy more than 1 month? As of now it is confined to 1 month period only
Docs.microsoft.com
How can we revoke access to a specific user? Example: A user is part of a sensitive project and the label was created using specific defined users in both the access and policy. If that user no longer is on the project but still with the company, how can the access be removed? In my testing, after removing the user from the label access and policy to use the label, they can still open existing documents as they authenticated when they did have access.
Simply exclude the user from the policy
@@AndyMaloneMVP The user (in my testing) still has access to the document. Example: User is not part of the policy and cannot open the document with label applied. User is added to label as owner and they can then open the document. Removed the user from being an owner but they can still open the document that was emailed. (Cache mode didnt make a change) You would think being removed as an owner would be real time and no be allowed to open the doc. We have waited 48 hours to ensure the policy was updated and the removed user could still access. Might have to open a ticket with MS on this one but wanted to see.
@@CurtisM-vu7zb I think that would be a good course of action. Good luck👍😊
Rights Management is not active for the tenant. Its after click create label
Check your licence
I applied label but when user send email to any client it's not readable client complaints that email not readable I guess it's encrypted for client how can I resolve this.
I’ve not heard of this, it sounds like a technical support issue. I would submit a ticket with Microsoft
@@AndyMaloneMVP Thanks for reply.
How to convert this kind of word file into pdf withoutloosing Microsoft protection?
Check out the docs at Learn.Microsoft.com you create a secure ppdf
Hi Andy, an unrelated question, I was wondering where I could find the registry keys of the group policy editor snap-in, I assume that all of its values must be stored somewhere in Regedit, but after hours of searching on the web, I couldn't find it, do you? I really appreciate any help you can provide. I also posted it here just to be sure it came through.
Dude, I’m good but not that good, I can’t remember every single registry key. Try the Microsoft tech community. Good luck 😊
Hey Andy, I connected with Microsoft support and they were still not able to rectify the issue with Groups (Enabling this with powershell commands). If you have done this and have a video for this could you please share the link
I mainly work in cloud nowadays. Sorry I couldn’t help on this occasion.
thanks alot
It'd be nice if people would start out these videos saying what level of M365 is required to use the features described in the video
Thanks