What are Sensitivity Labels
Sensitivity Labels are the current result of Microsoft's development in the field of labeling, classification and protection of sensitive information. You may have known previous versions of this solution as Rights Management Services or Azure Information Protection.
The principle of operation of Sensitivity Labels is the possibility to mark the file with a label, which limits the possibilities of accessing it and working with its contents. Typically, applying a label restricts access to a specific group of users and encrypts the file so that no one outside the group can open it. Furthermore, it is common to limit users' ability to work with the contents of the file as such, usually disabling copying of content or disabling printing. It is also possible to add a watermark, set a time expiration, etc. Since the original predecessor of this solution was already available in Windows Server 2008, it is now a solid solution that we can recommend to anyone who needs to protect specific files and their content.
Support for Sensitivity Labels in SharePoint Online
Unfortunately, native Sensitivity Labels support in SharePoint Online and OneDrive for Business has been lacking until now. This meant, among other things, that it was not possible to use Office Web Apps to view and edit files with the Sensitivity Label applied. This would not be so tragic, but unfortunately SharePoint could not access encrypted files internally at all, so it could not index their contents. This meant that we had to say goodbye to DLP policies and searching through eDiscovery (which is very problematic for files that you specifically mark as sensitive).
For several months, support for Sensitivity Labels in SharePoint Online has been in public preview, now it is quite unusually getting releaed as an opt-in feature - so it's no longer a work in progress feature, but a standard feature that's not turned on by default and Microsoft 365 tenant administrators have the option to activate it. Maybe you're saying to yourself that there is a hidden snag somewhere - if all were perfect, Microsoft would turn on support for everyone, right? Well, you're basically right. There are a number of issues, from saving from desktop Office applications to synchronizing files with the OneDrive client. A list of all the limitations can be found on this page.
Why we don't recommend turning on this feature at this time
However, what I consider to be the most pressing problem is the fact that turning on the functionality can significantly reduce the protection of your data. From my point of view, protection in a web browser does not seem to be completely contrived. To some extent, activating Sensitivity Labels support in SharePoint Online degrades what currently works well from a security perspective - the certainty that data files opened in desktop Office applications are well protected.
Microsoft has illogically decided to allow the ability to view / edit files that limited handling of their contents (copying, saving elsewhere), although this is not supported in web applications (and in principle will probably never be - a web browser is simply not built for this). So if you've been relying on the fact that no one to copy anything from protected Office files until now, you're out of luck. A user can just upload the file to OneDrive/SharePoint and the user can easily copy the content from Office Web Apps.
The question is why Microsoft chose to ignore file content protection in this way. It was probably concluded that the possibility of co-authoring and easy editing take precedence before security in this case.
It is possible that the functionality will be modified in some way in the future. It would be simple to disable file opening in Web Apps with Sensitivity Labels that restrict copying / saving or even printing. Unfortunately, the current implementation is as it is.
For whom is the current support for Sensitivity Labels suitable
The current implementation is suitable only for those who do not restrict the handling of the file content, ie copying and saving in their Sensitivity Labels. If you only use labels to limit the group of users who can open a file, you can rest easy and turn on support in SharePoint Online. This extends the functionality and allows users to access files through Office Web Apps.
If, on the other hand, you use Sensitivity Labels primarily to limit copying / saving in sensitive files, we strongly recommend that you do not turn on Sensitivity Labels support in SharePoint Online. This would make it relatively easy to work around these security features.
Today, we went through a new support for Sensitivity Labels in SharePoint Online. In addition to the basic information, we looked at some issues and explained why it is not appropriate to turn on this feature if you use Sensitivity Labels to protect the contents of files. At a time when IT systems are evolving very fast, it is necessary to consider the impact of each new function on everyday work, and when it comes to data protection, this is doubly true.