Part 2: Office 365 Retention Labels and Sensitivity Labels Explained

Post Date: 03/04/2019
feature image

Worried about being able to govern your organization’s Office 365 environment? Give our webinar “7 Crucial Office 365 Strategies To Contain Sprawl And Keep Data Safe” a watch! 


This is Part 2 of our Office 365 labeling coverage. Read part one covering the two types of Office 365 labels here!

As of now, we’re either relying on users to label content or blindly auto-labeling content ourselves. The latter is ham-fisted at best, and the former relies on users knowing how and when to label content (and having the patience to do so properly).

So, what about automatic labeling?

Sensitivity labels and retention labels can both be set to be applied automatically, but under different circumstances and dependent—in part—on what AIP and Office 365 licenses you have available. This environment allows Malcolm to create a retention label policy that is applied automatically.

Let’s have a bit of fun and base this policy on the presence of the word “supercalifragilisticexpialidocious.”

Here’s the label:

All Malcolm’s done is add the one keyword (there’s room for many others to be added) along with a retention policy. In this scenario, he’ll only keep these documents for 14 days after they are labeled. After day 14 Malcolm should receive a notification to review the policy once more.

This admittedly silly example is just to illustrate that you can automatically apply retention policies based on a keyword.

That said, what if one or more keywords are insufficient or too complex? What if you were required to retain content based on a regulatory requirement such as HIPAA, Graham-Leach-Bliley, or their non-US counterparts? Thankfully, Microsoft has you covered there as well.

office 365

By using new or default sensitive info types, a retention policy can be automatically applied based on the contents of a document. These templates include multiple criteria to meet specific requirements.

It’s important to note that these are templates. I’ve never worked with a client who was 100% covered by the templates that are available out-of-the-box from Microsoft or any other vendor. If you’ve come this far down the configuration hole, rest assured you’ll be taking one or more of these templates and customizing them to fit your needs.

Automatic labeling via sensitivity labels is a tad different. The good news is that Microsoft brought a lot of the functionality from MIP into Office 365 E3 and E5 licenses. The bad news is that some functionality requires E5 or additional MIP licenses.

All Malcolm can do in this E3 environment is automatically apply sensitivity labels to create a policy that applies a license by default, like so:

He can also require users to enter justification if they need to change the label from the default and give them a URL to a help page.

Sensitive Info Types

I’ll close with a little visual tour of where sensitive info types get configured. This is where Malcolm defined Supercalifragilisticexpialidocious as a keyword type of sensitive info.

More practically, Malcolm might create a sensitive info type that is based on the presence of one or more types of sensitive information, a keyword, regular expression, or dictionary (the latter essentially being a very large list of keywords).

Supporting elements and matching elements can both be keywords, dictionaries, or regular expressions. The distinction between the two is that the supporting element refines the rule whereas the matching element must be found.

The sensitive info types that Microsoft includes with Office 365 cannot be edited, as they are referenced by some of the templates mentioned earlier. However, you can add your own custom sensitive info types, and then reference both those as well as the out-of-the-box types to create your own settings for automatically labeling content, like so:

As a final note, keep in mind that Office 365 relies on the search crawl to read content in a document in Office 365. That’s Office 365’s automagical way of indexing content (generally for the purpose of end-user search). There are two challenges that come with relying on this:

  1. The index crawler takes time. It can take days to index content in a large organization.
  2. There are ways of hiding content from being indexed.

This doesn’t mean that relying on the search index is necessarily bad, because how well it does work is actually quite remarkable. It just means that you should understand the limits and be ready to explain them to your user community.


Looking for more helpful Office 365 Content? Subscribe to our blog!

Share this blog

Subscribe to our blog