Create an Microsoft Information Protection label
Have you ever received an email and noticed that it was protected or marked sensitive? To do that, a user selects a sensitivity label – which are created by an administrator using Microsoft Information Protection . In this post, we’ll provide step by step instructions on how to configure a Information Protection label.
First, it’s worth mentioning that it seems that Azure Information Protection (AIP) and M365 labels are being somewhat merged to become unified labeling, although AIP labels can still co-exist. The proper product to use is unified labeling (through the Microsoft 365 security center). In the Azure Information Protection docs, it is even self-referenced as the “classic” client. And yet you can use the Azure Information Protection pane to create unified labels, although they’ll have less features than the M365 security center created labels. Microsoft couldn’t make it more confusing if they tried!
So in short summary – Azure Information Protection was previously the go-to method for information protection labeling, but now they’re actively being replaced with unified labeling, which you should access through Microsoft 365 security center. Let’s begin!
Start by heading to security.microsoft.com:
On the left hand side, select Classification > Sensitivity labels and click + Create a label:
In the fly out menu, type in a Name and Description:
Then, you can select the scope of the label (where it CAN be applied to). Here I selected Files & emails.
Then under the Files & emails section, you can select what the label will do. Once you select these options, new sub options will let you define further. I selected both encryption and content marking.
First under encryption, select the encryption settings desired:
Then define the content marking:
For the last option, we can define WHEN this label will apply automatically. Leave auto-labeling off. This setting works as expected – you can have Office 365 automatically label emails & files (label them with your label) based on a condition that you specify (like credit card information, SSN, or other sensitive info). You can also use this to suggest labels automatically rather than apply them.
For Groups & Sites, leave both options unchecked and click next. If you’re wondering why they’re greyed out, it’s because I haven’t configured/enabled labeling for OneDrive and SharePoint (click here for more info)
And click create!
Now you’ll see a confirmation that the label was created:
Like it says in next steps, now we need to publish this label to users so they can see it. Click Publish labels:
Select the label we just created:
In the flyout, first we’ll select which users will see the label:
Then we can select if this label is applied by default, if it can be removed, etc. If you leave this screen blank, users will be able to select the label as an option (it will not be applied by default).
Then we provide a name & description for the label publishing policy:
And click submit!
Great! Now users will see the label we just created in their Office apps (although this can be a bit complicated with coexistance with the Azure Information Protection clients, for more information refer to this docs article). For example, when I create a new email in Outlook, I now see a Sensitivity dropdown and the name of the label I just created:
Selecting this label also shows it applied to the email:
When I receive an email, it will show as encrypted and with the label I applied:
And that’s it! Now you are able to apply sensitivity labels and information protection policies onto your files and stay secure. Happy protecting! 🚀