Block screenshots using Microsoft Information Protection

Recently, I’ve been trying to figure out just how you can use sensitivity labels to prevent screenshots. There’s a great blog post on Tech Community that describes when to use Microsoft Information Protection (MIP) or Microsoft Defender for Cloud Apps (previous MCAS or Cloud App Security), and in that post they reference using MIP to block screen captures by not allowing the Copy permission.

If you try to find the Copy permission for MIP, you’ll wind up finding information about Azure Information Protection, which is currently being deprecated in favor of MIP. AIP had a specific control for blocking copy permissions, which also includes screen captures:

It turns out that this copy permission is now automatically bundled into the “Do Not Forward” permission for Outlook, and for Word/PowerPoint/Excel we can allow users to specify it:

So now that we know the control exists – here’s the steps to use it.

First – Create a Microsoft Information Protection label by reviewing our previous blog post: Create an Microsoft Information Protection label. Note that the new portal you’ll want to use for MIP is compliance.microsoft.com. Just like in that post, be sure to select Do Not Forward and In Word, PowerPoint, and Excel, prompt users to specify permissions. Come back to this page when you’re finished!

We didn’t cover it in that blog post, but if you haven’t enabled the ability to process labels in SharePoint/OneDrive (which you should), you’ll be prompted with a yellow banner in the Information Protection labeling section. Click Turn on now to enable it (it’s that easy!).

With a label that we can use and the configuration to process online files, let’s block some screenshots.

Let’s start by creating a Word doc – since I have the sensitivity label deployed to my users, they’ll be able to select it from the ribbon:

And then they can specify the permissions they want to allow. For screenshots, we don’t want to allow users to copy content from, so we’ll only allow the Read permissions:

With the label applied, this document now has a fun watermark:

Perfect! Now, if we share that document with someone and they open it, here’s what that looks like when they try to screenshot:

As you may have expected from the title of this post, they can’t screenshot it 🙂 Mission accomplished!

What about in Outlook? Let’s create a new email, use the sensitivity label, and send it to someone:

And once they receive the email, here’s what that will look like:

It’s also blocked! And you can even see the Word document blocked behind Outlook, since they both have sensitive content.

Other than it being fun, blocking screenshots isn’t the safest way to protect data exfiltration. While it’s a useful step, almost everyone has a camera attached to them these days and can easily take a picture of data that they can’t screenshot. The best approach is a mix of Microsoft Information Protection labels, Defender for Cloud Apps, and Defender for Endpoint to monitor and safeguard data.

Case in point – since those documents I protected via labeling are in a Virtual Machine, here’s what they actually look like for the recipient:

And then there’s the other problem, you can’t block screenshots from browsers. On my host machine, on a browser I’m signed into, and then signed into Outlook on the web, I can screenshot data without worry:

It’s not like the protection is completely disabled! We are unable to copy any data out, or forward, as expected:

In the gif above, although you can click copy from the context menu it does not copy any data.

Microsoft Information Protection is an incredibly powerful tool for protecting your data, and hopefully you’ve seen in this blog post another fun way to use it. Just be sure to consider it a part of your larger data protection strategy, and be sure to also look into Defender for Cloud Apps! Until then – enjoy securing those files! 🔐