As you know, you have been able to integrate Azure Right Management Services (Azure RMS) with SharePoint Online for quite a long time already.
That said, since Azure RMS has become Azure Information Protection and now also integrates Sensitivity Label, SharePoint Online (and OneDrive for Business) were not able to process the content of the protected files – lot of features stopped working (co-authoring, eDiscovery, DLP…)
Well, good news you can now enable the support of Sensitivity Label on SharePoint Online and OneDrive.
This preview enables these features:
- SharePoint recognizes sensitivity labels applied to Word, Excel, and PowerPoint files in SharePoint and OneDrive and enforces the settings that correspond with each label
- When you download a file from SharePoint or OneDrive, the sensitivity label travels with the file and the settings remain enforced
- Apply sensitivity labels to Office files, and open and edit files that have sensitivity labels applied (if the label’s permissions allow it) by using the web versions of Word, Excel, and PowerPoint. With Word on the web, you can also use Auto labeling when you edit documents
- Office 365 eDiscovery supports full-text search in files that have sensitivity labels applied. Data Loss Prevention (DLP) policies cover content in these files
- Three new audit events are available for monitoring sensitivity labels:
- FileSensitivityApplied
- FileSensitivityLabelChanged
- FileSensitivityLabelRemoved
There are still some limitations (at least during this first phase in preview):
- When you enable this preview, users who apply a label to a file by using the Office desktop or mobile apps might be unable to save other changes they make to the file. Instead, the app prompts users to Save As or Discard local changes. To avoid losing work, do one of these actions:
- To apply labels, use the web versions of the Office apps
- Close a file after you apply a label and then reopen the file to make other changes
- SharePoint doesn’t automatically apply the new labels to existing files that you’ve already encrypted using Azure Information Protection labels. Instead, to get the features to work after you enable this preview, complete these tasks:
- Convert the Azure Information Protection labels to sensitivity labels
- Download the files and upload them to SharePoint
- SharePoint can’t process labels with custom permissions and labels with expiration dates
- When users have edit permissions, the web versions of the Office apps allow copying regardless of the copy policy setting in the label
- RMS revocation, tracking, and reporting are unsupported
- Office desktop apps and mobile apps don’t support coauthoring. Instead, these apps continue to open files in exclusive editing mode
- If a label includes encryption, Microsoft Cloud App Security isn’t able to read the label information for the files in SharePoint
To enable the Sensitivity Label support on SharePoint Online and OneDrive you need to use the SharePoint Online PowerShell modules (available https://www.microsoft.com/en-us/download/details.aspx?id=35588) and you must use OneDrive for Business client at least version 19.002.0121.0008 on Windows and 19.002.0107.0008 on Mac devices).
Enable Sensitivity Label support
- Connect to your SharePoint tenant using the command
Connect-SPOService -Url https://<your tenant>-admin.sharepoint.com
- Then enable the support using the command
Set-SPOTenant -EnableAIPIntegration $true
- Sensitivity Label will now be enable to new uploaded files (existing file will not [yet?] the label applied)
Disable Sensitivity Label Support
If you need to disable support for Sensitivity Label, execute the below actions
- Connect to your SharePoint tenant using the command
Connect-SPOService -Url https://<your tenant>-admin.sharepoint.com
- Then enable the support using the command
Set-SPOTenant -EnableAIPIntegration $false
