Microsoft 365 - Sensitivity Labels

 

What they are

Sensitivity labels are a tool for classifying and protecting Microsoft 365 data based on its sensitivity or confidentiality level. At CU Boulder, sensitivity labels can safeguard their Microsoft files and emails, Teams sites, Microsoft 365 groups, SharePoint document libraries and PDF files against unauthorized data access and leakage.

Once applied, the label and its protections stay with the item even when it’s shared between devices, applications or cloud services.

What they do

OIT has configured a set of sensitivity labels that map to CU's classification levels of institutional data and apply the appropriate protective measures for that data classification.

Sensitivity LabelDescription
Public (L1)Data is not protected. Content was specifically prepared for public consumption.
University Data (L2)Data is not protected. Content was not meant for public consumption but would not have an adverse impact if disclosed to the public.
Confidential (L3)Content is sensitive, is not typically disclosed to the public, and requires a legitimate business purpose to access.
Highly Confidential (L4)Content is extremely sensitive; is protected from disclosure by law, regulations, contracts or legal agreements; and/or requires reporting of unauthorized disclosure.

The confidential and highly confidential labels have four sublabels each that apply different protections.

Sensitivity SublabelDescription
No ProtectionData is not protected; access is not restricted. Share only with trusted partners who cannot perform their work if the file is protected.
InternalData is protected; access is restricted to users with a University of Colorado email address (e.g., colorado.edu, cu.edu). Users can take any action, including removing protection (justification required).
ExternalData is protected; access is not restricted to users with a University of Colorado email address. Users can take any action, including removing protection (justification required).
CustomThe owner assigns a permissions level to each user or domain.

Sublabel Protections

Sublabel Protections

No Protection

Internal

External

Applies an additional layer of encryption

No

Yes

Yes

Prevents access by unauthenticated users

No

Yes

Yes

Prevents access by non-CU accounts

No

Yes

No

Prevents printing & downloading

No

No

No

Requires justification to decrease or remove label

No

Yes

Yes

What they don't do

Labeling a file or email as confidential or highly confidential does not shield it from disclosure under Colorado Open Records Act (CORA) if it is otherwise a public record subject to disclosure. For additional information, see the sensitivity labels FAQs.

What they look like

If sensitivity labels are enabled for your account, you'll see a brightly colored shield icon at the top of the labeled document or email, serving as a visual indicator of the sensitivity of its contents. In some applications, the name of the sensitivity label will appear next to the icon.

Users who don't have CU Boulder’s sensitivity labels enabled will only see the shield when using the Microsoft web applications. In desktop applications, the protections will be listed in a banner at the top of the file.

Word, Excel & PowerPoint

The sensitivity label appears next to the document name at the top of the window.

View web app screenshots
Image
In Word for the web, the sensitivity label is indicated by a brightly colored shield icon that appears to the right of the document name.
 
Image
In Excel for the web, the sensitivity label displays as a brightly colored shield icon to the right of the file name.
View desktop app screenshots
Image
In the Word desktop app, the sensitivity label displays to the right of the document name as a brightly colored shield icon followed by the label's name.
 
Image
In the Excel desktop app, the sensitivity label displays to the right of the file name as a brightly colored shield icon followed by the label's name.

Outlook

In the inbox, labeled items are indicated by a padlock icon. In an open message, the sensitivity label appears either next to the subject line or below the message headers.

View Outlook (new) screenshots
Image
In new Outlook, protected messages are identified in the inbox by a padlock icon that appears on the right side of the "from" column.
 
Image
In new Outlook, when a protected email is open, the sensitivity label displays to the right of the subject line as a brightly colored shield icon followed by the label's name.
View Outlook (classic) screenshots
Image
In classic Outlook, protected messages are identified in the inbox by a padlock icon that appears above the timestamp on the far right.
 
Image
In classic Outlook, when a protected email is open, the sensitivity label displays below the message headers as a brightly colored shield icon followed by the label's name. If the message is encrypted, an additional notation lists the email address of the person who granted permission to the recipient.

Microsoft Teams

If a sensitivity label is applied to a Team, then the label will appear when one of the Team's channels is selected. The sensitivity label appears in the tabs row at the top of the content pane. Learn how to label a Microsoft Team.

View Teams screenshot
Image
In the Teams desktop app, when a Team is open in the content pane, the sensitivity label appears on the right side of the tabs row.

SharePoint libraries

At this time, there's no at-a-glance method for checking a SharePoint library's default sensitivity label; however, that information is available through the library settings menu (see screenshot below). Users can add the Sensitivity column to view files' sensitivity labels in the content list.

View SharePoint screenshots
Image
In SharePoint online, users can check a document library's default sensitivity label by clicking the gear icon in the top toolbar ("Settings"), then clicking "Library settings."
 
Image
In SharePoint online, adding the Sensitivity column to a document library's content list will allow users to see each file's sensitivity label.

PDF files

When viewed through Adobe Acrobat or Microsoft Edge, labeled PDFs have a banner at the top indicating that they're protected. Non-Microsoft web browsers don't display protected PDFs; instead, they display an Adobe-branded landing page that states the document is protected by Microsoft Purview Information Protection and can be viewed using a supported PDF reader.

View Adobe Acrobat screenshot
Image
In Adobe Acrobat, a banner states that the PDF file is protected by Microsoft Purview Information Protection and specifies the sensitivity label.
View Microsoft Edge screenshot
Image
In Microsoft Edge, a banner with a padlock icon states that the PDF file is protected by Microsoft Information Protection. The sensitivity label is not identified, but the View permissions link displays the actions the user can and cannot take.
View non-Microsoft web browser screenshot
Image
In non-Microsoft web browsers, the protected PDF file doesn't display. Instead, an Adobe-branded landing page states that the document is protected by Microsoft Purview Information Protection and directs users to view the file using a supported PDF reader.

Who can use them

Sensitivity labels are currently only enabled for our project team and pilot groups. Once testing is complete, OIT plans to enable sensitivity labels for all CU Boulder faculty, staff and students.

Support & Documentation