Sensitivity Labels - FAQ

 

What They Do

Purpose

What problems are sensitivity labels trying to solve?

Enabling sensitivity labels at CU Boulder is a necessary step toward closing existing security and compliance gaps within Microsoft 365.

When properly applied, confidential and highly confidential labels reduce the risk of unauthorized data access and leakage by applying an additional layer of encryption and requiring users to authenticate their identity before accessing protected materials. The higher the classification level, the more protection the label confers.

Classifications & Protections

If I label an email confidential or highly confidential, does that protect it from open record requests under CORA?

No, sensitivity labels have no bearing on whether emails or files are subject to open record requests.

There is a presumption that all records made, maintained or kept by CU Boulder are public under the Colorado Public Record Act (CORA), unless:

  • An exception applies (e.g., personnel files, letters of reference, records protected by federal law [such as student records under FERPA], specific details of bona fide research projects, proprietary information); or
  • The record is not public by definition (e.g., donor information)

The fact that a record is in email format is irrelevant; whether digital or hard copy, it remains a record subject to CORA unless an exception/exemption applies. Furthermore, marking a document confidential does not shield it from disclosure under CORA if it is otherwise a public record subject to disclosure.

For more information, see Colorado Open Records Act (APS #2022).

If I send an encrypted email to a non-CU email account, what does the recipient see? Are there any instructions I can share with them?

If you send an encrypted email (i.e., an email labeled confidential or highly confidential - external) to a non-CU email account, the recipient's experience will vary depending on the email client they're using.

  • Recipients who access their email through Outlook (e.g., email addresses ending in outlook.com, hotmail.com, live.com, msn.com) will have a similar experience to campus users. There will likely be no login prompts or protective measures.
  • Recipients using Google or any other non-Outlook email client will likely encounter a fully protected message. The sender's name and the subject line will be visible, but the email contents will be hidden behind Microsoft Purview Message Encryption.

OIT recommends that CU Boulder senders let the recipient(s) know in advance that they'll be receiving an encrypted email.

Please also feel free to include the authentication instructions below.


If a trusted person sends you an email that's protected by Microsoft Purview Message Encryption, follow these steps to complete authentication and view the message:

  1. Open the email and hover over the Read the message link to view the destination URL.
  2. If the URL begins with https://outlook.office365.com/Encryption, go ahead and click Read the message. (It may take several seconds for the next page to load.)
  3. On the next page, you'll be asked to sign in. Click the link to sign in with a one-time passcode (recommended).
  4. Return to your inbox. Once you receive a message from Microsoft Office 365, open it and copy the passcode.
  5. Return to the sign-in page and enter the passcode. Click Continue.
  6. You should now be able to view the sender's message.
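
Step 2's link check expressed as code, as an added example that is not part of the original FAQ or of any CU Boulder or Microsoft tooling: it parses the link and compares scheme, host and path separately instead of reading the address by eye. The function names and the sample links are constructed for illustration.

```javascript
// Added example, not CU Boulder or Microsoft code. The expected host and path
// come from step 2 above; the function names and sample links are constructed.
const EXPECTED_HOST = "outlook.office365.com";
const EXPECTED_PATH = "/Encryption";

function checkReadMessageLink(href) {
  let url;
  try {
    url = new URL(href); // same WHATWG parser browsers use to resolve a link
  } catch (err) {
    return { ok: false, reason: "unparseable" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "scheme" };
  // Anything before an "@" is userinfo, not the host the browser connects to.
  if (url.username !== "" || url.password !== "") return { ok: false, reason: "userinfo" };
  // Exact match: a longer name that merely starts with the expected host fails.
  if (url.hostname !== EXPECTED_HOST || url.port !== "") return { ok: false, reason: "host" };
  // pathname is already normalized, so "/Encryption/../x" arrives here as "/x".
  // Requiring a whole path segment is a choice made by this example.
  const p = url.pathname;
  if (p !== EXPECTED_PATH && !p.startsWith(EXPECTED_PATH + "/")) {
    return { ok: false, reason: "path" };
  }
  return { ok: true, reason: "match" };
}

// Constructed sample links (none taken from a real message).
const SAMPLES = [
  "https://outlook.office365.com/Encryption/view?item=constructed",
  "HTTPS://OUTLOOK.OFFICE365.COM/Encryption/view",
  "http://outlook.office365.com/Encryption/view",
  "https://outlook.office365.com.mail.example/Encryption/view",
  "https://outlook.office365.com@mail.example/Encryption/view",
  "https://outlook.office365.com/Encryption/../other/view",
  "Read the message",
];

function checkAll(links) {
  return links.map((href) => ({ href, ...checkReadMessageLink(href) }));
}

for (const r of checkAll(SAMPLES)) {
  console.log(r.ok ? "OPEN " : "STOP ", r.reason.padEnd(11), r.href);
}
```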
 

How to Use Them

Apply a Label

What types of items can I apply sensitivity labels to?

CU Boulder's sensitivity labels are currently configured to apply to:

  • Word files (.docx, .docm, .dotx, .dotm)
  • Excel files (.xlsx, .xlsb, .xlsm, .xltx)
  • PowerPoint files (.pptx, .pptm, .potx, .potm, .ppsx, .ppsm)
  • Loop files
  • PDFs (see "How do I apply a sensitivity label to a PDF?")
  • Outlook emails
  • Microsoft 365 groups
  • Microsoft Teams sites
  • SharePoint document libraries

If I convert a labeled Microsoft file to a PDF, will the PDF retain the label's protections?

No, that functionality is not currently available at CU Boulder.

Can I apply a sensitivity label to multiple files at once?

There are currently two ways to apply a sensitivity label to multiple files at once:

  1. Move the unlabeled files into a SharePoint document library that a site owner has configured to apply the appropriate sensitivity label by default.
  2. Install the Microsoft Purview Information client (Windows only) to apply sensitivity labels to one or more files through File Explorer. If you're using a university-owned Windows computer that's enrolled in Secure Computing, you can download the client from the Software Center. If not, you can download it from the Microsoft website. Visit Microsoft's Label and Protect Files in File Explorer in Windows page for step-by-step instructions.

Change a Label

I need to change a sensitivity label. How do I do that?

To change the sensitivity label on a Microsoft 365 file:

  1. Open the file using its native web or desktop app.
  2. At the top of the window, click on the sensitivity label to access the sensitivity bar.
  3. Under the Sensitivity heading, click the drop-down menu to select the new sensitivity label.
  4. If you change to a lower protection level, you will be prompted to justify the change (e.g., "Previous label was incorrect").
  5. The new label and its associated protections will be applied immediately.

If you are drafting a new email that you've already labeled or are forwarding a labeled email:

  1. In the email draft, click on the existing sensitivity label to open a drop-down list.
  2. Select the new sensitivity label from the list.
  3. The new label and its associated protections will be applied immediately.
 
If I need to change the label on another person's file or email, do they receive a notification?

No, the owner does not receive a notification if their file or email's sensitivity label is changed.

Who can see my justification when I downgrade a sensitivity label?

Your justification is logged in a Microsoft database that can be accessed by OIT as needed to investigate a specific security concern.

Can I remove a sensitivity label entirely?

Yes, you can apply, change and remove sensitivity labels as needed. To remove a label, select the current label from the drop-down menu to deselect it.

Can I change a file's label after I've shared it with others?

As long as you shared a link to the file rather than emailing a copy, then yes, you can change the sensitivity label on the file and the new protections will apply immediately.

Before increasing a file's protections, we recommend reviewing the file's Manage access list to identify whether the new label will affect existing users' permissions. For example, if a file's label is changed from Confidential - External to Confidential - Internal, then any users outside of CU who were granted access to the file will no longer be able to view it.

 

Known Issues

When a student submits an assignment in Canvas that uses certain sensitivity labels, instructors can't preview the files in SpeedGrader.

Issue

An "Error while processing or retrieving the document" message will appear in SpeedGrader's document preview window if the document has one of these sensitivity labels applied:

  • Confidential
    • Internal
    • External
    • Custom
  • Highly Confidential
    • Internal
    • External
    • Custom

SpeedGrader's preview functionality is not affected by the Public, University Data, Confidential (No protection) or Highly Confidential (No protection) labels.

Workaround

Instructors can download the labeled file and view it locally.

 

Support for Non-CU Recipients

How will I know if I receive a labeled email or file?

If you don't have access to CU Boulder's custom sensitivity labels and you're viewing the item in Microsoft:

  • Web applications will display a shield icon to indicate that the file is protected, but won't provide additional details.
  • Desktop applications will list the protections in a banner at the top of the file.

In general, OIT recommends that CU Boulder senders who share a protected file outside of the university do the following:

  1. Let recipients know in advance that they're going to receive a protected email or file.
  2. Include a note in the file-sharing notification or email message with a protected attachment:

    This content is protected by a Microsoft sensitivity label. If you have any trouble accessing it, please let me know.

I received a "protected message" from someone at CU Boulder. Is this legitimate? If so, how do I open it?

If a trusted person sends you an email that's protected by Microsoft Purview Message Encryption, follow these steps to complete authentication and view the message:

  1. Open the email and click Read the message. (It may take several seconds for the next page to load.)
  2. On the next page, you'll be asked to sign in. Click the link to sign in with a one-time passcode (recommended).
  3. Return to your inbox. Once you receive a message from Microsoft Office 365, open it and copy the passcode.
  4. Return to the sign-in page and enter the passcode. Click Continue.
  5. You should now be able to view the sender's message.

I need to forward a file I received, but it won't let me. What should I do?

Please reach out to the sender and let them know what you're trying to do. If appropriate, they can change the sensitivity label or discuss concerns they may have about forwarding the protected information.

Can I remove a sensitivity label from a file I received?

No. Only users who are authorized to apply a sensitivity label to a file can change or remove an existing label. When they do, they will be prompted to justify the change before it can take effect.