Use Microsoft Information Protection to Prevent Data Leaks

In an earlier blog, I outlined and explained Microsoft Secure Score. But how do you protect data leaks at the file level and control users from leaking your organization’s sensitive data?

Nearly a year and a half ago, a friend of mine was starting a new business. To win a contract, he needed to prove his startup could protect its sensitive data by any means from leaking. A cost-effective, enterprise data protection plan was needed.

This proved to be a daunting task. Enterprises often create, share and store sensitive data in on-premises software, in the cloud and across multiple clouds. Because of the nature of any business to meet regulatory requirements and prevent data leaks, sensitive data must always be securely stored and protected with technology solutions, including strong data encryption.

Also, enterprises are heterogenous. One size does not fit all, because each one has different business needs.

But there is a way.

How Does Microsoft Information Protection (MIP) Prevent Data Leaks?

My friend wanted to avoid the excessive cost of buying on-premises hardware and colocation. He needed a cloud-first solution. I suggested Microsoft Information Protection.

By using MIP, we took advantage of a built-in, intelligent, unified and extensible solution so we could make sure sensitive data was safe in his Microsoft 365 cloud services, on-premises software and third-party SaaS applications.

MIP supplied a unified set of capabilities to be informed of his data, safeguard his data and prevent data loss across all his Microsoft 365 apps like Word, PowerPoint, Excel, Outlook and services like Teams, SharePoint and Exchange.

Microsoft has a variety of encryption keys to support various customer scenarios. It can be an intimidating task to understand all the various encryption key types and applications in the context of their environment. However, you can get a good understanding of the key options by referring to the Computer Security Resource Center’s best practices for key management.

To ensure your data is protected, you must provide labels. Enterprise developers use MIP to label and protect sensitive customer information on exports from line-of-business applications, safeguarding customer information.

The MIP ecosystem enables applications to apply, update and remove sensitivity labels in your own application data. This is done without the overhead of integrating a full software development kit (SDK). This effort was critical to my friend, as he didn’t have a budget to hire developers for this task.

Implement Microsoft Information Protection Sensitivity Labels to Prevent Data Leaks

By using sensitivity labels from the MIP framework, we were able to classify and protect his data, without hindering the productivity of his users and their ability to collaborate.

Here are two things to consider before implementing any sensitivity label capabilities:

  1. Business requirements. Establish the business reasons for applying sensitivity labels throughout your organization. For example, data privacy requirements for information protection.
  1. Sensitivity label capabilities. Don’t let sensitivity labeling get too complex. Read and understand the sensitivity labels documentation before you get started.

Just remember that sensitivity labels are managed in the Microsoft compliance admin center. But targeting and application options can significantly vary.

Types of Sensitivity Labels

Sensitivity labels are organized by sites, groups and teams at the container level. However, settings don’t apply to content inside the container. Those are published to users and groups when they apply and provide them through a site, group or team.

My friend and I used sensitivity labels for active content. These too were published to users or groups who either manually apply them or are automatically applied when any file is changed. For example, opened, edited or saved to the user’s desktop, SharePoint site or OneDrive. Another example is when an email is drafted and sent.

Sensitivity labels can be used for automatic applications to file encryption at rest in SharePoint and OneDrive, and emails in transit through Exchange. These will be targeted to all sites or specific ones and automatically apply to the files at rest in these environments.

In my dealings at my friend’s organization, we didn’t have to rationalize current sensitivity labeling with past or alternative methods. However, you may need to take that into account.

Reconcile Sensitivity Labels

Your current sensitivity labeling scheme may need to be reconciled with any existing Azure Information Protection labeling implementation.

If you’re thinking about using modern sensitivity labeling to protect email with existing email encryption, methods like Office 365 Message Encryption are available. MIP and Message Encryption can co-exist.

But it’s important to first understand the scenarios in which they can be applied. Check out Office 365 Message Encryption’s (OME) new capabilities, which includes a table comparing modern sensitivity label-type protection with OME-based protection.

You should also plan for integration into a broader information protection scheme. On top of co-existence with OME, sensitivity labels must be taken advantage of alongside capabilities like Microsoft 365 data loss prevention (DLP) and Microsoft Defender for Cloud Apps.

You should also read about MIP in Microsoft 365 to achieve your data privacy-related information protection goals. Work on Developing a sensitivity label classification and control scheme. This link will give you more information about data classification and sensitivity label taxonomy.

How Do You Assign Sensitivity Labels?

When you create a sensitivity label, you can automatically assign that label to content, including an email, when it matches conditions you specify. This was important to my friend because:

  • You don’t need to train your users when they must use each of your classifications.
  • You don’t need to rely on users to correctly classify all content.
  • Your users no longer need to know about your policies. Instead, they can focus on their work.

My friend and I used auto-labeling to support recommending labels to his users and had it automatically apply a label. However, the user must decide whether they want to accept or reject the label, helping ensure the correct labeling of content. Proper training in label use is important to support a secure environment and prevent data leaks.

Using client-side labeling creates nearly no delay for documents because the label can be applied before the document is saved. You must remember not all client apps support auto-labeling. That capability is supported by the Azure Information Protection unified labeling client and various versions of Office apps.

For more information on configuration instructions, read how to configure auto-labeling for Office apps. For data privacy, you can auto-apply sensitivity labels for content holding sensitive personal information.


This Microsoft Information Protection solution was both cost-effective and easy to install at my friend’s organization. The solution was implemented in just a few days.

If Microsoft Information Protection can help your enterprise protect your business data at the file level and control users from leaking your organization’s sensitive data, System Soft Technologies can be your trusted partner to resolve your business needs.

Discover more information about System Soft’s cloud solutions and services.

About the Author: Don Bilbrey

Don Bilbrey serves as a Senior Cloud Solutions Architect at System Soft Technologies and has more than 22 years of experience in the IT industry and more than 12 years in cloud services. Don energetically manages the service delivery needs of large enterprise customers and is an expert in understanding client’s systems and storage solutions.