Skilling Tasks
Your task is to create and publish sensitivity labels within your organization that classify and protect sensitive data according to its level of confidentiality and the necessary access controls.
Tasks:
- Enable support for sensitivity labels
- Create sensitivity labels
- Publish sensitivity labels
- Configure auto labeling
Task 1 – Enable support for sensitivity labels in SharePoint and OneDrive
In this task, you’ll install the necessary modules and enable support for sensitivity labels on your tenant. This is needed for the optional task of applying sensitivity labels later in this exercise.
-
On the desktop, open an elevated PowerShell window by right-clicking the Windows button in the taskbar, then selecting Terminal (Admin).
-
Confirm the User Account Control window with Yes.
-
Run the Install-Module cmdlet to install the latest MS Online PowerShell module version:
Install-Module -Name MSOnline
-
Confirm the NuGet security dialog and the Untrusted repository security dialog with Y for Yes and press Enter. This might take a while to complete processing.
-
Run the Install-Module cmdlet to install the latest SharePoint Online PowerShell module version:
Install-Module -Name Microsoft.Online.SharePoint.PowerShell
-
Confirm the Untrusted repository security dialog with Y for Yes and press Enter.
-
Run the Connect-MsolService cmdlet to connect to the MS Online service:
Connect-MsolService
-
In the Sign into your account form, sign in as the user you selected as the Compliance Administrator in a previous exercise.
-
After signing in, navigate back to the terminal window.
-
Run the Get-MsolDomain cmdlet and save the domain as a variable:
$domain = Get-MsolDomain
-
Use the $domain variable created in the previous step to create a new variable for $adminurl:
$adminurl = "https://" + $domain.Name.split('.')[0] + "-admin.sharepoint.com"
-
Run the Connect-SPOService cmdlet using the $adminurl variable created in the previous step:
Connect-SPOService -url $adminurl
-
In the Sign into your account form, sign in as the Global Administrator.
-
After signing in, navigate back to the terminal window.
-
Run the Set-SPOTenant cmdlet to enable support for sensitivity labels:
Set-SPOTenant -EnableAIPIntegration $true
-
Confirm the changes with Y for Yes and press Enter.
-
Close the PowerShell window.
You have successfully enabled support for sensitivity labels for Teams and SharePoint sites.
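A check for this task, as an added example that is not part of the original lab: the lab's `$domain.Name.split('.')[0]` expression uses whichever domain `Get-MsolDomain` lists first, so on a tenant with a custom domain it can build the wrong admin URL. The sketch below selects the `<tenant>.onmicrosoft.com` domain explicitly and then reads back `EnableAIPIntegration`. The function names and sample domains are hypothetical, and it assumes the SharePoint admin host is named after the initial onmicrosoft.com domain.

```powershell
# Added example, not part of the original lab. Function names are hypothetical.

function Get-SpoAdminUrl {
    param([Parameter(Mandatory)][object[]]$Domain)

    # Assumption: the SharePoint admin host is named after the tenant's initial
    # <tenant>.onmicrosoft.com domain. Custom domains and the hybrid
    # <tenant>.mail.onmicrosoft.com routing domain are skipped.
    $initial = @($Domain | Where-Object { $_.Name -match '^[a-z0-9-]+\.onmicrosoft\.com$' })
    if ($initial.Count -ne 1) {
        throw "Expected one <tenant>.onmicrosoft.com domain, found $($initial.Count)."
    }
    'https://{0}-admin.sharepoint.com' -f $initial[0].Name.Split('.')[0].ToLowerInvariant()
}

function Test-LabelIntegration {
    # Needs the Connect-SPOService session from the steps above.
    $enabled = [bool](Get-SPOTenant).EnableAIPIntegration
    if (-not $enabled) {
        Write-Warning 'EnableAIPIntegration is False: the Set-SPOTenant change did not take effect.'
    }
    $enabled
}

# Constructed sample shaped like Get-MsolDomain output (only Name is used).
$sample = @(
    [pscustomobject]@{ Name = 'contoso.com' }
    [pscustomobject]@{ Name = 'contoso365.onmicrosoft.com' }
    [pscustomobject]@{ Name = 'contoso365.mail.onmicrosoft.com' }
)
Get-SpoAdminUrl -Domain $sample
```

In the lab session, pass the `Get-MsolDomain` output to `Get-SpoAdminUrl`, connect with the result, and call `Test-LabelIntegration` after `Set-SPOTenant` and before closing the window.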
Task 2 – Create sensitivity labels
In this task, your HR department has requested a sensitivity label to apply to HR employee documents. You’ll create a sensitivity label for internal documents and a sublabel for the HR department.
-
Open Microsoft Edge and navigate to https://purview.microsoft.com. Log into Microsoft Purview as the user you selected as the Compliance Administrator.
-
In the Microsoft Purview portal, select Solutions from the left sidebar, then select Information Protection.
-
On the Microsoft Information Protection page, on the left sidebar, select Sensitivity labels.
-
On the Sensitivity labels page select + Create a label.
-
The New sensitivity label configuration will start. On the Provide basic details for this label page, enter:
- Name:
Internal
- Display name:
Internal
- Description for users:
Internal sensitivity label.
- Description for admins:
Internal sensitivity label for Contoso.
-
Select Next.
-
On the Define the scope for this label page, select Items, then select Files and Emails. If the checkbox for Meetings is selected, make sure it’s deselected.
Note: When Meetings is selected, you can’t create a sublabel for the sensitivity label.
-
Select Next.
-
On the Choose protection settings for labeled items page, select Next.
-
On the Auto-labeling for files and emails page, select Next.
-
On the Define protection settings for groups and sites page, select Next.
-
On the Auto-labeling for schematized data assets (preview) page, select Next.
-
On the Review your settings and finish page, select Create label.
-
On the Your sensitivity label was created page, select Don’t create a policy yet, then select Done.
-
On the Sensitivity labels page, find the newly created Internal sensitivity label. Select the vertical ellipsis (…) next to it, then select + Create sublabel from the dropdown menu.
-
The New sensitivity label wizard will start. On the Provide basic details for this label page enter:
- Name:
Employee data (HR)
- Display name:
Employee data (HR)
- Description for users:
This HR label is the default label for all specified documents in the HR Department.
- Description for admins:
This label was created with input from the Head of HR. Contact the HR department for any changes to the label settings.
-
Select Next.
-
On the Define the scope for this label page, select Items, then select Files, Emails, and Meetings.
-
Select Next.
-
On the Choose protection settings for labeled items page, select the Control access option, then select Next.
-
On the Access control page, select Configure access control settings.
-
Configure the encryption settings with these options:
- Assign permissions now or let users decide?: Assign permissions now
- User access to content expires: Never
- Allow offline access: Only for a number of days
- Users have offline access to the content for this many days: 15
- Select the Assign permissions link. On the Assign permissions flyout panel, select + Add any authenticated users, then select Save to apply this setting.
-
On the Access control page, select Next.
-
On the Auto-labeling for files and emails page, select Next.
-
On the Define protection settings for groups and sites page, select Next.
-
On the Auto-labeling for schematized data assets (preview) page, select Next.
-
On the Review your settings and finish page, select Create label.
-
On the Your sensitivity label was created page, select Don’t create a policy yet, then select Done.
You have successfully created a sensitivity label for your organization's internal policies and a sensitivity sublabel for the Human Resources (HR) department.
Task 3 – Publish sensitivity labels
You will now publish the Internal and HR sensitivity labels so that they are available for the HR users to apply to their HR documents.
-
In Microsoft Edge, the Microsoft Purview portal tab should still be open. If not, navigate to https://purview.microsoft.com > Solutions > Information Protection > Sensitivity labels.
-
On the Sensitivity labels page select Publish labels.
-
The publish sensitivity labels configuration will start.
-
On the Choose sensitivity labels to publish page, select the Choose sensitivity labels to publish link.
-
On the Sensitivity labels to publish flyout panel, select the Internal and Internal/Employee Data (HR) checkboxes, then select Add at the bottom of the flyout panel.
-
Back on the Choose sensitivity labels to publish page, select Next.
-
On the Assign admin units page, select Next.
-
On the Publish to users and groups page, select Next.
-
On the Policy settings page, select Next.
-
On the Default settings for documents page, select Next.
-
On the Default settings for emails page, select Next.
-
On the Default settings for meetings and calendar events page, select Next.
-
On the Default settings for Fabric and Power BI content page, select Next.
-
On the Name your policy page, enter:
- Name:
Internal HR employee data
- Enter a description for your sensitivity label policy:
This HR label is to be applied to internal HR employee data.
-
Select Next.
-
On the Review and finish page, select Submit.
-
On the New policy created page, select Done to finish publishing your label policy.
You have successfully published the Internal and HR sensitivity labels. Note that it can take up to 24 hours for changes to replicate to all users and services.
Task 4 – Create a client-side auto labeling policy
In this task, you’ll create a client-side auto-labeling policy. Client-side auto-labels apply automatically to files and emails based on their content, ensuring that sensitive information is classified and protected before it leaves the user’s device.
-
You should still be on the Sensitivity labels page in the Microsoft Purview portal. If not, navigate to https://purview.microsoft.com > Solutions > Information Protection > Sensitivity labels.
-
On the Sensitivity labels page, find the newly created Internal sensitivity label. Select the vertical ellipsis (…) next to it, then select + Create sublabel from the dropdown menu.
-
The New sensitivity label configuration will start. On the Provide basic details for this label page, enter:
- Name:
Confidential Research Data
- Display name:
Confidential Research Data
- Description for users:
This document or email contains sensitive research or development data that is proprietary to the organization.
- Description for admins:
This label is auto-applied to documents and emails containing information related to research, prototypes, or internal projects.
-
Select Next.
-
On the Define the scope for this label page, select Items, then select Files, Emails, and Meetings.
-
Select Next.
-
On the Choose protection settings for labeled items page, select Apply content marking, then select Next.
-
Select Next.
-
On the Content marking page, select the toggle to enable content marking.
-
If the checkbox for Add a footer is selected, deselect it, and select the checkbox for Add a watermark, then select Customize text.
-
In the Customize watermark text flyout pane, enter Confidential - R&D Data as Watermark text. Increase the Font size to 40, then select Save at the bottom of the panel.
-
Back on the Content marking page, if other content marking options are enabled, disable them to ensure Add a watermark is the only option enabled.
-
Select Next.
-
On the Auto-labeling for files and emails page, set Auto-labeling for files and emails to enabled.
-
In the Detect content that matches these conditions section, select + Add condition > Content contains.
-
In the Content contains section, select Add > Trainable classifiers.
-
In the Trainable classifiers flyout panel, add these trainable classifiers:
Source code
Project documents
Software Product Development Files
-
Select Add at the bottom of the panel to add these trainable classifiers.
-
Back on the Auto-labeling for files and emails page, select Next.
-
On the Define protection settings for groups and sites page, select Next.
-
On the Auto-labeling for schematized data assets (preview) page, select Next.
-
On the Review your settings and finish page, select Create label.
-
On the Your sensitivity label was created page, select Publish label to users’ apps, then select Done.
-
On the Publish label flyout panel, select Create new label policy.
-
On the Choose sensitivity labels to publish page, select the Choose sensitivity labels to publish link.
-
Select the parent Internal label and the Confidential Research Data label that was just created, then select Add.
-
Back on the Choose sensitivity labels to publish page, select Next.
-
On the Assign admin units page, select Next.
-
On the Publish to users and groups page, select Next.
-
On the Policy settings page, select the checkbox for Users must provide a justification to remove a label or lower its classification, then select Next.
-
On the Default settings for documents page, select Next until you reach the Name your policy page.
-
On the Name your policy page, enter:
- Name:
R&D Confidential Data Policy
- Enter a description for your sensitivity label policy:
Automatically applies labels to source code, project documents, and development files to protect sensitive R&D data.
-
Select Next.
-
On the Review and finish page, select Submit.
-
On the New policy created page, select Done.
You have successfully created a client-side auto-labeling policy that will automatically apply the Confidential Research Data label to files and emails containing research and development data. It might take up to 24 hours for the policy to take full effect.
Task 5 – Create a service-side auto labeling policy
In this task, you’ll create a service-side auto-labeling policy. Service-side auto-labels are applied by cloud services like SharePoint, Exchange, and OneDrive after content is uploaded or received, ensuring that sensitive data is protected even if users don’t manually classify it.
-
You should still be on the Sensitivity labels page in the Microsoft Purview portal. If not, navigate to https://purview.microsoft.com > Solutions > Information Protection > Sensitivity labels.
-
Expand the Internal label, then select the Confidential Research Data sublabel you created in a previous task.
-
In the Confidential Research Data flyout panel, you’ll see the properties for the auto-label you created in a previous task. In this panel, select Create auto-labeling policy.
-
On the Name your policy page, enter:
- Name:
R&D Confidential Data Container Policy
- Enter a description for your sensitivity label policy:
Automatically applies the Confidential Research Data label to content in SharePoint, Exchange, and OneDrive.
-
Select Next.
-
On the Assign admin units page, select Next.
-
On the Choose locations where you want to apply the label page, leave Exchange email, SharePoint sites, and OneDrive accounts selected, then select Next.
-
On the Set up common or advanced rules page, leave Common rules selected, then select Next.
-
On the Define rules for content in all locations page, edit the Confidential Research Data rule.
-
In the New rule flyout panel, under Conditions > Content contains, select the dropdown for Add, then select Trainable classifiers.
-
In the Trainable classifiers flyout panel, add these trainable classifiers:
Source code
Project documents
Software Product Development Files
This ensures consistent protection between client-side and service-side labels.
-
Select Add at the bottom of the panel to add these trainable classifiers.
-
Back on the Define rules for content in all locations page, select Next.
-
On the Choose a label to auto-apply page, leave Internal/Confidential Research Data selected, then select Next.
-
On the Decide if you want to test out the policy now or later page, select Run policy in simulation mode, and select the checkbox for Automatically turn on policy if not modified after 7 days in simulation, then select Next.
-
On the Review and finish page, select Create policy.
-
On the Your auto-labeling policy was created page, select Done.
You have successfully created a service-side auto-labeling policy that will automatically apply the Confidential Research Data label to content stored or shared in SharePoint, Exchange, and OneDrive. It might take up to 24 hours for the policy to take effect.