Redefining Project Permissions with Sensitivity Labels in Microsoft 365
Sensitivity labels are an entirely new way to implement permission controls in Microsoft 365. They are more powerful and easier to administer than groups and SharePoint permissions. Will sensitivity labels ultimately be the future of permissions management in Microsoft 365? Read on to find out more.
Historical Microsoft 365 permissions overview
If you are familiar with Microsoft 365 permissions, you know how complicated administering permissions can be between external and internal users or even controlling permissions for different types of information.
If you use SharePoint to store your documents, you gain additional permission controls that you can apply by user or group by site, app, folder, list, library, or even record. And with SharePoint permission levels, you have an extensive range of options to fine-tune further what specific users can do once they gain access, such as read and edit.
Administering permissions from a content location-centric mindset (i.e., where the file is stored) can become tedious depending on the number of sites and applications in play. Also, while these types of permissions prevent access to the document in SharePoint, they do not prevent someone from getting a copy of a document from an email attachment or a chat and simply downloading it locally.
What if you could apply permissions based on a type of record or the type of person interacting with the data and ensure the permissions permeate through your entire Microsoft 365 tenant?
Introducing Sensitivity Labels
Now that we covered Microsoft 365 permissions, as we all know and love, you might wonder how sensitivity labels could improve on the foundation. Here are some of the features of sensitivity labels:
- Persistence. Because the label is stored in metadata for files and emails, it stays with the content, no matter where it’s saved or stored. The unique label identification becomes the basis for applying and enforcing policies you configure, which apply online and offline.
- Encryption. Emails and documents can be encrypted to prevent unauthorized people from accessing the data. You can even add expiration dates.
- Watermarks. Sensitivity label watermarks can be automatically applied to documents and emails. You can configure the watermarks to display on the documents’ header, body, and footer.
- Microsoft Office support. Microsoft Word, Excel, PowerPoint, and Outlook, both on the desktop and on the web, support sensitivity labels. Sensitivity labels work on Windows, macOS, iOS, and Android. Users can assign sensitivity labels directly to the file as they work on them, and that metadata is saved with the file throughout Microsoft 365. Even Power BI reports can recognize sensitivity labels.
Real-world construction examples
Scenario #1. You have confidential correspondence that only the project manager and the project controls lead should be able to see. You could create a sensitivity label called Confidential and only include PMs and PCM users. You can select the sensitivity label from right within your Outlook menu. Now that email will be restricted to only PMs and PCMs.
Scenario #2. You want all internal correspondence documents in a SharePoint document library to not be shared externally. You can create an internal sensitivity label, grant access to all internal company users, and then set up a default sensitivity label on the entire document library. Now when every file gets dropped off, it is automatically restricted to internal company users.
Scenario #3. You want to conduct regular vendor review meetings, but you only want to include the construction contract management (CCM) team and control any access to what is discussed and shared. You can create a sensitivity label called “vendor review” and include the CCMs. Then apply the sensitivity label from Outlook and Teams when you set up the meeting. The meeting settings can consist of:
- Who can bypass the lobby.
- Who can present.
- Who can record.
- Encryption for meeting video and audio.
- Automatically record.
- Video watermark for screen sharing and camera streams.
- Prevent copy of meeting chat.
- Prevent or allow copying chat contents to the clipboard.
If you are interested in utilizing sensitivity labels, there are a couple of items to consider:
- Sensitivity labels only work with Microsoft Office documents. It is possible to use PDFs but refer to the latest documentation on how to set it up: Microsoft Purview Information Protection support in Acrobat (adobe.com)
- Sensitivity labels are created and managed in the Microsoft 365 Admin center, which very few users can access.
Overall, Sensitivity Labels are very powerful tools for managing who has access to your information. They provide a different permissions vector than traditional permissions management and are much more robust across the Microsoft 365 ecosystem. You can use both models simultaneously since it is not an either-or decision. I suggest trying them out for confidential documents that should not be shared externally to see how you can incorporate them into your daily work process.
If you need any help with sensitivity labels, permissions, or Microsoft 365 in general, you can request a one-hour free consultation. You can request a demo here if you are looking for an enterprise construction management solution for Microsoft 365.