Secure SharePoint Online data – Part 2

In my previous blog post, which you will find here, I showed how to start with securing SharePoint Online data with just a few simple steps. In this blog post I will go further with securing SharePoint Online by using Office 365 Labels and Data Loss Prevention (DLP) policies. By using those labels and policies, you are able to show your users a policy tip when they share confidential data with people outside the organization or even block sharing SharePoint documents with people outside your organization.
To use this features you need to assign your users at least an Office 365 E3 license.

Create an Office 365 Label

Office 365 labels and DLP policies are managed using the Security & Compliance Admin center. Open the admin center and navigate to Data governance, Dashboard. Click Create a label.

Data governance

Give your Office 365 label a name and description for admins and users and click Next.

Name your label

Your subtitle here

On the next page you can choose to turn on retention for this label, I left retention turned off. Click Next.


Your subtitle here

Review your settings and click Create this label.

Review your settings

Publish an Office 365 label

After creating the Office 365 label, we need to publish the label to SharePoint Online. From the properties of the label click Publish label.

Publish label

On the Choose labels to publish tab click Next.

Choose labels to publish

Your subtitle here

At this moment I`m not using this label in Exchange, so I switched Exchange email off. But if preferred you can choose the default option All Locations as long as it contains SharePoint sites its fine for this setup.

Choose locations

Your subtitle here

Give your policy a Name and description and click Next.

Name your policy

Your subtitle here

Review your settings and click Publish labels.
NB: It can take up to 1 day before the label is published and visible in SharePoint. Fortunately most of the times it`s visible in half an hour till a few hours.

Review settings

After clicking Publish, the status is shown as On (pending). If successfully published the status will be On (Succes).

Status On

Apply a label to your SharePoint Online site

Now we need to apply the Office 365 label to the SharePoint Online site to automatically label all items in the preferred document library, in my case a library under the Legal Department site.
Open the SharePoint Online site and navigate to the documents library. On the right top click the Settings icon and click Library settings.

SharePoint Online site

Your subtitle here

Under Permissions and Management click Apply label to items in this list or library.

Library settings

Choose the label you previously created, in my case Highly confidential, and check Apply label to existing items in the library. Click Save.

Apply label

Your subtitle here

After some time you see the items are labeled with the label you chose in the previous step.

Documents are labeled

Create and apply a DLP policy

Now your SharePoint Online documents are automatically labeled with an Office 365 label it`s time to apply a DLP policy to our High Confidential documents.
Switch back to the Compliance & Security center. Navigate to Data loss prevention, Policy and click Create a policy.

DLP Policies

Your subtitle here

We need to create a Custom policy.

Custom policy

Enter a name and description for the DLP policy and click Next.

Image title

Your subtitle here

Check Let me choose specific locations and click Next.

Choose locations

Your subtitle here

Switch off Exchange email and OneDrive accounts. If you click Choose sites, you are able to search for your SharePoint site to only apply the policy to that specific site.
Click Next.

Switch off Exchange

Your subtitle here

On the next page make sure Detect when this content is shared is set to with people outside my organization.
Above that option click Edit to select the High Confidential label we already applied to the SharePoint site.

Policy settings

As type of content we need to select Labels.

Choose the type of content to protect

Your subtitle here

Select the High Confidential label.
Back on the Policy settings tab click Next to get some more options.


Your subtitle here

Now it`s time to set the actions which need to be taken when sensitive info is detected. By default a policy tip is shown. Also by default the option to detect when a specific amount of sensitive data is shared is turned on and an incident report is send by email. This option will send an incident report to the Global admin and the account which setup the policy.

A more restrictive option you can set on this tab is to check Restrict access or encrypt the content and check Block people from sharing and restrict access to shared content. This will not only show a policy tip and send en email, but will prevent accidental sharing of confidential files. 
After setting the preferred options click Next.

Actions to take on sensitive info

Your subtitle here

On the next page check Only people outside your organization.
If you want your users to be able to override the policy, switch that option on. It is a good option if you allow override, you check Require a business justification to override. All policy overrides are recorded, with this option you as an admin get information on all policy overrides and the reason why the users did share the item.
Click Next.

Customize access and override permissions

Check Yes, turn it on right away and click Next.
In the next screen, review your settings and click Create.

Turn on the policy

Your subtitle here

With all the previous steps we have applied an Office 365 label (High Confidential) to a document library in a SharePoint Online site (Legal department). By applying a DLP policy your users will see a policy tip when they try to share a High Confidential document with people outside the organization.
Depending on the options set, the user is able to override the policy and share the document. But the override will be recorded (if also turned on).

End-user experience

Let`s have a look at the user-experience. Logon to the SharePoint Online site and navigate to the documents library. Try to share one of the labeled documents with an external users. A policy tip will be shown. Click View policy tip.

Send link

Your subtitle here

The policy tip is shown. You are able to Report an issue or Override the policy. Click Override to see how that looks like.

Override policy

Your subtitle here

You need to enter a business justification to override the policy and click Submit. The override is recorded and the user is able to share the document with an external user.

Image title

Your subtitle here

The next step in securing your SharePoint Online data is encrypting the documents with Azure Information Protection. In a future blog post I will have a look these options.

1 Comment

  1. Thanks for this Peter. Tried applying labels to a SharePoint library (after labeling the site) but was faced with an issue; none of the published labels are showing up in the drop-down option in library settings.

    Any idea what might cause this?

Leave a Reply

Your email address will not be published.