Office 365 Labels are how you classify content across Office 365 services. Labels replace records management and some governance features in SharePoint and Exchange.
Office 365 labels are a part of the Advanced Data Governance (ADG) suite of tools. The purpose of ADG is to ensure you keep data you need in your organization. It also helps you dispose of information when it is not required.
What is Advanced Data Governance?
There are three components of ADG: Labels, Retention, and Supervision.
- Labels: Classify your information for governance purposes. For example, you could have a label for a contract, employee review, or another type of information. A label can also have a retention policy associated with it.
- Retention: Retention policies ensure that you do not delete content prematurely. Once content has reached the end of its retention period, it can be deleted, an approval process for deletion can start, or nothing can happen.
- Supervision: Allows you to set policies to monitor email and third-party communications in your organization. You can specify people to review these communications.
In this article, we are going to focus on ADG Labels. We will review retention and supervision functionality in a future post.
What Are the Components of an Office 365 Label?
There are two components of an Office 365 Label. First, you create the actual label. Then you define where to deploy the label using a label policy.
Creating a Label
To create a label, go to the Security and Compliance Center. Click on Classifications, and then Labels. When you create a label, there are some options for configuration.
On the first screen, you will be required to select a name for your label. You also can optionally provide a separate label description for both administrators and end users.
On the next screen, you have the option to include retention as a part of your label. The options for retention applied using a label are a bit different than the settings if you are creating a retention policy without using a label. Here are your options:
- You can decide to either retain the content for a specific period or delete content if it is older than a certain amount of time.
- You can also choose to retain content forever.
- You can specify time periods in days, months, or years.
- You can retain or delete the content based on the following date fields: when it was created, when it was last modified, when it was labeled, or based on an event. You cannot use other date fields, such as those created in a SharePoint column.
- The label can be designated as a “record,” which means that users cannot modify or delete the content, or change or remove the label. However, they can still edit the content’s metadata.
- Once the content has reached the end of its retention period, it can be deleted automatically, a disposition review can be triggered, or nothing can happen.
Once you have created your label, you will need to create a label policy to deploy it to specific locations, or to allow it to be automatically applied.
To create a label policy, first, go to the Security and Compliance Center. Then click on Data Governance, Retention. Click the Label policies box at the top of the screen.
Here you have two options: Publish labels or Auto-apply a label. Published labels are location based, and publishing is for when you want end users to be able to apply the label manually. Auto-apply a label lets you apply a label automatically to content that meets the criteria you specify. Let’s look at both of these options in more detail.
How Location-Based Office 365 Labels Work
Once you’ve chosen to publish a label so that it’s available to end users, you will need to complete the following steps.
First, you will need to choose a label to publish. Click +Add and select a label that you created in the previous step. As of this writing, retention policies that have been created separately from a label also appear in this list. Click Done and then Next.
Next, you will choose the locations where you would like to deploy the label. The graphic below shows supported deployment locations as of this writing. You can also decide to have the label deployed to all locations.
Note that you can include or exclude elements in the policy.
- In Exchange email, you can choose or exclude up to 1,000 people in a policy. For example, if you want all members of your procurement team to manually tag all emails related to a contract negotiation, you can include only those people that work in procurement.
- For SharePoint sites, you can include or exclude up to 100 sites per label. This approach is useful when you have labels that apply specifically to a department or project, for example.
- In OneDrive for Business, you can specify up to 1,000 accounts that can manually apply a label. For example, you may want executives to have their own label to designate important records.
- For Office 365 Groups, you can include up to 100 groups that can manually apply a label. When the Office 365 Groups location is selected, the label will appear in both the group Exchange mailbox and the Group site.
Once you have chosen the places where you will deploy the label, you will be asked to create a required name for the policy and an optional description. These will only be viewable to those with access to the Security and Compliance Center.
Labels will appear to end users in SharePoint, Office 365 Group sites, and OneDrive after one day. They will appear in Exchange and Office 365 Group mailboxes after seven days.
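The label and label policy steps above can also be scripted in Security & Compliance PowerShell. The following is an added example, not part of the original article; the label name, policy name, mailbox addresses and site URL are constructed placeholders.

```powershell
# Added example: every name, address and URL below is a constructed placeholder.
# Requires the ExchangeOnlineManagement module and a compliance administrator role.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'

# 1. Create the label: retain for 7 years from the creation date, then delete,
#    and declare labeled content a record. The cmdlet takes the period in days.
$labelParams = @{
    Name              = 'Contract'
    Comment           = 'Executed supplier contracts'
    RetentionAction   = 'KeepAndDelete'      # Keep | Delete | KeepAndDelete
    RetentionType     = 'CreationAgeInDays'  # or ModificationAgeInDays, TaggedAgeInDays, EventAgeInDays
    RetentionDuration = 2555                 # 7 x 365 days
    IsRecordLabel     = $true
}
New-ComplianceTag @labelParams

# 2. Create the label policy and scope it to specific locations
#    (procurement mailboxes and one SharePoint site).
$policyParams = @{
    Name               = 'Publish - Contract label'
    Comment            = 'Procurement mailboxes and the contracts site'
    ExchangeLocation   = 'buyer1@contoso.example', 'buyer2@contoso.example'
    SharePointLocation = 'https://contoso.sharepoint.com/sites/contracts'
}
New-RetentionCompliancePolicy @policyParams

# 3. Publish the label through the policy so end users can apply it manually.
New-RetentionComplianceRule -Policy 'Publish - Contract label' -PublishComplianceTag 'Contract'

# 4. Check how far the policy has been distributed to its locations.
Get-RetentionCompliancePolicy -Identity 'Publish - Contract label' -DistributionDetail |
    Select-Object Name, DistributionStatus, ExchangeLocation, SharePointLocation
```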
How Office 365 Automated Labels Work
The second option for label publishing is to auto-apply the label, but this requires an Office 365 E5 license. There are three ways to auto-apply a label:
- Based on sensitive information types
- Based on a search query
- Based on a document library location
Auto-Apply a Label Based on Sensitive Information Types
Labels applied automatically using sensitive information types allow you to label data such as US social security numbers, bank account numbers, and health records. The sensitive information is identified using Office 365 Data Loss Prevention (DLP) policies.
DLP policies come as pre-defined templates from Microsoft that use a data pattern to determine sensitive information. For example, a US social security number is in the following format: ###-##-####. The DLP policy looks for that format, and when it finds the pattern, we can automatically label the document. There are also settings to set the sensitivity of data identification.
We can apply automatic labels based on sensitive information types to content residing in Exchange (all mailboxes only), SharePoint, and OneDrive for Business. In Exchange, auto-apply labels (for both queries and sensitive information types) are applied only to messages newly sent (data in transit), not to all items currently in the mailbox (data at rest). Also, auto-apply labels for sensitive information types can apply only to all mailboxes; you can’t select the specific mailboxes.
Auto-Apply a Label Based on a Search Query
Labels can also automatically be applied using a search query. The query can search for specific words or phrases, and you can use search operators such as AND, OR, and NOT. We use the Office 365 search index for the query, and any content that matches it and resides in Exchange, SharePoint, OneDrive or Office 365 Groups will be automatically labeled.
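The two policy-based auto-apply options described above (sensitive information types and a search query) look like this in Security & Compliance PowerShell. This is an added example, not part of the original article; the policy names, the label names 'Personal Data' and 'Contract', and the query text are constructed, and both labels are assumed to exist already.

```powershell
# Added example: constructed names. Assumes Connect-IPPSSession has already
# been run and that labels named 'Personal Data' and 'Contract' exist.

# Option 1: auto-apply based on a sensitive information type.
# Exchange is set to All because this kind of policy cannot be scoped
# to specific mailboxes.
$ssnPolicy = @{
    Name               = 'Auto - SSN'
    ExchangeLocation   = 'All'
    SharePointLocation = 'All'
    OneDriveLocation   = 'All'
}
New-RetentionCompliancePolicy @ssnPolicy

# Built-in sensitive information type; label content with at least one match.
$ssnType = @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' }
New-RetentionComplianceRule -Policy 'Auto - SSN' `
    -ApplyComplianceTag 'Personal Data' `
    -ContentContainsSensitiveInformation @($ssnType)

# Option 2: auto-apply based on a search query using AND, OR and NOT.
$queryPolicy = @{
    Name                = 'Auto - Contracts'
    SharePointLocation  = 'All'
    ModernGroupLocation = 'All'
}
New-RetentionCompliancePolicy @queryPolicy

$query = '"master services agreement" OR (contract AND NOT draft)'
New-RetentionComplianceRule -Policy 'Auto - Contracts' `
    -ApplyComplianceTag 'Contract' `
    -ContentMatchQuery $query

# Review which rules apply which label.
Get-RetentionComplianceRule |
    Select-Object Name, Policy, ApplyComplianceTag, ContentMatchQuery
```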
Auto-Apply a Label Using Document Libraries
The last way we can automatically label content is by using SharePoint document libraries. Using document libraries, we can automatically apply a label to any document located in that library. For example, if you have a document library that stores contracts, you could set the default label on that library as a contract. Anytime someone uploads a document to the contracts library, the label will be automatically applied.
Limitations of Office 365 Labels
The information above explains how to use labels. However, there are many nuances of how labels really work versus how they work in theory. You will need to know these nuances if you are planning an implementation.