Even tho Azure Information Protection is included within the EMS package i would recomend using the Office 365 Unified Labeling insted.
Those labels which can be eather Sensitivity or Retention labels and capabilities comes with in the Office 365 E3 or Office 365 E5 license.
Why should you use Unified labels you say?
Well, in my opinion you should keep it as simple as posible for your users therefore by embracing the Unified labels within Office 365 users don`t have to think about using a labeling client to manage their labels. Unified labels are built into Office applications both web and installed ones and also embeded into the mobile applications. That meaning users can label on any device with application.
When using Azure Information Protection internal IT department of your company need to roll out the AIP Client to all machines and drawbacks here is that web applications and mobile applications are not eligable for this client.
So!
Start with creating some labels from Security & Compliance center and play arround crating watermarks, encryption and deploy to test users at first to be able to test your policies.
Head into https://protection.office.com/ and navigate to “Classifications -> Sensitivity labels” and from her create a new label
![CD
Home
Alerts
Permissions
— Classification
Sensitivity labels
Retention labels
Sensitive info types
https://protection.office.com/sensitivity?viewid=sensitivitylabels
Office 365 Security & Compliance
Home > sensitivity
Labels Label policies
Sensitivity labels are used to classify email messages, documents, sites, and more.
encrypt files, add content marking, and control user access to specific sites. Learn
+ Create a label Publish labels C) Refresh
Name
Classified - Web only from not compliant clients
Highly classified - Block access from not compliant devices](/wp-content/uploads/2020/02/image-4.png)
Follow through with the wizard
![New sensitivity label
o
o
o
o
o
Name & description
Encryption
Content marking
Endpoint data loss prevention
Site and group settings
Auto-labeling for Office apps
Review your settings
Name your label
The protection settings you choose for this label will be immediately enforced on the files, email messages or sites to which it's applied. Labeled files will be protected wherever
they go, whether they're saved in the cloud or downloaded to a computer.
Name
Classified
Tooltip
Enter text that helps users understand this label's purpose
Description
Enter a description that's helpful for admins who will manage this label](/wp-content/uploads/2020/02/image-5-1024x425.png)
And when going through the Wizard you need to take some descisions on what the policy should do.
- Encryption
- Yes or no and what permissions should be set automatically to your files.
- Should the access to the file expire on a givven date or days after encryption
- Allow offline access to files could be convenient for some.
- Should the content be watermarked?
- Add DLP policy from the Entpoint (Windows Information protection WIP).
- Use this label to protect
Office365 groups (Teams and SharePoint sites also)
- Here you can choose if the created SharePoint site, Teams or Office 365 Group should be have restricted access from unmanaged devices and such.
- Use Autolable based on
conditions
- This feature require E5
- You can automatically lable documents with for example Norwegian passport number is written in a document.
Thats it! You have created your first label – quite easy.
But before going big-scale you need to evaluate how your company should label documents. General, Confidential, Higly confidential and so on.
My best tip there is to create a table on the labels you think you need and describe the “rules” of when to apply the labels. Like financial data should maybe be labels highly confidential while some company flyers should have “General”.
S for Security in EMS – Overview
Part 1 – S for Security in EMS – Azure AD Premium
Part 2 – S for Security in EMS – Information Protection
Part 3 – S for Security in EMS – Microsoft Intune
Part 4 – S for Security in EMS – Advanced Threat Analytics
Part 5 – S for Security in EMS – Cloud App Security