Microsoft creates self-service sensitivity labels in Microsoft 365
Published 2023-07-17 on the Microsoft Inside Track blog: https://www.microsoft.com/insidetrack/blog/microsoft-creates-self-service-sensitivity-labels-in-microsoft-365/
Empowering self-service is important to us at Microsoft. Every employee should be able to create the resources they need without engaging IT to do it for them. To support this level of freedom, we rely on a strong governance strategy to identify and protect valuable content. By ensuring accountability, our employees are able to create the containers and content they need to stay productive.
With sensitivity labels, Microsoft Digital Employee Experience (MDEE), the organization that supports, protects, and empowers the company, can now proactively enforce policies to keep shared workspaces safe. Microsoft 365 groups, SharePoint sites, Teams, Viva Engage communities, and any container used throughout Microsoft now utilize sensitivity labels to identify and proactively protect valuable information. In doing so, Microsoft can strengthen self-service without exposing sensitive information.
Regardless of the technology behind it, labels represent a visual cue to people interacting with a shared workspace or document. Labels can inform an enterprise’s governance practices, letting the organization describe the landscape to properly manage it and enact the right policies.
At Microsoft, labels enable our employees to identify different degrees of value. Based on the label, we can apply the right amount of protection.
Previously, when a Microsoft employee created a new group, a Microsoft Azure Active Directory (AAD) label would help classify it, denoting who should have access to the shared workspace according to Microsoft’s policies. On its own, an AAD label doesn’t do anything; it’s simply a string of descriptive text incapable of enforcement. Custom scripts run by administrators would apply policy rules based on these AAD labels. As a consequence of the gap between classification and enforcement, users could accidentally ignore the policies, creating circumstances where the group is out of compliance. Once the non-compliant container was recognized and remediated by the custom solutions, the user might be surprised or disrupted by enforcement actions taken to protect and secure the workspace.
In moving to sensitivity labels, we in MDEE are able to further empower users with compliant self-service right out of the box. Enforcement happens through sensitivity labels, so users are never disrupted or required to take additional compliance actions; they have a clear understanding of classification from the start, creating a better user experience while protecting the enterprise. The migration allows the organization to retire several custom solutions that are no longer necessary. Sensitivity labels have also enabled us to unify content and container classifications, creating consistent taxonomy and the opportunity for centralized administration.
Applying labels to a workspace not only informs the organization as to what a site or container is, but drives a culture of good governance. To have a successful implementation of sensitivity labels, MDEE built strong, meaningful, and self-explanatory labels. Alignment with partners at Microsoft Digital Security and Resilience (DSR) meant labels could communicate the level of sensitivity in the workplace or document without a technical explanation.
At Microsoft, we use four labels for container and file classification:
These definitions inform policies from a technological side, and once taxonomy was established, we were able to enforce consistent security policies across the company. From a user’s perspective, these terms are easier to comprehend than the underlying rules and settings behind the classifications. Labels are intended to support security without creating an extra burden for users. It’s not always easy for users to understand the details of security, but they do understand constructs like “General,” “Confidential,” and “Highly Confidential.”
Aligning on label taxonomy also secured buy-in for company defaults. For some companies, governance policies are open by default, whereas Microsoft is closed by default.
With the new sensitivity labels, container classification communicates four things:
Prior to sensitivity labels, AAD tagged containers at a tenant level, with document labeling being handled by security and compliance, or Microsoft Purview Information Protection. As a consequence, the two artifacts lived in two separate locations, requiring administrators to visit different sites for managing governance.
The two locations also meant container labels worked a little differently than document labels. Where tenant-level AAD labels for a container would display an entire list of classifications, document labels only showed classifications that were appropriate to the user. Once unified, sensitivity labels for containers only populate appropriate classifications, limiting the list to valid labels for the users and groups.
Shifting labels from AAD to Microsoft Purview Information Protection, where data-loss prevention and retention take place, unified labels across the company, reduced the workload for administrators, and allowed Microsoft to take another step forward in readying the environment.
By using terms for labels that mean something to people, label definition becomes intuitive and reinforces a culture of accountability. Establishing this level of awareness creates corporate buy-in. Getting the company to stand behind these specific label classifications not only supports a consistent experience, but informs corporate strategy decisions around privacy and sharing.
Rationalizing a hierarchy of policies establishes where you are today and where you’ll be tomorrow. Currently, there’s no concept of inheritance between a container and its content. Labeling a workspace highly confidential does not pass that trait on to documents stored inside. In the future, however, unified taxonomy and centralized administration create the opportunity for an efficient connection between the workspace’s label and the classification of documents within.
For some organizations, those starting from a greenfield state with no existing AAD classifications in place, sensitivity labels can be onboarded easily and offer a chance to introduce a strong culture of governance.
But for companies like us at Microsoft, where existing AAD labels and custom governance solutions were already established, moving to sensitivity labels required preparation and alignment across the company before migration could occur.
Onboarding sensitivity labels gave us an opportunity to create consistent classification language for containers. This entailed conversations about balancing employee experience and enablement with security and legal implications. Agreeing on taxonomy and selecting terms with meaning allowed us to protect the enterprise while empowering self-service.