top of page

Recent and Upcoming Changes in Microsoft Purview Sensitivity Labels

Microsoft has rolled out some exciting changes to sensitivity labels within the Microsoft Purview portal, enhancing data protection capabilities and making access control options more intuitive. These updates help organisations streamline how they protect data across different assets, including newly supported platforms like Microsoft Fabric.


Here’s a breakdown of what’s new and what’s coming:

  • Label Scope Updates: The Items scope has been renamed to Files & other data assets. This change not only rebrands the scope but also expands it, incorporating items previously under the Schematized data assets scope and adding support for Microsoft Fabric assets.

  • Protection Policies for Microsoft Fabric (In Preview): Organisations using Microsoft Fabric can now leverage sensitivity labels that apply access control and encryption, allowing for seamless protection of data across this new platform.

  • New Naming for Encryption Permission Levels (In Preview): Microsoft has renamed some familiar permissions in an effort to clarify their functionality:

    • Reviewer is now Restricted Editor

    • Co-author is now Editor

    • Co-owner is now Owner

Alongside these changes, Microsoft has introduced a new dialog box in Microsoft 365 apps like Word, Excel, and PowerPoint. This dialog box displays the renamed permission levels in a more user-friendly way, helping users understand the scope of their permissions with sensitivity labels at a glance.

  • Default Labelling for Meetings: For organisations with licensing to apply sensitivity labels to Teams meetings, the Meetings scope is now included in default labels. This includes a Teams meeting label in the default sensitivity label policy and pre-configured settings to apply label protections to Teams meetings.


Notable Permissions Updates for Viewer and Editor Roles

Some of the most impactful changes in this update revolve around the Viewer and Editor permissions, particularly in how they handle access control for encrypted files. Let’s look at what’s changed and what you need to know:


1. Removal of "Save as, Export" from Editor Permission

The Editor role, previously known as Co-author, no longer includes the Save as, Export permission. This change means that users with Editor permissions can still view and edit content, but they won’t be able to save or export it as a new file.


2. Changes to Viewer Permissions: Reply and Reply All

For users assigned the Viewer role, which includes View, Open, Read access, two notable changes relate to Reply and Reply All permissions:

  • Reply (REPLY): The Viewer permission does technically support replying to emails, but this option isn’t prominently available in the Purview compliance portal or the Azure portal. Reply (REPLY) allows users to respond to an email in compatible email clients, but the email may open as an attachment if Save and Edit permissions aren’t added. This setup can lead to an extra step for recipients, who will need to authenticate separately to view the message.

Microsoft recommends using Restricted Editor instead to ensure that emails appear as intended, especially when interacting with users in other organisations or those exempt from Azure Rights Management.

  • Reply All (REPLYALL): Similar to Reply, Viewer permissions technically include Reply All functionality. Reply All (REPLYALL) operates similarly, allowing users to respond to all recipients. However, if you don’t add Save and Edit permissions, recipients may encounter the protected email as an attachment rather than an inline reply. Using Restricted Editor is again recommended for a smoother experience.


I'm not exactly sure when the Save as, Export permission for Editor and the Reply/Reply All permissions for Viewer were removed from the portal, but keep in mind that these changes could impact how recipients in your organisation consume encrypted data that’s been shared with them.

 

According to Microsoft documentation, Viewer roles include these Reply permissions, but these options may not appear in the Purview or Azure portals.

Same goes for the Save as, Export permission for the Editor role.  


For a detailed breakdown of the latest roles and their permissions, see the table below.


A printable sensitivity label permission chart can be downloaded below.



3. Copy/Extract Permission (EXTRACT): Special Considerations

The Copy/Extract permission - known as EXTRACT - is a key permission for users needing to copy content from labelled, protected documents. This permission is especially important for enabling Microsoft 365 Copilot to access and create new content based on labelled and encrypted documents. Here’s what EXTRACT allows:

  • Users with EXTRACT permission can copy content to other documents or emails, whether within the same file or across different files.

  • Essential for Copilot: EXTRACT allows Microsoft 365 Copilot to use protected information for generating new content, enhancing productivity without compromising security.

  • Screen Sharing Control: EXTRACT determines whether the document or email content will appear for other viewers when someone is sharing their screen in Teams or other apps. Without this permission, sensitive content will display as a black box, keeping protected information confidential.


Conclusion

There are plenty of changes rolling out to the Microsoft Purview portal, and keeping up with each update can feel like a full-time job! To stay on top of the latest features and modifications, be sure to check out the Microsoft Purview documentation for all the newest details and guidance.

Comments


bottom of page