Enterprise Mobility Information Protection

Creating New Sensitivity Labels with PowerShell

Read Time: 3 minutes

Sensitivity Labels can be used to apply the information security classification for your organization to files & emails (and other areas) within Microsoft 365. Specifically to files inside of SharePoint Online, Microsoft Teams, OneDrive and all of your emails in Exchange.

Sensitivity Labels are created and managed within the Compliance Center in M365 and are available to both M365 E3 and M365 E5 licensed organizations.

One of the key advantages to using Sensitivity Labels over legacy methods to apply a classification is the label is not merely metadata, but we can automate and enforce classification standards on our files & emails.

We can use the user-friendly interface in the Compliance Center, or we can build our own PowerShell script, which gives us access to configuration items that are otherwise unavailable. In addition to exposing extra features (e.g., providing a multilingual experience), PowerShell scripts allow us to build and test our Sensitivity Labels deployment in a structured and repeatable way. This reduces risk: it removes the opportunity for human error and ensures that what was deployed in the staging environment is deployed identically in production.

1. PowerShell Pre-requisites

In order to create and configure our Sensitivity Labels, we need the Exchange Online Management module: install it if it is not already present, then import it using PowerShell ISE (Run as Admin).

Import-Module ExchangeOnlineManagement

2. Connect to the Security & Compliance PowerShell

Using the Exchange Online Management module, we must connect to the Security & Compliance PowerShell.


3. Create the Label

In order to create the label at its most basic level, we run the New-Label command and specify three (3) fields for the label:

  1. DisplayName: The display name is what end users see, and it can be updated later if business needs require it.
  2. Name: The name cannot be changed and is generally treated as a unique value in your tenant. The name is what is displayed in the Audit Log and the various administrative consoles.
  3. ToolTip: The tool tip should contain language that communicates the sensitivity of a file carrying the label.

In this case, we will create a label called "Public" with an identical display name and a description of to whom the file can be distributed.

New-Label -DisplayName "Public" -Name "Public" -ToolTip "This content can be freely shared with the public."

With that one line we have created a Sensitivity Label, which can be further configured from the Compliance Center or with the Set-Label command.
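The three steps above as one repeatable script. This is an added example, not the post's own script: it assumes the ExchangeOnlineManagement module can be installed from the PowerShell Gallery, that the account used holds a Compliance admin role, that Connect-IPPSSession (the module's cmdlet for the Security & Compliance endpoint) is available, and that the label name "Public" is free in the tenant. The existence check is added so re-running the script in staging and production does not fail on the immutable Name.

```powershell
# Added example (not the post's own code): create the "Public" Sensitivity Label
# end to end. Run from an elevated PowerShell ISE session.
# Assumptions: PowerShell Gallery reachable, Compliance admin rights, label name free.

# Step 1: install the module if it is missing, then load it
if (-not (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
    Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser -Force
}
Import-Module ExchangeOnlineManagement

# Step 2: connect to the Security & Compliance PowerShell endpoint.
# Connect-IPPSSession targets the compliance endpoint; Connect-ExchangeOnline
# targets Exchange mailboxes and does not expose New-Label.
Connect-IPPSSession

# Step 3: create the label, but only if the immutable Name is not already taken.
# Name cannot be renamed later; DisplayName and Tooltip can be changed with Set-Label.
$labelName = "Public"
$tooltip   = "This content can be freely shared with the public."
$existing  = Get-Label -ErrorAction SilentlyContinue | Where-Object { $_.Name -eq $labelName }

if ($null -eq $existing) {
    New-Label -Name $labelName `
              -DisplayName "Public" `
              -Tooltip $tooltip
} else {
    Write-Warning "A label named '$labelName' already exists; updating it with Set-Label instead."
    Set-Label -Identity $labelName -Tooltip $tooltip
}

# Verify the result (Guid is what label policies and audit records refer to)
Get-Label -Identity $labelName | Format-List Name, DisplayName, Tooltip, Guid

# Close the session so no compliance-scoped token lingers in the ISE
Disconnect-ExchangeOnline -Confirm:$false
```

The same script can be run first against the staging tenant and then against production; the only difference is the account used at Connect-IPPSSession, which is the repeatability the post is after.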

Now that we have created the label, we will use PowerShell to apply the following (in future posts):

  • Multilingual Support
  • File & Email settings
    • Header, footer, and watermark markings
    • Encryption Settings
    • Default Share and Permissions Scope
  • Groups & Sites settings
    • Public and Private options for MS Teams membership
    • external access

Following completion of configuring our labels, we will create a Sensitivity Label Policy (or two).

Enterprise Mobility Information Protection

Co-authoring with MIP Encrypted Document

Read Time: 2 minutes

Co-authoring on Word, Excel, and PowerPoint documents that are encrypted using Microsoft Information Protection (MIP) is now generally available.

This enhancement gives organizations several improvements: better end-user productivity when collaborating on sensitive documents, and a stronger overall security posture, because a larger share of sensitive documents can be encrypted without restricting co-authoring.

Specifically, the change allows MIP-protected files to be encrypted to specific end users while still allowing them to edit the documents in their applications, as they would any other file.

Organizational Change Management

Co-authoring MIP-encrypted files benefits end users, so it should be communicated to them, with an explanation of how it works in their favour, in order for the organization to realize the value of the feature.

For example, end users can now share "need-to-know" files with specific individuals in an appropriate information repository and collaborate on the document as they would any other. They can rest assured their file is appropriately protected while it is stored where it should reside, rather than in unauthorized or transitory workspaces such as OneDrive.

Technical Preparation

  1. Ensure Office has the latest updates deployed (either Current Channel or Monthly Enterprise Channel)
  2. Update any Azure Information Protection (AIP) unified labeling clients (version
  3. Enable the feature within the Compliance Center

Additional Reading

Identity and Access

Extend Audit Log Retention From 1 Year to 10

Read Time: 2 minutes

Advanced Audit in Microsoft 365 allows retention of the Unified Audit Log for a period of 10 years.

Audit logs: we need them for investigation and compliance purposes, and we generally need them for a very long time (e.g. 10 years). Until recently, we did not have much flexibility.

Recently announced is Advanced Audit in Microsoft 365 services. There are two key takeaways:

  • Advanced Audit in Microsoft 365 will provide a one-year retention period for audit logs of user and admin activities, with the ability to create custom retention policies for other Microsoft 365 services
  • An additional add-on (at additional cost) will provide the ability to enable a retention period of 10 years.

Required Licensing

Accounts with any of the following licenses can be included in Advanced Audit capabilities:

  • Office 365 E5
  • Microsoft 365 E5
  • Microsoft 365 E5 Compliance
  • Microsoft 365 eDiscovery and Audit

As mentioned above, an additional license is required to extend and ensure retention of audit logs for 10 years. The additional license is expected to be available early this year (2021).

High-bandwidth API Access

Large organizations may notice an improvement in performance when using the audit log API. Every organization is allocated bandwidth for accessing its audit log based on the number of seats (licensed users) and the number of E5 licenses.

Key Benefits of the Advanced Audit Log

  • A standard retention term of 1 year for all auditable activities
  • The ability to extend retention of audit logs to 10 years without having to manage an additional service or application (e.g. Sentinel or Splunk) strictly for long-term storage of all activity logs for compliance/policy purposes
  • Improved bandwidth for accessing the Audit Log via API.

Thank you for Reading

Questions? Comments? Feel free to reach out.

Enterprise Mobility Information Protection

Getting Started with Sensitivity Labels for Files and Emails

Read Time: 3 minutes

All information is not equal.

Some documents or emails hold private financial or health information; others hold plans for lunch.

Sensitivity Labels within Microsoft 365 give end users the ability to classify their documents and emails, ensuring a defined level of information protection for both their own and the organization's content.

Sensitivity Labels for files and emails allow staff to identify specific documents as more or less sensitive than others.

For example, a briefing note to senior leadership could be tagged as 'confidential', which would add a "confidential" watermark to the document and restrict it from being shared externally. Compliance officers would also be able to filter reports on documents marked as confidential.

Applying labels is easy.

Once Sensitivity Labels are created and published, individuals can choose to tag content directly within the application, giving them a seamless, low-friction experience.

Emails can be tagged with their "sensitivity" while being drafted, and documents at any time they are opened. These features are available in both the installed applications and the browser-based online versions.

Sensitivity Labels allow individuals to mark files and emails either with specific controls (e.g. allow internal access only) or using an existing information classification adopted or published by the organization (e.g. Protected A).

Options for controls are:

  • restrict/provide access to appropriate roles (and individuals)
  • add a watermark, header, and/or footer to the document to communicate the document's sensitivity.

Planning Sensitivity Labels

When planning Sensitivity Labels, it is important to consider certain key factors to ensure successful implementation and adoption.

  • Align to existing information security classification schemas where available
  • Leverage a cross-functional team to build the label business and technical requirements
  • A clear and concise set of details will ensure labels are used correctly; avoid providing too many options, or language that requires a reference guide or training course
  • Ensure alignment and approval from all key stakeholders (not just IT or Cybersecurity): Sensitivity Labels can mark documents (potentially impacting existing templates) and, more importantly, can affect the ability to collaborate (restricting documents to internal only or to subsets of internal users).
  • Pilot the labels with a small group and collect feedback prior to implementation
  • If introduced into an active environment, consider a phased approach: avoid restricting access in bulk, and focus on training and adoption to build a cultural practice within the organization without impacting day-to-day activities

Learn about Sensitivity labels (Microsoft Docs)



Stay on top of Change in Microsoft 365

Read Time: 4 minutes

Change is Constant

M365 apps and services are constantly being updated with new functionality and changes to the end-user experience. We may not need to worry about system downtime, but we do need to consider how we are going to lead our organization through frequent and impactful change.

Whether we are change practitioners, M365 service owners, or simply advocates for cultural development within an enterprise, we need to:

  • Understand how changes will impact our organization, its people, and their processes
  • Proactively plan to lead through the change rather than follow it
  • Communicate changes effectively to support our clients (e.g. users) so they understand what is changing, why it is changing, and how they will be affected
  • Have a framework for measuring success based on the impact (e.g. was there an increase in support calls due to a significant user experience update).

Stay Ahead of Changes

Microsoft provides multiple resources for us to stay informed and understand upcoming changes to M365 services. We can draw on different information sources to collect, organize, and inform the activities required to manage change.

Imminent Change: The M365 Weekly Digest (more info) provides summarized but critical information on changes that should be planned for or communicated. It is typically only available to accounts with access to the Office 365 admin centre, but it can always be configured to email other users (or, ideally, a Microsoft Team for governing M365 within your organization).

Future Change: The M365 Roadmap (link) provides a regularly updated list of features on the M365 Roadmap by application. Not only can we see which new features or tools are in development (or rolling out), we can see the frequency of changes about to be implemented. For example, at the time of writing, MS Teams has 22 features rolling out and 143 in development. The M365 Roadmap can also be used as a planning tool to identify and help prioritize (or de-prioritize) requests for custom development (when an out-of-the-box tool may be available soon).

Long Term Potential Change: Microsoft Office 365 User Voice (link) provides not only an opportunity to give feedback for consideration, but also a view of which activities have been added to the product backlog or are under consideration. It is not uncommon for a capability requested by staff to already be an existing feature request in User Voice.

Plan for Change

Most organizations will establish a Microsoft 365 governance committee or steering committee to manage enhancements and updates to existing software or the addition of new software and features. There is significant benefit to creating this group before M365 is implemented, to ensure members are informed and aligned with decisions once it is operationalized.

It is important that upcoming changes and user impacts be reviewed and discussed with non-IT subject matter experts to ensure a well-rounded understanding of the change and how it will affect the organization. Non-IT groups that can assist in planning include cross-functional representation from teams such as Human Resources, Privacy, Information Management and Legal.

Governance of M365 applications reaches far beyond technology needs and should have not only alignment but cross-functional support. Cross-functional support is important not only to provide a unified front and incorporate business needs from different role groups within the organization, but also to incorporate organizational requirements not necessarily within the purview of IT staff. For example, some organizations disable recording of MS Teams meetings, either due to internal privacy policies or information management retention requirements.

M365 services are regularly updated and added to. Microsoft provides us the tools to understand the changes, but we need to engage our organization's experts to appreciate their impact and plan accordingly, to ensure good adoption of tools with practices aligned to our organizational needs.

Microsoft 365 change guide (Microsoft Docs)

Becoming a Service Adoption Specialist (Microsoft Course)

M365 Weekly Digest (Microsoft Docs)

M365 Roadmap

Office 365 User Voice


Enterprise Mobility

Starting BYOD using Microsoft 365

Read Time: 3 minutes

Bring Your Own Device

We want staff to work comfortably and we want to provide flexibility. We also want to ensure this happens within a secure and well-managed ecosystem. The more appropriate flexibility we provide, the more readily our users will adhere to both required standards and recommended practices.

Using Microsoft Enterprise Mobility allows us to support a Bring Your Own Device (BYOD) program within the organization, which allows us to:

  • Let end users use the devices they like and are already comfortable with to access corporate cloud data, safely and securely
  • Restrict access to devices that meet a minimum compliance level as defined by the organization (e.g. supported operating system, device encryption, remote wipe, etc.)
  • Reduce spend on IT assets and asset support
  • Exclude devices not approved by the organization (hint: this also significantly cuts down on access from malicious agents).

The two major Microsoft 365 (M365) services for implementing a successful BYOD program are Microsoft Intune and Azure AD Conditional Access.

Microsoft Intune

Using Intune, we can create device compliance policies to ensure devices meet specific standards. For example:

  • which operating systems and versions are authorized for access
  • require device encryption and a PIN on boot and access
  • block devices that are rooted or jailbroken.

Intune supports iOS/iPadOS, Android, Windows, and macOS. From an operational perspective, a unified solution for managing devices greatly simplifies processes for IT Operations teams. Interoperability with other Microsoft services, such as Defender, helps provide unparalleled capabilities to harden and protect devices, thanks to the integration of tools and a unified system for accounts and access.

Intune also reduces the burden on IT Operations teams for registered devices, as it allows staff to self-enroll compliant devices.

Azure AD Conditional Access

Conditional Access helps enforce specific rules, for example ensuring that only Intune-registered mobile devices can connect to your M365 tenant.

Conditional Access also helps enforce rules using different signals. Signals include:

  • User or group membership
  • IP location information
  • Device
  • Application
  • Real-time and calculated risk detection.

Based on these signals, Conditional Access will apply an action to block or grant access. Granting access can also require one or more of the following:

  • Require multi-factor authentication
  • Require the device to be marked as compliant
  • Require a Hybrid Azure AD joined device
  • Require an approved client app
  • Require an app protection policy

Common behaviours with Conditional Access include:

  • Requiring trusted locations for Azure Multi-Factor Authentication registration
  • Restricting the use of apps on mobile devices to organization-managed devices
  • Blocking risky sign-in behaviours (e.g. authentication requests from different countries).
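The signals and grant controls listed above, combined into one Conditional Access policy of the kind the post describes (only compliant mobile devices reach the tenant). This is an added example, not the post's own code: it uses the Microsoft Graph PowerShell SDK and assumes the Microsoft.Graph.Identity.SignIns module is installed, the caller has Policy.ReadWrite.ConditionalAccess rights, an Intune compliance policy already exists so that "compliantDevice" has meaning, and the two group IDs are placeholders for a pilot group and an emergency-access exclusion group. The policy is created in report-only state so the effect can be read from the sign-in logs before anyone is blocked, in line with the post's advice to pilot first.

```powershell
# Added example (not the post's own code): BYOD Conditional Access policy via Microsoft Graph.
# Signals used: user/group membership, application, device platform.
# Grant controls: MFA AND Intune-compliant device.
# Assumptions: Microsoft.Graph.Identity.SignIns installed; placeholder group IDs below.

Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$pilotGroupId      = "00000000-0000-0000-0000-000000000001"  # placeholder: BYOD pilot users
$breakGlassGroupId = "00000000-0000-0000-0000-000000000002"  # placeholder: emergency-access accounts

$policy = @{
    displayName = "BYOD - Require compliant mobile device (pilot)"
    conditions  = @{
        # Who: scope to the pilot group; always exclude emergency-access accounts
        users = @{
            includeGroups = @($pilotGroupId)
            excludeGroups = @($breakGlassGroupId)
        }
        # What: every cloud app in the tenant
        applications = @{ includeApplications = @("All") }
        # Which devices: only the mobile platforms Intune manages for BYOD
        platforms    = @{ includePlatforms = @("iOS", "android") }
        clientAppTypes = @("all")
    }
    # Both controls must be satisfied ("AND"), not either one ("OR")
    grantControls = @{
        operator        = "AND"
        builtInControls = @("mfa", "compliantDevice")
    }
    # Report-only: evaluated and logged, but not enforced. Switch to "enabled"
    # after reviewing the sign-in log results for the pilot group.
    state = "enabledForReportingButNotEnforced"
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"

# Read the policy back and confirm the grant controls landed as intended
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = 'Operator'; e = { $_.GrantControls.Operator } },
        @{ n = 'Controls'; e = { $_.GrantControls.BuiltInControls -join ',' } }
```

Keeping the break-glass exclusion and the report-only state in the same object as the policy makes them part of the change record rather than an afterthought; promoting the policy to "enabled" later is a one-field change to the same definition.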


In closing, using Microsoft Intune with Microsoft Azure Conditional Access, an organization can:

  • register and manage devices (phone, tablet, computer) for compliance and defined standards
  • define requirements for accessing the organization's M365 tenant
  • improve employee satisfaction by letting staff use the devices they want to use (and not carry additional devices)
  • enhance productivity by enabling staff to work from anywhere, anytime, providing more flexibility and better overall engagement on a day-to-day basis
  • reduce the resources required for IT asset and device management, allowing IT Operations to focus on more complex and challenging tasks.

Resources –

  • Azure AD Conditional Access (link)
  • Microsoft Intune (link)



Scheduling Meetings Effectively

Read Time: 3 minutes

Using technology to facilitate meetings in a geographically dispersed and complex environment solves many challenges.

Establishing common practices and guidelines, and maintaining an awareness of technological limitations, will provide a more productive experience.

Below are some guidelines with best practices and limitations specifically around:

  1. Scheduling a Single or Series of Meetings (using Microsoft Outlook)
  2. Virtual Meetings (using Microsoft Teams)
  3. Maintaining a Series (recurring) of Meetings (using Microsoft Outlook)
  4. Making Changes to Meetings as an Attendee (using Microsoft Outlook)

Scheduling a Single or Series of Meetings

  • Provide an agenda and the expected outcome of the meeting: Agendas and expected outcomes give participants context for the discussion and enough information to prepare in advance, so that the meeting time (theirs and yours) is used productively and effectively
  • Use the Scheduling Assistant to identify an appropriate time and location for the meeting: The Scheduling Assistant shows availability so the desired attendees are able to attend; sending invites that create conflicts in people's schedules will result in attendees not being present
  • Schedule recurring meetings with an end date: Distribution lists, attendees and agendas change over time; keeping a maximum length of 6 months minimizes excessive instances of recurring events across all user mailboxes
  • When a series of recurring meetings is over, edit the end date, don't cancel the meeting: Cancelling a meeting series eliminates the historical record of the meetings in the calendars of all attendees
  • Send modern attachments (links), not file attachments, when you can share via OneDrive for Business, Teams, and SharePoint: Sending attachments means updating invitations and sending multiple copies of a static document that is not intended to be updated. Inserting a link in a meeting invite provides a single source of truth and won't require redistribution of content in the event of an update

Virtual Meetings (using Microsoft Teams)

  • Create MS Teams meetings directly via Outlook or Teams; do not copy and paste meeting links into invitations: Copying and pasting links from different meetings creates uncertainty and security concerns. Meeting titles may be incorrect, and attendees will not know who has access to the meeting call or chat

Maintaining a Series (recurring) of Meetings

  • Do not cancel recurring meetings when they are no longer necessary; set an end date: Cancelling a recurring meeting removes the meetings from the calendars of all participants, and they will no longer be able to review the details. Rather than cancel or delete, the organizer can update the meeting to provide an end date.
  • Do not change the day and time of a recurring meeting; set an end date and create a new series: Changes remove historical information from all attendees' calendars. Rather than edit a series, the organizer can update the meeting to provide an end date and schedule a new series of meetings if necessary.
  • Always "send updates to all attendees" after changes are made: This ensures all attendees stay informed of any changes.
  • Use the Outlook desktop application or the web version as often as possible to make changes to meetings: Mobile applications can have undesired effects when making changes. Calendars in Outlook on iOS and Android should be used primarily for review and information rather than for scheduling or changing meetings.

Making Changes to Meetings as an Attendee

  • Request that the meeting organizer add additional attendees: Do not forward meeting invitations to additional participants, as updates will not necessarily reach the unofficial participants should the organizer make changes.
  • Do not edit a meeting event to include notes: Create a separate meeting in your calendar to ensure your notes are not overwritten or lost.