Recently, a few clients came to Mirazon with, what seemed to be, a simple objective – sharing documents easily and securely with internal and external people via OneDrive or SharePoint, using sensitivity labels to automatically mark documents as confidential. Preferred markups would include dynamic watermarks showing the name of the file, IP Address, username, and time of access to help prevent sharing, downloading, printing, etc. of confidential files and documents.
Microsoft appeared to support this through their sensitivity labeling. However, there were several issues that arose throughout the process of achieving this objective, and the ending conclusion proved to be sub-par: Microsoft has severely exaggerated their sensitivity label feature capabilities.
Bottom line: If you are looking into incorporating the use of Microsoft 365 sensitivity labels, there are some things you should be aware of before handing over your payment information.
Microsoft greatly exaggerates the current functionality of this system and uses fine print (rather than bold) to let us know the critical flaws. So, just to name a few:
ONLY Office documents are supported for watermarking—not PDFs or images. This is perhaps the most critical flaw of them all. After all, majority of people use PDFs when sharing information or files. A big reason many people and businesses are turning to sensitivity labels is because they want to use them on PDFs and images – not only Office documents.
The label-making process itself is extremely time-consuming, and hours of delay is standard when waiting for labels to be available after creation. Troubleshooting can take days.
Dynamic watermarks are extremely limited—neither IP Address nor time of access are available as options – two major factors most people are looking for in their use of sensitivity labels.
“Automatic” AI-driven labeling only supports the identification of extremely specific items (such as social security numbers, etc.) and still does not support PDF or images. This makes it harder for end users to use – which is what clients are trying to avoid.
Labels can be applied to a SharePoint site, but this only applies to the site itself – containers and subitems are not automatically labeled if you apply a label to an entire SharePoint site.
Some labels can be applied through a web browser, but some can only be applied when using the desktop client—determining the difference between the two is not immediately obvious, which only increases difficulty and frustration.
The watermarks collide and push text around in both Word documents and Excel sheets—instead of overlaying. This breaks the formatting of most documents—it’s as if the watermark is inserted into a text box in Word, rather than doing a proper watermark.
According to Microsoft, the sensitivity labels ALWAYS require the absolute latest version of Microsoft Office. This is just another layer of complexity, and many organizations may not be able to use the latest version for a variety reasons.
Overall, the entire process from start to finish is confusing for system admins and absolutely impossible for most end-users, And for a package that’s being sold as a “feature” of Microsoft’s most expensive enterprise licensing, the feeling of disappointment rises to the surface.
In the current state, organizations that are using Exchange Online email or Office documents to share sensitive information, as well as organizations that are thoroughly invested and trained in Office365, SharePoint, and OneDrive.
NOTE: an email with a PDF attached will still not be labeled—the content must be within the email body itself to be labeled.
Microsoft is well aware of these weaknesses, and there are already feature requests for nearly everything that is outlined above, but we have no idea how long it will take Microsoft to respond. In the meantime, use the tips above and your best judgment. We are here if you need anything.
If you have any additional questions or concerns, please contact us and call 502-240-0404 or send us an email at info@mirazon.com.