Empowering self-service is important to Microsoft. Every employee should be able to create the resources they need without engaging IT to do it for them. To support this level of freedom, Microsoft relies on a strong governance strategy to identify and protect valuable content. By ensuring accountability, Microsoft’s employees are able to create the containers and content they need to stay productive.
With new sensitivity labels, Microsoft Digital, the organization that supports, protects, and empowers Microsoft, can now proactively enforce policies to keep shared workspaces safe. Microsoft 365 groups, SharePoint sites, Teams, Yammer communities, and any container used throughout Microsoft now utilize sensitivity labels to identify and proactively protect valuable information. In doing so, Microsoft can strengthen self-service without exposing sensitive information.
What sensitivity labels mean for Microsoft
Regardless of the technology behind it, labels represent a visual cue to people interacting with a shared workspace or document. Labels can inform an enterprise’s governance practices, letting the organization describe the landscape to properly manage it and enact the right policies.
At Microsoft, labels enable employees to identify different degrees of value. Based on the label, Microsoft can apply the right amount of protection.
Previously, when a Microsoft employee created a new group an Azure Active Directory (AAD) label would help classify it, denoting who should have access to the shared workspace according to Microsoft’s policies. On its own, an AAD label doesn’t do anything; it’s simply a string of descriptive text incapable of enforcement. Custom scripts run by administrators would apply policy rules based on these AAD labels. As a consequence of the gap between classification and enforcement, users could accidentally ignore the policies, creating circumstances where the group is out of compliance. Once the non-compliant container is recognized and remediated by the custom solutions, the user might be surprised or disrupted by enforcement actions taken to protect and secure the workspace.
In moving to sensitivity labels, Microsoft Digital is able to further empower users with compliant self-service right out of the box. Enforcement happens through sensitivity labels, so users are never disrupted or required to take additional compliance actions; they have a clear understanding of classification from the start, creating a better user experience while protecting the enterprise. The migration allows the organization to retire several custom solutions that are no longer necessary. Sensitivity labels have also enabled Microsoft Digital to unify content and container classifications, creating consistent taxonomy and the opportunity for centralized administration.
Labels define the culture
Applying labels to a workspace not only informs the organization as to what a site or container is, but drives a culture of good governance. To have a successful implementation of sensitivity labels, Microsoft Digital built strong, meaningful, and self-explanatory labels. Alignment with partners at Microsoft Digital Security and Resilience meant labels could communicate the level of sensitivity in the workplace or document without a technical explanation.
At Microsoft, there are four labels used for container and file classification:
Highly confidential. The most critical data for Microsoft. Share it only with named recipients.
Confidential. Crucial to achieving Microsoft’s goals. Limited distribution—on a need-to-know basis.
General. Daily work used and shared throughout Microsoft, like personal settings and postal codes. Share it throughout Microsoft internally.
Public. Unrestricted data meant for public consumption, like publicly released source code and announced financials. Share it freely.
These definitions inform policies from a technological side, and once taxonomy was established, Microsoft was able to enforce consistent security policies. From a user’s perspective, understanding these terms is easier to comprehend than the underlying rules and settings behind the classifications. Labels are intended to support security without creating an extra burden for users. It’s not always easy for users to understand the details of security, but they do understand constructs like “General,” “Confidential,” and “Highly Confidential.”
Aligning on label taxonomy also secured buy-in for company defaults. For some companies, governance policies are open by default, whereas Microsoft is closed.
With the new sensitivity labels, container classification communicates four things:
Privacy level. Labels determine whether the workspace is broadly available internally or a private site.
External permissions. Guest allowance is administered via the group’s classification, allowing specified partners to access teams when appropriate.
Sharing guidelines. Important governance policies are tied to the container’s label. For example, can this workspace be shared outside of Microsoft? Is this group limited to a specific division or team? Or is it restricted to specific people? The label establishes these rules.
Conditional access. While not implemented at Microsoft, tying identity and device verification to container labels introduces additional governance controls.
Unification makes things simpler
Prior to sensitivity labels, AAD tagged containers at a tenant level with document labeling being handled by security and compliance, or Microsoft Information Protection (MIP). As a consequence, the two artifacts lived in two separate locations, requiring administrators to visit different sites for managing governance.
The two locations also meant container labels worked a little differently than document labels. Where tenant-level AAD labels for a container would display an entire list of classifications, document labels only showed classifications that were appropriate to the user. Once unified, sensitivity labels for containers only populate appropriate classifications, limiting the list to valid labels for the users and groups.
Shifting labels from AAD to MIP, where data-loss prevention and retention takes place, unified labels across the company, reduced the workload for administrators, and allowed Microsoft to take another step forward in readying the environment.
Strategic governance with labels
By using terms for labels that mean something to people, label definition becomes intuitive and reinforces a culture of accountability. Establishing this level of awareness creates corporate buy-in. Getting the company to stand behind these specific label classifications not only supports a consistent experience, but informs corporate strategy decisions around privacy and sharing.
Rationalizing a hierarchy of policies establishes where you are today and where you’ll be tomorrow. Currently, there’s no concept of inheritance between a container and its content. Labeling a workspace highly confidential does not pass that trait on to documents stored inside. In the future, however, unified taxonomy and centralized administration creates the opportunity for an efficient connection between the workspace’s label and the classification of documents within.
Readying Microsoft for sensitivity labels
For some organizations, those coming from a green state with no existing AAD classifications in place, sensitivity labels can be easily onboarded, and offer a chance to introduce a strong culture of governance.
But for companies like Microsoft, where existing AAD labels and custom governance solutions were already established, moving to sensitivity labels required preparation and alignment across the company before migration could occur.
Aligning on label definition
Onboarding sensitivity labels gave Microsoft an opportunity to create consistent classification language for containers. This entailed conversations about balancing employee experience and enablement with security and legal implications. Agreeing on taxonomy and selecting terms with meaning allowed Microsoft to protect the enterprise while empowering self-service.
Planning the migration
With clear taxonomy and a strong governance strategy, Microsoft Digital was ready to start working on the logistics of applying sensitivity labels to existing containers. Careful coordination, including organized efforts and timing, prevented users from experiencing any disruptions in productivity or security while sensitivity labels were rolled out.
Synchronizing timelines with stakeholders
For a short period, Microsoft existed in a unique hybrid state, with both AAD and sensitivity labels active across the enterprise. To avoid any derailments or threats to the environment, Microsoft Digital had to time the conversion of existing labels to new sensitivity labels correctly.
Whether it be Teams, Yammer, or a Microsoft 365 group, certain user interface and backend changes had to be completed to enable sensitivity labels. All stakeholders agreed to tasks and workloads that needed to be completed during a specific release cadence. This allowed the hybrid environment to be resolved without placing Microsoft at risk.
Coordination between stakeholders also meant Microsoft Digital had to support teams with smaller engineering capabilities, empowering them to complete tasks on schedule.
Mapping the scope of impact
Microsoft has over 333,000 Microsoft 365 groups, 55,000 SharePoint sites, and thousands of Yammer communities. Planning out the migration meant closely surveying these environments to understand what might be encountered and require attention before, during, and after the migration.
- How many groups are already labeled? Whether they be sensitivity labels or AAD labels, the current environment was evaluated for labels and their classification. Roughly 86% of Microsoft’s groups had some kind of label prior to migration.
- Do existing containers map to sensitivity labels? Since previous tags were strings of text, they did not necessarily align with the new taxonomy. To reduce confusion, existing AAD labels were mapped to MIP container labels.
- Where are the reliances? Once Microsoft Digital understood the labelling conventions of containers, they could better understand if an area might break due to changes.
- Which groups have exceptions? Certain users required exceptions for policies relating to specific containers. Identifying these items meant Microsoft Digital could avoid disruptions to users with specialized needs, all without exposing valuable information.
Resolving and retiring custom solutions
Having mapped out the environment, Microsoft Digital could now reduce their reliance on the custom tooling that scanned AAD labels to trigger security and compliance settings. From an engineering perspective, this straightforward step meant labels would no longer call an API but make calls on behalf of users to get applicable labels.
- Remove old references.
- Locate and update calls and permissions.
- Ensure that anything still needing custom tooling is handled with delegate permissions.
Addressing label assignment to groups
Only group owners and global administrators can assign a label to a group directly. This posed a unique challenge for Microsoft Digital. Custom scripts run by global administrators could change the labels of these containers, but it was estimated to take at least 27 hours, which far exceeds Microsoft’s access policy for global administrators. Adding to the challenge, the administrator’s computer would be locked down and required to stay active throughout the duration.
Having a global administrator handle these responsibilities wasn’t going to happen and giving someone global administrator status for one job was a non-starter.
This required Microsoft Digital to develop a different solution.
Thinking through the problem, the team recognized that labels set in SharePoint through AAD will get synced back to Microsoft 365, which is also a container. Knowing this, Microsoft Digital was able to use custom workflows to map and migrate sensitivity labels for containers through an app, instead of a group owner, without compromising security.
Develop a rollback plan
Migrating to sensitivity labels would not use deployment rings. Once the PowerShell script was executed, the environment would be transformed by the new classification system. Extensive testing was done to identify break points and what the system could handle, but Microsoft Digital also built tools to revert to the last good state if needed.
Several scenarios were defined, and of these, key indicators and circumstances were recognized as trigger events that would necessitate a rollback. Simultaneously, certain scenarios also helped to identify if there were any points of failure that Microsoft Digital could coexist with until a fix was put in place.
Test tenants can only reveal so much about the real environment, and the team had the data points in place to demonstrate a successful migration but having a rollback plan in place meant they could reverse course and restore Microsoft’s environment to a working state in a pinch.
Part of Microsoft Digital’s duty is to inform and educate users about new features.
Sensitivity labels not only meant new label structures and compliance practices, but introduced new concepts, like parent and child labels for containers.
Child labels already existed for documents, but AAD labels were unable to offer this kind of granular definition for containers. The combination of parent and child labels in containers required users to understand how this relationship might impact shared workspaces, especially unique situations like containers that are internally confidential and require an NDA for external users.
Previous steps, like creating consistent taxonomy and classification across labels, made it easier for users to understand the impact of new labels.
Once a plan was in place, Microsoft Digital set out to find the right time to migrate Microsoft’s containers to sensitivity labels.
With feature freezes and other considerations accounted for, the team selected a weekend to avoid displacing users. Engineers, project managers, and stakeholders from across Microsoft met on a Friday night to start the migration. A global administrator activated the migration by running a few PowerShell scripts, and for several hours the teams watched in real time as the migration took place.
Since the entire migration was happening in Microsoft Azure, the team was able to leverage Application Insights for logging status and generating progress reports. This allowed Microsoft Digital to double-check exceptions, estimate statuses, and determine if they needed to reverse course before their Sunday deadline.
In all, once the migration started, it took almost 48 hours to complete. Around five hours was dedicated to creating and publishing the new sensitivity labels. The rest of the time was mapping AAD labels to MIP.
After migrating to sensitivity labels, Microsoft Digital carefully examined the environment to make sure workloads interacted as expected. This included testing multiple Microsoft 365 applications, provisioning groups in Yammer, and making sure that the correct labels were being applied by default.
The team also checked to make sure users, legacy applications, and custom tooling were no longer able to make groups without labels. After investigating the Microsoft 365 environment, Microsoft Digital felt confident that they could move forward with finalizing the migration to sensitivity labels for other product partners.
Sensitivity labels empower Microsoft
Microsoft’s new labelling environment supports modern productivity while keeping the company safe. Users can freely self-service new groups without accidentally violating Microsoft’s governance practices. Tying policy enforcement to labels transformed a reactive compliance process into a proactive model, reducing the workload on administrators and allowing Microsoft to retire several custom solutions.
- Labels now self-enforce. Users who create a group in Microsoft’s environment will now be prompted to select a label classification, which will apply the correct ruleset on creation. Sensitivity labels make tags more than just a string of descriptive text, but a way to assure compliance in a self-service environment.
- Ability to release new policies quickly. Microsoft has already created and released new policies and guiding principles, all enabled by the speed and agility surrounding sensitivity labels. Several compliance policies can be tied to sensitivity labels, which makes it easy to push and enforce rules.
- Managing the tenant is easier. Under AAD labels, changing taxonomy meant you had to re-write over string values on every group. Sensitivity labels make managing at a tenant level easier.
With sensitivity labels rolling out across Microsoft, it’s easier for users and Microsoft Digital to support self-service and governance at the same time.
© 2022 Microsoft Corporation. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.