Video

Thanks for the question. It will be hard to say without investigating. Maybe checking the logs and ensure the AIP service is running.

Yes that is correct. All the logs now are moved to Purview Activity Explorer

That is correct, and they have to be excluded from any other policies that may publish other labels to them. If a user is part of two different policies, they will get the labels included in both policies.

We will be back!. Due to lots of other priorities and resources constrains, we didn't want to release repeated material :).

@@m365compliance-scenariobas9 Awesome, thank you! Looking forward to it!

Thanks for the question. It is the level of data importance. You may need to have a different level of "confidential" based on your needs. "Recipient only" label - in our case - Does not include PII data that is shared with anyone (internal or external). The highly confidential does include PII.

@@m365compliance-scenariobas9 ok. But in this case, the settings on the labels, are going to be the same, right? What I mean is that from an IT configuration, this is exactly the same. I am not looking at this from an end user perspective

No not really, they are not the same. the "Recipient Only" label is a UDP label (User Defined permission), where you set "Let users assign permissions" setting, with "Do not forward" under the Outlook setting. The "Highly confidential" has "admin permission" configured, where you set the internal M365 group members, as well as external domain members for custom access permissions. Also the "content marking" settings will be different, but this is obvious. Hope this clarifies the question?

Thanks so much for your feedback!

There are no limitations per se, it is just how you designed and implemented (and what applications/clients you are using) to use MIP Sensitivity labels. on top of this series, please refer to (docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels?view=o365-worldwide) for a complete list of official articles around the sensitivity labels. I am not sure I understood your question around the automation part, could you please be more specific? Thanks for reaching out :)

Glad it was helpful! thank you!

@@m365compliance-scenariobas9 yes - it indeed has cleared a lot of doubts around info protection.

are you referring to OCR?, if yes, then not yet :)

In this case, yes, we would recommend App Protection Policies (aka MAM) to protect corporate data on both iOS and Android. Using App Protection Policies, you can restrict the cut/copy/paste of corporate data to other corporate applications. Check out the docs here: docs.microsoft.com/en-us/mem/intune/apps/app-protection-policies . Also have a look at the docs.microsoft.com/en-us/mem/intune/apps/app-protection-framework . And yes, you can specifically target Teams. In the Conditional Access policy, instead of targeting Office 365 like I did in the video, instead search for and target 'Microsoft Teams'. Hope this helps.

Thanks very much for this feedback. And that is correct, Mandatory label will always occur before any other auto-label mechanism taking action.

Thanks very much for letting us know. Ep09 has been now added to the playlist.

Thanks very much for your feedback, greatly appreciated!

Thanks for your comment and feedback. The “classification” button (in this case, the native client not AIP client) will appear once a classification label and a label policy are configured and published and the user is in its scope. Apart from AIP scanner in episode 4, the native client is used throughout the SBD series.

Thanks for your coolest and feedback!. Unfortunately this is not supported yet in the MIP solution.

Thanks for leaving a good question. E5 is required for the auto label policy to work. EMS is irrelevant to MIP (or compliance in general). You will always also need to ensure that you are license-compliant.

@@m365compliance-scenariobas9 perfect, for auto-labeling E5 is required for admins and end-users that require it in onedrive data at rest, sharepoint data at rest and exchange data in transit. thanks.

Generally speaking, you should not encrypt all your data, only the sensitive and confidential ones. For example, if a document was encrypted and it was not meant to, and the document is shared externally, access to content may not work for external parties. Moreover, you could have a 3rd party or an outdated system that may not know how to handle encrypted data, then you end up with usability and potentially compliance issue (think of an outdated system that needs access to user mailboxes or SPO site to scan or inspect data, or a DLP solution that inspects emails in the transport pipeline). In episodes 1 and 2 of this series, we went over data classification and how (potentially you may approach the categorization”

Thanks very much for your feedback!. The document (given it is an office document) will be encrypted as the email is labeled with a label that applies encryption. If the user has permission to access encrypted data, they will be able to access the attachment from their outlook client. When you label an email message that has attachments, the attachments inherit the label only if the label that you apply to the email message applies encryption and the attachment is an Office document isn't already encrypted. Because the inherited label applies encryption, the attachment becomes newly encrypted. An attachment doesn't inherit the labels from the email message when the label applied to the email message doesn't apply encryption or the attachment is already encrypted.

@@m365compliance-scenariobas9 Reg "given it is an office document" so only office documents will be classified either by server-side or client-side auto-classification? if so I think SharePoint Syntex is a much better solution as it can classify PDF, img files?

Ouch! great catch!.

Thanks so much for your feedback! greatly appreciated.

Glad it was helpful! Thanks so much.

Thanks for your comment. What did you mean by "local"? as in on-prem server (physical) or a VM?. There was no real need to configure multiple boxes in the demo, however it is do-able for larger environments. Please elaborate on issues you are facing when configuring additional nodes in your case.

​@@m365compliance-scenariobas9 so we did exactly as this video, the only difference is we put a SQLExpress instance on the demo box along with the scanner, not a separate SQL server or at least I assume that was a whole other SQL box in your demo. But I noticed out of my 3 repositories, (2 of which are on another server on prem, same network, can talk etc) the other is on the local machine that is the node withthe scanner, it never scans the other servers file location. But it never errors out. I can't figure out what I am missing there, I also have 0 SQL knowledge being as this SQLExpress instance was my first experience so the issue is likely in the chair at this point.

There could be a file-share permission issue, have you checked event logs? AIP client logs on the AIP server?. how about SQL logs? is the DB accessible to the AIP service? can you see AIP token issued?. As you can see there are a lot of moving parts and place you can look at for further troubleshooting.

Anyone help with my Q’s?

Thanks for your patience Steven. We will get to the questions as soon as we can. Apologies we are a little behind :(.

@@stevenjenkinson6586 Apologies for the delay! To answer your questions: 1) There are some differences such as MCAS has some stricter limits on the number files that can be labeled per day per tenant, but generally MCAS is best used for data in third party locations/services. Sarahzin (in the video) previously wrote a blog outlining this question: techcommunity.microsoft.com/t5/security-compliance-and-identity/mcas-data-protection-blog-series-do-i-use-mcas-or-mip/ba-p/2011039 2) This is outlined in the documentation under "Specific to auto-labeling for Exchange": docs.microsoft.com/en-us/microsoft-365/compliance/apply-sensitivity-label-automatically?view=o365-worldwide 3) The label actions performed by service side auto labeling and simulation are visible in Activity Explorer: docs.microsoft.com/en-us/microsoft-365/compliance/data-classification-activity-explorer?view=o365-worldwide#activity-types

@@m365compliance-scenariobas9 Thank you for taking the time to provide me the answers. Sorry its taken me so long to say.

Good catch, and yes it was a typo, It should have been "applies a highly confidential label....". thanks for that Paul!

Sorry for the delay! You can create multiple service side auto-labeling policies to apply to more than 100 sites, or choose to apply to all sites (which excludes from the 100 site limit). As for the 1,00,000 limit - it applies to simulation mode. If a simulation exceeds 1m files, the admin will be forced to reconfigure the policy to match less than 1m files before being able to enable. The 1m limit does not apply to policies after being enabled/enforced. This is outlined here: docs.microsoft.com/en-us/microsoft-365/compliance/apply-sensitivity-label-automatically?view=o365-worldwide#learn-about-simulation-mode

Thanks for the question. Content Explorer is the feature responsible for data discovery for cloud workload. we have a demo'ed that as well.

@@m365compliance-scenariobas9 Thank you.

Thanks for your feedback, appreciated. While my team doesn’t do everything, but the next 2 episodes will be about Intune, so stay “tuned” :)

Thanks very much Lou for your valuable feedback!!

Currently only Microsoft office file types are supported. Also if the file was manually labeled, auto label won’t apply (at least for now). Thanks for your feedback :)

Thanks very much for your feedback :).

Greatly appreciated feedback. Thanks!!

Thanks very much for your feedback!!

Thanks very much for your feedback, greatly appreciated.

Thanks for watching and for your feedback!!

Thanks for the feedback. We will share this with the team managing the compliance portal.

Thanks for your feedback! We will try to discuss this topic in the MIG section of the series.

In “compliance manager”, you can create your own assessment template and assign the score to individuals items anyway you see fit according to your risk assessment exercise outcome. I hope this was the question?

Thanks very much for your kind feedback!!! Greatly appreciated :)

Thanks very much for your feedback George! We thought of not repeating the steps as they are the same as the “Recipient only” label (and only scoped to a specific group), it was recorded but didn’t make the cut :). Please keep providing your valuable feedback, greatly appreciated!

@@m365compliance-scenariobas9 Suggestion: For demo purposes, I suggest including all the possible steps, this will help the students to try to emulate and get the same results. If there is one missing step or assumend learned, it could be confusing. After the student repeats all the steps, he will be in the capacity to conclude that they are the same steps.

Always appreciate your feedback Paul :). Thanks again.

Thanks Paul. We have considered it for sure, and we will try to add a reminder at the beginning of each episode for viewers to subscribe. Thanks once again!!

Thanks very much for your feedback!! please keep watching and let us know how we are going :)