Utilizing label analytics to monitor label performance- Microsoft SC-400 Certification

Having the functionality to label content within the Microsoft 365 tenant is a good option to allow control of access and sharing. As part of this functionality, having the ability to look at the analytics on performance is also very important.

Obtaining a report

The reporting system within the Security and Compliance Center includes the ability to report on sensitivity labels. For this specific element of reporting, we will focus our attention on the compliance center reports.

If you have an existing sensitivity label, you can access a report for this by performing the following steps:

  1. Browse to the Microsoft 365 Compliance Center, https://compliance.microsoft.com, and log in with an account that has the required permissions.
  2. Browse to Reports:

Figure 5.25 – Reports

3. From the Sensitivity labels section, click on View details.

Permissions and roles for label analytics

Like most analytical services within Microsoft 365 and Azure, you need a certain level of permission, or a specific role assigned to your user account, to be able to view and run reports. To enable a user to create a log analytics workspace as well as custom queries, you will need to assign them one of the following roles:

  • Azure Information Protection administrator
  • Security administrator
  • Compliance administrator
  • Compliance data administrator
  • Global administrator

Once the workspace has been created you can assign a role to the user with limited access that will only allow them to view content and data that has been collected:

  • Security reader
  • Global reader

You will need to be wary of costs when it comes to storing all the analytics data. With the data being stored in Azure monitor and log analytics, it means there will be Usage and estimated cost features to aid you in estimating the amount of data you have stored, which will, in turn, enable you to estimate a cost.

Azure Sentinel integration

You can integrate Azure Sentinel with sensitivity label monitoring and analyzing. With this feature, log files are collected in an Azure Sentinel workspace to get an overview of the whole environment.

A lot of information has been covered so far in this chapter. The last section took a look at how you can monitor and manage your sensitivity labels within the Microsoft 365 and Azure tenant. In the final section of the chapter, we will look at applying protections and restrictions to data, specifically, emails and files.

Applying and managing protections and restrictions

Any user can apply a single label to each document and email. Email attachments added to messages do not inherit the label, apart from in the following scenario:

  1. If a label that does not apply encryption is applied to the attachment, and the file attached to the email is an office document, then the file will inherit the email label’s encryption settings.

In all other cases, the following applies:

  • The attachments will keep their original label if one has been applied.
  1. If the email attached has existing encryption that has not been applied via a label, it will keep that encryption, but it will not be applied by any label.
  2. If there are attachments within the email that do not have any labels applied, then they will stay that way.

Manual label application

It is possible to apply a sensitivity label in Outlook Desktop (for both Mac and Windows), a mobile Outlook app (iOS, Android), or in the web app manually.

Utilizing auto-apply to apply labels by default

You can utilize the auto-apply functionality to apply sensitivity labels by default. The following options are available when applying labels to a file and an email:

  • New emails and documents can get the default label.
  • Auto-apply via sensitive information types, including or not including a hint.
  • Auto-apply via trainable classifiers.

Summary

Within this chapter, we have covered a lot of different topics, including identifying roles and permissions for administering sensitivity labels, creating and managing sensitivity labels and applying them to Microsoft SaaS applications, configuring automatic labeling policies and monitoring label usage, applying bulk classification to on-premises data and managing protection settings, and applying and managing protections and restrictions.

By the end of this chapter, you will have completed multiple lab exercises; however, if you have not followed any of these, I strongly recommend that you do before moving on to the next chapter.

The next chapter will cover planning and implementing encryption for email messages.

Leave a Reply

Your email address will not be published. Required fields are marked *