The SharePoint and OneDrive behavior also doesn't change for existing files in these locations that are labeled with encryption using a single Azure-based key. So for these files, coauthoring, eDiscovery, data loss prevention, search, and other collaborative features won't work. If encryption has been applied with an on-premises key (a key management topology often referred to as "hold your own key" or HYOK), or by using Double Key Encryption, the service behavior for processing the file contents doesn't change. Office 365 eDiscovery supports full-text search for these files and data loss prevention (DLP) policies support content in these files. For more information, see Support for external users and labeled content. You can also use auto-labeling for these documents.Įxternal users can access documents that are labeled with encryption by using guest accounts. The permissions that were assigned with the encryption are enforced. Use Office for the web (Word, Excel, PowerPoint) to open and edit Office files that have sensitivity labels that apply encryption.
If they don't have this minimum usage right, the upload is successful but the service doesn't recognize the label and can't process the file contents. For example, they can open the files outside SharePoint. When users upload labeled and encrypted files to SharePoint or OneDrive, they must have at least view rights to those files. For more information, see Information Rights Management (IRM) options and sensitivity labels. Ensure you provide user guidance to use only labels to protect documents.
When users download or access these files from SharePoint or OneDrive, the sensitivity label and any encryption settings from the label are enforced and remain with the file, wherever it is stored. Until you enable this feature, these services can't process encrypted files, which means that coauthoring, eDiscovery, Microsoft Purview data loss prevention, search, and other collaborative features won't work for these files.Īfter you enable sensitivity labels for Office files in SharePoint and OneDrive, for new and changed files that have a sensitivity label that applies encryption with a cloud-based key (and doesn't use Double Key Encryption:įor Word, Excel, and PowerPoint files, SharePoint and OneDrive recognize the label and can now process the contents of the encrypted file. The label can be applied in Office for the web, or in Office desktop apps and uploaded or saved in SharePoint and OneDrive. When this feature is enabled, users will see the Sensitivity button on the ribbon so they can apply labels, and see any applied label name on the status bar.Įnabling this feature also results in SharePoint and OneDrive being able to process the contents of Office files that have been encrypted by using a sensitivity label. Microsoft 365 licensing guidance for security & compliance.Įnable built-in labeling for supported Office files in SharePoint and OneDrive so that users can apply your sensitivity labels in Office for the web.