High-Level Overview
Sensitivity labels are a Microsoft Information Protection (MIP) component deployed as a cloud-based solution that enables the classification and protection of content through the application of predefined sensitivity labels.
When sensitivity labels are enabled for your organisation, end users can manually apply them to the following (web or desktop applications):
- Exchange Online emails
- Microsoft Office documents (M365 apps for enterprise subscription) stored in SharePoint Online and OneDrive
- Groups, Microsoft Teams, and SharePoint sites
- Power BI
- Microsoft Teams Premium (if the user is licenced for Microsoft Teams Premium)
The requirements outlined below must be completed so that sensitivity labels can be successfully applied by end users.
Requirements
Technical Requirements
Licensing
- End users who wish to apply/use sensitivity labels must have been allocated (at least) an M365 E3R (Enhanced Services) or M365 F3 (Standard Services) licence
- End users wishing to use sensitivity labels in O365 desktop applications must also have the appropriate O365 Enterprise Applications subscription to be able to use the sensitivity labels in desktop
- To use sensitivity labels in Power BI, end users must have Power BI Pro or Power BI Premium licences assigned to them. Additionally, end users wishing to manually apply sensitivity labels in Power BI must have editing privileges to the content they wish to label. Sensitivity labels in Power BI are available on both Power BI service and Power BI Desktop
- End users wishing to use sensitivity labels in Microsoft Teams meetings must be licenced with Microsoft Teams Premium
Network
As sensitivity labels are a cloud-based solution, the following network requirements must be met and traffic to the following URL must be permitted from the end user devices:
- *.aadrm.com
- *.azurerms.com
- *.Informationprotection.azure.com
- Informationprotection.hosting.portal.azure.net
- *.aria.microsoft.com
Software Requirements
- The latest supported browser version for the web applications
- Supported operating systems for Mobile devices (Android & iOS)
- To use the sensitivity labels in older Office desktop applications, end users should also have Azure Information Protection unified labelling client add-on installed. The Azure Information Protection (AIP) unified labelling client provides an Office add-on that installs the Sensitivity button on the ribbon for users to select sensitivity labels and optionally displays the Azure Information Protection bar for better label visibility. Newer versions of Office disable the AIP add-in in favour of the built in labelling client, see the guidance here. To learn more about minimum application versions, please visit the Microsoft guidance for Office and Outlook.
Attempting to use sensitivity labels with application versions other than the latest advised by Microsoft may cause the sensitivity labels to not work as expected.
NHSmail Global Sensitivity Labels Opt-in Service Request
The NHSmail Global Sensitivity Labels can be enabled to organisations through an opt-in approach. This means that organisations interested in using sensitivity labels as part of their Security and Information Governance strategy must submit a Service Request via the NHSmail Helpdesk Self-Service.
Deployment of the NHSmail Global Sensitivity Labels is an opt-in process which is to be requested by an organisation’s Local Administrator based on their Security and Information Governance strategy and readiness
Prior to submitting the Service Request, please ensure that you have read all support documentation related to sensitivity labels available in the NHSmail Support site and that as an organisation, you are aware of the following information:
- Requirements that must be completed so that sensitivity labels can be used by end users
- Current known limitations of the service
- Impacts, use cases and recommendations
- Local Administrator’s responsibility to communicate this change to all end users in the organisation at ODS group level
- The Service Request process and next steps outlined below
Local Administrators should support with the completion of the requirements outlined in this article and communicate the upcoming change to all end users in the organisation at ODS group level ahead of submitting the Service Request for the enablement of Global Sensitivity Labels to their organisation. Please note the Service Request will be automatically approved once submitted.
Once submitted, the Service Request will be routed to the O365 team who will enable the NHSmail Data Sensitivity Label Global Policy for your organisation through the organisation’s ODS group. Please note that the sensitivity labels will become available to all (and only) users who are part of the specific ODS group. Please note that child ODS groups are not captured as part of this process and must submit their own Service Request. Additionally, the policy will be deployed as per the design outlined in the NHSmail Data Sensitivity Label Global Policy and will not be customisable.
Submitting a Service Request
The submission of Global Label Service Request is automatically approved for implementation.
Please see below for the high-level Service Request process for the enablement of Global Sensitivity Labels:
- Local Administrator logs into their NHSmail account to access the NHSmail Helpdesk Self-Service
- The Local Administrator selects ‘Raise a request’
- The Local Administrator will complete and submit the Service Request form ‘Global Sensitivity Labels Opt-in’
- The Local Administrator will complete the form by providing the organisation’s ODS code and confirming that they have read the guidance available in the NHSmail Support site, and that they understand the implications and requirements outlined prior to submitting the request
- The Local Administrator will then receive an email confirmation for the ticket submission
- Once completed, the Local Administrator will receive an email confirmation for the request completion/closure
If you have any issues using the NHSmail Helpdesk Self-Service for this Service Request, please contact helpdesk@nhs.net using the subject line ‘Organisation Name – Global Sensitivity Labels Opt-in Request’ and including the details outlined in step 4 above in the email.
Upon completion of this Service Request, it may take at least 24 hours for the sensitivity labels to be visible to end users. We recommend end users to restart their devices after confirmation that the service has been complete for your organisation.
Issue Management
Local Administrators
Local Administrators will be responsible for managing issues related to organisation-specific requirements and day-to-day activities that might impact end users using sensitivity labels. Some of these issues are listed, but not limited to, below:
- Liaise with the organisation Information Governance community and other decision makers regarding the Global Sensitivity Labels design and configurations, including communicating the upcoming change to all end users in the organisation at ODS group level
- Support with end users credentials/account and licensing issues that could prevent them from using sensitivity labels
- Support with ensuring end users have the latest Microsoft supported versions of the Office/Outlook applications on the desktop and latest supported browser version for the web app
- Support with ensuring that Azure Information Protection unified labelling client add-on is installed for the end user if required
- Assist with end users queries which are covered by this documentation
NHSmail Helpdesk
Prior to raising an issue with O365 team via the NHSmail Helpdesk Self-Service, please ensure that the requirements outlined in this section have been completed. Additionally, please ensure that you are familiar with the known limitations outlined in the article Sensitivity Labels Overview and the recommendations outlined in the NHSmail Data Sensitivity Label Global Policy.
| Last Reviewed Date | 16/05/2024 |
