Track Sensitivity Label Downgrades and Removals with Audit Log Data
Sensitivity Label Downgrades and Removals Could Be Potentially Suspicious User Behavior
The publication of message center notification MC934733 on November 15, 2024 (Microsoft 365 roadmap item 466742) provoked some thought. The notification is about an update to Purview Insider Risk Management, a compliance solution to detect activities that might potentially expose the organization to risks like IP theft or data leakage. The solution is part of Microsoft’s E5 Compliance Suite and is also included in Office 365 E5/Microsoft 365 E5.
In this case, the update covers the detection of risk that might be indicated if people downgrade or remove sensitivity labels from files stored in SharePoint Online sites. This kind of behavior could indicate that a user is preparing to exfiltrate files from the organization, perhaps when they leave in the near future.
By removing sensitivity labels from files, they remove the block that Microsoft Information Protection would otherwise place on people who cannot prove their right to access the files. Normally, proof is secured by authentication, which is then compared against the set of rights defined for a file. Downgrading a label can have the same effect if the chosen label allows free access to files through a right like “any authenticated user.”
The ability to remove or change a sensitivity label for a file is governed by the rights assigned to a user in a label. If the user can edit the rights for a file, they can change or remove a sensitivity label. This right is included in the co-author role that is sometimes assigned to everyone in the organization or everyone in a group.
Use the Audit Log to Track Sensitivity Label Downgrades and Removals
This kind of check is very useful, but on its own it might not be enough to justify an organization investing in license add-ons or upgrades. If your tenant has Purview Audit Standard (check this PDF for product licensing information), then you can use PowerShell to analyze the events captured in the unified audit log to track and report sensitivity label downgrades and removals.
The idea is simple. Here’s what has to happen in a script.
- Connect to Exchange Online.
- Connect to the compliance endpoint.
- Run the Get-Label cmdlet to fetch details of the sensitivity labels used with files and store them in a hash table. In fact, two hash tables are used for fast lookup. One resolves label identifiers to return label display names. The other resolves label identifiers to return the label priorities. Each label has a priority number from 0 (least sensitive) up. By comparing the priority numbers when a label update occurs, you know if the update is a downgrade or an upgrade.
- Run the Search-UnifiedAuditLog cmdlet to look for FileSensitivityLabelRemoved and FileSensitivityLabelChanged events over whatever lookback period seems appropriate. See this article for more information about reporting sensitivity label events.
- Process each event to decide what happened and capture details in a PowerShell list.
- Do some analysis to figure out if an abnormal number of label downgrades or removals have happened and which accounts are involved.
- Report the details.
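The steps above, written out as one complete script. This is an added example and not the script published on GitHub with the article. It assumes the Exchange Online management module (v3 or later) and that the AuditData JSON for FileSensitivityLabelChanged and FileSensitivityLabelRemoved events carries the old and new label GUIDs under SensitivityLabelEventData.OldSensitivityLabelId and SensitivityLabelEventData.SensitivityLabelId; confirm those property names against one real event in your tenant before relying on them. The alert threshold, lookback period and CSV path are assumed values to adjust.

```powershell
# Added example (not the article's GitHub script). Assumes Exchange Online management
# module v3+ and that AuditData for these events exposes
# SensitivityLabelEventData.OldSensitivityLabelId / .SensitivityLabelId (verify in your tenant).
param(
    [int]$LookbackDays = 30,                 # assumed; Audit Standard retains events for a limited period
    [int]$AlertThreshold = 5,                # assumed: downgrades + removals per user that get flagged
    [string]$CsvPath = '.\LabelDowngrades.csv'   # assumed output location
)

Connect-ExchangeOnline -ShowBanner:$false    # needed for Search-UnifiedAuditLog
Connect-IPPSSession                           # compliance endpoint, needed for Get-Label

# Two lookup tables keyed by label GUID: one resolves names, the other priorities
$LabelNames    = @{}
$LabelPriority = @{}
foreach ($Label in Get-Label) {
    $Id = $Label.ImmutableId.ToString()
    $LabelNames[$Id]    = $Label.DisplayName
    $LabelPriority[$Id] = [int]$Label.Priority   # 0 = least sensitive, higher = more sensitive
}

function Get-LabelChangeType {
    # Classify an event by comparing the priorities of the old and new labels
    param([string]$Operation, [string]$OldId, [string]$NewId)
    if ($Operation -eq 'FileSensitivityLabelRemoved') { return 'Removed' }
    if (-not $LabelPriority.ContainsKey($OldId) -or -not $LabelPriority.ContainsKey($NewId)) { return 'Unknown' }
    if ($LabelPriority[$NewId] -lt $LabelPriority[$OldId]) { return 'Downgrade' }
    if ($LabelPriority[$NewId] -gt $LabelPriority[$OldId]) { return 'Upgrade' }
    return 'Same priority'
}

# Fetch the removal and change events for the lookback period
$Records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$LookbackDays) -EndDate (Get-Date) `
    -Operations FileSensitivityLabelRemoved, FileSensitivityLabelChanged `
    -ResultSize 5000 -SessionCommand ReturnLargeSet
if (-not $Records) { Write-Host 'No label removal or change events found.'; return }
# ReturnLargeSet can hand back duplicate records; keep one copy of each
$Records = $Records | Sort-Object Identity -Unique

# Process each event into a list of what happened
$Report = [System.Collections.Generic.List[Object]]::new()
foreach ($Rec in $Records) {
    $Data  = $Rec.AuditData | ConvertFrom-Json
    $OldId = [string]$Data.SensitivityLabelEventData.OldSensitivityLabelId   # assumed property path
    $NewId = [string]$Data.SensitivityLabelEventData.SensitivityLabelId      # assumed property path
    $Report.Add([PSCustomObject]@{
        Timestamp = $Rec.CreationDate
        User      = $Rec.UserIds
        Action    = Get-LabelChangeType -Operation $Rec.Operations -OldId $OldId -NewId $NewId
        OldLabel  = if ($LabelNames.ContainsKey($OldId)) { $LabelNames[$OldId] } else { 'Unknown' }
        NewLabel  = if ($LabelNames.ContainsKey($NewId)) { $LabelNames[$NewId] } else { 'None' }
        File      = $Data.SourceFileName
        Site      = $Data.SiteUrl
    })
}

# Analysis: per-user counts of the two risky actions, flagged against a fixed threshold
# and against twice the tenant-wide average so a single heavy user stands out
$Risky   = @($Report | Where-Object { $_.Action -in 'Downgrade', 'Removed' })
$Average = if ($Risky.Count) { $Risky.Count / @($Risky | Select-Object -ExpandProperty User -Unique).Count } else { 0 }
$Summary = $Risky | Group-Object User | ForEach-Object {
    [PSCustomObject]@{
        User       = $_.Name
        Downgrades = @($_.Group | Where-Object Action -eq 'Downgrade').Count
        Removals   = @($_.Group | Where-Object Action -eq 'Removed').Count
        Total      = $_.Count
        Flagged    = ($_.Count -ge $AlertThreshold) -or ($_.Count -gt 2 * $Average)
    }
} | Sort-Object Total -Descending

# Report the details on screen and as a CSV for follow-up
$Summary | Format-Table -AutoSize
$Report | Export-Csv -Path $CsvPath -NoTypeInformation
Write-Host "$($Report.Count) events analyzed; $(@($Summary | Where-Object Flagged).Count) account(s) flagged. Details in $CsvPath"
```

Upgrades and same-priority changes are kept in the CSV but left out of the per-user summary, so the flagged list only reflects downgrades and removals. The "Unknown" outcome appears when an event references a label GUID that Get-Label no longer returns (for instance a deleted label), which is worth a look in its own right rather than silently ignored.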
I put together a script to illustrate the principles involved in finding and analyzing the audit event information. You can download the script from GitHub. Figure 1 shows the results reported by the script when I ran it in my tenant. Clearly, the tenant administrators only have to worry about me…
Container Management Labels Are Changed Too
The sensitivity labels discussed so far are information protection labels that can apply rights management encryption to protect files. The other type is container management labels, which are used to apply settings to “containers” (teams, sites, and groups). Unhappily, just as someone can change a sensitivity label for a file, a container owner can change the assigned container management label. There’s no way for an organization to lock a label for a container.
However, you can monitor container label changes with audit log events and reapply the original label if a change is detected. The original article uses Exchange Online management PowerShell, and it’s also possible to monitor container management changes with the Graph APIs, albeit in a more complicated arrangement because of the need to store original label assignments for containers in a Graph-accessible location.
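The "store the original assignments and reapply" part of the approach just described, as an added example that is not the original article's script. Instead of reading audit events, it compares the current label on every Microsoft 365 group against a baseline CSV recorded on the first run, which is a simplification of the audit-log approach the article takes. It assumes the Exchange Online management module, that Get-UnifiedGroup exposes the container label GUID in the SensitivityLabel property and that Set-UnifiedGroup accepts -SensitivityLabelId (both exist in the module); the baseline path is an assumed location. Without the -Remediate switch the script only reports drift.

```powershell
# Added example: baseline-and-reapply for container management labels (not the article's script).
# Assumes Exchange Online management module v3+; Get-UnifiedGroup.SensitivityLabel holds the
# label GUID and Set-UnifiedGroup -SensitivityLabelId reapplies it.
param(
    [string]$BaselinePath = '.\ContainerLabelBaseline.csv',  # assumed location
    [switch]$Remediate                                       # report-only unless set
)

Connect-ExchangeOnline -ShowBanner:$false

# Current label assignment for every Microsoft 365 group (teams and group-connected sites)
$Current = Get-UnifiedGroup -ResultSize Unlimited |
    Select-Object ExternalDirectoryObjectId, DisplayName,
        @{ n = 'LabelId'; e = { if ($_.SensitivityLabel) { $_.SensitivityLabel.ToString() } else { '' } } }

if (-not (Test-Path $BaselinePath)) {
    # First run: record the approved assignments so later runs can detect drift
    $Current | Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Host "Baseline written to $BaselinePath; run again later to detect changes."
    return
}

# Baseline lookup keyed by group object id
$Baseline = @{}
foreach ($Row in Import-Csv $BaselinePath) { $Baseline[$Row.ExternalDirectoryObjectId] = $Row.LabelId }

# Compare current assignments with the baseline
$Drift = foreach ($Group in $Current) {
    if (-not $Baseline.ContainsKey($Group.ExternalDirectoryObjectId)) { continue }  # created after baseline
    $Expected = $Baseline[$Group.ExternalDirectoryObjectId]
    if ($Expected -ne $Group.LabelId) {
        [PSCustomObject]@{
            Group    = $Group.DisplayName
            GroupId  = $Group.ExternalDirectoryObjectId
            Expected = $Expected
            Current  = $Group.LabelId
        }
    }
}

if (-not $Drift) { Write-Host 'No container label drift detected.'; return }
$Drift | Format-Table -AutoSize

if ($Remediate) {
    # Reapply the baseline label; an empty Expected value means the baseline had no label, so skip it
    foreach ($Item in $Drift | Where-Object { $_.Expected }) {
        Set-UnifiedGroup -Identity $Item.GroupId -SensitivityLabelId $Item.Expected
        Write-Host "Reapplied label $($Item.Expected) to $($Item.Group)"
    }
}
```

Groups that appear after the baseline was taken are skipped rather than treated as drift; refresh the baseline after reviewing them, since a stale baseline will otherwise undo deliberate label changes when -Remediate is used.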
Detecting Sensitivity Label Downgrades Proves the Value of the Audit Log
Being able to track sensitivity label changes and removals for files is another example of how audit log information can prove useful for tenant administration. If you know what’s happening inside a tenant, there’s probably an audit log event captured for the action, and once you can find the audit log event, you can analyze it.
Learn about using the unified audit log and the rest of Microsoft 365 by subscribing to the Office 365 for IT Pros eBook. Use our experience to understand what’s important and how best to protect your tenant.