Microsoft Changes Names for Sensitivity Label Permissions
New Names for Sensitivity Label Permissions Clarify Usage
Every time you look around, something is changing with sensitivity labels, like the introduction of dynamic watermarking. More prosaic but still important, a recent update posted by Microsoft covers changes to the names for the four default permissions used for sensitivity labels. The new names for the permissions are:
- Co-owner is now Owner.
- Co-author is now Editor.
- Reviewer is now Restricted Editor.
- Viewer retains the same name.
Microsoft changed the names to make their usage more apparent to end users. I think the change makes sense. Co-author was always a name that troubled me. If you’re the co-author of a document, surely it makes sense to share equal ownership rights for the document with the other authors?
Sensitivity Label Permissions and Usage Rights
Each permission is a set of usage rights deemed appropriate for a certain level of interaction with a file or email. Figure 1 shows the default usage rights for the Editor permission. Notably, the Export usage right is excluded, so anyone holding this permission cannot save a copy of a labelled item in a form that removes the encryption. They also can’t replace or remove a sensitivity label from an item.
It’s always best to assign sensitivity label permissions to groups, including the special groups defined for sensitivity labels: “everyone in your organization” and “all authenticated users.” The caveats are that “everyone in your organization” includes guest accounts, and “all authenticated users” means anyone who can authenticate with Entra ID or a federated directory service, like Google. If you want to assign a permission to all full-time employees (or a similar category), use a dynamic Microsoft 365 group or security group to identify the recipients.
Changing the Usage Rights for Sensitivity Label Permissions
If you don’t like the usage rights assigned in one of the four default permissions, you can create a custom permission and include whatever rights you think users need. For example, you might decide that the OBJMODEL usage right (the right to run macros) is not required for the Viewer permission. This right was needed when Azure Information Protection displayed an information protection bar in the Office apps; that need disappeared when the Office desktop apps introduced the sensitivity bar. The Viewer permission allows people to read, edit, and save documents and doesn’t (as far as I can see) need the right to run macros any longer.
The EXTRACT usage right gets a lot of attention these days because Microsoft 365 Copilot uses this right to copy content from protected documents and use it to ground the prompts sent to the LLM. Copilot runs in the context of the signed-in user, so if a sensitivity label assigns that person the right to extract content, Copilot can use the content in its generated responses, such as document summaries. For this reason, some organizations have removed the Extract right from all but the Owner and Editor permissions.
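As an added example (not code from the article or from Microsoft), the following PowerShell shows how an administrator could first audit which identities in each encrypting label hold the EXTRACT right, and then apply a custom permission set that drops EXTRACT from Restricted Editor and OBJMODEL from Viewer. It uses the Get-Label and Set-Label cmdlets from Security & Compliance PowerShell (ExchangeOnlineManagement module). The label name, tenant domain, group address and the exact right lists are assumptions, as is the AuthenticatedUsers keyword and the text format of EncryptionRightsDefinitions; check both against the current cmdlet documentation before running it.

```powershell
# Added example, not from the article: audit which identities a label grants the EXTRACT
# usage right to, then replace the label's rights definitions with a custom permission set.
# Requires the ExchangeOnlineManagement module and a Security & Compliance session.
# Placeholders (assumptions, adjust for your tenant): the label name, the tenant domain,
# and the group address. The right names are Microsoft's usage-right identifiers.
Connect-IPPSSession

$LabelName    = 'Confidential - Internal'   # placeholder label display name
$TenantDomain = 'contoso.com'               # placeholder: stands in for "everyone in your organization"
$OwnersGroup  = 'label-owners@contoso.com'  # placeholder mail-enabled group

# 1. Audit: list every label that encrypts content and every identity that can EXTRACT
#    (OWNER implies all rights, so it counts as EXTRACT too). Assumes Get-Label returns
#    EncryptionRightsDefinitions as "identity:RIGHT,RIGHT;identity:RIGHT" text.
$ExtractGrants = Get-Label | Where-Object { $_.EncryptionEnabled -eq $true } | ForEach-Object {
    $Label = $_
    foreach ($Definition in ($Label.EncryptionRightsDefinitions -split ';')) {
        if ([string]::IsNullOrWhiteSpace($Definition)) { continue }
        $Identity, $RightList = $Definition -split ':', 2
        $RightSet = $RightList -split ',' | ForEach-Object { $_.Trim().ToUpperInvariant() }
        [pscustomobject]@{
            Label      = $Label.DisplayName
            Identity   = $Identity.Trim()
            CanExtract = ($RightSet -contains 'EXTRACT') -or ($RightSet -contains 'OWNER')
            Rights     = ($RightSet -join ',')
        }
    }
}
$ExtractGrants | Where-Object CanExtract | Format-Table Label, Identity, Rights -AutoSize

# 2. Define the custom permission sets discussed above: Restricted Editor without EXTRACT
#    (and without PRINT), Viewer without OBJMODEL. These lists are this example's own
#    choices, not Microsoft's defaults; compare with the current values from Get-Label first.
$Rights = @{
    Owner            = 'OWNER'
    Editor           = 'VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL'
    RestrictedEditor = 'VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,REPLY,REPLYALL,FORWARD,OBJMODEL'
    Viewer           = 'VIEW,VIEWRIGHTSDATA,REPLY,REPLYALL,FORWARD'
}

# Identity:rights pairs joined by semicolons. Braces around the variable name keep
# PowerShell from reading "$TenantDomain:" as a scope qualifier.
$Definitions = @(
    "${OwnersGroup}:$($Rights.Owner)"
    "${TenantDomain}:$($Rights.RestrictedEditor)"
    "AuthenticatedUsers:$($Rights.Viewer)"       # assumed keyword for "all authenticated users"
) -join ';'

# Set-Label replaces the whole rights definition, so every identity that should keep
# access must appear in $Definitions; anything omitted loses its rights.
Set-Label -Identity $LabelName -EncryptionRightsDefinitions $Definitions

# Confirm the change.
(Get-Label -Identity $LabelName).EncryptionRightsDefinitions
```

The audit step is worth running on its own before any change: it shows, per label, which groups or domains can currently extract content, which is exactly the set Copilot can draw on when grounding a response for a user in those groups.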
Stopping Copilot from using content from sensitive documents won’t stop Copilot from finding those documents. To hide documents from Copilot, you must limit search in some way, like blocking search results for sites or document libraries. Microsoft limits Copilot with the Restricted SharePoint Search (an allow list of sites available to Copilot) and Restricted Content Discoverability (a deny list of sites blocked for Copilot) features.
Figuring Out the Best Usage Rights for Sensitivity Labels
In any deployment, it’s important to make sure that sensitivity labels grant users the usage rights necessary to get their jobs done. Part of the design process to create sensitivity labels is to understand what information they will likely protect and how people interact with that content. This knowledge then guides the selection of permissions to define in each label. The change in permission names is a prompt to reflect on whether the permissions for existing labels are still the best mixture of protection and usability. If not, it’s easy to adjust.
Granting Owner permission to everyone in the organization is a step on the sorry path to oversharing, while restricting people to Viewer permission is likely to be overly restrictive. Restricted Editor looks like the new baseline sensitivity label permission to give everyone, with higher-level permissions assigned as dictated by the interaction people need with protected documents.
Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.