Protecting your data with Office365

Last year I wrote a series of blog posts looking at building a modern data platform one part of which discussed how you could use Office365 as part of your data protection strategy.

In this new series of posts I’m going to explore the capabilities inside of 365 in more detail and show how they can help you enhance your data protection, security and compliance posture.

Before we look at the capabilities of 365 let’s first take a look at the general elements we need to consider to build a robust data protection strategy;

Data Protection Cycle

The graphic highlights the continual cycle of data protection which starts with identifying what data we have through to classifying it and ensuring its security. The important part of this, is that it is a cycle, not a one-off activity and therefore requires consistent monitoring and review.

How then does 365 help us meet the demands of this data protection cycle?

Where do we start?

Microsoft have worked hard on making security a core part of 365 and this includes aggregating all of the security elements of the platform into the Security and Compliance center accessible via the main 365 admin portal, or directly via, once there you will see a wide range of facilities including a dashboard providing insight into how you are doing against a range of Microsoft compliance measures.

However, for this post we are going to focus on a subset of these capabilities which will help us take initial steps to meet the demands of our data protection cycle.


We start by needing to understand what kind of data we are holding in our 365 tenant. We do this via the “Search and Investigation tab” which allows us to search across all of our 365 estate for sensitive data types so we can begin to understand the make up of the data we hold.

We start by defining our query, in the graphic you can see we have created a query to look for credit card numbers across our SharePoint sites, once the query is triggered, we can preview as well as export the results for further analysis. This allows us to quickly identify any sensitive data we have so we can start to define appropriate policies to maintain the security of this information.

This ability to identify that we hold sensitive data is a crucial first step in our security cycle, if we don’t know it’s there how are we supposed to protect it?


Now we have identified this data it’s important that we classify it and employ rules to ensure its security and appropriate use. 365 uses labels to define and apply these rules via two distinct label types, security and retention, which allow us to protect data from accidental (or malicious) misuse and ensure we keep it for the appropriate amount of time and are defined as follows;

Sensitivity Labels

Define the security settings for our files, as can be seen in the graphic we can apply a range of useful controls. For example, we can define that all of the documents or emails that contain certain types of information are forcibly encrypted and only certain users allowed to access them, we can even limit the time for which that information is accessible.

We can also use these labels to define data loss prevention policies on our endpoints via Microsoft Information Protection (which we’ll explore in the 2nd part of this series).

Finally we have the ability to automatically label our data when we discover a sensitive data type, which removes the dependency on users correctly labeling data.

The important part of these types of controls is the security we apply here lives with the file and is not defined by the location, so once a document leaves our environment it still remains secure and under our control.

Retention Label

A key part of a data governance policy is the ability to control how long we retain our data for and retention labels are our method for delivering this inside of 365. As you can see from the graphic, we can define how long we keep the data for and what to do with it when the retention period expires. The ability to do this is crucial in ensuring robust data management.

Applying Labels

Now we have identified our data and created some appropriate labels, how do we apply them and use them?

When it comes to applying labels, there are differences in the way they are applied.

Retention labels can only be applied within the 365 tenant as they are specific to our organisation and not anywhere else we may send our data to.

Policies can be either applied in a SharePoint or OneDrive library or applied to an email via Outlook Web App or Outlook (2010 onward) and as discussed previously either applied manually or automatically dependent on contents.

Sensitivity labels differ in that they are applied at an item level, within an Office document or directly to an email and also require the addition of the Information Protection elements of your 365 subscription as well as access to the “Sensitivity” feature of your Office application (via plug-in for Office for desktops and natively in mobile Office apps). This again makes sense, Sensitivity labels are defining the usage of this item regardless of its location, so must be applied directly to the item at point of creation and not applied at a storage repository level.

Powerful, but how to use them?

Labels inside of 365 provide us with very powerful capabilities that can play a significant part in enhancing our data security and governance posture. In this post we have looked at how to identify our information, how to classify it with labels and the options we have to apply them.

In the next part, we will look at how we use these labels to build an understanding of how our data is used and how to ensure it doesn’t leak outside of our organisation.

Look out for part 2 of this series soon.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.