Setting to Scan Uploaded Files to Sharepoint

Microsoft 365 licensing guidance for security & compliance.

Enable built-in labeling for supported Office files in SharePoint and OneDrive so that users can apply your sensitivity labels in Office for the web. When this feature is enabled, users will see the Sensitivity button on the ribbon so they can apply labels, and see any applied label name on the status bar.

Enabling this feature also results in SharePoint and OneDrive being able to process the contents of Office files that have been encrypted by using a sensitivity label. The label can be applied in Office for the web, or in Office desktop apps and uploaded or saved in SharePoint and OneDrive. Until you enable this feature, these services can't process encrypted files, which means that coauthoring, eDiscovery, Data Loss Prevention, search, and other collaborative features won't work for these files.

After you enable sensitivity labels for Office files in SharePoint and OneDrive, for new and changed files that have a sensitivity label that applies encryption with a cloud-based key (and doesn't use Double Key Encryption):

  • For Word, Excel, and PowerPoint files, SharePoint and OneDrive recognize the label and can now process the contents of the encrypted file.

  • When users download or access these files from SharePoint or OneDrive, the sensitivity label and any encryption settings from the label are enforced and remain with the file, wherever it is stored. Ensure you provide user guidance to use only labels to protect documents. For more information, see Information Rights Management (IRM) options and sensitivity labels.

  • When users upload labeled and encrypted files to SharePoint or OneDrive, they must have at least view rights to those files. For example, they can open the files outside SharePoint. If they don't have this minimum usage right, the upload is successful but the service doesn't recognize the label and can't process the file contents.

  • Use Office for the web (Word, Excel, PowerPoint) to open and edit Office files that have sensitivity labels that apply encryption. The permissions that were assigned with the encryption are enforced. You can also use auto-labeling for these documents.

  • External users can access documents that are labeled with encryption by using guest accounts. For more information, see Support for external users and labeled content.

  • Office 365 eDiscovery supports full-text search for these files and Data Loss Prevention (DLP) policies support content in these files.

Note

If encryption has been applied with an on-premises key (a key management topology often referred to as "hold your own key" or HYOK), or by using Double Key Encryption, the service behavior for processing the file contents doesn't change. So for these files, coauthoring, eDiscovery, Data Loss Prevention, search, and other collaborative features won't work.

The SharePoint and OneDrive behavior also doesn't change for existing files in these locations that are labeled with encryption using a single Azure-based key. For these files to benefit from the new capabilities after you enable sensitivity labels for Office files in SharePoint and OneDrive, the files must be either downloaded and uploaded again, or edited.

After you enable sensitivity labels for Office files in SharePoint and OneDrive, three new audit events are available for monitoring sensitivity labels that are applied to documents in SharePoint and OneDrive:

  • Applied sensitivity label to file
  • Changed sensitivity label applied to file
  • Removed sensitivity label from file

You always have the choice to disable sensitivity labels for Office files in SharePoint and OneDrive (opt-out) at any time.

If you are currently protecting documents in SharePoint by using SharePoint Information Rights Management (IRM), be sure to check the SharePoint Information Rights Management (IRM) and sensitivity labels section on this page.

Requirements

These new capabilities work with sensitivity labels only. If you currently have Azure Information Protection labels, first migrate them to sensitivity labels so that you can enable these features for new files that you upload. For instructions, see How to migrate Azure Information Protection labels to unified sensitivity labels.

Use the OneDrive sync app version 19.002.0121.0008 or later on Windows, and version 19.002.0107.0008 or later on Mac. Both these versions were released January 28, 2019, and are currently released to all rings. For more information, see the OneDrive release notes. After you enable sensitivity labels for Office files in SharePoint and OneDrive, users who run an older version of the sync app are prompted to update it.

Limitations

  • SharePoint and OneDrive can't process some files that are labeled and encrypted from Office desktop apps when these files contain PowerQuery data, data stored by custom add-ins, or custom XML parts such as Cover Page Properties, content type schemas, custom Document Information Panel, and Custom XSN. This limitation also applies to files that include a bibliography, and to files that have a Document ID added when they are uploaded.

    For these files, either apply a label without encryption so that they can later be opened in Office on the web, or instruct users to open the files in their desktop apps. Files that are labeled and encrypted only in Office on the web aren't affected.

  • SharePoint and OneDrive don't automatically apply sensitivity labels to existing files that you've already encrypted using Azure Information Protection labels. Instead, for the features to work after you enable sensitivity labels for Office files in SharePoint and OneDrive, complete these tasks:

    1. Make sure you have migrated the Azure Information Protection labels to sensitivity labels and published them from the Microsoft 365 compliance center.
    2. Download the labeled files and then upload them to their original location in SharePoint or OneDrive.
  • SharePoint and OneDrive can't process encrypted files when the label that applied the encryption has any of the following configurations for encryption:

    • Let users assign permissions when they apply the label and the checkbox In Word, PowerPoint, and Excel, prompt users to specify permissions is selected. This setting is sometimes referred to as "user-defined permissions".

    • User access to content expires is set to a value other than Never.

    • Double Key Encryption is selected.

      For labels with any of these encryption configurations, the labels aren't displayed to users in Office for the web. Additionally, the new capabilities can't be used with labeled documents that already have these encryption settings. For example, these documents won't be returned in search results, even if they are updated.

  • For performance reasons, when you upload or save a document to SharePoint and the file's label doesn't apply encryption, the Sensitivity column in the document library can take a while to display the label name. Factor in this delay if you use scripts or automation that depend on the label name in this column.

  • If a document is labeled while it's checked out in SharePoint, the Sensitivity column in the document library won't display the label name until the document is checked in and next opened in SharePoint.

  • If a labeled and encrypted document is downloaded from SharePoint or OneDrive by an app or service that uses a service principal name, and then uploaded again with a label that applies different encryption settings, the upload will fail. An example scenario is Microsoft Defender for Cloud Apps changes a sensitivity label on a file from Confidential to Highly Confidential, or from Confidential to General.

    The upload doesn't fail if the app or service first runs the Unlock-SPOSensitivityLabelEncryptedFile cmdlet, as explained in the Remove encryption for a labeled document section. Or, before the upload, the original file is deleted, or the file name is changed.

  • Users might experience delays in being able to open encrypted documents in the following Save As scenario: Using a desktop version of Office, a user chooses Save As for a document that has a sensitivity label that applies encryption. The user selects SharePoint or OneDrive for the location, and then immediately tries to open that document in Office for the web. If the service is still processing the encryption, the user sees a message that the document must be opened in their desktop app. If they try again in a couple of minutes, the document successfully opens in Office for the web.

  • For encrypted documents, printing is not supported in Office for the web.

  • For encrypted documents in Office for the web, copying to the clipboard and screen captures are not prevented. For more information, see Can Rights Management prevent screen captures?

  • By default, Office desktop apps and mobile apps don't support co-authoring for files that are labeled with encryption. These apps continue to open labeled and encrypted files in exclusive editing mode.

  • If an admin changes settings for a published label that's already applied to files downloaded to users' sync client, users might be unable to save changes they make to the file in their OneDrive Sync folder. This scenario applies to files that are labeled with encryption, and also when the label change is from a label that didn't apply encryption to a label that does apply encryption. Users see a red circle with a white cross icon error, and they are asked to save new changes as a separate copy. Instead, they can close and reopen the file, or use Office for the web.

  • Users can experience save problems after going offline or into a sleep mode when, instead of using Office for the web, they use the desktop and mobile apps for Word, Excel, or PowerPoint. For these users, when they resume their Office app session and try to save changes, they see an upload failure message with an option to save a copy instead of saving the original file.

  • Documents that have been encrypted in the following ways can't be opened in Office for the web:

    • Encryption that uses an on-premises key ("hold your own key" or HYOK)
    • Encryption that was applied by using Double Key Encryption
    • Encryption that was applied independently from a label, for example, by directly applying a Rights Management protection template.
  • Labels configured for other languages are not supported and display the original language only.

  • If you delete a label that's been applied to a document in SharePoint or OneDrive, rather than remove the label from the applicable label policy, the document when downloaded won't be labeled or encrypted. In comparison, if the labeled document is stored outside SharePoint or OneDrive, the document remains encrypted if the label is deleted. Note that although you might delete labels during a testing phase, it's very rare to delete a label in a production environment.

You can enable the new capabilities by using the Microsoft 365 compliance center, or by using PowerShell. As with all tenant-level configuration changes for SharePoint and OneDrive, it takes about 15 minutes for the change to take effect.

Use the compliance center to enable support for sensitivity labels

This option is the easiest way to enable sensitivity labels for SharePoint and OneDrive, but you must sign in as a global administrator for your tenant.

  1. Sign in to the Microsoft 365 compliance center as a global administrator, and navigate to Solutions > Information protection

    If you don't immediately see this option, first select Show all.

  2. If you see a message to turn on the ability to process content in Office online files, select Turn on now.

    The command runs immediately and when the page is next refreshed, you no longer see the message or button.

Note

If you have Microsoft 365 Multi-Geo, you must use PowerShell to enable these capabilities for all your geo-locations. See the next section for details.

Use PowerShell to enable support for sensitivity labels

As an alternative to using the compliance center, you can enable support for sensitivity labels by using the Set-SPOTenant cmdlet from SharePoint Online PowerShell.

If you have Microsoft 365 Multi-Geo, you must use PowerShell to enable this support for all your geo-locations.

Prepare the SharePoint Online Management Shell

Before you run the PowerShell command to enable sensitivity labels for Office files in SharePoint and OneDrive, ensure that you're running SharePoint Online Management Shell version 16.0.19418.12000 or later. If you already have the latest version, you can skip to the next procedure to run the PowerShell command.

  1. If you have installed a previous version of the SharePoint Online Management Shell from PowerShell gallery, you can update the module by running the following cmdlet.

                      Update-Module -Name Microsoft.Online.SharePoint.PowerShell                                  
  2. Alternatively, if you have installed a previous version of the SharePoint Online Management Shell from the Microsoft Download Center, you can also go to Add or remove programs and uninstall the SharePoint Online Management Shell.

  3. In a web browser, go to the Download Center page and download the latest SharePoint Online Management Shell.

  4. Select your language and then click Download.

  5. Choose between the x64 and x86 .msi file. Download the x64 file if you run the 64-bit version of Windows or the x86 file if you run the 32-bit version. If you don't know, see Which version of Windows operating system am I running?

  6. After you have downloaded the file, run the file and follow the steps in the Setup Wizard.

Run the PowerShell command to enable support for sensitivity labels

To enable the new capabilities, use the Set-SPOTenant cmdlet with the EnableAIPIntegration parameter:

  1. Using a work or school account that has global administrator or SharePoint admin privileges in Microsoft 365, connect to SharePoint. To learn how, see Getting started with SharePoint Online Management Shell.

    Note

    If you have Microsoft 365 Multi-Geo, use the -Url parameter with Connect-SPOService, and specify the SharePoint Online Administration Center site URL for one of your geo-locations.

  2. Run the following command and press Y to confirm:

                      Set-SPOTenant -EnableAIPIntegration $true
  3. For Microsoft 365 Multi-Geo: Repeat steps 1 and 2 for each of your remaining geo-locations.
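
The procedure above, scripted for every geo-location with a module version check and a before/after readback of the setting. This is an added example, not part of the original documentation; the admin center URLs are assumed placeholders, and it assumes Get-SPOTenant returns the EnableAIPIntegration value.

```powershell
# Added example (not from the original page).
# Assumption: placeholder admin center URLs, one per geo-location.
# Replace them with your tenant's own SharePoint admin center URLs.
$adminUrls = @(
    'https://contoso-admin.sharepoint.com',
    'https://contosoeur-admin.sharepoint.com'
)

# The page requires SharePoint Online Management Shell 16.0.19418.12000 or later.
$minVersion = [version]'16.0.19418.12000'
$module = Get-Module -Name Microsoft.Online.SharePoint.PowerShell -ListAvailable |
    Sort-Object Version -Descending |
    Select-Object -First 1
if (-not $module -or $module.Version -lt $minVersion) {
    throw "SharePoint Online Management Shell $minVersion or later is required."
}

$report = foreach ($url in $adminUrls) {
    # Sign in with a global administrator or SharePoint admin account.
    Connect-SPOService -Url $url
    try {
        # Record the current state so the run is auditable and idempotent.
        $before = (Get-SPOTenant).EnableAIPIntegration
        if (-not $before) {
            # Prompts for confirmation; press Y.
            Set-SPOTenant -EnableAIPIntegration $true
        }
        [pscustomobject]@{
            AdminUrl = $url
            Before   = $before
            After    = (Get-SPOTenant).EnableAIPIntegration
        }
    }
    finally {
        # Always drop the session before moving to the next geo-location.
        Disconnect-SPOService
    }
}

$report | Format-Table -AutoSize

# Flag any geo-location where the setting did not read back as enabled.
$notEnabled = @($report | Where-Object { -not $_.After })
if ($notEnabled.Count -gt 0) {
    Write-Warning ("Not enabled in: " + ($notEnabled.AdminUrl -join ', '))
}
```

A geo-location that is skipped keeps the old behavior, so encrypted files uploaded there stay invisible to DLP, eDiscovery, and search; keep the report as evidence of the change.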

Publishing and changing sensitivity labels

When you use sensitivity labels with SharePoint and OneDrive, keep in mind that you need to allow for replication time when you publish new sensitivity labels or update existing sensitivity labels. This is especially important for new labels that apply encryption.

For example: You create and publish a new sensitivity label that applies encryption and it very quickly appears in a user's desktop app. The user applies this label to a document and then uploads it to SharePoint or OneDrive. If the label replication hasn't completed for the service, the new capabilities won't be applied to that document on upload. As a result, the document won't be returned in search or for eDiscovery and the document can't be opened in Office for the web.

For more information about the timing of labels, see When to expect new labels and changes to take effect.

As a safeguard, we recommend publishing new labels to just a few test users first, wait for at least one hour, and then verify the label behavior on SharePoint and OneDrive. Wait at least a day before making the label available to more users by either adding more users to the existing label policy, or adding the label to an existing label policy for your standard users. By the time your standard users see the label, it has already synchronized to SharePoint and OneDrive.

SharePoint Information Rights Management (IRM) is an older technology to protect files at the list and library level by applying encryption and restrictions when files are downloaded. This older protection technology is designed to prevent unauthorized users from opening the file while it's outside SharePoint.

In comparison, sensitivity labels provide the protection settings of visual markings (headers, footers, watermarks) in addition to encryption. The encryption settings support the full range of usage rights to restrict what users can do with the content, and the same sensitivity labels are supported for many scenarios. Using the same protection method with consistent settings across workloads and apps results in a consistent protection strategy.

However, you can use both protection solutions together and the behavior is as follows:

  • If you upload a file with a sensitivity label that applies encryption, SharePoint can't process the content of these files, so coauthoring, eDiscovery, DLP, and search are not supported for these files.

  • If you label a file using Office for the web, any encryption settings from the label are enforced. For these files, coauthoring, eDiscovery, DLP, and search are supported.

  • If you download a file that's labeled by using Office for the web, the label is retained and any encryption settings from the label are enforced rather than the IRM restriction settings.

  • If you download an Office or PDF file that isn't encrypted with a sensitivity label, IRM settings are applied.

  • If you have enabled any of the additional IRM library settings, which include preventing users from uploading documents that don't support IRM, these settings are enforced.

With this behavior, you can be assured that all Office and PDF files are protected from unauthorized access if they are downloaded, even if they aren't labeled. However, labeled files that are uploaded won't benefit from the new capabilities.

Search for documents by sensitivity label

Use the managed property InformationProtectionLabelId to find all documents in SharePoint or OneDrive that have a specific sensitivity label. Use the following syntax: InformationProtectionLabelId:<GUID>

For example, to search for all documents that have been labeled as "Confidential", and that label has a GUID of "8faca7b8-8d20-48a3-8ea2-0f96310a848e", in the search box, type:

              InformationProtectionLabelId:8faca7b8-8d20-48a3-8ea2-0f96310a848e                          

Search won't find labeled documents in a compressed file, such as a .zip file.

To get the GUIDs for your sensitivity labels, use the Get-Label cmdlet:

  1. First, connect to Office 365 Security & Compliance Center PowerShell.

    For example, in a PowerShell session that you run as administrator, sign in with a global administrator account.

  2. Then run the following command:

                      Get-Label | ft Name, Guid

For more information about using managed properties, see Manage the search schema in SharePoint.

Remove encryption for a labeled document

There might be rare occasions when a SharePoint administrator needs to remove encryption from a document stored in SharePoint. Any user who has the Rights Management usage right of Export or Full Control assigned to them for that document can remove encryption that was applied by the Azure Rights Management service from Azure Information Protection. For example, users with either of these usage rights can replace a label that applies encryption with a label without encryption. A super user could also download the file and save a local copy without the encryption.

As an alternative, a global admin or SharePoint admin can run the Unlock-SPOSensitivityLabelEncryptedFile cmdlet, which removes both the sensitivity label and the encryption. This cmdlet runs even if the admin doesn't have access permissions to the site or file, or if the Azure Rights Management service is unavailable.

For example:

              Unlock-SPOSensitivityLabelEncryptedFile -FileUrl "https://contoso.com/sites/Marketing/Shared Documents/Doc1.docx" -JustificationText "Need to decrypt this file"                          

Requirements:

  • SharePoint Online Management Shell version 16.0.20616.12000 or later.

  • The encryption has been applied by a sensitivity label with admin-defined encryption settings (the Assign permissions now label settings). Double Key Encryption is not supported for this cmdlet.

The justification text is added to the audit event of Removed sensitivity label from file, and the decryption action is also recorded in the protection usage logging for Azure Information Protection.
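
To review the three label audit events listed earlier, including removals made with Unlock-SPOSensitivityLabelEncryptedFile and their justification text, the following added example (not from the original page) queries the unified audit log. It assumes an Exchange Online PowerShell session in which Search-UnifiedAuditLog is available; the operation names and the SensitivityLabelEventData field names are assumptions about the audit record layout, so compare them against a raw record from your tenant.

```powershell
# Added example (not from the original page).
# Assumption: operation names for the three audit events the page lists.
$operations = @(
    'FileSensitivityLabelApplied',
    'FileSensitivityLabelChanged',
    'FileSensitivityLabelRemoved'
)

# Pull the last 7 days of label events (5000 is the per-call maximum).
$records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) `
    -EndDate (Get-Date) -Operations $operations -ResultSize 5000

$events = foreach ($record in $records) {
    # AuditData is a JSON string; the label details sit in a nested object.
    $data  = $record.AuditData | ConvertFrom-Json
    $label = $data.SensitivityLabelEventData   # assumed field name
    [pscustomobject]@{
        Time          = $record.CreationDate
        User          = $record.UserIds
        Operation     = $record.Operations
        File          = $data.ObjectId
        OldLabelId    = $label.OldSensitivityLabelId   # assumed field name
        NewLabelId    = $label.SensitivityLabelId      # assumed field name
        Justification = $label.JustificationText       # assumed field name
    }
}

# Removals deserve the closest look: each one strips label and encryption.
$events |
    Where-Object Operation -eq 'FileSensitivityLabelRemoved' |
    Sort-Object Time |
    Format-Table Time, User, File, Justification -AutoSize

# Removals with no justification recorded are candidates for follow-up.
$unjustified = @($events | Where-Object {
    $_.Operation -eq 'FileSensitivityLabelRemoved' -and
    [string]::IsNullOrWhiteSpace($_.Justification)
})
Write-Output ("Removals without justification text: " + $unjustified.Count)

# Per-user summary to spot bulk relabeling by a single account.
$events | Group-Object User, Operation |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Map the label IDs in the output to names with the Get-Label command shown in the search section.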

If you disable these new capabilities, files that you uploaded after you enabled sensitivity labels for SharePoint and OneDrive continue to be protected by the label because the label settings continue to be enforced. When you apply sensitivity labels to new files after you disable these new capabilities, full-text search, eDiscovery, and coauthoring will no longer work.

To disable these new capabilities, you must use PowerShell. Using the SharePoint Online Management Shell and the Set-SPOTenant cmdlet, specify the same EnableAIPIntegration parameter as described in the Use PowerShell to enable support for sensitivity labels section. But this time, set the parameter value to false and press Y to confirm:

              Set-SPOTenant -EnableAIPIntegration $false

If you have Microsoft 365 Multi-Geo, you must run this command for each of your geo-locations.

Next steps

After you've enabled sensitivity labels for Office files in SharePoint and OneDrive, consider automatically labeling these files by using auto-labeling policies. For more information, see Apply a sensitivity label to content automatically.

Need to share your labeled and encrypted documents with people outside your organization? See Sharing encrypted documents with external users.

Source: https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels-sharepoint-onedrive-files