How sensitive labeling works outside of Office 365.
Eventually, you will come across the need to label files that are not Office 365 specific such as text files or PDFs. This is still possible using sensitive labeling, however, the steps are slightly different and there are a few important details to keep in mind.
Here is a quick list of things to keep in mind.
- You can not share these types of files with anyone outside the organization at all.
- You can’t prevent an individual from copying or printing data from the file
- The file type of the file you label will mostly likely change and end with .pfile instead of the original extension.
- You can only have one owner (yourself) of the file.
There are a few exceptions to this rule. For example, PDF files from Adobe support Microsoft Sensitive Labeling and will behave the same as Office 365 files (Excel, Word, Power Point) without any of the limitations above. Unfortunately, due to the limitations, it’s recommended to avoid entering data into any files that do not support sensitive labeling.
Labeling a file
How to label the file
While there are a lot of limitations to keep in mind for most files. Labeling a file is easy.
First, right click the file you want to sensitive label. Once clicked, you will see an option that says Apply sensitivity label with Microsoft Purview as shown below:
Windows 11, by default, does not have the full context menu as you see above. If you do not see the option, try holding down your SHIFT key before right clicking the file you want to label.
Once click the sensitivity label option, a new window will appear that includes the same labels you see in Office 365:
Once you select a label and click Apply the file will become labeled and protected. Depending on the file type, you will also notice the file icon and type change.
If the file name and type change, you can still access the file as normal. The only difference will be the limitations previously mentioned and a prompt will appear asking you to honor your permissions. This is not always the case as some file types are considered “supported” such as PDF files by Adobe.
How to tell if a file is supported
You can label almost any file you want. However, there are some limitations to files unless they are considered “supported”. The easiest way to tell if a file will be “supported” is to look for the below warning when labeling a file:
Any file that is considered unsupported will have the warning. You can still label the file if you wish. But you will encounter the below limitations:
- You can not share these types of files with anyone outside the organization at all.
- You can’t prevent an individual from copying or printing data from the file
- The file type of the file you label will mostly likely change and end with .pfile instead of the original extension.
- You can only have one owner (yourself) of the file.
Files that are supported, such as PDFs, will not have the message and will behave with little or no limitations listed above.
The files that support labeling will grow over time. As of right now, the known supported files are below:
- PDFs
- Photos (JPG,PNG,TIFF)
- Microsoft Project
- Microsoft Publisher
- Microsoft Excel (CSVs are not supported)
- Microsoft Word
- Microsoft PowerPoint
How to handle sharing sensitive data outside XGS when you can’t avoid an unsupported file type.
If you absolutely must share a file in an unsupported file type, the best solution is to instead sensitive label the email and then add the file as an attachment to that email. This will encrypt the email (Which supports external access) and the external user can then view the file. This still leaves the file unencrypted, so, if possible, avoid unsupported file types. But in the event that you cannot do this, labeling the email instead of the file is the best alternative.
Opening a labeled file
Opening a file is straight forward and opens just as a normal file would by double clicking the file. However, in most cases, you will get a special message before being granted access as shown below:
This screen will show you what permissions you’re supposed to have and state that it expects you respect the permissions granted. This warning is displayed for any files that are not supported. The reason this appears is due to one of the limitations above, individuals can’t be prevented from copying or printing the data protected. If the file supports sensitive labeling (Office 365 files, PDFs, etc) then the message doesn’t appear and the file opens without any prompt at all.
Regardless of the warning, you will be able to click Continue and the file it continue with it’s typical process of opening, just like a regular file would.
How PDFs behave when a file is labeled
By far, the most common file type that will be sensitive labeled are PDFs. Thankfully, Adobe supports Microsoft Sensitive Labeling. Because Adobe supports the sensitive labeling, there is no difference at all in opening PDF files as long as they are opened in Microsoft Edge or Information Protection Viewer. If a user opens a protected PDF file in Google Chrome or Adobe Acrobat Reader, at this time, they will not work.
If you attempt to open a protected PDF in anything other than Microsoft Edge or Information Protection Viewer, this will appear:
The warning is because the application you chose to open this PDF in does not support reading protected PDF documents. Even Adobe’s own Adobe Acrobat Reader does not support it at this time.
How to open PDF in Microsoft Edge
If Microsoft Edge is not your default PDF Viewer (By default, it is), you can also Shift + Right Click a file and choose Open With to select Microsoft Edge.
If you want to always open PDFs in Microsoft Edge, you can choose to do so by Shift + Right Click the file and choose Properties. Within that menu, you can click on Opens With and change the default application for every PDF.
Labeling a folder
When labeling a folder, you are mass sensitive labeling every single file in that folder! It is recommended to never do this and is only discussed so that you are aware of the functionality and do not unintentionally do it. Depending on how many files you label at once, this can appear as a ransomware attack and will trigger IT alert systems.
You can label a folder the same as you do a file with no deviation in steps. However, the behavior is different. You will not sensitive label the folder itself. Instead, what will happen is you will sensitive label every single file in that folder with the settings you choose. Think of it as bulk sensitive labeling files individually rather than sensitive labeling the folder itself.
This means that any files added into the folder after you before this bulk operation will not be protected. You would need to perform the same steps again to have them also protected.
Another important detail regarding this option is, while it’s okay to do on your local computer files if you feel the need, do not do this on any folders located in SharePoint or the XGS File share (X drive, for example) without first notifying IT.
There are situations where you may want to do this. For example, if you decide to make folders specifically designed to organize protected files. And thus, the option is available to you. The reason IT needs to be notified first is because sensitive labeling too many files at once on the network is indistinguishable from a ransomware attack. It will most likely set off security alerts that IT will then need to investigate. Sensitive labeling shared files individually will not set off these security alerts.
If you have any questions, need help, or need to notify IT of bulk folder changes, please contact Service desk at servicedesk@xgsi.com