Forum Discussion

brenoacp
Copper Contributor
Feb 06, 2025
Solved

Approval for Sensitive Label change

Hello everybody!
I have some sensitivity labels available to users, each with a defined priority.
In DLP, there is a policy that limits external sending of an email according to the chosen label.
The problem is that, this way, the user can switch to any label just by providing a justification.

We need to require approval from the manager or another specific person, or find another way to prevent the user from choosing a label that allows him to send the document or email externally.

Would that be possible?
Or any other way to meet this?

Best regards,

Breno Padovan

  • luchete
    Steel Contributor

    Hello brenoacp!

    It's possible to set up an approval process for label changes. You can use Microsoft Information Protection (MIP) to create policies that require approval before a user can apply certain sensitive labels. This approval can be routed to a manager or designated person for review. Alternatively, you could restrict label changes based on user roles or enforce automatic blocking of external sharing for specific labels. These settings can help control which labels users can apply and prevent unauthorized external sharing.

    In case you're still a bit lost, I would do it this way:

    To implement the approval process, you would need to create a policy within Microsoft Information Protection (MIP) and use "auto-labeling" for sensitive content. You can configure the policy to restrict which labels can be applied to emails or documents, and then set up an approval workflow using Power Automate or Microsoft 365 Compliance Center.

    For example, when a user tries to apply a sensitive label that permits external sharing, an approval request can be triggered to a designated manager. This can be set up so the manager has to review and approve the action before the user can proceed.

    Additionally, within the Data Loss Prevention (DLP) policy, you can restrict the external sharing of content based on the selected label. You can set conditions where certain labels are automatically blocked from sharing outside the organization unless explicitly approved.

    I hope it gives you some ideas!

    Regards

  •
    vicwingsing
    Iron Contributor

    If I may add to this.

    The solution above will likely cause the IT service desk to receive more support calls from frustrated end users, and IT Security will have to do more work, for the reasons I list below.

    • For users creating/modifying labels of files that are on their desktop and selecting the label with the external sharing option: Power Automate's automation triggers only if the file is created in Microsoft 365. Anything outside of that needs a manual trigger. (FYI: this is also the expected behaviour if the file is opened as an attachment in Outlook on Desktop, as Outlook opens the attached file in the Outlook temp folder inside C:.)
      • In short, this will not work if the users have these files stored on their local devices.
    • If the file is in Microsoft 365 (SharePoint or OneDrive), you will likely use the Power Automate trigger in SharePoint ("When an item or a file is modified"). This becomes a challenge, as it requires you to do the following:
      • Create a Power Automate workflow for each site that you want Power Automate to monitor for a file change, as Power Automate needs to know where to look for said changes. If you have hundreds or thousands of sites, this becomes a Microsoft 365 admin headache.
    • If you try to set this up in Purview DLP, the Power Automate option is the same as above: you'll have to create a policy rule for each SharePoint site that you have.
    • Even if you do know which specific sites to use in the policy or Power Automate flow, the result would be that end users' workflow is still hampered as they await approval before they can send the file.

    An alternative option would be to:

    1. Allow the user to change the file label and continue using justification.
    2. If the intention of the user was to try to circumvent the label policy, then you can instead use Purview DLP to monitor the SITs (sensitive information types) inside the document (either built-in, custom, trainable or fingerprint) and, if it matches any of those SITs, either block it or re-apply encryption to the email as part of the DLP action.
    3. Then you can even include a user notification to (1) inform the user about the action that was taken (e.g. "Hey user, we saw that you sent an email with a file that contains data, we encrypted it") and (2) create a Power Automate workflow to inform the user's manager of what they did. (See the screenshot above for the DLP policy violation.)
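    The following is an added example, not code posted by anyone in this thread: Security & Compliance PowerShell (ExchangeOnlineManagement module) for the two configurations discussed above, the label-gated rule with a justification override that the question describes, and the content-based block-or-encrypt rules that the reply above suggests instead. Everything named in it is assumed for illustration and not from the page: the policy and rule names, the "Internal Only" label, the "Encrypt" RMS template, the dlp-review@contoso.com reviewer mailbox, and the two built-in SITs. The grouped hashtable used for the label condition follows the documented format of `-ContentContainsSensitiveInformation`.

```powershell
# Added example, not code from the thread: Security & Compliance PowerShell
# (ExchangeOnlineManagement module) for the two DLP configurations discussed.
# Assumed, not taken from the page: policy and rule names, the "Internal Only"
# label, the "Encrypt" RMS template, the reviewer mailbox, and the two SITs.
Connect-IPPSSession

# ---- 1. The setup the question describes (weak) ---------------------------
# External mail is gated on the sensitivity label, but the sender may override
# the block with a justification. Since the sender also chooses the label,
# this is a self-approved exception, not an approval.
New-DlpCompliancePolicy -Name "Label gate (weak)" -ExchangeLocation All -Mode Enable

New-DlpComplianceRule -Name "Internal Only label - block external" `
    -Policy "Label gate (weak)" `
    -ContentContainsSensitiveInformation @(@{
        operator = "And"
        groups   = @(@{
            operator = "Or"
            name     = "Default"
            labels   = @(@{ name = "Internal Only"; type = "Sensitivity" })
        })
    }) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -NotifyAllowOverride WithJustification      # the weakness: one click, no reviewer

# ---- 2. The content-based alternative from the reply above (hardened) -----
# Match on what the content actually contains instead of trusting the label,
# allow no override, and tell both the sender and a reviewer what happened.
# Start in simulation mode; step 3 switches to enforcement.
New-DlpCompliancePolicy -Name "Content gate" -ExchangeLocation All -Mode TestWithNotifications

# Rule A: bulk matches going to external recipients are blocked outright.
# A custom, trainable or fingerprint SIT can be substituted for the Name values.
New-DlpComplianceRule -Name "Bulk SIT match - block external" `
    -Policy "Content gate" -Priority 0 `
    -ContentContainsSensitiveInformation @(
        @{ Name = "Credit Card Number"; minCount = "10" },
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "10" }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This message contains a large amount of regulated personal data and cannot be sent outside the organization." `
    -GenerateIncidentReport "dlp-review@contoso.com" `
    -IncidentReportContent Detections, RulesMatched, Service, SensitivityLabel `
    -ReportSeverityLevel High `
    -StopPolicyProcessing $true

# Rule B: a smaller match is encrypted instead of blocked. The mail still
# leaves, but only a recipient who can authenticate against the tenant can
# open it, whatever label the sender picked. "Encrypt" is assumed to be the
# Encrypt-Only template; confirm the name with Get-RMSTemplate in Exchange
# Online PowerShell.
New-DlpComplianceRule -Name "SIT match - encrypt external" `
    -Policy "Content gate" -Priority 1 `
    -ContentContainsSensitiveInformation @(
        @{ Name = "Credit Card Number"; minCount = "1" },
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" }
    ) `
    -AccessScope NotInOrganization `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This message was encrypted because it contains personal data going outside the organization." `
    -GenerateIncidentReport "dlp-review@contoso.com" `
    -IncidentReportContent Detections, RulesMatched, Service, SensitivityLabel `
    -ReportSeverityLevel Medium

# ---- 3. Check, then enforce ----------------------------------------------
# Neither hardened rule should report a NotifyAllowOverride value.
Get-DlpComplianceRule -Policy "Content gate" |
    Select-Object Name, Priority, AccessScope, BlockAccess, NotifyAllowOverride, ApplyRightsProtectionTemplate

# After the simulation-mode reports look right, switch the policy to enforcement.
Set-DlpCompliancePolicy -Identity "Content gate" -Mode Enable
```

    Two points worth noting about this layout. The Exchange location is tenant-wide, so the content-based rules need no per-site configuration of the kind the reply above warns about for SharePoint-triggered flows, and `-GenerateIncidentReport` delivers the reviewer or manager notification without a separate Power Automate flow. Run the hardened policy in `TestWithNotifications` long enough to read the incident reports before switching to `Enable`; a too-low `minCount` on the encrypt rule will otherwise encrypt far more outbound mail than intended.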