Sensitivity labeling for calendar items and Teams meetings for Australian Government compliance with PSPF
This article provides guidance for Australian Government organizations on the application of sensitivity labels to meetings and calendar items. Its purpose is to help government organizations to increase their security and compliance maturity while adhering to requirements outlined in the Protective Security Policy Framework (PSPF) and Information Security Manual (ISM).
There are two options available to assist the protection of meetings and meeting content:
- Organizations with E5 or A5 licensing can apply sensitivity labels to calendar items.
- Organizations that have the Teams Premium add-on license can extend these protections to the Teams meeting.
Labeling of calendar items
The sensitivity label meetings scope option is available to customers with E5 or A5 licensing and allows for labels to be published to Outlook or Teams calendars. Calendar items can be subject to mandatory labeling configuration. If enabled in label policies, users are prompted to apply a label before they can create a calendar item or send a calendar invitation.
Labeled calendar items receive client-based visual markings to indicate the sensitivity of the invite and/or the meeting's content. Invites forwarded via email receive any configured text-based headers.
Important
If a label applies encryption, then the meeting invite, calendar entry, and any attachments are encapsulated via the label's Azure Rights Management encryption settings, ensuring that only authorized users are able to access the enclosed content. This includes external recipients of the meeting invite.
To enable labeling for calendar items, the Meetings option needs to be selected from within label scope.
Consideration should be given to which labels require the meeting scope option to be enabled. As with groups and sites labels, it's appropriate to only enable meetings scope for labels without Information Management Markers (IMMs).
The following example demonstrates this configuration:
Sensitivity label | Meetings scope option |
---|---|
UNOFFICIAL | ON |
OFFICIAL | ON |
OFFICIAL Sensitive (Category) | OFF |
• OFFICIAL Sensitive | ON |
• OFFICIAL Sensitive Personal Privacy | OFF |
• OFFICIAL Sensitive Legal Privilege | OFF |
• OFFICIAL Sensitive Legislative Secrecy | OFF |
• OFFICIAL Sensitive NATIONAL CABINET | OFF |
PROTECTED (Category) | OFF |
• PROTECTED | ON |
• PROTECTED Personal Privacy | OFF |
• PROTECTED Legal Privilege | OFF |
• PROTECTED Legislative Secrecy | OFF |
• PROTECTED CABINET | ON |
With the configuration in the previous table, meeting attachments (which are more likely to contain the actual sensitive data) can have IMMs applied without impacting the label applied to the meeting, because auto-labeling doesn't recommend label changes within a set of sublabels.
However, if a meeting is labeled with a lower tier label, such as OFFICIAL, and then a higher tier attachment, such as PROTECTED, is added to it, then label inheritance settings take effect. The result is that a PROTECTED label is applied to the meeting, ensuring that the meeting invitation's content is treated in line with the highest label applied to it. Label inheritance doesn't change text-based markings applied to meeting invites. The label-based Data Loss Prevention (DLP) policies outlined in Preventing inappropriate distribution of security classified information apply, including those applying subject markings to email.
Note
Label inheritance applies via item attachments only. Sharing links included in meeting invites won't uplift the label applied to a meeting. Label inheritance doesn't currently have the ability to check labels applied to Azure Rights Management encrypted attachments. DLP policies are required to protect such content attached to meeting invitations.
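The inheritance behaviour and its two gaps described above, as a simplified model for reviewing what DLP still has to cover. This is an added example, not Microsoft's code or part of the original article. The function names and the item fields `kind`, `label` and `rms_encrypted` are assumptions for illustration, and the label recorded for an encrypted attachment is what the reviewer knows, not something inheritance can read.

```python
# Simplified model of the label inheritance behaviour described above.
# Tier order and label names come from the article's table; the item
# structure (name / kind / label / rms_encrypted) is constructed for this example.
TIERS = ["UNOFFICIAL", "OFFICIAL", "OFFICIAL Sensitive", "PROTECTED"]


def tier_of(label):
    """Map a label or sublabel (e.g. 'PROTECTED Legal Privilege') to its tier."""
    # Longest match first so 'OFFICIAL Sensitive ...' is not read as 'OFFICIAL'.
    for tier in sorted(TIERS, key=len, reverse=True):
        if label == tier or label.startswith(tier + " "):
            return tier
    raise ValueError(f"unknown label: {label!r}")


def evaluate_meeting(meeting_label, items):
    """Return (effective_tier, gaps that need DLP coverage)."""
    effective = tier_of(meeting_label)
    skipped = []  # items that inheritance does not evaluate
    for item in items:
        item_tier = tier_of(item["label"])
        if item["kind"] == "sharing_link":
            skipped.append((item, item_tier, "sharing link"))
        elif item.get("rms_encrypted"):
            skipped.append((item, item_tier, "encrypted attachment"))
        elif TIERS.index(item_tier) > TIERS.index(effective):
            effective = item_tier  # plain attachment uplifts the meeting
    gaps = [
        f"{item['name']}: {tier} {reason} not inherited"
        for item, tier, reason in skipped
        if TIERS.index(tier) > TIERS.index(effective)
    ]
    return effective, gaps


# Constructed sample: items enclosed in a meeting that was labeled OFFICIAL.
SAMPLE_ITEMS = [
    {"name": "agenda.docx", "kind": "attachment", "label": "OFFICIAL Sensitive"},
    {"name": "brief.docx", "kind": "attachment",
     "label": "PROTECTED Legal Privilege", "rms_encrypted": True},
    {"name": "minutes link", "kind": "sharing_link", "label": "PROTECTED"},
]

if __name__ == "__main__":
    print(evaluate_meeting("OFFICIAL", SAMPLE_ITEMS))
```

In the sample, the plain attachment lifts the meeting to OFFICIAL Sensitive, while the encrypted attachment and the sharing link are reported as gaps because inheritance never evaluates them.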
Government organizations should consider the correlation between the Meetings label scope option and PSPF Policy 8 core requirements:
Requirement | Detail |
---|---|
PSPF Policy 8, Core Requirements (v2018.6) | Each entity must: i. Identify information holdings, ii. Assess the sensitivity and security classification of information holdings, and iii. Implement operational controls for these information holdings proportional to their value, importance, and sensitivity. |
Enabling labeling for meetings allows us to extend marking capabilities to calendar items (aligned to PSPF Policy 8 Requirement 4), and allows for the application of operational controls (for example, item encryption) relevant to the sensitivity of items.
Requirement | Detail |
---|---|
PSPF Policy 8, Requirement 4: Marking information (v2018.6) | The originator must clearly identify sensitive and security classified information, including emails, using applicable protective markings. |
PSPF Policy 8, Core Requirement C (v2018.6) | Implement operational controls for these information holdings proportional to their value, importance, and sensitivity. |
For more information on the application of sensitivity labels to calendar items, see Use sensitivity labels to protect calendar items, Teams meetings, and chat.
Teams Premium label configuration
Important
This article assumes you have Teams Premium licenses and they are enabled. Without this licensing applied, you are unable to enable Teams Premium label scope options.
E5 licensing allows us to enable the Meetings label scope option and apply sensitivity labels to meetings. Microsoft Teams Premium is an add-on license that includes a range of features, some of which are out of scope of the current article. However, it also includes several enhanced security controls that can be applied to Teams meetings. These features are grouped into a category of capabilities referred to as Protected meetings, and include:
- Watermarks for meetings
- Policies and templates to control settings like lobby bypass and copy and paste of chat content
- Granular control over recording permissions
- End-to-end encryption for online meetings (including multiple-participant meetings)
These controls extend markings and the capabilities referred to in the previous section, all the way through to actual Teams meetings, where visual markings can be applied to the Teams interface to indicate the sensitivity of the content being discussed.
The watermark feature can apply watermarks containing the signed-in user's User Principal Name (UPN) to meeting backgrounds. These watermarks are intended to help dissuade users from inappropriately disclosing information. If a session is recorded via a non-Teams application or external device, the recording is marked with the attendee's identity, and the user is identified as the originator of the unauthorized recording.
Meetings templates
Teams Premium introduces Teams meeting templates that allow Teams administrators to preconfigure meeting settings selected by users when scheduling a meeting. These templates allow control of the following settings:
Setting | Description |
---|---|
Chat | Control chat for meeting attendees, including whether chat is available before and after the meeting. Also allows control over copying chat content to the clipboard. |
End-to-end encryption | Control end-to-end encryption for meeting video and audio. |
Lobby | Control who can bypass the lobby and join the meeting directly. |
Manage what attendees see | Control whether meeting organizers can preview and approve content being shared on screen before other meeting participants can see it. |
Mic and camera for attendees | Controls mute and camera use for meeting attendees. |
Notify when callers join and leave | Play a sound when people calling in by phone join or leave the meeting. |
Q&A | Control use of the Q&A feature during the meeting. |
Reactions | Control use of reactions and hand raising in the meeting. |
Recording | Control who can record and if the meeting is recorded automatically. |
Sensitivity label | Specify the sensitivity label to be used for the meeting. |
Watermarks | Apply watermarks to camera feeds and content that is shared on screen in the meeting. |
These templates can be made available to users by targeting the templates at specific groups of users.
These templates can be targeted to users via Teams admin configuration or can be aligned with label configuration, allowing for settings to be controlled based on the sensitivity of a meeting.
This is an example of granular control of meeting settings based on the label applied to the meeting:
Setting | OFFICIAL | OFFICIAL: Sensitive | PROTECTED |
---|---|---|---|
Allow Camera | On | On | On |
Allow mic | On | On | On |
Apply watermark | Off | On | On |
End-to-end encryption | Off | Off | On |
Meeting chat | On | In-meeting only | In-meeting only |
For more information about these features, see Overview of custom meeting templates in Microsoft Teams.
Sensitivity labels application to meetings
Once the Meetings label scope option is enabled and Teams Premium licensing is applied to the environment, Teams meeting scope options become available within the label configuration.
Some options, such as lobby and presentation settings, can be configured via other methods, such as via the Teams admin center. Configuring these options per-label allows for granular control of these settings based on the sensitivity of items.
Teams meeting end-to-end-encryption
Microsoft Teams end-to-end meeting encryption (E2EE) allows for extended encryption of Teams meetings. Without this feature enabled, Teams data is still encrypted. However, E2EE adds extra layers of protection by ensuring that only meeting participants can decrypt meeting data. This prevents all nonspecified parties from accessing the content.
When Teams meetings are encrypted via E2EE, a padlock icon is visible at the top of the Teams call screen. This padlock icon is similar to the one visible on label-encrypted email and documents.
Teams meeting encryption controls align with PSPF Policy 8 Annex A - transmission requirements (v2018.6):
Security classification | Transmission requirements |
---|---|
OFFICIAL Sensitive | Encrypt OFFICIAL: Sensitive information transferred over public network infrastructure, or through unsecured spaces (including Zone 1 security areas), unless the residual security risk of not doing so has been recognized and accepted by the entity. |
PROTECTED | Encrypt PROTECTED information for any communication that isn't over a PROTECTED network (or network of higher classification). |
Important
Enabling E2EE disables some Teams service features. For this reason, careful consideration of the impact of E2EE is required.