Technology prerequisites for use of Microsoft Purview Information Protection for Australian Government compliance with PSPF
This article provides guidance for Australian Government organizations on the services and components that should be deployed to an organization to make best use of sensitivity labeling and other Microsoft Purview capabilities. Its purpose is to help organizations to understand the prerequisites for deployment of Microsoft Purview Information Protection to meet requirements outlined in the Protective Security Policy Framework (PSPF) and Information Security Manual (ISM).
To make best use of the configurations outlined in this guide, organizations should implement the following core set of Microsoft 365 services:
- Exchange Online
- Microsoft Office Online or Microsoft 365 Apps Office clients
- SharePoint Online
- Microsoft Teams
The configurations discussed in this guide refer to markings and classifications up to and including PROTECTED. Organizations should also consult the PROTECTED environment requirements that are beyond the scope of this guide.
Note
Implementing a PROTECTED label doesn't automatically mean that the environment is suitable for housing PROTECTED data. Government organizations must have underlying controls in place as per the Information Security Manual (ISM) and the ASD's Blueprint for Secure Cloud.
Microsoft Office client support
Client support is key to successful implementation of Microsoft Purview Information Protection capabilities. The clients that users use to interact with Office files, email, and other services need to be label aware in order to facilitate label application. This section discusses the Microsoft Office client versions capable of this integration and seeks to identify any prerequisite work that is needed ahead of Purview deployment.
Microsoft 365 Apps for Enterprise
Microsoft 365 Apps for Enterprise is a version of Microsoft Office, which allows for integration with the Microsoft 365 suite of services. As Microsoft 365 is a cloud-based service that is continually evolving, the Microsoft 365 Apps version of the Office client receives a high frequency of updates to keep up with the cloud platform. This integration between the Office client and Microsoft 365 cloud services allows for a broader feature set to be made available to users than is achievable via standalone Office clients. Traditional clients offer a static feature-set and receive security updates, but typically won't get access to newly released capabilities or cloud-centric capabilities.
For more information on update channels available to Microsoft 365 apps, see Overview of update channels for Microsoft 365 Apps.
Microsoft Purview Information Protection client
Previously, organizations running traditional Office clients used the Azure Information Protection (AIP) Unified Labeling Client to enable label selection on non-Microsoft 365 Apps clients. AIP has been replaced by the built-in Microsoft 365 Apps client capabilities.
Microsoft Purview Information Protection client features that are still relevant from AIP continue to be supported. These include the Windows shell extensions, the Information protection scanner, the Information protection file labeler, and the Information protection viewer. For more information on these capabilities, see Extend sensitivity labeling on Windows.
Mac, iOS, and Android client support
New Purview features are typically made available to the Windows-based Microsoft 365 Apps version of Office first and then to other Office versions. For the status of client version capabilities, see minimum versions for sensitivity labels in different clients. Organizations deploying Microsoft 365 should assess this information to ensure that all desired capabilities are available on the versions being used by the organization.
Microsoft 365 web clients
In the Minimum versions for sensitivity labels in Microsoft 365 Apps tables, many Purview features are listed as 'Yes – opt in' for the Web version of Office clients. This wording is intended to articulate that the features are available but require enablement for certain scenarios. For example, the ability to apply a label to a file or email is enabled by default for web-based Office and Outlook clients, but needs to be enabled before labels can be applied to SharePoint sites. Therefore, Web is listed as 'opt-in' for this feature. Features listed as 'under review' are typically new and are still in development for the web-based platform.
It's also worth noting that some web browsers, such as Microsoft Edge Chromium, Chrome, and Firefox, have Microsoft Purview Data Loss Prevention capabilities built into the product or available via add-in. These DLP capabilities prevent the loss of security classified or otherwise sensitive items, so should be considered for deployment.
Tip
As part of DLP setup, organizations should use a DLP-aware client. See conditional access for how to implement this in line with Essential 8.
Mandating client requirements
The bulk of the Protective Security Policy Framework (PSPF) Policy 8 requirements, including the three core requirements, are concerned either with identifying sensitive information or with controls that depend on sensitive information first being identified. Client applications that understand a user's requirement to apply markings to items can help organizations meet these requirements by forcing users to apply markings at the time of item creation. Once an item is marked, operational controls to protect its enclosed content can then be enforced. Within this article, we refer to such configuration as 'Mandatory Labeling.' Within Microsoft 365 this is primarily achieved via a label policy option, which is discussed in mandatory labeling.
As an example of the importance of mandatory labeling, consider an email that has been sent without a protective marking first being applied. This could occur due to lack of client support. In such situations, we must assume that the user hasn't had an opportunity to assess the sensitivity of the enclosed information (as per PSPF Policy 8 Core Requirement 2). As the item is high risk in terms of data breach, ISM controls such as ISM-0565 should apply:
| Requirement | Detail |
|---|---|
| ISM-0565 (June 2024) | Email servers are configured to block, log, and report emails with inappropriate protective markings. |
Application of a protective marking, or sensitivity label, provides assurance that the sensitivity of the item has been assessed by the owner or creator of the content, and allows appropriate controls to be applied to the contained information.
Options to enforce mandatory labeling can only be applied by clients that are aware of an organization's Microsoft Purview labeling policies. Therefore, organizations should consider ensuring that users only have access to services via clients that support Microsoft Purview labeling policies. To achieve this, a Conditional Access policy should be implemented.
For information on applying conditional access under the Essential 8, see application control and conditional access.
Mandatory labeling ensures that users can't send unlabeled email. However, there are still scenarios where unlabeled email is generated by an organization, including email generated by applications or by multifunction devices and scanners. In order to enforce a configuration that requires all email to be labeled, organizations can implement controls that block the transmission of user-generated email that doesn't have an appropriate marking in place. For information on implementing these controls, see blocking transmission of unlabeled email.
PDF integration
Windows-based Microsoft 365 Apps clients include the ability to maintain labels applied to Office documents when they're exported or saved as PDF files. These PDFs maintain the protection settings of their source Office files, including encryption.
Protected PDF documents can be read in label-aware PDF readers including Microsoft Edge, Chrome, Foxit Reader, and Adobe Reader (with the Information Protection plug-in for Acrobat and Acrobat Reader installed).
Government organizations should deploy and use label-aware PDF clients or client plugins. Such clients help to maintain clear identification of sensitive information and application of controls when items are exported to PDF.
More information on these capabilities can be found via the following links:
- Apply sensitivity labels to PDFs created with Office apps
- General Availability of Adobe Acrobat Reader Integration with Microsoft Purview Information Protection
Required licensing
Basic use of Purview Information Protection capabilities requires a minimum of an E3 license. However, most Government organizations need to use Microsoft 365 E5 (or equivalent E5 compliance add-ons) for mature use of Purview capabilities.
The following table lists a subset of common government use cases and the minimum license required for each.
| Use Case | License |
|---|---|
| Manually apply a sensitivity label to items. | E3 |
| Prevent the distribution of labeled items to unauthorized users. | E3 |
| Apply subject markings to labeled items to indicate item sensitivity. | E3 |
| Automatically apply sensitivity labels based on markings applied by other organizations. | E5 |
| Monitor and report on label usage across the environment. | E5 |
| Apply labels to meetings and calendar items. | E5 |
| Recommend the application of a sensitivity label based on detection of sensitive content. | E5 |
| Monitor and control the use of labeled items on devices. | E5 |
| Identify malicious users based on activity with labeled or otherwise sensitive items. | E5 |
| Detect sensitive content and control its distribution via Teams chat. | E5 |
| Browse where labeled and otherwise sensitive content resides across an environment. | E5 |
As should be evident from the above table, Government organizations with E3 licensing can implement Purview at a basic level and achieve Ad hoc or Developing levels of the PSPF maturity model. However, to ensure that items are protected via controls relevant to their sensitivity, the capabilities included in E5 or equivalent licensing are required. Organizations can achieve Managing or Embedded levels of PSPF maturity using E5.
An important factor in achieving higher levels of compliance maturity is the use of sensitivity auto-labeling. Auto-labeling allows Government organizations to honor classifications that have been applied externally. If an email is classified and marked by one entity, when it's sent to a second entity the item is still marked but, by default, isn't labeled. Because it lacks a label, it's out of scope of a range of label-based data security controls, such as Data Loss Prevention (DLP) policies. Auto-labeling allows protective markings (as defined in PSPF Policy 8 Annex F: Australian Government Email Protective Marking Standard) to be interpreted on email as it is received. Once interpreted, a matching label is applied during transmission, ensuring that all relevant controls apply to the enclosed information when it's received by the user.
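The following is an added example, not code from the Microsoft article or from Purview itself, that shows the two decisions described above in working form: interpreting an external protective marking on a received email so that a matching label can be applied (this section), and deciding when a marking is missing or inappropriate so that the email is blocked, logged, and reported in the spirit of ISM-0565 (the mandatory labeling section). It assumes the marking arrives either as a `[SEC=...]` subject suffix or in the `X-Protective-Marking` header defined by the Email Protective Marking Standard; the label names, the PROTECTED ceiling for the environment, and the sample emails are constructed for this example.

```python
"""Interpret Australian Government email protective markings (added example).

Assumptions not taken from the article:
- Markings appear as '[SEC=PROTECTED]' style subject suffixes and/or in an
  'X-Protective-Marking: VER=2018.4, NS=gov.au, SEC=..., ORIGIN=...' header.
- Label names and the environment ceiling below are constructed for this tenant.
"""
import re
from email import message_from_string

# Classifications from least to most sensitive, in the form the standard uses.
CLASSIFICATION_ORDER = ["UNOFFICIAL", "OFFICIAL", "OFFICIAL:Sensitive",
                        "PROTECTED", "SECRET", "TOP SECRET"]
ENVIRONMENT_CEILING = "PROTECTED"  # constructed: highest marking this tenant may hold
_CANONICAL = {c.upper(): c for c in CLASSIFICATION_ORDER}

# Constructed mapping from SEC= value to a hypothetical sensitivity label name.
LABEL_FOR_SEC = {"UNOFFICIAL": "Unofficial", "OFFICIAL": "Official",
                 "OFFICIAL:Sensitive": "Official Sensitive", "PROTECTED": "Protected"}

SUBJECT_RE = re.compile(r"\[SEC=([A-Za-z:\- ]+?)(?:,[^\]]*)?\]")
HEADER_FIELD_RE = re.compile(r"\s*([A-Z]+)=([^,]+)")


def parse_protective_marking(raw_email: str) -> dict:
    """Extract the SEC value from the header and, separately, from the subject."""
    msg = message_from_string(raw_email)
    header_fields = {}
    header = msg.get("X-Protective-Marking")
    if header:
        for key, value in HEADER_FIELD_RE.findall(header):
            header_fields.setdefault(key, value.strip())  # first value wins; enough for SEC=
    subject_sec = None
    match = SUBJECT_RE.search(msg.get("Subject", ""))
    if match:
        subject_sec = match.group(1).strip()
    return {"header": header_fields, "subject_sec": subject_sec}


def _canonical(sec_text: str):
    """Normalise case; None means the marking text is not a known classification."""
    return _CANONICAL.get(sec_text.strip().upper())


def assess_marking(parsed: dict) -> dict:
    """Decide what a receiving mail flow should do with the marking.

    Returns status, the action (constructed policy: anything other than a single
    recognised marking at or below the ceiling is blocked, logged and reported),
    and the label to auto-apply when the email is accepted.
    """
    found = [s for s in (parsed["header"].get("SEC"), parsed["subject_sec"]) if s]
    if not found:
        return {"status": "missing", "action": "block-log-report", "label": None}
    canonical = {_canonical(s) for s in found}
    if len(canonical) > 1:  # header and subject disagree
        return {"status": "inconsistent", "action": "block-log-report", "label": None}
    sec = canonical.pop()
    if sec is None:
        return {"status": "unknown", "action": "block-log-report", "label": None}
    if CLASSIFICATION_ORDER.index(sec) > CLASSIFICATION_ORDER.index(ENVIRONMENT_CEILING):
        return {"status": "above-ceiling", "action": "block-log-report", "label": None}
    return {"status": "ok", "action": "deliver-and-label", "label": LABEL_FOR_SEC[sec]}


# Constructed sample emails covering the accepted and the rejected cases.
SAMPLES = {
    "protected_both": (
        "From: sender@agency-a.example\nTo: recipient@agency-b.example\n"
        "X-Protective-Marking: VER=2018.4, NS=gov.au, SEC=PROTECTED, ORIGIN=sender@agency-a.example\n"
        "Subject: Budget brief [SEC=PROTECTED]\n\nBody.\n"),
    "sensitive_subject_only": (
        "From: sender@agency-a.example\nTo: recipient@agency-b.example\n"
        "Subject: Client record [SEC=OFFICIAL:Sensitive, ACCESS=Personal-Privacy]\n\nBody.\n"),
    "secret_header": (
        "From: sender@agency-a.example\nTo: recipient@agency-b.example\n"
        "X-Protective-Marking: VER=2018.4, NS=gov.au, SEC=SECRET, ORIGIN=sender@agency-a.example\n"
        "Subject: Do not forward\n\nBody.\n"),
    "unmarked": "From: scanner@agency-a.example\nTo: recipient@agency-b.example\n"
                "Subject: Scanned document\n\nBody.\n",
    "mismatch": (
        "From: sender@agency-a.example\nTo: recipient@agency-b.example\n"
        "X-Protective-Marking: VER=2018.4, NS=gov.au, SEC=OFFICIAL, ORIGIN=sender@agency-a.example\n"
        "Subject: Minutes [SEC=PROTECTED]\n\nBody.\n"),
}


def assess_sample(name: str) -> dict:
    return assess_marking(parse_protective_marking(SAMPLES[name]))


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:24s} -> {assess_sample(name)}")
```

The parser keeps the header and subject markings separate so that a disagreement between them is surfaced rather than silently resolved; which one a real policy trusts is a decision the organization makes when it configures auto-labeling, and the decisions here are the example's constructed policy, not Purview's defaults.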