Dynamic Watermarking

Dynamic Watermarking for Documents!
Microsoft has introduced a powerful new feature in Sensitivity Labels - Dynamic Watermarking! Previously, watermarking was available but remained static, displaying only the predefined text set during label configuration.
Now, dynamic watermarking enhances document security by embedding real-time details such as User Principal Name (UPN) and Timestamp. Sensitivity labels already help restrict unauthorized access, prevent copy-pasting, and block printing. But what happens if someone takes a photo of a sensitive document? Identifying the source would be nearly impossible—until now!
With Dynamic Watermarking, once enabled for a sensitivity label, every document protected by that label will display the user’s email (UPN) and the exact time as a watermark.
Example: A file labelled "Credit Card DLP" with dynamic watermarking is opened using the account souravs@souravlabs.xyz at 11:27 AM—this information appears as a watermark across the document.
The best part? It even works with external email accounts!

Yes! The watermark displays the account details even if the document is opened by a user outside your organization.
This feature can be rolled out to all existing sensitivity labels that have encryption or protection enabled. If a data breach occurs, the watermark on the leaked copy shows who opened the document and when, helping you trace the source of the leak instantly.
Dynamic watermarks display the User Principal Name (UPN, the email address) of the account used to open the file, making it easier to trace potential leaks back to specific users. Users can still view, edit, and collaborate on their files as usual, while the watermark remains consistently visible over the document content.
Only the file owner can open the file in any Office app, whether or not it supports dynamic watermarking. Other users must use an Office app that supports dynamic watermarking to access it. If they try to open the file in an unsupported Office version, they'll get an "access denied" message; in that case they should use Office for the web to view and work with the file.
The watermark is highly visible when viewing the file on a device and remains even when printed, though it does not appear in exported versions. It offers stronger security than standard content markings, as users cannot easily remove or modify it manually.
How to enable Dynamic Watermarking?
You can adjust these settings in the label settings under Access Control. Simply enable Dynamic Watermarking and customize the required fields. Currently, it supports UPN (email address) and Timestamp.


Example: "Highly Confidential ${Consumer.PrincipalName} ${Device.DateTime}" would appear as "Highly Confidential user@example.com September 7, 2024 at 4:00 PM"
You can optionally use the PowerShell cmdlet Set-Label with the DynamicWatermarkDisplay parameter to set a custom watermark text. This text can include variables such as date and time for added customization.
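A sketch of the Set-Label route described above, added here as an example and not taken from the original post or from Microsoft's own scripts. It assumes the ExchangeOnlineManagement module (for Connect-IPPSSession), reuses the "Credit Card DLP" label name from the example earlier, and uses a placeholder admin account. The point it shows is quoting: PowerShell itself reads ${...} as a variable, so the watermark text must be single-quoted.

```powershell
#Requires -Modules ExchangeOnlineManagement

$LabelName = 'Credit Card DLP'      # label name from the article's example
$AdminUpn  = 'admin@example.com'    # placeholder admin account (assumption)

# Single quotes are required. In a double-quoted string PowerShell expands
# ${Consumer.PrincipalName} as one of its own variables, finds nothing, and
# the label would be saved with just "Highly Confidential" and no variables.
$WatermarkText = 'Highly Confidential ${Consumer.PrincipalName} ${Device.DateTime}'

# The two variables the article lists as currently supported.
$Supported = @('${Consumer.PrincipalName}', '${Device.DateTime}')

# Collect every ${...} token and reject anything not spelled exactly as above,
# so a typo fails here instead of ending up as literal text in the watermark.
$Tokens  = @([regex]::Matches($WatermarkText, '\$\{[^}]*\}') | ForEach-Object { $_.Value })
$Unknown = @($Tokens | Where-Object { $_ -cnotin $Supported })
if ($Unknown.Count -gt 0) {
    throw "Unsupported watermark variable(s): $($Unknown -join ', ')"
}

# A watermark without the UPN cannot tie a photographed copy to an account.
if ($Tokens -notcontains '${Consumer.PrincipalName}') {
    Write-Warning 'Watermark text has no ${Consumer.PrincipalName}; leaked copies will not identify the viewer.'
}

# Connect to Security & Compliance PowerShell.
Connect-IPPSSession -UserPrincipalName $AdminUpn

# Fail early if the label name is wrong, before changing anything.
Get-Label -Identity $LabelName -ErrorAction Stop | Out-Null

# Set the custom dynamic watermark text on the label.
Set-Label -Identity $LabelName -DynamicWatermarkDisplay $WatermarkText

# Review the stored label and confirm the ${...} tokens were saved literally.
Get-Label -Identity $LabelName | Format-List *

Disconnect-ExchangeOnline -Confirm:$false
```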
Note: Dynamic watermarking is only supported for Word, Excel, and PowerPoint files. It does not affect emails with the applied label.