General Availability: Dynamic watermarking for sensitivity labels in Word, Excel, and PowerPoint

Deter leakage and attribute leaks of highly sensitive information by configuring dynamic watermarking on protected sensitivity labels​

In today's digital age, protecting sensitive information is more critical than ever. Sensitivity labels from Microsoft Purview Information Protection offer highly effective controls to limit access to sensitive files and to prevent users from taking innapropriate actions such as printing a document, while still allowing unhindered collaboration. However, these controls don't prevent users from taking pictures of sensitive information on their screen or of a presentation being shared either online or in-person, and some forms of screen-shottting can't be blocked with existing technology. This loophole presents an easy way to bypass protections that sensitivity labels enforce on a document, and these pictures can end up in the wrong hands of competitors or the public.

Dynamic Watermarking helps address this gap in document security by deterring unauthorized sharing and enabling traceability of leaks.

What is Dynamic Watermarking?​

Dynamic watermarking is a feature that overlays watermarks containing user-specific information on documents. These watermarks are visible when the document is viewed, edited, or shared in Word, Excel, or PowerPoint, deterring leaks and making it easier to trace any unauthorized dissemination of sensitive information.

This feature can be configured by the compliance admin on any senstivity label with admin-defined permissions via the Microsoft Purview compliance portal or PowerShell. When the setting is enabled for a label, files with that label will render dynamic watermarks when opened in Word, Excel, and PowerPoint.


Figure 1: Word file with dynamic watermarks.

Key Features​

• User-Specific Watermarks: Watermarks display the UPN (usually email address) of the user currently viewing the document.
• Watermark Customizability: Watermarks can be configured to also include the device date-time, enabling admins to know precisely when leaked information was captured, as well as a custom string.
• Cross-Platform Support: Available on Word, Excel, and PowerPoint for the web, Windows, Mac, iOS, and Android.
• Seamless Integration: Configurable on sensitivity labels with admin-defined permissions via the Microsoft Purview compliance portal or PowerShell.
• Enhanced Security: Prevents users from accessing documents with labels configured for dynamic watermarking on Word, Excel, and PowerPoint clients that cannot render dynamic watermarks.

Benefits & Differentiators​

Although there are existing security solutions that may offer different aspects of dynamic watermarking, Microsoft provides the most comprehensive offering with the following differentiators:

1. Broad support in many views (e.g., slide view, notes view, etc.) so it’s not the only the primary application view that’s protected for more comprehensive coverage.
2. Ability to set dynamic watermarking for a sensitivity label and have it apply to all Word, Excel, and PowerPoint files with that sensitivity label (rather than a separate setting), making it easier for admins to apply dynamic watermarking across applications and files all at once.
3. Ability to edit (and coauthor) a watermarked file. Coauthoring enables users to collaborate on Word, Excel, and PowerPoint files that are labeled with sensitivity labels across Web, Windows, Mac, iOS, and Android.
4. Cross-platform support: Web, Windows, Mac, iOS, and Android.

Figure 2: PowerPoint file with dynamic watermarks in slide show view.

When a user attempts to open a file with dynamic watermarks on a version of Office that doesn’t support the feature, they will see an access denied message. Users who don’t have an Office client installed that is capable of dynamic watermarking should use Office for the web to work with watermarked files.

Get Started with Dynamic Watermarking​

When setting up a label in the Purview compliance portal, you can select “Use Dynamic Watermarking” when configuring encryption.


Figure 3: When setting up a label in the Purview compliance portal, you can select “Use Dynamic Watermarking” when configuring encryption.

You can also configure dynamic watermarking on a sensitivity label using the Set-Label cmdlet in PowerShell. Learn more about configuring sensitivity labels for dynamic watermarking here.

For dynamic watermarking for Word, Excel, and PowerPoint, this will require a Microsoft 365 E5, Microsoft 365 E5 Compliance, Microsoft Information Protection and Governance E5, Microsoft Enterprise Mobiity and Security E5, or Microsoft Security and Compliance for Frontline Workers F5 license. These license requirements are necessary to configure dynamic watermarks and apply labels configured for dynamic watermarking. There is no licensing requirement for users to open files with dynamic watermarks.

To view the minimum versions needed to open files with dynamic watermarks on all platforms, see Minimum versions for sensitivity labels in Microsoft 365 Apps | Microsoft Learn.