Sensitivity Labels and Policies
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Sensitivity Labels and Policies: Protecting Data in the Modern Workplace
In the old days of corporate security, we relied on the "castle and moat" strategy. We built a strong perimeter around our office network, and as long as your data stayed inside those walls, it was considered safe. However, the way we work has fundamentally changed. Data now lives in the cloud, travels on personal mobile devices, and is shared across organizations via Microsoft Teams, email, and SharePoint. The "moat" is gone. In this environment, security must be data-centric. This means the protection must stay with the file itself, regardless of where it is stored or who it is shared with.
Microsoft Purview Sensitivity Labels are the primary tool for achieving this data-centric security. Think of a sensitivity label as a digital stamp that you apply to a document or email. This stamp is more than just a visual marking; it is embedded into the file's metadata. Because it is part of the file, the protection follows the data even if it leaves your organization's tenant. Whether a file is sitting on a thumb drive, attached to a Gmail message, or stored in a personal Dropbox account, the sensitivity label ensures that only authorized users can access the content.
In this lesson, we will explore the mechanics of sensitivity labels and policies. We will look at how to design a labeling taxonomy, how to configure encryption and visual markings, and how to automate the labeling process to reduce the burden on your end users. By the end of this guide, you will understand how to implement a comprehensive information protection strategy that balances security with user productivity.
What are Sensitivity Labels?
At its core, a sensitivity label is a tag that classifies data based on its level of importance or risk. When a user applies a label to a document, several things happen behind the scenes. First, the label is written into the document's properties as clear-text metadata. This allows other services—like Data Loss Prevention (DLP) or Cloud App Security—to read the label and take action. Second, the label can trigger specific protective actions, such as encrypting the file or adding a "Confidential" watermark to the header.
The beauty of sensitivity labels is their persistence. Because the metadata is stored within the file format (like .docx, .pdf, or .pptx), the classification remains intact through various file operations. If a user renames the file, the label stays. If they move it to a different folder, the label stays. This persistence is what makes sensitivity labels so much more effective than traditional folder-based permissions, which are easily bypassed once a file is moved out of its original location.
The Scope of Sensitivity Labels
Sensitivity labels are not limited to just Word documents and emails. Microsoft has expanded the "scope" of these labels to cover a wide variety of assets. When you create a label, you define where it can be applied:
- Items: This includes files (Word, Excel, PowerPoint, PDF) and emails. This is the most common use case.
- Groups & Sites: You can apply labels to Microsoft Teams, Microsoft 365 Groups, and SharePoint sites. This allows you to control the "container" settings, such as whether the site is public or private and whether guest access is allowed.
- Schematized Data Assets: Through Microsoft Purview Data Map, you can apply labels to columns in SQL databases, Azure Data Lake storage, and other structured data sources.
Callout: Sensitivity Labels vs. Retention Labels
It is common to confuse Sensitivity Labels with Retention Labels, but they serve very different purposes.
- Sensitivity Labels focus on protection and access. They answer the question: "Who can see this data and what can they do with it?" They are used for encryption, watermarking, and classification.
- Retention Labels focus on lifecycle management. They answer the question: "How long must we keep this data, and when can we delete it?" They are used for legal compliance and data minimization.
You can apply both a sensitivity label and a retention label to the same document simultaneously.
Designing a Labeling Taxonomy
Before you start clicking buttons in the Purview portal, you need a plan. A common mistake is creating too many labels, which confuses users and leads to "label fatigue." If a user has to choose from 20 different labels, they will likely pick the first one on the list or ignore labeling altogether.
The industry standard is to follow a simple, hierarchical structure. Most organizations find success with 3 to 5 top-level labels. A typical taxonomy might look like this:
- Public: Data that is intended for public consumption (e.g., marketing brochures, press releases). No protection is applied.
- General: Internal business data that isn't particularly sensitive but shouldn't be shared publicly (e.g., internal memos, project timelines).
- Confidential: Sensitive data that could cause harm if leaked (e.g., employee handbooks, department budgets). This usually triggers encryption for internal employees.
- Highly Confidential: Extremely sensitive data (e.g., trade secrets, M&A documents, PII). This involves strict encryption and might limit access to a specific group of people.
Sub-labels for Granularity
If you need more specific categories, use sub-labels. For example, under "Confidential," you might have "Confidential \ All Employees" and "Confidential \ Finance Team." This keeps the top-level list clean while providing the necessary detail for specific departments.
Tip: Always start with the broadest possible labels. You can always add more specific sub-labels later, but it is very difficult to "un-ring the bell" if you start with a complex system that users hate.
Configuring Label Actions
Once you have defined your taxonomy, you need to decide what each label actually does. There are three primary actions a sensitivity label can take: Encryption, Content Marking, and Container Protection.
1. Encryption and Rights Management
Encryption is the most powerful tool in the sensitivity label toolkit. Microsoft uses the Azure Rights Management service (Azure RMS) to handle this. When a label applies encryption, the document is locked, and an "issuance license" is embedded in the file. This license defines who has the right to open the file and what they can do with it.
You have two main ways to configure encryption:
- Assign permissions now: You, as the admin, define exactly who has access. For example, you can specify that only people in the "HR Department" group can open files with the "HR Confidential" label.
- Let users assign permissions: When the user applies the label, a prompt appears asking them to specify the recipients and their access levels (e.g., "Read Only" or "Co-Author").
Warning: Be careful with "Let users assign permissions" in Outlook. While it is great for ad-hoc sharing, it can lead to inconsistent security if users aren't trained on which permissions to choose.
2. Content Marking
Content marking provides a visual cue to the user that the document is sensitive. This is helpful for preventing accidental disclosure (e.g., someone printing a sensitive file and leaving it on the printer). You can configure:
- Headers and Footers: Text that appears at the top or bottom of every page.
- Watermarks: Faint text that appears diagonally across the background of the document (e.g., "DO NOT COPY").
3. Container Settings
When a label is scoped to "Groups & Sites," it doesn't encrypt the files inside the site automatically. Instead, it controls the settings of the container itself. You can enforce:
- Privacy: Force the Team or Site to be "Private" so only owners can add members.
- External Member Access: Prevent owners of a Team from adding guests (people outside the organization).
- Unmanaged Devices: Block or limit access to the site if the user is logging in from a device that isn't managed by Intune or joined to the domain.
Sensitivity Label Policies: Publishing Labels
Creating a label is only half the battle. After the label is created, it exists in a "draft" state until you publish it using a Sensitivity Label Policy. Policies allow you to target specific labels to specific users or groups.
This is useful for phased rollouts. You might create a "Legal" label but only publish it to the Legal department. This prevents the Marketing team from seeing labels that aren't relevant to their work.
Policy Settings
When you create a policy, you can also configure several important behaviors:
- Default Label: You can choose a label that is applied to all new documents and emails by default. Many organizations set this to "General" to ensure that every file has at least a baseline level of classification.
- Mandatory Labeling: You can require users to apply a label before they can save a document or send an email. This ensures 100% coverage but can be frustrating for users if not implemented thoughtfully.
- Justification: If a user tries to change a label to a lower sensitivity (e.g., changing "Confidential" to "Public"), you can require them to provide a business justification. This justification is logged and can be reviewed by auditors.
Automation: Auto-labeling and SITs
Manually labeling every document is a big ask for busy employees. To solve this, Microsoft offers auto-labeling capabilities. There are two ways this works: Client-side and Service-side.
Client-side Auto-labeling
This happens in real-time as the user is working in Word, Excel, or Outlook. As the user types, the Office app scans the content for Sensitive Information Types (SITs)—like credit card numbers, social security numbers, or bank account details.
If the app detects a match, it can either:
- Automatically apply the label: The label is applied without user intervention.
- Recommend a label: A small banner appears at the top of the screen saying, "This file looks like it contains sensitive info. Click here to apply the 'Confidential' label."
Service-side Auto-labeling
Service-side auto-labeling (also known as "auto-labeling policies") happens at the cloud level. It scans data already stored in SharePoint, OneDrive, and Exchange. This is incredibly useful for "cleaning up" years of legacy data that was never labeled.
Service-side labeling runs in Simulation Mode first. This allows you to see what the policy would have labeled without actually changing any files. You can review the results, tune your SITs to avoid false positives, and then turn the policy on for real.
Callout: Sensitive Information Types (SITs)
A Sensitive Information Type is a pattern-based classifier. Microsoft provides over 300 built-in SITs (like "U.S. Social Security Number" or "Swift Code").
SITs don't just look for a number; they look for corroborative evidence. For example, to identify a Credit Card number, the system looks for a 16-digit string that passes the Luhn check (a mathematical formula) and looks for keywords nearby like "CVV," "Expiry," or "VISA." This significantly reduces false positives.
Managing Labels with PowerShell
While most admins use the Purview portal, PowerShell is essential for bulk operations or advanced configurations. To manage sensitivity labels, you use the Exchange Online PowerShell module or the Security & Compliance PowerShell.
Here is an example of how you might use PowerShell to view all sensitivity labels currently configured in your tenant:
# Connect to Security & Compliance PowerShell
Connect-IPPSSession -UserPrincipalName [email protected]
# Get a list of all sensitivity labels
Get-Label | Select-Object Name, ContentType, Sensitivity, Guid
# Get details for a specific label policy
Get-LabelPolicy -Identity "Global Publishing Policy" | Select-Object -ExpandProperty Labels
Explanation of the code:
Connect-IPPSSession: This command establishes a secure connection to the Microsoft Purview (formerly IPP - Information Protection Policy) backend.Get-Label: This retrieves the configuration of the labels themselves, including their display names and the "Sensitivity" value (which determines the priority/rank of the label).Get-LabelPolicy: This shows you which labels are bundled together in a policy and who those policies are assigned to.
PowerShell is also the only way to perform certain advanced tasks, such as configuring "Label Priorities." If a file meets the criteria for two different auto-labeling rules, the label with the highest priority (the highest numerical value) wins.
Practical Example: Protecting a "Project X" Team
Let's look at a real-world scenario. Your company is working on a secret merger called "Project X." You need to ensure that all discussions and documents related to this project are protected.
- Create the Label: You create a label called "Project X - Highly Confidential."
- Scope the Label: You check the boxes for "Items" and "Groups & Sites."
- Configure Item Protection: You set encryption so that only members of the "Project X Core Team" mail-enabled security group can open files.
- Configure Container Protection: You set the SharePoint site associated with the Project X Team to "Private." You also disable guest access so no external consultants can be accidentally added to the Team.
- Publish the Label: You create a label policy that publishes this label only to the members of the Project X Core Team.
Now, when a team member creates a document in the Project X Team site, they can apply the label. Even if they accidentally email that document to a reporter, the reporter won't be able to open it because they aren't in the authorized security group. Furthermore, the Team itself is "locked down" by the container settings, preventing accidental over-sharing of the entire workspace.
Comparison of Labeling Methods
| Feature | Manual Labeling | Client-side Auto-labeling | Service-side Auto-labeling |
|---|---|---|---|
| User Effort | High (User must choose) | Low (User gets a prompt) | Zero (Happens in background) |
| Trigger | User judgment | Content matching (SITs) | Content matching (SITs) |
| Location | Office Apps/Mobile | Word, Excel, PPT, Outlook | SharePoint, OneDrive, Exchange |
| Best For | Contextual/Subjective data | New documents with PII | Legacy data and "at rest" files |
| Licensing | Microsoft 365 E3/E5 | Microsoft 365 E5 / E5 Compliance | Microsoft 365 E5 / E5 Compliance |
Industry Best Practices
Implementing sensitivity labels is as much a cultural change as it is a technical one. Follow these industry standards to ensure a smooth rollout:
- Executive Sponsorship: Data classification projects often fail without support from the top. When the CEO tells the company that protecting data is a priority, users are much more likely to take labeling seriously.
- Start with "Silent" Labeling: Before you enforce mandatory labeling, publish your labels and encourage people to use them. Monitor the usage reports in the Purview "Data Classification" dashboard to see how people are classifying data naturally.
- Use Meaningful Tooltips: When you create a label, you can provide a "Description for users." Use this to explain exactly what kind of data belongs in that label. Instead of "Confidential," use "Confidential: Use for documents containing customer PII or internal financial records."
- Test the External Experience: Encryption can sometimes be tricky for external recipients. If you send an encrypted file to a partner using Gmail, they will receive a link to a secure portal. Make sure your partners and clients are aware of this so they don't think it's a phishing attempt.
- Review SITs Regularly: Language and data formats change. Periodically review your auto-labeling rules to ensure they aren't generating too many false positives, which can lead to users ignoring the system.
Common Pitfalls and How to Avoid Them
Even with the best intentions, things can go wrong. Here are the most common mistakes admins make with sensitivity labels:
Over-complicating the Taxonomy
As mentioned earlier, having too many labels is the number one cause of project failure. If a user has to think for more than three seconds about which label to choose, they will choose incorrectly. Keep it simple.
Forgetting about Mobile Devices
Users access data on iPhones and Android devices. Ensure you are using the latest versions of the Office mobile apps, which natively support sensitivity labels. If you use third-party mail apps, they may not be able to read the label metadata or handle encrypted content.
Ignoring "Simulation Mode"
When setting up service-side auto-labeling, some admins are tempted to go straight to "Enable." This is dangerous. A poorly written auto-labeling rule could potentially encrypt thousands of files that shouldn't be encrypted, causing a massive headache for the helpdesk. Always run simulation mode for at least a week.
Neglecting User Training
You cannot simply "turn on" labels and expect everyone to understand them. You need to provide short training videos, "cheat sheets," and clear examples of what each label means. Labeling is a habit that needs to be built.
Summary and Key Takeaways
Microsoft Purview Sensitivity Labels are a foundational component of a zero-trust security strategy. By moving protection from the network to the data itself, you ensure that your organization's most valuable assets remain secure no matter where they go.
Here are the key points to remember:
- Data-Centric Security: Labels stay with the file metadata, providing persistent protection (encryption, watermarks) regardless of the file's location.
- Hierarchical Taxonomy: Success depends on a simple, easy-to-understand set of labels (e.g., Public, General, Confidential).
- Encryption is Key: Labels can trigger Azure Rights Management to encrypt files, ensuring only authorized users can view, edit, or print them.
- Container Protection: Labels can be applied to Teams and SharePoint sites to control privacy settings and external guest access, not just individual files.
- Automation Reduces Friction: Use Auto-labeling (client-side and service-side) and Sensitive Information Types (SITs) to identify and protect data without relying solely on user input.
- Policies Drive Deployment: Labels aren't visible to users until they are published via a label policy, which allows for targeted rollouts to specific departments.
- Simulation is Vital: Always use simulation mode for auto-labeling to test your rules against real data before enforcing them.
By following these principles, you can transform your organization's approach to data security, moving from a reactive "hope for the best" model to a proactive, governed, and secure digital environment.
Continue the course
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons