Sensitivity Labels
Classify and protect content across Microsoft 365 with sensitivity labels. Apply encryption, watermarks, and access controls to emails, documents, and sites based on their sensitivity level.
Note: Sensitivity labels are part of Microsoft Purview Information Protection (formerly Azure Information Protection). Requires E3/E5 or equivalent licensing.
Label Overview
- 8 — Active Labels
- 156K — Labeled Items
- 4 — With Encryption
- 2 — Auto-Labeling Policies
Label Hierarchy
Typical label structure from least to most sensitive:
- Public — Information approved for public distribution
- General / Internal — Standard business content, not for external sharing
- Confidential — Sensitive business data with restricted access
- Highly Confidential — Critical data requiring encryption and strict controls
Label Settings
Encryption
Protect content with Azure Rights Management encryption:
- Assign permissions now — Admin defines who can access
- Let users assign — Users choose recipients (Do Not Forward)
- User-defined permissions — Outlook or Office prompts for permissions
Permission levels: Viewer, Reviewer, Co-Author, Co-Owner, Full Control
Content Marking
Visual indicators on documents and emails:
- Watermarks — Text across document body
- Headers — Text at top of each page
- Footers — Text at bottom of each page
Configure font, size, color, and text including dynamic values like user name.
Scope
Define where the label can be applied:
- Files and emails — Office documents and Outlook messages
- Groups and sites — Teams, SharePoint sites, Microsoft 365 Groups
- Schematized data assets — Azure Purview data catalog
Label Policies
Publish labels to users and configure behavior:
Target Users
Publish to all users or specific groups. Different groups can see different labels.
Default Label
Automatically apply a label to new documents/emails. Users can change it if allowed.
Require Labeling
Force users to select a label before saving or sending. Ensures all content is classified.
Justification for Downgrade
Require users to provide a reason when removing or lowering a label. Creates an audit trail.
Auto-Labeling
Client-Side Auto-Labeling
Office apps detect sensitive content and recommend/apply labels as users type. Based on sensitive info types or trainable classifiers.
Service-Side Auto-Labeling
Policies scan content at rest in SharePoint, OneDrive, and Exchange. Labels applied automatically to matching content.
Auto-Labeling Conditions
- Content contains sensitive info types (SSN, credit cards, etc.)
- Content matches trainable classifier (financial docs, legal contracts)
- Content shared externally
- Content from specific senders/recipients
Container Labels
Apply labels to Teams, Groups, and SharePoint sites:
Privacy Settings
Control whether a group or team is Public or Private based on its label.
External Sharing
Restrict external sharing for sensitive sites. Block, allow, or limit guest access.
Unmanaged Device Access
Block or limit access from non-compliant/unmanaged devices.
Default Sharing Link
Set default sharing link type (People with existing access, Specific people, etc.)
Label Analytics
Activity Explorer
View labeling activity: applied, changed, removed. See who labeled what and when.
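As an added example (not part of the original page or of any Microsoft tooling), the following Python sketch shows how exported label-change activity could be checked against the label hierarchy above to find downgrades and removals that carry no justification. The event field names and the sample events are constructed assumptions, not a real Activity Explorer export schema.

```python
# Added example: label names and order follow the "Label Hierarchy" list on this page.
# Event fields (user, item, old, new, justification) are assumed, not a real export schema.
LABEL_RANK = {"Public": 0, "General / Internal": 1,
              "Confidential": 2, "Highly Confidential": 3}

# Constructed sample events, shaped like "label changed / removed" activity.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "item": "q3-forecast.xlsx",
     "old": "Confidential", "new": "Highly Confidential", "justification": None},
    {"user": "bob@example.com", "item": "merger-terms.docx",
     "old": "Highly Confidential", "new": "General / Internal", "justification": ""},
    {"user": "carol@example.com", "item": "press-release.docx",
     "old": "Confidential", "new": "Public", "justification": "Approved for release"},
    {"user": "dave@example.com", "item": "payroll.csv",
     "old": "Confidential", "new": None, "justification": None},  # label removed
    {"user": "erin@example.com", "item": "notes.docx",
     "old": None, "new": "General / Internal", "justification": None},  # first label
]

def rank(label):
    """Unlabeled content (None) ranks below every label; unknown names raise KeyError."""
    if label is None:
        return -1
    return LABEL_RANK[label]

def classify(event):
    """Return 'upgrade', 'downgrade', 'removal' or 'unchanged' for one event."""
    old, new = rank(event["old"]), rank(event["new"])
    if new == old:
        return "unchanged"
    if new > old:
        return "upgrade"
    return "removal" if event["new"] is None else "downgrade"

def unjustified_downgrades(events):
    """Downgrades or removals whose justification is missing or blank."""
    findings = []
    for ev in events:
        kind = classify(ev)
        reason = (ev.get("justification") or "").strip()
        if kind in ("downgrade", "removal") and not reason:
            findings.append((ev["user"], ev["item"], kind))
    return findings

if __name__ == "__main__":
    for user, item, kind in unjustified_downgrades(SAMPLE_EVENTS):
        print(f"{kind:9} without justification: {item} by {user}")
```

A blank justification string is treated the same as a missing one, since an empty reason leaves nothing to audit.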
Content Explorer
Browse labeled content across locations. Identify sensitive data by label.
Best Practices
- Start with a few labels — 4-6 labels is optimal. Too many confuse users and reduce adoption.
- Use clear, business-friendly names — Label names should be obvious: “Confidential - Internal Only” not “Label3”
- Set a default label — Apply “General” by default so all content is classified.
- Test before enabling encryption — Encryption can break workflows. Pilot with a small group first.
API Reference
- GET /api/security/sensitivity-labels — List all sensitivity labels
- GET /api/security/sensitivity-labels/policies — List label policies
- GET /api/security/sensitivity-labels/analytics — Get label usage statistics
- GET /api/security/sensitivity-labels/auto-labeling — List auto-labeling policies