All you need to know about sensitivity labels in Microsoft 365

Sensitivity labels in Microsoft 365 OG

Microsoft 365 admins have many tools they can use to secure documents and emails. Sensitivity labels configured in the Microsoft Purview portal are one of them. In this article, I’ll explain in detail what sensitivity labels are, how to set them up, and test if they work well.

What is a sensitivity label?

A sensitivity label is a kind of digital stamp added to your email or document (such as a Word document or Excel workbook) in order to secure it. Most commonly, sensitivity labels are used to indicate that a message or file is confidential, secret, or intended for a specific audience only. For example, a sensitivity label may be applied to inform users that a document contains personal information and should not be shared with unauthorized recipients.

Going beyond traditional role-based access control, sensitivity labels come with a bunch of unique features. For instance, with a sensitivity label, you can prevent users from viewing or downloading certain documents – and even if a document is downloaded by a user who isn’t intended to view it, a label can continue to limit the access and protect sensitive information.

In Microsoft 365, you can set up multiple sensitivity labels and configure them for different purposes, depending on your company needs. For example, you can:

  • create labels for the whole company or for specific groups or users only,
  • use labels to specify different levels of access to company data for different groups,
  • apply labels to emails or documents to allow or block specific actions (for example, preventing users from copying, downloading, or printing a document).

For most organizations, it makes sense to create multiple labels that correspond to different levels of data sensitivity. This way, for instance, critical business assets can be assigned a Top Secret label, making them read-only and accessible only to selected people, while HR documents containing employee personal data can be labeled Personal Data to help prevent potential data breaches.

What to consider before setting up sensitivity labels?

Although extremely useful, this security-focused feature can make your life a bit harder. Much depends on how you configure your labels, but if you decide to use them, some trade-offs will be inevitable. Here’s what you should consider.

First, every time you open a labeled document or email, your Outlook, Word, Excel, or another relevant app needs to communicate with Azure Information Protection (AIP). As a result, it takes longer to access your resources.

Second, keep in mind that sensitivity labels are smart. For example, when they prevent copying content, it’s not only your Ctrl+C key combination that’s blocked – you also won’t be able to capture content using Print Screen, scan it with OCR software, or share it via Teams. In other words, labels prevent almost every capture scenario, apart from taking a picture with an external device. From security perspective, that’s a great feature, until you need to discuss a labeled document during an online meeting, and it turns out nobody can see it.

Finally, I’ve seen situations in which labeled documents cause extremely bizarre issues. For example:

  • Microsoft Word informs you that you can’t access the document because it’s checked out to someone else, even though it’s checked out to you.
  • Microsoft Word or Outlook (especially the classic Outlook for Windows) crashes on saving or opening a labeled document or sending an email.

Are the labels worth the trouble, then? Definitely! Just remember it’s not a good idea to over-protect documents if you value productivity, that is.

Default sensitivity labels in Microsoft 365

Default sensitivity labels provided by Microsoft are a fast-track solution that you can use to secure your data quickly. While they may not be perfectly suited to your specific business context, they can serve as a preliminary security scaffolding that you can build upon by adding other labels or modifying the default ones.

Take a look at the table below for a list of default labels.

Label nameApplies toAdditional info
Personal1. Files & other data assets
2. Email
3. Meetings
Intended for personal, non-business data.
Public1. Files & other data assets
2. Email
3. Meetings
Intended for publicly distributed content.
General1. Files & other data assets
2. Email
Intended for content that shouldn’t be publicly distributed but that might be shared with external recipients, such as internal phone numbers or company standards.
It contains two sublabels (applicable to meetings, too) that can be used to further specify the scope of recipients:
1. Anyone (unrestricted),
2. All Employees (unrestricted) – used when the shared data shouldn’t leave the organization.
Confidential1. Files & other data assets
2. Email
Intended for sensitive business data, such as contracts, reports, or sales figures.
It contains three sublabels (applicable to meetings, too) that further specify the scope of recipients:
1. Anyone (unrestricted) – used when the data doesn’t need to be encrypted,
2. All Employees,
3. Trusted People – used when the confidential data can be shared with trusted external recipients.
Highly Confidential1. Files & other data assets
2. Email
Intended for the most sensitive information, such as passwords, source code, or employee and customer data.
It contains two sublabels (applicable to meetings, too) that further specify the scope of recipients:
1. All Employees
2. Specific People

Default sensitivity labels can be generated in the Microsoft Purview portal, but only as long as no other labels have been created yet. Here’s how you can generate default labels in your organization:

  1. Sign in to the Microsoft Purview portal.
  2. Go to Solutions > DSPM for AI (classic). Ignore the “for AI” part in the solution’s name – that’s actually the one you’re looking for.
DSPM for AI in the Microsoft Purview portal.
  1. Go to Recommendations and select Protect your data with sensitivity labels. A separate pane will open.
Protect your data with sensitivity labels option.
  1. Click Create policies and wait for the labels and a related label policy to be created.

You can preview and edit the generated labels by going to Solutions > Information Protection > Sensitivity labels in the Microsoft Purview portal. In turn, the global sensitivity label policy that publishes the labels across Microsoft 365 apps, groups, and SharePoint sites is available in Solutions > Information Protection > Label publishing policies.

Now, let’s unpack how to create sensitivity labels and label policies from scratch or to edit existing ones.

Creating a new sensitivity label

To create a new sensitivity label in your organization, go to the Microsoft Purview portal, select Information Protection from the list of solutions, and click Sensitivity labels.

Sensitivity labels in Microsoft Purview.

To add a new label, simply click Create a label.

Creating a sensitivity label.

Label details and scope

In the first step of the label creation wizard, specify the following label details:

  1. Name – visible in the Microsoft Purview portal.
  2. Display name – visible to users, for instance, in Microsoft Word.
  3. Label priority – set as Highest by default; you can only change it after you finish creating the label.
  4. Description for users – appearing as a tooltip when users hover over the sensitivity label.
  5. (Optional) Description for admins – available from the Microsoft Purview portal.
  6. (Optional) Label color – used for an easy identification of the label.
Providing label details.

In the Scope step, you can define the scope for the label. In our example, I’ll apply the label to Files & other data assets and Emails.

Tip: If you want to select the Groups & sites option, you need to complete the steps described in this Microsoft article first.

Protection settings

The Items step allows you to decide which label protection settings you want to configure for files, emails, and meetings. It contains three options:

  • Control access – lets you control who can access and see the content with your label applied.
  • Apply content marking – lets you add the label’s name (or other text notes) to headers, footers, and watermarks in your documents.
  • Protect Teams meetings and chats – allows you to label meeting invites and enforce protection for Teams meetings and chats.

In our example, let’s select the first two options only. After you click Next, separate sub-steps are displayed for the selected options, allowing you to configure the corresponding settings.

Label protection settings.

Access control

In the Access control step, you can choose whether applying the label should enforce specific access restrictions or, conversely, remove any previously applied access control settings. In our example, the primary reason for creating the label is to secure files and emails, so I’ll keep the Configure access control settings option selected and focus on the associated fields:

  • The Go to co-authoring setting button lets you enable co-authoring for labeled documents in Office desktop apps (unless you’ve already enabled this feature). Co-authoring allows your users to work with the same files at the same time – super helpful in some scenarios.
  • In the Assign permissions now or let users decide? field, you can decide if users should be able to assign content permissions on their own when they apply the created sensitivity label. To predefine permissions that are automatically applied when the label is used, select Assign permissions now.
  • In the User access to content expires field, you will usually choose the Never option, since it lets users access files without any time limit.
  • In the Allow offline access field, you can allow or deny offline access to your data. If offline access is denied, users will need to be reauthenticated each time they want to open a document or email.
  • The Assign permissions link lets you choose which users or groups should be able to access data with the new label applied. Clicking the link opens a separate wizard in a flyout pane – I’ll cover it in the next section.
Label access control.
Assigning permissions

You have several options for defining the right audience. For our purposes, let’s click Add users or groups to choose a single Microsoft 365 group. Next, click Choose permissions to define an access level for this group. You can choose from four predefined levels – Owner, Editor, Restricted Editor, and Viewer – or set a non-standard level with the Custom option. In this example, I will choose the Editor permission set.

Assigning permissions.

Once you’re ready, click Save to apply your settings and leave the permission wizard. Then, click Next to continue.

Content marking

The Content marking step allows you to add clear information about the applied labels directly to your documents and emails. You can choose if you want to add a watermark, header, and footer, and define the text for each.

Content marking.

Auto-labeling

In the Auto-labeling for files and emails step, you can turn on the auto-labeling mechanism. That way, documents or emails containing certain types of data (for instance, sensitive information) can be automatically marked with your label.

This may be useful if you want to make sure nobody forgets about securing their documents. It also helps you make sure that all data will be classified in a correct way. On the other hand, auto-labeling can create problems if you intend to share some documents outside your organization.

To specify content that should be auto-labeled, you need to create one or more groups of conditions that would trigger the auto-labeling mechanism. Within such groups, you can select predefined data types from two categories:

  • Sensitive info types – it includes data such as national bank account numbers, passport numbers, IDs, driver’s license numbers, etc., but also medical information, or user credentials.
  • Trainable classifiers – it contains broader categories of content, such as tax, invoicing, or HR data, as well as profane content, or source code.

For each of your condition groups, you can choose whether auto-labeling should be applied when any or all of the specified data types are detected. Multiple condition groups can also be combined using the AND or OR operator.

Finally, under the list of condition groups, you can choose whether you want your label to be automatically applied or only recommended to users when certain content matches the specified data types. You can also enter a default text to be displayed after the automatic label is applied.

Auto-labeling.

Groups and sites

In the next step, you can define protection settings for groups and sites. Those settings, unlike the previous ones, apply to teams, groups, or sites, and not the documents stored in them, so I’ll skip over this part for now.

Groups and sites.

Settings review

The last step is about revising the configuration. Once you revise your settings, click Create label. Users won’t be able to use the label just yet – you’ll need to publish it first as part of a label policy.

Settings review.

Publishing a sensitivity label

You can move on to publishing your label right away by selecting Automatically apply label to sensitive content (if you use auto-labeling) or Publish label to users’ apps (to let users apply the label themselves) and clicking Done in the last step of the New sensitivity label wizard. In this example, I’ll choose the Publish label to users’ apps option.

Publishing a sensitivity label.

If you choose not to publish the label for now, choose Don’t create a policy yet and click Done. You can always publish it later by going to Information Protection > Sensitivity labels, selecting your label from the list and clicking Publish label. Next, skip directly to this step.

Publish label button.

Creating a label policy

In this guide, I’m going to create a new label policy from scratch to show you all the configuration steps. To do this:

  • click Create new label policy in the pane that opens after creating a new label in the Microsoft Purview portal (as shown below), or
  • go to Solutions > Information Protection > Policies > Label publishing policies and click Publish label.

Tip: You can also add your newly created label to an existing policy, if you have one.

Creating a new label policy.

After the new policy wizard opens, click Choose sensitivity labels to publish and pick the label you’ve created earlier. Click Add and Next.

Selecting sensitivity labels to publish.

If your organization uses Microsoft Entra ID admin units, the next step allows you to restrict the policy to relevant units only. In our example, I won’t assign any admin units to my policy.

Next, choose which groups or users should have the label available. By default, labels are published for all users and groups. To change this, select the Users and groups location and click Edit in the Actions column. Next, select the Specific users and groups option in the pane that opens and click Include users and groups.

Defining scope for users and groups.

Once you select relevant users and groups, click Done and Next.

Next, you can choose whether to apply various policy settings. In our example, I’ll only select the first one – Users must provide a justification to remove a label or lower its classification – to make sure that no label is removed without a legitimate reason.

Policy settings.

The next step allows you to apply a default label to documents. If you leave the default None option, users will have the choice to apply the label or use the document without enhanced protection.

Default settings for documents.

In the Emails step, you can also choose which label should be applied to email messages by default.

The option Email inherits highest priority label from attachments lets you enable auto-inheriting of higher priority labels from attachments. For example, if your user attaches a labeled file to an email, the email will get the same label. The email label won’t be changed only if the attachment’s label is of a lower priority. If you attach multiple protected documents, an email message will inherit the label of the highest priority.

To make the inheriting mechanism less strict, you can choose to display a recommendation to change a label to your users instead of doing it automatically.

Default settings for emails.

Two next steps of the wizard let you configure the default labels for:

  • meetings & calendar events,
  • Fabric & Power BI.

Afterwards, you can name your label policy and provide its description.

Naming a policy.

Finally, review your policy. Click Submit and Done when everything is set.

Reviewing a policy.

It might take up to 24 hours for the label policy to be effectively published. I’ve seen one label published in 50 minutes and another one in 14 hours, so any value in between is also possible. You can check if your labels started working by using Outlook on the web or Word for the web.

Testing a sensitivity label

After creating and publishing the Confidential sensitivity label for the Sales and Marketing team, I created and published a few additional labels, including another Confidential label – this time, for the Finance team. Then, I waited for the labels to be provisioned. Now, let’s check out if they work as expected.

Emails

When Lynne (a user belonging to the Finance team) launches Outlook on the web and creates a new test message, she can see the sensitivity button with the list of created labels, including the Confidential – Finance label, but she can’t see the Confidential – Sales and Marketing label that I added first.

Sensitivity button in OWA.

On the other hand, Megan (a member of Sales and Marketing) can see the Confidential – Sales and Marketing label, but not the Confidential – Finance label available to Lynne and other members of the Finance team.

Now, let’s see what happens when we apply the Confidential – Sales and Marketing label to encrypt an email from Megan and send it to Lynne (the user without permissions for this label) and to Alex, who has permissions for pretty much anything.

Confidential label in OWA.

All that Lynne can see is a notification stating that she doesn’t have the required permissions. That’s the expected behavior. Also, if you look right above the email, Outlook shows that the label has been applied, exactly as intended.

No permissions notification in OWA.

Sending the labeled email to any other mailbox without the required permissions results in the same behavior: a notification is displayed and access to the original message’s body is blocked. Thanks to this, even if an email is sent to the wrong recipient, it doesn’t lead to a security incident, since only authorized users are able to open it.

The other recipient of Megan’s labeled email is Alex. He has no problems opening the message, just like any standard, unlabeled email. The only visible difference for such an email is the Confidential header and footer set up in the Content marking step. While the user can’t delete the label, he can reply to the message without any problems.

Confidential header and footer in OWA.

Documents

All the tests in this part of the article have been conducted using Word for the web, with files saved to OneDrive for Business. It will work the same in SharePoint Online or when trying to open a file locally (when it’s sent as an attachment, for example). To enable using sensitivity labels with Office for the web apps, follow the instructions from this Microsoft article.

When Megan, the user with permissions for the Confidential – Sales and Marketing label, opens a document in Word for the web, she can use the Sensitivity button on the ribbon and pick the label to protect her document.

Sensitivity button in Word for the web.

If a watermark, header, and footer have been set up for the label in the Content marking step, they are displayed in the document after the label is applied. If you don’t see the header or footer, turn on Reading View to display those elements.

Reading View button in Word for the web.

Now, when Megan sends the document to Lynne, who doesn’t have permissions for this label (or when Lynne tries to open this file in SharePoint Online), the following notification is displayed:

Access denied message for a Microsoft Word document protected with a sensitivity label.

Removing an applied sensitivity label

Since I’ve set the label policy settings to Users must provide a justification to remove a label or lower its classification, each time someone wants to change or remove a label, they need to specify why they’re doing it.

To remove a label, open a document, go to Sensitivity and click the name of the currently applied label. The Justification Required popup will show up. Pick an appropriate option and click Change. The label should be removed at this point.

Providing a label change justification.

The label change and justification are logged and stored in activity explorer.

Conclusion

That concludes our overview of sensitivity labels for emails and documents in Microsoft 365. Still, the topic of sensitivity labels is a broad one. To learn more about advanced configuration options and see additional use cases, check out Microsoft’s documentation.

Stay safe!

Tools for Exchange Server

Recommended articles

Inside the new Outlook for Windows – key changes, dates, and features

Inside the new Outlook for Windows – key changes, dates, and features

The new Outlook for Windows is gradually becoming the default version. Let’s see how it compares to the classic Outlook experience.
Reject Direct Send – level up your Exchange Online security

Reject Direct Send – level up your Exchange Online security

Reject Direct Send is a simple Exchange Online setting that can help you secure your Microsoft 365 tenant against phishing.
How to deploy and configure Microsoft Outlook for Android via Intune: A complete guide

How to deploy and configure Microsoft Outlook for Android via Intune: A complete guide

It's the Intune guide you've been waiting for. See how to onboard an Android mobile device.

Comments

  1. Thanks for the steps. Wondering where and how to find the Justification Text in Activity Explorer or Audit Log? Text is not shown in Activity Explorer when lowering a sensitivity label.

    • avatar
      Adam the 32-bit Aardvark says:

      Hello,
      As an admin, you should be able to read the justification in activity explorer. Make sure you have an appropriate justification prompt set up in the label settings.

  2. Hi,

    How can we search for SensitiveLabels in emails when using the content search in the Purview Portal?

    What is the name of property when using the query builder / KQL editor?

    Thank you.

  3. Hi, when we use sensivity labels with access control, no signature will be attached. I guess the signature tool dont have access to modify the mail and add a signature.

    Can you add a part what to look out for with CodeTwo e-mail signatures?

    • avatar
      Adam the 32-bit Aardvark says:

      Hello Thomas,
      Messages with applied sensitivity labels are of course supported by CodeTwo Email Signatures 365. Please consult our manual for details.

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

*

CodeTwo sp. z o.o. sp. k. is a controller of your personal data.
See our Privacy Policy to learn more.