Sensitivity Labels
Sensitivity labels classify and optionally protect content (emails, documents, meetings) with encryption, watermarks, and access restrictions.
Purview portal → Information protection → Sensitivity labels
Recommended Label Taxonomy
Design a label hierarchy that maps to your business classification scheme. A typical structure:
| Label | Sublabels | Description |
|---|---|---|
| Public | — | Cleared for public release |
| Internal | — | General internal content, no special handling |
| Confidential | All Staff | Confidential — all employees can view |
| Confidential | Finance | Finance team only |
| Confidential | Legal | Legal team only |
| Confidential | Management | Management only |
| Highly Confidential | — | Highest sensitivity, strict access control |
Tip
Keep the taxonomy simple — users must be able to choose a label without guidance every time. 4–6 labels is usually the right number.
Creating Labels
Purview portal → Information protection → Sensitivity labels → Create a label
Example: Confidential - All Staff
Label settings
| Setting | Value |
|---|---|
| Name | Confidential - All Staff |
| Display name | Confidential - All Staff |
| Description for users | Confidential content for all company employees. Do not share externally. |
| Colour | Orange |
| Priority | 3 (after Public and Internal) |
Scope
- Items: Files & emails
- Meetings (if using Teams Premium)
- (Optional) Groups & sites for SharePoint/Teams container labelling
Protection for files and emails
| Setting | Value |
|---|---|
| Encryption | Apply encryption |
| Assign permissions now or let users decide | Assign now |
| User access expires | Never |
| Allow offline access | Always |
| Assign permissions: Add all users in your organisation | View, Edit, Reply, Forward, Print, Save |
| Add any authenticated users | Do not add (restrict to org) |
Content marking
| Setting | Value |
|---|---|
| Add a header | CONFIDENTIAL (font size 11pt, red, centred) |
| Add a footer | CONFIDENTIAL - {Company Name} |
| Add a watermark | CONFIDENTIAL (diagonal, grey, font size 24) |
Auto-labelling (requires E5 Compliance)
Configure if you want the label applied automatically when sensitive content is detected.
Publishing Labels via Label Policy
Purview portal → Information protection → Label policies → Publish label
| Setting | Value |
|---|---|
| Labels to publish | Select all your labels |
| Publish to users and groups | All users (or a pilot group) |
| Default label for documents | Internal |
| Default label for emails | None (or Internal) |
| Default label for meetings | None |
| Require users to justify removing a label | Yes |
| Require users to apply a label to their email | No (recommended to start — add later) |
| Provide users with a link to a custom help page | Optional — link to intranet policy page |
Label policy propagation
After publishing, labels appear in Office apps within 24 hours. Users must restart Office apps to see new labels.
Auto-Labelling Policies
Apply labels automatically without user interaction based on content detected in Exchange, SharePoint, and OneDrive.
Purview portal → Information protection → Auto-labelling policies → Create auto-labelling policy
Example: Auto-label content containing Australian TFN
| Setting | Value |
|---|---|
| Name | Auto-label — Australian Tax File Number |
| Label to apply | Confidential - Finance |
| Locations | Exchange, SharePoint, OneDrive |
| Rules: condition | Content contains sensitive info type: Australia Tax File Number (confidence: High) |
| Run policy in simulation mode | Yes — run for 7 days, review, then enforce |
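
The TFN policy from the table above, scripted with Security & Compliance PowerShell as an added example (not part of the original page). It assumes an active `Connect-IPPSSession` session; the function name, the rule names, the hyphenated policy name and the `confidencelevel` key in the condition hashtable are assumptions to check against your tenant.

```powershell
# Added example: create the TFN auto-labelling policy in simulation mode.
# Assumes Connect-IPPSSession has already been run.
function New-TfnAutoLabelPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$PolicyName       = 'Auto-label - Australian Tax File Number',
        [string]$LabelDisplayName = 'Confidential - Finance'
    )

    # Resolve the built-in sensitive info type by lookup rather than trusting a
    # typed string (-like is case-insensitive, so capitalisation does not matter).
    $sit = @(Get-DlpSensitiveInformationType |
        Where-Object Name -like 'Australia tax file number')
    if ($sit.Count -ne 1) {
        throw "Expected exactly one TFN sensitive info type, found $($sit.Count)."
    }

    # Fail before creating anything if the target label is missing or ambiguous.
    $label = @(Get-Label | Where-Object DisplayName -eq $LabelDisplayName)
    if ($label.Count -ne 1) {
        throw "Expected exactly one label '$LabelDisplayName', found $($label.Count)."
    }

    if ($PSCmdlet.ShouldProcess($PolicyName, 'Create policy in simulation mode')) {
        # TestWithoutNotifications = simulation: matches are reported, nothing is labelled.
        New-AutoSensitivityLabelPolicy -Name $PolicyName `
            -ApplySensitivityLabel $label[0].Name `
            -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
            -Mode TestWithoutNotifications | Out-Null

        # Each rule targets a single workload, so create one per location.
        foreach ($workload in 'Exchange', 'SharePoint', 'OneDriveForBusiness') {
            $condition = @{
                Name            = $sit[0].Name
                minCount        = '1'
                confidencelevel = 'High'   # key name is an assumption; verify in your tenant
            }
            New-AutoSensitivityLabelRule -Name "TFN - $workload" -Policy $PolicyName `
                -Workload $workload `
                -ContentContainsSensitiveInformation $condition | Out-Null
        }
        Get-AutoSensitivityLabelPolicy -Identity $PolicyName | Select-Object Name, Mode
    }
}

# After the 7-day simulation has been reviewed, switch the policy to enforcement:
# Set-AutoSensitivityLabelPolicy -Identity 'Auto-label - Australian Tax File Number' -Mode Enable
```

Running `New-TfnAutoLabelPolicy -WhatIf` performs the two lookups and reports what would be created without changing the tenant.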
SharePoint / Teams Container Labels
Apply labels to SharePoint sites and Teams to control external sharing, guest access, and privacy settings:
| Label applied to site | Privacy | External sharing | Guest access |
|---|---|---|---|
| Public | Public | Enabled | Allowed |
| Internal | Private | Disabled | Blocked |
| Confidential | Private | Disabled | Blocked |
| Highly Confidential | Private | Disabled | Blocked |
Configure in the label's Groups & sites scope settings.
Useful PowerShell
```powershell
# Security & Compliance PowerShell (requires the ExchangeOnlineManagement module)
# Install-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@domain.com

# List all sensitivity labels
Get-Label | Select-Object DisplayName, Priority, IsActive | Sort-Object Priority

# List label policies
Get-LabelPolicy | Select-Object Name, Labels, ExchangeLocation

# Check what label is applied to a document (requires PnP PowerShell)
# Install-Module PnP.PowerShell
Connect-PnPOnline -Url https://tenant.sharepoint.com/sites/sitename -Interactive
# The library's Sensitivity column has the internal name _DisplayName;
# _vti_ItemDeclaredRecord holds the record-declaration date, not the label.
Get-PnPFile -Url "/sites/sitename/Shared Documents/document.docx" -AsListItem |
    Select-Object @{N="SensitivityLabel";E={$_["_DisplayName"]}}
```