Sensitivity Labels in Microsoft 365: A Practical Guide

Sensitivity labels are one of the most useful and most underused features in Microsoft 365. They let organizations classify and protect documents and emails based on how sensitive the content is. A file labeled "Highly Confidential" can be encrypted, watermarked, and restricted so only specific people can open it -- automatically, without relying on users to remember the right steps. The feature lives inside Microsoft Purview (formerly Microsoft 365 Compliance), and it works across Word, Excel, PowerPoint, Outlook, Teams, and SharePoint.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Licensing details and feature availability in Microsoft 365 change frequently. Consult Microsoft's official documentation and a qualified IT advisor for guidance specific to your organization.

Despite the clear benefits, many small and mid-sized businesses never set up sensitivity labels. The configuration interface can feel overwhelming, licensing requirements are confusing, and it is not always obvious where to start. This guide walks through the practical steps: what the built-in labels do, how to create and publish labels, how auto-labeling works, and what to watch out for during deployment.

What Sensitivity Labels Actually Do

A sensitivity label is a tag that gets applied to a document, email, or container (like a SharePoint site or Teams channel). The label itself is just metadata -- a classification marker. But labels can also trigger protective actions:

Encryption -- restricts who can open and edit the file, even if it is shared outside the organization
Content marking -- adds headers, footers, or watermarks to documents
Access control -- limits what users can do with labeled content (no copy, no print, no forward)
Data loss prevention (DLP) -- DLP policies can reference labels to block or flag the sharing of sensitive content

Labels travel with the content. If someone downloads a labeled Word document and emails it to an external contact, the encryption and access restrictions stay in place. This is a significant step up from folder-based permissions, which stop protecting files the moment they leave the folder.

The Built-In Labels

Microsoft Purview provides a default set of sensitivity labels that cover the most common classification tiers:

Personal -- non-business data that does not require any protection
Public -- business data that is intended for public consumption
General -- everyday business data that is not intended for a public audience but does not require special protection
Confidential -- sensitive business data that could cause harm if shared with unauthorized people
Highly Confidential -- the most sensitive business data, requiring the strictest access controls

These built-in labels provide a reasonable starting point, but they are not published by default. An administrator still needs to create a label policy and assign the labels to users before they appear in Office applications.

When to Customize

The default labels work well for many small businesses. Customization becomes necessary when the organization has specific regulatory requirements, handles data that does not fit neatly into the default tiers, or needs different protection settings for different departments. For example, a healthcare company might add a "PHI" label with strict encryption, or a financial services firm might need a "Client Confidential" label distinct from internal confidential material.

The general advice: start with the defaults, use them for a few weeks, and customize only when a clear gap appears.

Setting Up Sensitivity Labels

Step 1: Create Labels

Labels are created in the Microsoft Purview compliance portal (compliance.microsoft.com) under Information Protection > Labels. Each label needs a name, a description for users (explaining when to apply it), and a description for administrators. Then configure the protection settings: encryption, content marking, or both.

For encryption, decide whether to assign permissions now (specifying exactly which users or groups can access labeled content) or let users assign permissions when they apply the label. The first option is more restrictive and consistent. The second gives users flexibility but introduces variability.

Step 2: Publish Label Policies

Creating a label does not make it available to users. Labels must be published through a label policy. A policy defines which labels are available, which users or groups see them, and whether a default label is applied automatically to new documents.

Key policy settings include:

Default label -- automatically applies a specified label to all new documents and emails (commonly set to "General")
Justification -- requires users to provide a reason before removing or downgrading a label
Mandatory labeling -- requires users to apply a label before saving a document or sending an email

For initial deployment, enabling a default label of "General" and turning on mandatory labeling is a practical combination. It ensures every document gets classified without requiring users to make a decision on routine content.

Step 3: Auto-Labeling Rules

Auto-labeling takes the manual step out entirely. Rules can scan content for sensitive information types -- credit card numbers, Social Security numbers, medical record numbers -- and apply the appropriate label automatically. This is especially relevant for businesses that handle what is a DSAR requests, where knowing exactly where sensitive personal data lives is critical.

Auto-labeling can be configured in two modes:

Client-side -- the Office application recommends or applies a label as the user works on a document
Service-side -- labels are applied to content already stored in SharePoint, OneDrive, or Exchange, scanning files at rest

Service-side auto-labeling requires a simulation mode first, which scans content and shows what would be labeled without actually applying changes. Always run the simulation before enabling auto-labeling in production.

Practical Deployment for Small Businesses

A phased approach works best:

Phase 1 (Week 1-2): Publish the built-in labels with a default of "General." Enable mandatory labeling. Do not configure encryption yet. The goal is to get users comfortable with the labeling interface.

Phase 2 (Week 3-4): Add content marking (headers or footers) to "Confidential" and "Highly Confidential" labels. This makes classification visible without restricting access, which helps reinforce the habit of labeling correctly.

Phase 3 (Month 2): Enable encryption on "Highly Confidential." Configure auto-labeling rules for the most obvious sensitive data types (credit card numbers, national ID numbers). Run simulations before going live.

Phase 4 (Month 3+): Review label usage reports in the Purview portal. Adjust labels and policies based on actual usage patterns. Add department-specific labels if needed.

This gradual rollout avoids the most common failure mode: deploying everything at once, overwhelming users, and generating a wave of support tickets that leads to the whole initiative being rolled back.

Common Issues and Licensing Requirements

Licensing Confusion

Sensitivity labels are not available on every Microsoft 365 plan, and the specific capabilities vary significantly:

Microsoft 365 Business Basic and Standard -- manual sensitivity labeling is included, but auto-labeling and advanced features are not
Microsoft 365 Business Premium -- includes manual labeling plus some auto-labeling capabilities
Microsoft 365 E3 -- includes manual labeling and client-side auto-labeling
Microsoft 365 E5 or E5 Compliance add-on -- includes the full feature set: service-side auto-labeling, advanced classifiers, and detailed analytics

The most frequent licensing surprise is service-side auto-labeling, which requires E5-level licensing. Businesses on E3 or Business Premium plans that try to configure service-side rules will find the option grayed out or unavailable.

"Sensitivity Labels Are Not Supported" Errors

This error typically appears when the tenant does not have the correct licensing, when labels have not been published through a policy, or when the user is not included in the policy's scope. Check three things: the license assigned to the affected user, whether a label policy has been published, and whether that policy targets the correct users or groups.

Labels Not Appearing in Office Apps

After publishing a policy, labels can take up to 24 hours to propagate to Office desktop applications. This delay catches many administrators off guard. If labels still do not appear after 24 hours, verify that the user is signed into Office with an account that is covered by the label policy and that the Office version supports sensitivity labels (Microsoft 365 Apps, not the standalone Office 2019 or earlier versions).

Conflicts with Existing Protections

Organizations that previously used Azure Information Protection (AIP) labels may encounter conflicts when migrating to unified sensitivity labels in Purview. The migration path involves converting AIP labels to sensitivity labels in the Purview portal. Running both systems simultaneously causes unpredictable behavior and should be avoided.

Getting the Foundation Right

Sensitivity labels are not a set-and-forget feature. They require ongoing attention -- reviewing usage reports, adjusting policies as the business evolves, and training new employees on what each label means. But the initial setup does not have to be complicated. Start with the built-in labels, publish a simple policy, and build from there. The goal is consistent classification across all documents and emails, which becomes the foundation for stronger data protection over time.