Sensitivity Labels and Monitoring
Implement sensitivity labels and policies to classify and protect content, then monitor label usage with Content explorer, Activity explorer, and label reports.
Classification that travels with the content
Retention labels control how LONG you keep data. Sensitivity labels control WHO can access it and WHAT they can do with it.
Think of sensitivity labels like security classifications on government documents: “Public”, “Internal”, “Confidential”, “Top Secret.” Each level can add protections: encryption, access restrictions, watermarks. The label stays with the document wherever it goes (emailed, downloaded, shared to another tenant). One caveat worth remembering: it is the encryption that makes the protection travel. A label without encryption is metadata plus visual markings; it classifies the file and drives DLP and reporting, but it does not stop anyone who already has a copy from reading it.
Sensitivity label hierarchy
Elena designs MedGuard Health’s label taxonomy:
| Label | Sub-label | Encryption | Content Marking | Auto-label |
|---|---|---|---|---|
| Public | — | None | Footer: “MedGuard Health — Public” | No |
| Internal | — | None | Footer: “Internal Use Only” | No |
| Confidential | General | Org-wide encryption | Header + footer | No |
| Confidential | Patient Data | Healthcare team only | Header + footer + watermark | Yes (patient SITs) |
| Highly Confidential | Board Only | Board members only, no forwarding | Header + watermark, no print/copy | No |
| Highly Confidential | Regulated | Compliance team only, no external sharing | All markings, no extract content | Yes (regulatory SITs) |
Label priority and order
Labels are ordered by priority: order number 0 is the least sensitive, and the most sensitive label sits at the bottom of the list. Sublabels inherit their position from the parent's place in that order. Users can always upgrade a label (Public → Confidential) without friction. Downgrading (Confidential → Internal) or removing a label prompts for a justification only when the label policy's “require justification” setting is turned on; the justification text is then recorded in the audit log and surfaced in Activity explorer, which is why most organisations enable it for every published policy.
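As an added example (not code from the original page), the following Security & Compliance PowerShell builds part of the taxonomy in the table above and then fixes the priority order explicitly. Label names, group addresses and the domain `medguard.example` are assumptions; the loop at the end assumes no other labels exist in the tenant.

```powershell
# Added example, not from the original page. Requires the ExchangeOnlineManagement module.
# Connect-IPPSSession opens a Security & Compliance PowerShell session (admin sign-in prompt).
Connect-IPPSSession

# Top-level labels without encryption: classification plus a footer marking only.
# -ContentType sets the label scope ("File, Email" = the Items scope from the exam tip below).
New-Label -Name "Public" -DisplayName "Public" -Tooltip "Approved for release outside MedGuard" `
    -ContentType "File, Email" `
    -ApplyContentMarkingFooterEnabled $true -ApplyContentMarkingFooterText "MedGuard Health - Public"

New-Label -Name "Internal" -DisplayName "Internal" -Tooltip "Internal use only" `
    -ContentType "File, Email" `
    -ApplyContentMarkingFooterEnabled $true -ApplyContentMarkingFooterText "Internal Use Only"

# Parent labels are containers only; users must pick a sublabel, so they carry no settings.
New-Label -Name "Confidential" -DisplayName "Confidential" `
    -Tooltip "Restricted to MedGuard staff; choose a sublabel" -ContentType "File, Email"
New-Label -Name "Highly Confidential" -DisplayName "Highly Confidential" `
    -Tooltip "Smallest possible audience; choose a sublabel" -ContentType "File, Email"

# Confidential / General: org-wide encryption. A bare domain as principal grants the whole tenant.
# Rights string format is "principal:RIGHT,RIGHT;principal:RIGHT"; rights you omit are withheld.
New-Label -Name "Confidential-General" -DisplayName "General" -ParentId "Confidential" `
    -Tooltip "Readable by any MedGuard employee" -ContentType "File, Email" `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "medguard.example:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD" `
    -ApplyContentMarkingHeaderEnabled $true -ApplyContentMarkingHeaderText "CONFIDENTIAL" `
    -ApplyContentMarkingFooterEnabled $true -ApplyContentMarkingFooterText "CONFIDENTIAL"

# Confidential / Patient Data: only the healthcare team group can open it; adds a watermark.
New-Label -Name "Confidential-PatientData" -DisplayName "Patient Data" -ParentId "Confidential" `
    -Tooltip "Protected health information" -ContentType "File, Email" `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "healthcare-team@medguard.example:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD" `
    -EncryptionOfflineAccessDays 7 `
    -ApplyContentMarkingHeaderEnabled $true -ApplyContentMarkingHeaderText "CONFIDENTIAL - PATIENT DATA" `
    -ApplyContentMarkingFooterEnabled $true -ApplyContentMarkingFooterText "CONFIDENTIAL - PATIENT DATA" `
    -ApplyWaterMarkingEnabled $true -ApplyWaterMarkingText "Patient Data"

# Highly Confidential / Board Only: board members may view and edit, but PRINT, EXTRACT (copy)
# and FORWARD are deliberately left out of the rights list.
New-Label -Name "HC-BoardOnly" -DisplayName "Board Only" -ParentId "Highly Confidential" `
    -Tooltip "Board members only; no forwarding, printing or copying" -ContentType "File, Email" `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "board@medguard.example:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,REPLY" `
    -ApplyContentMarkingHeaderEnabled $true -ApplyContentMarkingHeaderText "HIGHLY CONFIDENTIAL - BOARD ONLY" `
    -ApplyWaterMarkingEnabled $true -ApplyWaterMarkingText "Board Only"

# Priority: 0 is the least sensitive. Setting it explicitly, lowest first, makes the order
# independent of creation sequence. Assumes these are the only labels in the tenant.
$order = "Public", "Internal", "Confidential", "Confidential-General", "Confidential-PatientData",
         "Highly Confidential", "HC-BoardOnly"
for ($i = 0; $i -lt $order.Count; $i++) {
    Set-Label -Identity $order[$i] -Priority $i
}

# Verify: parents and sublabels listed in the intended order with their encryption state.
Get-Label | Sort-Object Priority | Format-Table Priority, Name, ParentId, EncryptionEnabled
```

The “Regulated” sublabel is built the same way as “Board Only” with the compliance group as principal and `EXTRACT` omitted. Creating a label does not make it visible to anyone; that needs a label policy, covered further down.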
Exam tip: Label scope and sublabel selection
Sensitivity labels have two scope options that determine where they appear:
- Items (Files and emails) — labels available in Office apps, Outlook, and SharePoint
- Groups and sites — labels available for Teams, M365 Groups, and SharePoint sites (control privacy, guest access, and external sharing)
A label can have both scopes. When a parent label has sublabels, users cannot apply the parent directly; they must choose a sublabel. If “Confidential” has sublabels “General” and “Patient Data,” the picker shows “Confidential / General” and “Confidential / Patient Data,” not a bare “Confidential.”
Encryption options
| Setting | What It Controls | Example |
|---|---|---|
| Assign permissions now | Admin defines who can access and what they can do | “Only MedGuard employees can open; no copy/paste” |
| Let users assign | Users choose recipients when applying the label | “User encrypts email and selects who can read it” |
| Double Key Encryption | Microsoft holds one key in Azure, your org holds the second key in a DKE service you run; content can only be decrypted with both | Highest protection: even Microsoft cannot read the content. Caveat: cloud services cannot read it either, so DKE content is excluded from search, eDiscovery and content-based DLP |
| No encryption | Label is for classification only (with content markings) | “Internal” label — visual marking without access restriction |
Exam tip: Sensitivity labels vs retention labels
The exam frequently tests whether you can distinguish between sensitivity and retention labels:
- Sensitivity label = WHO can access and WHAT they can do (encryption, access controls, markings)
- Retention label = HOW LONG to keep it and WHEN to delete it (lifecycle management)
A document can have BOTH a sensitivity label AND a retention label simultaneously. They serve different purposes and don’t conflict.
Publishing labels with label policies
Labels are created but not visible to users until published via a label policy:
| Policy Setting | What It Does | Example |
|---|---|---|
| Users and groups | Who sees these labels | All users, or specific departments |
| Default label | Automatically applied to new documents/emails | “Internal” as default for all new files |
| Justification | Require reason when removing or downgrading a label | “Explain why you’re changing from Confidential to Public” |
| Mandatory labeling | Users must apply a label before saving/sending | Required for all emails and documents |
| Help link | Custom URL for users learning about labels | Link to internal data classification guide |
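The same policy settings expressed in Security & Compliance PowerShell, as an added example that is not part of the original page. The policy name, label names and the help URL are assumptions; the advanced-setting keys (`DefaultLabelId`, `Mandatory`, `RequireDowngradeJustification`, `CustomUrl`) are the documented ones.

```powershell
# Added example, not from the original page. Assumes the labels below already exist.
Connect-IPPSSession

# Publish the whole taxonomy (parents and sublabels) to all users.
$labels = "Public", "Internal", "Confidential", "Confidential-General", "Confidential-PatientData",
          "Highly Confidential", "HC-BoardOnly", "HC-Regulated"

New-LabelPolicy -Name "MedGuard Global Labels" -Labels $labels -ExchangeLocation All `
    -Comment "Publishes the MedGuard taxonomy to every user"

# Policy behaviour lives in AdvancedSettings. DefaultLabelId needs the label GUID, not its name.
$internalGuid = (Get-Label -Identity "Internal").Guid

Set-LabelPolicy -Identity "MedGuard Global Labels" -AdvancedSettings @{
    DefaultLabelId                = $internalGuid   # new files and emails start as Internal
    Mandatory                     = "True"          # users must pick a label before saving/sending
    RequireDowngradeJustification = "True"          # removing or lowering a label prompts for a reason
    CustomUrl                     = "https://intranet.medguard.example/classification-guide"  # help link (assumed URL)
}

# Verify what clients will receive: settings come back as name/value strings.
(Get-LabelPolicy -Identity "MedGuard Global Labels").Settings
```

Scoping the policy to a department is done with `-ModernGroupLocation` or by publishing a second policy with a narrower label set; a user who falls under two policies gets the one with the higher policy priority.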
Auto-labeling policies
For content at rest (SharePoint, OneDrive) and in transit (Exchange), auto-labeling applies labels automatically:
- Define conditions — SITs, keywords, or trainable classifiers
- Choose the label — which label to apply when conditions match
- Simulation mode — test the policy to see what would be labeled
- Turn on — enable automatic labeling
Elena auto-labels any document containing patient IDs with “Confidential / Patient Data” — even if the user forgets to label it manually.
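The four steps above as a service-side auto-labeling policy, added here as an example rather than taken from the page. The policy and label names are assumptions, and because “patient ID” is not a built-in sensitive information type, the rule uses the built-in U.S. SSN SIT as a stand-in; a real deployment would point it at a custom SIT.

```powershell
# Added example, not from the original page.
Connect-IPPSSession

# Steps 1-2: where to scan and which label to apply. Start in simulation, never in Enable.
New-AutoSensitivityLabelPolicy -Name "AutoLabel Patient Data" `
    -SharePointLocation All -OneDriveLocation All -ExchangeLocation All `
    -ApplySensitivityLabel "Confidential-PatientData" `
    -Mode TestWithoutNotifications `
    -Comment "Labels files and mail that contain patient identifiers"

# Step 1 (conditions): a SIT match. minCount and confidencelevel control noise; add more
# hashtables to the array for extra SITs. "U.S. Social Security Number (SSN)" is a stand-in
# for a custom patient-ID SIT (assumption).
New-AutoSensitivityLabelRule -Policy "AutoLabel Patient Data" -Name "PatientId-Match" `
    -Workload SharePoint, OneDriveForBusiness, Exchange `
    -ContentContainsSensitiveInformation @(
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1"; confidencelevel = "High" }
    )

# Step 3: simulation. The policy needs time to run before the match counts in the portal mean
# anything; confirm it is in a test mode and not already enforcing.
Get-AutoSensitivityLabelPolicy -Identity "AutoLabel Patient Data" |
    Format-List Name, Mode, ApplySensitivityLabel, SharePointLocation, OneDriveLocation, ExchangeLocation

# Step 4: turn on only after reviewing the simulated matches for false positives.
Set-AutoSensitivityLabelPolicy -Identity "AutoLabel Patient Data" -Mode Enable
```

`TestWithNotifications` is the alternative simulation mode when you want users to see the recommendation during the trial. Service-side policies do not replace a label that users already applied manually, so a wrong manual label still needs a human to fix it.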
Client-side vs service-side auto-labeling
| Feature | Client-side auto-labeling | Service-side auto-labeling |
|---|---|---|
| Where it runs | Office desktop apps (Word, Excel, Outlook) | Microsoft 365 cloud services |
| When it triggers | As users create or edit documents | Scans content at rest and in transit |
| Existing content | No: only content users create or edit | Yes for SharePoint/OneDrive files at rest; Exchange mail is labeled only as it is sent or received, not retroactively in mailboxes |
| User interaction | Can recommend label (user accepts/dismisses) | No user interaction: fully automatic |
| Configuration | The label's own auto-labeling conditions (set on the label, then published by a label policy) | Auto-labeling policy in Purview |
Monitoring label usage
Content explorer
Purview compliance portal > Data classification > Content explorer shows what sensitive data exists and where:
- Browse by SIT, sensitivity label, or retention label
- Drill into specific items to see content
- Seeing the list of items needs the Content Explorer List Viewer role group; opening an item to see its content needs Content Explorer Content Viewer (sensitive data is visible)
Activity explorer
Purview compliance portal > Data classification > Activity explorer shows what’s happening with labeled content:
| Activity | What It Tracks |
|---|---|
| Label applied | When and by whom a label was applied |
| Label changed | Upgrades and downgrades with justification |
| Label removed | When labels are removed |
| File read | Labeled files opened, as reported by Office apps and monitored endpoints |
| DLP policy matched | Content that triggered DLP rules |
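The same data is available for scripted review through the `Export-ActivityExplorerData` cmdlet. The following is an added example, not code from the page: it pulls a week of label-change and label-removal events, follows pagination, and counts them per user so that a reviewer can spot who keeps downgrading labels. The date window is an assumption, and the property names on each exported record (`User`, `Activity`) are taken from one tenant's output; check the `ResultData` JSON in your own tenant before relying on them.

```powershell
# Added example, not from the original page.
Connect-IPPSSession

$end   = (Get-Date).ToUniversalTime()
$start = $end.AddDays(-7)                      # assumed window: last 7 days

# Filter1 takes the column name first, then the values to keep.
$filter = @("Activity", "LabelChanged", "LabelRemoved")
$records = @()

$page = Export-ActivityExplorerData -StartTime $start -EndTime $end `
    -OutputFormat Json -PageSize 5000 -Filter1 $filter
$records += ($page.ResultData | ConvertFrom-Json)

# Follow pagination: the cmdlet hands back a cookie for the next page.
while ($page.MorePagesAvailable) {
    $page = Export-ActivityExplorerData -StartTime $start -EndTime $end `
        -OutputFormat Json -PageSize 5000 -Filter1 $filter -PageCookie $page.WatermarkCookie
    $records += ($page.ResultData | ConvertFrom-Json)
}

# Who is downgrading or stripping labels most often? (record property names assumed; see lead-in)
$records |
    Group-Object -Property User |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name
```

A user who appears here repeatedly, with justifications that read as boilerplate, is worth a conversation before the next audit rather than after it.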
Label analytics (reports)
Purview > Reports provides dashboards showing:
- Label usage across workloads (how many files have each label)
- Top labels used
- Label changes over time
- Auto-label policy effectiveness
Deep dive: Content Explorer roles
Content Explorer has two separate roles for security:
- Content Explorer List Viewer — can see the list of items and their labels but NOT the actual content
- Content Explorer Content Viewer — can see the actual content of items (sensitive data is visible)
Elena gives auditors the List Viewer role (see what’s labeled and where) but reserves Content Viewer for the compliance team (who need to verify classification accuracy). This follows least privilege — not everyone who reviews labels needs to see patient data.
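Elena's split between the two role groups, done in PowerShell as an added example (not code from the page). The account and group addresses are assumptions; the role groups are looked up by display name so that the script does not depend on their internal `Name` values.

```powershell
# Added example, not from the original page.
Connect-IPPSSession

# Resolve the two Content explorer role groups by display name rather than hard-coding Name.
$listViewer    = Get-RoleGroup | Where-Object { $_.DisplayName -eq "Content Explorer List Viewer" }
$contentViewer = Get-RoleGroup | Where-Object { $_.DisplayName -eq "Content Explorer Content Viewer" }

# Auditors: list view only (item names, locations, labels). No document content.
Add-RoleGroupMember -Identity $listViewer.Name -Member "auditor@medguard.example"

# Compliance team: content view. Patient data is visible, so keep this membership small.
Add-RoleGroupMember -Identity $contentViewer.Name -Member "compliance-team@medguard.example"

# Access review: who can open sensitive content today?
Get-RoleGroupMember -Identity $contentViewer.Name |
    Select-Object Name, PrimarySmtpAddress
```

Run the last query on a schedule and diff it against the previous run; unexplained additions to the Content Viewer group are exactly the kind of change an auditor will ask about.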
Key concepts to remember
Knowledge check
Elena discovers that many MedGuard Health documents containing patient data are stored in SharePoint without sensitivity labels. Manual labeling hasn't been consistent. What should she implement?
Priya needs to give an external auditor the ability to see which sensitivity labels are applied to GlobalReach documents and where they're stored — but the auditor should NOT be able to read the actual document content. Which role should Priya assign?
Next up: DLP Policies Across M365 Workloads — preventing sensitive data from leaving your organisation.