Sensitivity Labels: Create & Protect
Sensitivity labels are the enforcement layer of information protection. Create labels that encrypt documents, add watermarks, restrict access, and follow your data wherever it goes.
What are sensitivity labels?
Think of colour-coded wristbands at a concert.
A green wristband gets you into the general area. A blue wristband gets you backstage. A gold wristband gets you into the VIP lounge. The wristband travels with you — security checks it at every door.
Sensitivity labels are the wristbands for your data. When you label a document “Confidential,” that label travels with the file — even if someone downloads it, emails it, or copies it to a USB drive. The label tells every Microsoft 365 service (and even third-party apps) what level of protection to enforce.
Labels can encrypt content, add watermarks, block external sharing, restrict copy/paste, and more. Sensitive information types (SITs) detect the data. Labels protect it.
Labels for items vs labels for containers
Sensitivity labels apply to two scope types:
| Feature | Item Labels (Files & Emails) | Container Labels (Teams, Groups, Sites) |
|---|---|---|
| What they protect | Individual documents, emails, meetings | Teams, Microsoft 365 Groups, SharePoint sites |
| Protection type | Encryption, content marking, access restrictions | Privacy settings, external sharing, guest access, device access |
| Travels with content? | Yes — label persists when file is downloaded, copied, or forwarded | No — label applies to the container, not individual files inside |
| Applied by | Users manually, auto-labeling policies, default labels | Users when creating a Team/Group, or admins via policy |
| Example | 'Confidential' label encrypts a Word doc so only Sales team can read it | 'Confidential' label on a Team prevents guest access and external sharing |
Key exam concept: A container label does NOT automatically label the files inside it. A Team labelled “Highly Confidential” controls who can join and share, but individual documents in that Team still need their own item-level labels for encryption.
Roles and permissions
Not everyone should create or manage sensitivity labels. Microsoft Purview uses specific admin roles:
| Role | What It Can Do |
|---|---|
| Compliance Administrator | Full access to create, edit, delete labels and label policies |
| Compliance Data Administrator | Same as above — create and manage labels |
| Security Administrator | Can view labels and policies but typically focused on security alerts |
| Information Protection role group | Create and manage labels, view reports |
| Information Protection Admin | Full label management in Purview |
| Information Protection Reader | View-only access to labels and policies |
Exam tip: who can create sensitivity labels?
The exam tests whether you know which roles can create and manage sensitivity labels. The key roles are:
- Compliance Administrator — yes, full management
- Information Protection Admin — yes, full management
- Global Administrator — yes (but overprivileged — use least privilege)
- Security Reader — no, view-only
- Helpdesk Administrator — no, not a compliance role
The principle of least privilege says: use Information Protection Admin for label management, not Global Admin.
Creating a sensitivity label
Step 1: Define the label
In Microsoft Purview portal → Information protection → Labels → Create a label:
| Setting | What It Controls |
|---|---|
| Name | Internal name (admins see this) |
| Display name | What users see in Office apps |
| Description for users | Tooltip explaining when to use this label |
| Description for admins | Internal notes about the label’s purpose |
| Label colour | Visual indicator in the label picker |
| Scope | Items (files/emails), Containers (Teams/Groups/Sites), or both |
Step 2: Choose protection settings
| Protection | What It Does | Best For |
|---|---|---|
| Encryption | Restricts who can open and what they can do (view, edit, print, forward) | Confidential and highly confidential content |
| Content marking | Adds headers, footers, and/or watermarks to documents | Visual indicators of classification |
| Auto-labeling for files and emails | Automatically applies this label when SITs are detected in content | Hands-free classification of sensitive documents |
Step 3: Encryption options
When encryption is enabled, you configure access:
| Option | What It Controls |
|---|---|
| Assign permissions now | You define exactly who can access and what actions they can perform (view, edit, print, copy, forward) |
| Let users assign permissions | Users choose recipients when they apply the label (e.g., “Do Not Forward” in Outlook) |
| Offline access | How long users can access encrypted content without an internet connection (days or never) |
| Content expiration | When access expires — a specific date or number of days after labeling |
Scenario: Priya designs Meridian's label taxonomy
Priya creates four sensitivity labels for Meridian Financial, ordered by priority (highest last):
| Priority | Label | Encryption | Content Marking | Container |
|---|---|---|---|---|
| 0 | Public | None | Footer: “Meridian Financial — Public” | Open sharing |
| 1 | General | None | Footer: “Meridian Financial — Internal” | Standard Teams |
| 2 | Confidential | Yes — internal users only, full edit rights | Header + footer + watermark | No guest access |
| 3 | Highly Confidential | Yes — named users only, view-only, no print/copy | Header + footer + watermark “RESTRICTED” | No guest, no external sharing, managed devices only |
The priority order means: a user can upgrade from General to Confidential freely, but downgrading from Highly Confidential to General requires the user to enter a justification (when the label policy enforces it), and that justification is recorded in the audit log.
Content marking
Content marking adds visual indicators to documents:
| Marking Type | Where It Appears | Customisable? |
|---|---|---|
| Header | Top of every page | Text, font size, colour, alignment |
| Footer | Bottom of every page | Text, font size, colour, alignment |
| Watermark | Diagonal across each page | Text, font size, colour |
Important: Content markings are applied when a user saves a document in an Office app. They are NOT applied retroactively to existing documents until the document is opened and saved.
Label priority and downgrade justification
Labels have a numeric priority. Lower numbers = lower sensitivity. Higher numbers = higher sensitivity.
Upgrade (lower → higher): Users can freely apply a more restrictive label.
Downgrade (higher → lower): Requires justification. The user must provide a reason, which is logged in the audit log. Admins can make justification mandatory via label policy settings.
Removal: Same as downgrade — requires justification if configured in the label policy.
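As an added example that is not part of the course material, this is Priya's "Highly Confidential" label from the scenario table, built with Security & Compliance PowerShell (the `New-Label`, `Set-Label` and `Set-LabelPolicy` cmdlets) instead of the portal. The admin UPN, the `hc-readers@meridian.example` group, the colours and the policy name "Meridian Labels" are placeholders; the policy is assumed to exist already, since publishing is covered in the next lesson.

```powershell
# Added example, not from the course page. Placeholders: admin UPN, the
# hc-readers@meridian.example group, and the label policy name.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@meridian.example

# Steps 1-3 in one call: define the label, enable encryption, add markings,
# and set the container (Site/UnifiedGroup) protections.
# Rights format is "principal:RIGHT,RIGHT;principal:RIGHT". Granting only VIEW
# (no PRINT, no EXTRACT) is the "view-only, no print/copy" row of the table.
# The "managed devices only" row is left to the portal in this example.
New-Label -Name "Highly Confidential" `
    -DisplayName "Highly Confidential" `
    -Tooltip "Board papers, M&A, regulator correspondence. Named users only." `
    -Comment "Priority 3. Managed by the Information Protection Admin role." `
    -ContentType "File, Email, Site, UnifiedGroup" `
    -EncryptionEnabled $true `
    -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "hc-readers@meridian.example:VIEW,VIEWRIGHTSDATA" `
    -EncryptionOfflineAccessDays 3 `
    -EncryptionContentExpiredOnDateInDaysOrNever Never `
    -ApplyContentMarkingHeaderEnabled $true `
    -ApplyContentMarkingHeaderText "Meridian Financial - Highly Confidential" `
    -ApplyContentMarkingHeaderFontSize 10 `
    -ApplyContentMarkingHeaderFontColor "#C00000" `
    -ApplyContentMarkingHeaderAlignment Center `
    -ApplyContentMarkingFooterEnabled $true `
    -ApplyContentMarkingFooterText "Meridian Financial - Highly Confidential" `
    -ApplyContentMarkingFooterFontSize 10 `
    -ApplyContentMarkingFooterFontColor "#C00000" `
    -ApplyContentMarkingFooterAlignment Center `
    -ApplyWaterMarkingEnabled $true `
    -ApplyWaterMarkingText "RESTRICTED" `
    -ApplyWaterMarkingFontSize 48 `
    -ApplyWaterMarkingFontColor "#C0C0C0" `
    -SiteAndGroupProtectionEnabled $true `
    -SiteAndGroupProtectionPrivacy Private `
    -SiteAndGroupProtectionAllowAccessToGuestUsers $false `
    -SiteAndGroupProtectionAllowEmailFromGuestUsers $false `
    -SiteExternalSharingControlType Disabled

# Priority 0..3 follows the table order: Public, General, Confidential, Highly Confidential.
Set-Label -Identity "Highly Confidential" -Priority 3

# Downgrade and removal justification is a label POLICY setting, not a label setting.
Set-LabelPolicy -Identity "Meridian Labels" `
    -AdvancedSettings @{ RequireDowngradeJustification = "true" }

# Read the label back to confirm the priority and the encryption rights took effect.
Get-Label -Identity "Highly Confidential" |
    Select-Object Name, Priority, EncryptionEnabled, EncryptionRightsDefinitions
```

Because the encryption rights name a group rather than individual users, membership changes in `hc-readers` change who can open existing files without relabelling them.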
Dr. Liam at St. Harbour Health creates a sensitivity label called 'Patient Data' with encryption that restricts access to the Clinical Staff security group. He also adds a header ('CONFIDENTIAL — Patient Data') and a watermark. A nurse applies this label to a discharge summary. What happens when someone outside the Clinical Staff group tries to open the file?
Zara at Atlas Global notices that files in a SharePoint site labelled 'Confidential' (container label) are being downloaded by external consultants. The container label restricts guest access to the site. Why are the files not encrypted?