Sensitivity Labels: Publish & Auto-Apply
Labels only work if users can see them. Publish labels via policies, configure auto-labeling to classify at scale, and extend labels to containers like Teams and SharePoint sites.
Publishing labels — making them visible
Creating a label is like printing a “Confidential” stamp. Publishing it is like handing that stamp to your team.
Until you publish a label, nobody can use it. A label policy is the delivery mechanism — it decides which users see which labels, sets defaults, and controls behaviour like mandatory labeling and downgrade justification.
Auto-labeling goes further — Purview automatically stamps documents without users lifting a finger, based on what sensitive data it finds inside.
Label publishing policies
A label policy has three components:
1. Which labels to publish
Select which sensitivity labels appear in users’ label pickers. You can publish different label sets to different groups — interns may see only Public and General, while executives see all labels including Highly Confidential.
2. Who receives the labels
| Scope | Example |
|---|---|
| All users | Entire organisation sees the published labels |
| Specific groups | Only Finance team sees “Financial — Restricted” |
| Specific users | Test labels with pilot users before broad rollout |
3. Policy settings
| Setting | What It Controls |
|---|---|
| Default label for documents | Automatically applies a label (e.g., “General”) to new Office documents |
| Default label for emails | Automatically applies a label to new emails |
| Require users to apply a label | Mandatory labeling — users must choose a label before saving or sending |
| Require justification to downgrade | Forces users to explain why they’re removing or lowering a label |
| Help link | Custom URL for label guidance (e.g., your org’s data classification policy) |
Scenario: Priya rolls out labels at Meridian
Priya’s rollout plan at Meridian Financial:
Phase 1 — Pilot (50 users): Publish all four labels (Public, General, Confidential, Highly Confidential) to the compliance team. Default label: General. No mandatory labeling yet. Observe usage patterns for 2 weeks.
Phase 2 — Broad deployment: Publish to all users. Enable mandatory labeling for documents and emails. Default label: General. Require justification for downgrades.
Phase 3 — Enforcement: Enable auto-labeling for content containing credit card numbers and client account numbers. Add default container labels for new Teams.
This phased approach lets Priya identify issues early before affecting 3,000 users.
Auto-labeling — two approaches
Auto-labeling removes the dependency on users to classify correctly. There are two distinct methods:
| Feature | Client-side Auto-Labeling | Service-side Auto-Labeling |
|---|---|---|
| Where it runs | In Office apps on the user's device (Word, Excel, Outlook) | In the Microsoft 365 service (SharePoint, OneDrive, Exchange) |
| When it triggers | In real time as the user edits | Asynchronously — scans content at rest |
| Configured in | The sensitivity label definition itself | A separate auto-labeling policy in Purview |
| Can recommend? | Yes — can show 'We recommend labeling this as Confidential' | No — applies the label directly (no user interaction) |
| Can auto-apply? | Yes — if set to auto-apply instead of recommend | Yes — always auto-applies |
| Scope | New and edited content only (as the user works) | Existing content at rest (retroactive) + new content |
| Best for | Real-time guidance during document creation | Classifying large volumes of existing content |
Service-side auto-labeling policies
Service-side policies are created separately from the label itself, in the Microsoft Purview portal → Information protection → Auto-labeling:
| Step | What You Configure |
|---|---|
| 1. Name and describe | Policy name and admin description |
| 2. Choose locations | SharePoint sites, OneDrive accounts, Exchange mailboxes |
| 3. Set conditions | Which SITs trigger the label (e.g., credit card numbers with high confidence) |
| 4. Choose the label | Which sensitivity label to apply |
| 5. Simulation mode | Test the policy first — see what WOULD be labelled without actually labeling |
| 6. Turn on | Switch from simulation to enforcement when satisfied with results |
Exam tip: simulation mode is critical
Auto-labeling policies always start in simulation mode. This shows you exactly which items would be labelled — without actually applying labels. You MUST review simulation results and explicitly turn on the policy for it to take effect.
The exam frequently tests this. If a question says “an admin configured an auto-labeling policy but no labels are being applied,” the answer is often: the policy is still in simulation mode.
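The same create-in-simulation, review, then turn-on sequence can be driven from Security & Compliance PowerShell. The following is an added example, not part of the original page or Microsoft's own sample; the policy name and site URL are placeholders, the label is assumed to exist already, and the policy is narrowed to a single SharePoint site so one rule covers it.

```powershell
# Added example. Requires the ExchangeOnlineManagement module.
Connect-IPPSSession

$policyName = 'Auto-label credit cards (pilot)'                # hypothetical name
$siteUrl    = 'https://contoso.sharepoint.com/sites/finance'   # placeholder URL
$labelName  = 'Confidential'                                   # an existing sensitivity label

# Steps 1-5: name, location, label, and simulation mode.
# TestWithoutNotifications is the simulation mode: matches are reported, nothing is labelled.
New-AutoSensitivityLabelPolicy -Name $policyName `
    -Comment 'Simulation only; review results before enabling' `
    -SharePointLocation $siteUrl `
    -ApplySensitivityLabel $labelName `
    -Mode TestWithoutNotifications

# Step 3: the condition. Confidence is left at the rule default here (assumption);
# tune it in the portal if simulation shows too many false positives.
New-AutoSensitivityLabelRule -Name "$policyName - rule" `
    -Policy $policyName `
    -Workload SharePoint `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' }

# Audit check: any policy listed here is NOT applying labels yet.
$notEnforcing = Get-AutoSensitivityLabelPolicy |
    Where-Object { $_.Mode -ne 'Enable' }
$notEnforcing | Select-Object Name, Mode | Format-Table -AutoSize

# Step 6: run only after the simulation results have been reviewed.
# Set-AutoSensitivityLabelPolicy -Identity $policyName -Mode Enable
```

Running the audit check on a schedule is a quick way to catch policies that were configured and then forgotten in simulation.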
Labels for containers
Container labels protect the environments where data lives:
What container labels control
| Setting | What It Does |
|---|---|
| Privacy | Public, Private, or default — controls who can discover and join |
| External user access | Allow or block guest access to the Team/Group |
| External sharing from SharePoint | Control sharing: anyone, new/existing guests, only internal, or no sharing |
| Access from unmanaged devices | Full, limited (web-only), or block |
| Authentication context | Require Conditional Access — e.g., MFA before accessing |
Where container labels apply
| Container | Supported? |
|---|---|
| Microsoft Teams | Yes — applied when creating or updating a Team |
| Microsoft 365 Groups | Yes — applied to the underlying Group |
| SharePoint sites | Yes — applied to team sites and communication sites |
| Microsoft Power BI | Yes — applied to workspaces |
Enabling container labels
Container labels require additional prerequisites beyond item labels:
- Enable sensitivity labels for containers in the Microsoft Purview portal
- Azure AD (Entra ID) group settings must be configured via PowerShell: set EnableMIPLabels = True in the directory settings template
- After enabling, it can take up to 24 hours to propagate
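One way to set EnableMIPLabels with the Microsoft Graph PowerShell SDK, as an added example that is not from the original page. It assumes the Microsoft.Graph.Beta module is installed and the admin can consent to Directory.ReadWrite.All. Because an update replaces the whole values collection, the script reads the current values and sends them all back with only EnableMIPLabels changed.

```powershell
# Added example: preserves existing Group.Unified values while enabling container labels.
Connect-MgGraph -Scopes 'Directory.ReadWrite.All'

# A tenant has at most one settings object created from the Group.Unified template.
$setting = Get-MgBetaDirectorySetting -All |
    Where-Object { $_.DisplayName -eq 'Group.Unified' }

if ($setting) {
    # Start from what is configured today so nothing else is reset.
    $current = $setting.Values | ForEach-Object { @{ Name = $_.Name; Value = $_.Value } }
} else {
    # No settings object yet: start from the template defaults.
    $template = Get-MgBetaDirectorySettingTemplate |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }
    $current = $template.Values | ForEach-Object { @{ Name = $_.Name; Value = $_.DefaultValue } }
}

# Change only EnableMIPLabels; every other value passes through untouched.
$values = foreach ($v in $current) {
    if ($v.Name -eq 'EnableMIPLabels') { @{ Name = $v.Name; Value = 'True' } } else { $v }
}

if ($setting) {
    Update-MgBetaDirectorySetting -DirectorySettingId $setting.Id `
        -BodyParameter @{ Values = @($values) }
    $settingId = $setting.Id
} else {
    $created = New-MgBetaDirectorySetting `
        -BodyParameter @{ TemplateId = $template.Id; Values = @($values) }
    $settingId = $created.Id
}

# Verify the stored value rather than trusting the write.
(Get-MgBetaDirectorySetting -DirectorySettingId $settingId).Values |
    Where-Object { $_.Name -eq 'EnableMIPLabels' }
```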
Labels via Defender for Cloud Apps
Microsoft Defender for Cloud Apps extends sensitivity labels to third-party cloud applications and provides additional governance actions:
| Capability | What It Does |
|---|---|
| Apply labels to third-party files | Label documents in Box, Dropbox, Google Workspace |
| File policy + label action | Automatically apply a label when a file policy condition matches |
| Monitor label activity | See who changed or removed labels in cloud apps |
| Alert on label changes | Trigger alerts when high-priority labels are downgraded |
Scenario: Marcus extends labels to NovaTech's cloud apps
NovaTech uses Microsoft 365 plus Google Drive for some client projects. Marcus wants sensitivity labels to protect files in both environments.
He connects Google Drive to Defender for Cloud Apps, creates a file policy that detects unprotected documents containing source code (using the pre-trained classifier), and configures the action: automatically apply the “Confidential — NovaTech IP” sensitivity label.
Now, even files in Google Drive get NovaTech’s labeling and appear in Activity Explorer alongside M365 content.
Priya at Meridian Financial enabled mandatory labeling in the label policy. An analyst creates a new Excel spreadsheet but tries to save it without choosing a label. What happens?
Dr. Liam at St. Harbour Health configured a service-side auto-labeling policy to label documents containing patient health identifiers as 'Patient Data — Confidential'. After a week, he checks and finds that only 200 of an estimated 50,000 matching documents have been labelled. What is the MOST likely cause?