SC-401 Sensitivity Labels | Microsoft Purview | JavaInUse

SC-401 - Sensitivity Labels

Sensitivity Labels Overview

Sensitivity labels in Microsoft Purview mark and protect content based on its classification. Labels are created once and travel with the content - protecting documents in SharePoint, email in Exchange, Teams conversations, and even third-party apps via Defender for Cloud Apps.

The sensitivity label lifecycle:

  1. Create - define the label name, description, and protection settings in Purview
  2. Publish - deploy via a label policy to specific users/groups or all users
  3. Apply - users apply manually, auto-labeling applies automatically, or a default label applies on creation
  4. Enforce - the label's protection settings (encryption, watermarks, DLP rules) are enforced

Sensitivity labels require an Azure Information Protection (AIP) plan, which is included in Microsoft 365 E3/E5 and Microsoft 365 Business Premium. The label metadata is stored in the file itself (for Office documents and PDFs) or in the email headers, so protection travels with the content outside Microsoft 365.

Creating Labels and Label Policies

Label Order and Hierarchy

Labels can be organized with parent labels and sub-labels. The label order in the Purview admin UI matters for user experience (labels are displayed in order) and for downgrade justification logic.

Concept      | Description
Parent label | Top-level label (e.g., "Confidential"). Can have its own protection settings or be a grouping header only.
Sub-label    | Inherits the parent label name as a prefix. When sub-labels exist, users choose a sub-label, not the parent label.
Label order  | Higher position in the list = lower sensitivity. The label policy's "require justification to downgrade" check uses this order to decide what counts as a downgrade.

Label Policies

A label policy deploys labels to users and sets behavioral rules:

Policy Setting                    | Description
Default label                     | Automatically applies this label to unlabeled documents or emails when a user creates them
Require justification to downgrade | Forces users to enter a reason when changing to a lower-sensitivity label
Require labeling                  | Users must apply a label before saving or sending - content cannot be left unlabeled
Label bar visibility              | Show or hide the sensitivity bar in Office apps
Scope                             | Target specific users, groups, or all users

Users get the union of all label policies assigned to them. If two policies publish different labels, the user sees all those labels. If two policies have conflicting default label settings, the policy with the higher priority wins.
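The create-and-publish steps above as Security & Compliance PowerShell, added here as an example rather than taken from the original page. It assumes the ExchangeOnlineManagement module, constructed label and policy names, and that the Settings keys mandatory, requiredowngradejustification and defaultlabelid are the documented label policy setting names.

```powershell
# Added example (not from the original page): create a parent label with two
# sub-labels, then publish them with a label policy that sets a default label,
# requires labeling and requires justification to downgrade.
# Assumptions: ExchangeOnlineManagement module installed; names are constructed;
# Settings hash keys match the documented label policy setting names.
Connect-IPPSSession

# Parent label: a grouping header only, no protection settings of its own.
New-Label -Name "Confidential" -DisplayName "Confidential" `
    -Tooltip "Business data that would cause harm if disclosed" | Out-Null

# Sub-labels: ParentId ties them to the parent; users pick one of these, not
# the parent, once sub-labels exist.
New-Label -Name "Confidential-Internal" -DisplayName "Internal" `
    -ParentId "Confidential" -Tooltip "Internal staff only" | Out-Null
New-Label -Name "Confidential-Partner" -DisplayName "Partner" `
    -ParentId "Confidential" -Tooltip "Approved external partners" | Out-Null

# The default label is referenced by GUID in the policy settings.
$internalGuid = (Get-Label -Identity "Confidential-Internal").Guid.ToString()

# Label policy: scope is all users (ExchangeLocation All). Setting values are
# strings; the keys are assumed to match the documented setting names.
$policy = @{
    Name             = "Confidential policy"
    Labels           = "Confidential", "Confidential-Internal", "Confidential-Partner"
    ExchangeLocation = "All"
    Settings         = @{
        mandatory                     = "true"        # Require labeling
        requiredowngradejustification = "true"        # Require justification to downgrade
        defaultlabelid                = $internalGuid # Default label for new content
    }
}
New-LabelPolicy @policy | Out-Null

# Verify which labels were published and which settings the policy carries.
Get-LabelPolicy -Identity "Confidential policy" | Select-Object Name, Labels, Settings
```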

Label Protections and Settings

Each sensitivity label can configure one or more protection actions:

Encryption

Apply Azure Rights Management (Azure RMS) encryption directly through the label:

  • Assign permissions now - define who can access labeled content and with what rights (view, edit, print, copy, etc.) at label creation time
  • Let users assign permissions - users choose recipients and rights when applying the label (Do Not Forward or Encrypt-Only)
  • Configure expiration - set a date after which decryption is no longer possible
  • Offline access - control how long encrypted content can be opened without contacting the RMS service

When a label applies encryption, only authorized users with appropriate Azure AD credentials can decrypt the content. External users can be authorized if they have a Microsoft account or Azure AD identity. For fully external recipients without Microsoft accounts, use Microsoft Purview Message Encryption (OME) workflows instead.
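The four encryption options above configured on a label through PowerShell, added as an example that is not part of the original page. Addresses and label names are constructed, and the Encryption* parameter names and the "identity:RIGHTS;identity:RIGHTS" rights format are assumed from the Set-Label documentation.

```powershell
# Added example (not from the original page): apply Azure RMS encryption to an
# existing sub-label with permissions assigned now, a content expiry and an
# offline access limit; then a second label that lets users assign permissions.
# Assumptions: constructed addresses and label names; Encryption* parameter
# names and the rights-definition string format as documented for Set-Label.
Connect-IPPSSession

# Rights definitions: "identity:RIGHT,RIGHT;identity2:RIGHT". An identity can be a
# user, a group mailbox or a whole domain (external users then need a Microsoft
# or Azure AD identity). VIEW/EDIT/PRINT/EXTRACT are the view, edit, print and
# copy rights named above.
$rights = "finance@contoso.example:VIEW,EDIT,PRINT,EXTRACT;" +
          "auditors@contoso.example:VIEW;" +
          "partner.example:VIEW"

$assignNow = @{
    Identity                                    = "Confidential-Internal"
    EncryptionEnabled                           = $true
    EncryptionProtectionType                    = "Template"  # "Assign permissions now"
    EncryptionRightsDefinitions                 = $rights
    EncryptionContentExpiredOnDateInDaysOrNever = "90"        # decryption impossible after 90 days
    EncryptionOfflineAccessDays                 = 7           # re-contact RMS after 7 days offline
}
Set-Label @assignNow

# "Let users assign permissions": the label offers Do Not Forward in Outlook
# instead of a fixed rights template.
$userDefined = @{
    Identity                 = "Confidential-Partner"
    EncryptionEnabled        = $true
    EncryptionProtectionType = "UserDefined"
    EncryptionDoNotForward   = $true
}
Set-Label @userDefined

# Verify what each label now carries.
"Confidential-Internal", "Confidential-Partner" |
    ForEach-Object { Get-Label -Identity $_ } |
    Select-Object DisplayName, EncryptionEnabled, EncryptionProtectionType,
                  EncryptionOfflineAccessDays, EncryptionContentExpiredOnDateInDaysOrNever
```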

Content Marking

Marking Type | Where Applied
Header       | Text inserted above content (Office documents, emails)
Footer       | Text inserted below content (Office documents, emails)
Watermark    | Diagonal text overlay on Word documents and PowerPoint slides (not Excel or email)

Auto-marking vs Manual marking

Content marking configured in the label settings is applied immediately when the label is applied. Markings can also use dynamic variables that are resolved when the marking is inserted.

Auto-Labeling

Auto-labeling applies sensitivity labels automatically without user intervention. There are two distinct auto-labeling mechanisms in Purview:

Mechanism                 | Where Configured                         | When Applied                                                                                    | Scope
Client-side auto-labeling | Label policy settings (Office apps)     | While the user is editing a document in Office apps - shows a recommendation or applies automatically | Documents being edited in Word, Excel, PowerPoint, Outlook
Service-side auto-labeling | Separate auto-labeling policy in Purview | Applied by the service to existing and new content at rest, even without user interaction       | SharePoint Online, OneDrive, Exchange Online (email in transit and at rest)

Service-Side Auto-Labeling Policy

  1. Create a new auto-labeling policy in Purview (Information Protection - Auto-labeling)
  2. Define conditions: SITs, trainable classifiers, or both
  3. Choose locations (Exchange, SharePoint, OneDrive)
  4. Run in simulation mode first to see what would be labeled without actually labeling
  5. Review simulation results and enable the policy to start labeling

Service-side auto-labeling runs in simulation mode by default. Always review simulation results before enabling to avoid unexpected bulk labeling. Auto-labeling policies can label millions of files - for Exchange, they apply to email in transit; for SharePoint/OneDrive, they crawl existing content and apply labels retroactively.
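The five-step procedure above as Security & Compliance PowerShell, added as an example that is not from the original page. Policy, rule and label names are constructed; the cmdlet and parameter names (including the TestWithoutNotifications simulation mode and OverwriteLabel) are assumed from the New-AutoSensitivityLabelPolicy and New-AutoSensitivityLabelRule documentation.

```powershell
# Added example (not from the original page): create a service-side
# auto-labeling policy in simulation mode, review, then enable it.
# Assumptions: constructed names; cmdlet/parameter names as documented for
# New-AutoSensitivityLabelPolicy, New-AutoSensitivityLabelRule and
# Set-AutoSensitivityLabelPolicy.
Connect-IPPSSession

# Steps 1 and 3: the policy names the label to apply and the locations.
# TestWithoutNotifications is simulation mode: matches are recorded, nothing
# is labeled. OverwriteLabel $false means an existing manual label is never
# replaced, which is the safe default for a first rollout.
$policy = @{
    Name                  = "Auto-label credit cards"
    ApplySensitivityLabel = "Confidential-Internal"
    SharePointLocation    = "All"
    OneDriveLocation      = "All"
    ExchangeLocation      = "All"
    Mode                  = "TestWithoutNotifications"
    OverwriteLabel        = $false
}
New-AutoSensitivityLabelPolicy @policy | Out-Null

# Step 2: the condition. A built-in SIT with a minimum instance count; two
# hits reduces single-number false positives in large crawls.
$rule = @{
    Policy                              = "Auto-label credit cards"
    Name                                = "Credit card rule"
    ContentContainsSensitiveInformation = @{ Name = "Credit Card Number"; minCount = "2" }
    Workload                            = "SharePoint", "OneDrive", "Exchange"
}
New-AutoSensitivityLabelRule @rule | Out-Null

# Step 4: confirm the policy is in simulation, not enforcement. The matched
# items themselves are reviewed in the Purview portal simulation results.
Get-AutoSensitivityLabelPolicy -Identity "Auto-label credit cards" |
    Select-Object Name, Mode, ApplySensitivityLabel, OverwriteLabel

# Step 5: only after the simulation results have been reviewed, switch the
# same policy to enforcement. Run this as a separate, deliberate step.
# Set-AutoSensitivityLabelPolicy -Identity "Auto-label credit cards" -Mode Enable
```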

Priority Rules When Multiple Labels Apply

If a document already has a label, auto-labeling only replaces it if the auto-labeling policy is configured to override existing labels, AND the new label is higher sensitivity. Lower-sensitivity auto-labels will not downgrade an existing manual label.

Container Labels

Container labels apply sensitivity to Microsoft 365 Groups, SharePoint sites, and Teams - controlling the container's privacy, external access, and unmanaged device access settings rather than encrypting individual files.

Setting                       | Options                                                        | Effect
Privacy                       | Public, Private, None                                          | Sets whether the Microsoft 365 Group (Team) is public or private
External user access          | Allow/prevent guests                                           | Controls whether external guests can be added to the Group/Team
External sharing (SharePoint) | Anyone, Existing guests, New/existing guests, Only org members | Sets the SharePoint site's external sharing level
Unmanaged device access       | Full access, Web-only, Block access                            | Controls SharePoint/OneDrive access from non-Intune-enrolled devices via Conditional Access

Container label settings require Azure AD Premium P1 (for Conditional Access integration with unmanaged device control) and SharePoint/Teams admin enablement of sensitivity label support (Set-SPOTenant -EnableAIPIntegration $true). Container labels protect the container but do not encrypt the files inside - file-level labels are separate and can be configured independently.
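The four container settings from the table configured on a label, plus the tenant enablement the paragraph names, as an added example rather than code from the original page. The SiteAndGroup* parameter names and the Execute-AzureAdLabelSync cmdlet are assumed from the Set-Label documentation; the admin URL and label name are constructed.

```powershell
# Added example (not from the original page): make an existing label a container
# label and enable tenant support for container labels.
# Assumptions: SiteAndGroup* parameter names and Execute-AzureAdLabelSync as
# documented for Security & Compliance PowerShell; URL and names constructed.
Connect-IPPSSession

$container = @{
    Identity                                      = "Confidential-Internal"
    SiteAndGroupProtectionEnabled                 = $true
    # Privacy: the Group/Team is private.
    SiteAndGroupProtectionPrivacy                 = "Private"
    # External user access: prevent guests from being added.
    SiteAndGroupProtectionAllowAccessToGuestUsers = $false
    # External sharing (SharePoint): existing guests only.
    SiteAndGroupExternalSharingSetting            = "ExistingExternalUserSharingOnly"
    # Unmanaged device access: web-only (enforced through Conditional Access,
    # which needs Azure AD Premium P1 as noted above).
    SiteAndGroupProtectionAllowLimitedAccess      = $true
}
Set-Label @container

# Push label definitions to Azure AD so Groups and Teams can be labeled.
Execute-AzureAdLabelSync

# Tenant-level enablement from SharePoint Online PowerShell (the switch named
# in the paragraph above). Connect-SPOService needs the SharePoint admin URL.
Connect-SPOService -Url "https://contoso-admin.sharepoint.example"
Set-SPOTenant -EnableAIPIntegration $true

# Confirm the container settings stuck. Files inside the site remain
# unencrypted unless a file-level label with encryption is applied separately.
Get-Label -Identity "Confidential-Internal" |
    Select-Object DisplayName, SiteAndGroupProtectionEnabled, SiteAndGroupProtectionPrivacy,
                  SiteAndGroupProtectionAllowAccessToGuestUsers, SiteAndGroupExternalSharingSetting
```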

Defender for Cloud Apps Integration

Microsoft Defender for Cloud Apps (MDCA) extends Purview sensitivity label protection to third-party cloud apps (Salesforce, Box, Google Workspace, etc.) and provides session-level controls.

Key Integration Capabilities

Capability             | Description
File scan and labeling | MDCA can scan files in connected cloud apps and apply Purview sensitivity labels or trigger DLP alerts
Session controls       | Block download of labeled files from sanctioned apps via Conditional Access App Control (requires Azure AD Premium P1)
Alert policies         | Create alerts when high-sensitivity labeled files are shared publicly or downloaded in bulk
Governance actions     | Auto-quarantine, change sharing permissions, or remove external collaborators on files with specific sensitivity labels

Conditional Access App Control

When a user accesses a sanctioned app (e.g., Salesforce) through Azure AD Conditional Access, MDCA can proxy the session and enforce real-time controls:

  • Block download of files labeled "Highly Confidential"
  • Block upload of files containing sensitive information types
  • Require step-up authentication before accessing sensitive labeled content
  • Monitor and log all file access and sharing activities

Defender for Cloud Apps file scanning for sensitivity labels requires that the relevant cloud apps (Box, Salesforce, etc.) are connected via the MDCA API connector. Session controls require routing through the MDCA proxy via Conditional Access policies. Both capabilities require an MDCA or Microsoft 365 E5 Security license.
