Get started with sensitivity labels

Microsoft 365 licensing guidance for security & compliance.

For information about what sensitivity labels are and how they can help you protect your organization's data, see Learn about sensitivity labels.

If you have Azure Information Protection and are still using Azure Information Protection labels that were managed from the Azure portal, you must migrate these labels to the unified labeling platform. We then recommend you disable the AIP add-in for Office apps, to benefit from the newer, built-in labeling experience. For more information, see Migrate the Azure Information Protection (AIP) add-in to built-in labeling for Office apps.

When you're ready to start protecting your organization's data by using sensitivity labels:

  1. Create the labels. Create and name your sensitivity labels according to your organization's classification taxonomy for different sensitivity levels of content. Use common names or terms that make sense to your users. If you don't already have an established taxonomy, consider starting with label names such as Personal, Public, General, Confidential, and Highly Confidential. You can then use sublabels to group similar labels by category. When you create a label, use the tooltip text to help users select the appropriate label.

    For more extensive guidance for defining a classification taxonomy, download the white paper, "Data Classification & Sensitivity Label Taxonomy" from the Service Trust Portal.

  2. Define what each label can do. Configure the protection settings you want associated with each label. For example, you might want lower sensitivity content (such as a "General" label) to have just a header or footer applied, while higher sensitivity content (such as a "Confidential" label) should have a watermark and encryption.

  3. Publish the labels. After your sensitivity labels are configured, publish them by using a label policy. Decide which users and groups should have the labels and what policy settings to use. A single label is reusable—you define it once, and then you can include it in several label policies assigned to different users. So for example, you could pilot your sensitivity labels by assigning a label policy to just a few users. Then when you're ready to roll out the labels across your organization, you can create a new label policy for your labels and this time, specify all users.

Tip

You might be eligible for the automatic creation of default labels and a default label policy that takes care of steps 1-3 for you. For more information, see Default labels and policies for Microsoft Purview Information Protection.

The basic flow for deploying and applying sensitivity labels:

Diagram showing workflow for sensitivity labels.

Tip

If you're not an E5 customer, you can try all the premium features in Microsoft Purview for free. Use the 90-day Purview solutions trial to explore how robust Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Subscription and licensing requirements for sensitivity labels

A number of different subscriptions support sensitivity labels and the licensing requirements for users depend on the features you use.

To see the options for licensing your users to benefit from Microsoft Purview features, see the Microsoft 365 licensing guidance for security & compliance. For sensitivity labels, see the Microsoft Purview Information Protection: Sensitivity labeling section and related PDF download for feature-level licensing requirements.

Permissions required to create and manage sensitivity labels

Members of your compliance team who will create sensitivity labels need permissions to the Microsoft Purview compliance portal.

By default, global administrators for your tenant have access to this admin center and can give compliance officers and other people access, without giving them all of the permissions of a tenant admin. For this limited admin access, you can use the following role groups:

  • Information Protection
  • Information Protection Admins
  • Information Protection Analysts
  • Information Protection Investigators
  • Information Protection Readers

For an explanation of each one, and the roles that they contain, select a role group in the Microsoft Purview compliance portal > Permissions & roles > Compliance center > Roles, and then review the description in the flyout pane. Or, see Role groups in the Defender and compliance portals.

Alternatively to using the default roles, you can create a new role group and add the Sensitivity Label Administrator role to this group. For a read-only role, use Sensitivity Label Reader.

Another option is to add users to the Compliance Data Administrator, Compliance Administrator, or Security Administrator role group.

For instructions to add users to the default role group, roles, or create your own role groups, see Permissions in the Microsoft Purview compliance portal.

These permissions are required only to create and configure sensitivity labels and their label policies. They are not required to apply the labels in apps or services. If additional permissions are needed for specific configurations that relate to sensitivity labels, those permissions will be listed in their respective documentation instructions.

Deployment strategy for sensitivity labels

A successful strategy to deploy sensitivity labels for an organization is to create a working virtual team that identifies and manages the business and technical requirements, proof of concept testing, internal checkpoints and approvals, and final deployment for the production environment.

Using the table in the next section, we recommend identifying your top one or two scenarios that map to your most impactful business requirements. After these scenarios are deployed, return to the list to identify the next one or two priorities for deployment.

Common scenarios for sensitivity labels

All scenarios require you to Create and configure sensitivity labels and their policies.

I want to ... Documentation
Manage sensitivity labels for Office apps so that content is labeled as it's created—includes support for manual labeling on all platforms Manage sensitivity labels in Office apps
Extend labeling to File Explorer and PowerShell, with additional features for Office apps on Windows (if needed) Azure Information Protection unified labeling client for Windows
Encrypt documents and emails with sensitivity labels and restrict who can access that content and how it can be used Restrict access to content by using sensitivity labels to apply encryption
Protect Teams meetings, from meeting invites and responses, to protecting the meeting itself and related chat Use sensitivity labels to protect calendar items, Teams meetings and chat
Enable sensitivity labels for Office on the web, with support for coauthoring, eDiscovery, data loss prevention, search—even when documents are encrypted Enable sensitivity labels for Office files in SharePoint and OneDrive
Files in SharePoint to be automatically labeled with a default sensitivity label Configure a default sensitivity label for a SharePoint document library
Use co-authoring and AutoSave in Office desktop apps when documents are encrypted Enable co-authoring for files encrypted with sensitivity labels
Automatically apply sensitivity labels to documents and emails Apply a sensitivity label to content automatically
Use sensitivity labels to protect content in Teams and SharePoint Use sensitivity labels with Microsoft Teams, Microsoft 365 groups, and SharePoint sites
Use sensitivity labels to configure the default sharing link type for sites and individual documents in SharePoint and OneDrive Use sensitivity labels to set the default sharing link for sites and documents in SharePoint and OneDrive
Apply a sensitivity label to a document understanding model, so that identified documents in a SharePoint library are automatically classified and protected Apply a sensitivity label to a model in Microsoft SharePoint Syntex
Prevent or warn users about sharing files or emails with a specific sensitivity label Use sensitivity labels as conditions in DLP policies
Apply a sensitivity label to a file when I receive an alert that content containing personal data is being shared and needs protection Investigate and remediate alerts in Privacy Risk Management
Apply a retention label to retain or delete files or emails that have a specific sensitivity label Automatically apply a retention label to retain or delete content
Discover, label, and protect files stored in data stores that are on premises Deploying the information protection scanner to automatically classify and protect files
Discover, label, and protect files stored in data stores that are in the cloud Discover, classify, label, and protect regulated and sensitive data stored in the cloud
Label SQL database columns by using the same sensitivity labels as those used for files and emails so that the organization has a unified labeling solution that can continue to protect this structured data when it's exported Data Discovery & Classification for Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics

SQL Data Discovery and Classification for SQL Server on-premises
Apply and view labels in Power BI, and protect data when it's saved outside the service Sensitivity labels in Power BI
Monitor and understand how sensitivity labels are being used in my organization Learn about data classification
Extend sensitivity labels to third-party apps and services Microsoft Information Protection SDK
Extend sensitivity labels across content in my Microsoft Purview Data Map assets, such as Azure Blob Storage, Azure Files, Azure Data Lake Storage, and multi-cloud data sources Labeling in Microsoft Purview Data Map

End-user documentation for sensitivity labels

The most effective end-user documentation will be customized guidance and instructions you provide for the label names and configurations you choose. You can use the label policy setting Provide users with a link to a custom help page to specify an internal link for this documentation. Users can then easily access it from the Sensitivity button:

  • For built-in labeling: Learn More menu option.
  • For the Azure Information Protection unified labeling client: Help and Feedback menu option > Tell Me More link in the Microsoft Azure Information Protection dialog box.

To help you provide your customized documentation, see the following page and downloads that you can use to help train your users: End User Training for Sensitivity Labels.

You can also use the following resources for basic instructions:

If your sensitivity labels apply encryption for PDF documents, these documents can be opened with Microsoft Edge on Windows or Mac. For more information, and alternative readers, see Which PDF readers are supported for protected PDFs?