Eligible customers can activate default labels and policies for Microsoft Purview Information Protection:
Sensitivity labels and a sensitivity label policy
Client-side auto-labeling
Service-side auto-labeling
Data loss prevention (DLP) policies for Teams and devices
These default configurations help you get up and running quickly with Microsoft Purview Information Protection for Microsoft 365. You can use them as-is, make just a few changes, or fully customize them to better suit your business requirements.
New customers: If you've had Microsoft Purview for less than 30 days, your tenant can activate all the listed default configurations. You can always disable, remove, or edit them.
Existing customers: If you've had Microsoft Purview for more than 30 days, you can activate the default configurations if you haven't yet configured an equivalent:
Default configuration | Equivalent
Sensitivity labels and a sensitivity label policy | Published sensitivity labels
Client-side auto-labeling | One or more sensitivity labels configured to automatically apply (or recommend to users) in Office apps
Service-side auto-labeling | At least one auto-labeling policy that's turned on
DLP for Teams | At least one DLP policy for Teams
DLP for devices | At least one DLP policy for devices
Tip
If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview trials hub. Learn details about signing up and trial terms.
Activate the default labels and policies
To get these preconfigured labels and policies, open Data Security Posture Management for AI and, from Recommendations, select Information Protection Policy for Sensitivity Labels.
Or, you might be able to activate them from the Microsoft Purview compliance portal:
Note
The Microsoft Purview compliance portal is being retired and the equivalent capability isn't yet available in the new Microsoft Purview portal.
If you're eligible for the Microsoft Purview Information Protection default labels and policies, you'll see the following information, where you can activate the default labels and policies. For example:
If you don't see this information displayed with the activation option, you're not currently eligible for the automatic creation of sensitivity labels and policies from this location. You can try checking back later to see if this status has changed. You can also use the settings information that follows to manually create the same labels and policies.
Next, enable sensitivity labels for SharePoint and OneDrive. This step is a prerequisite to use sensitivity labels in Office for the web, and auto-labeling policies for SharePoint and OneDrive.
Use the following banner at the top of the Information Protection > Overview page, and select Turn on now. If you don't see this banner, sensitivity labels for SharePoint and OneDrive have already been enabled for your tenant.
When you don't have sensitivity labels that are published, we'll create the following labels for you:
Label name
Label description for users
Settings
Personal
Non-business data, for personal use only.
Scope: Files & other data assets, Emails, Meetings*
Content marking: No
Auto-labeling: No
Group settings: No
Site settings: No
Auto-labeling for database columns: None
Public
Business data that is specifically prepared and approved for public consumption.
Scope: Files & other data assets, Emails, Meetings*
Content marking: No
Auto-labeling: No
Group settings: No
Site settings: No
Auto-labeling for database columns: None
General
Business data that is not intended for public consumption. However, this can be shared with external partners, as required. Examples include a company internal telephone directory, organizational charts, internal standards, and most internal communication.
Scope: Files & other data assets, Emails
Content marking: No
Auto-labeling: No
Group settings: No
Site settings: No
Auto-labeling for database columns: None
General \ Anyone (unrestricted)
Organization data that isn’t intended for public consumption but can be shared with external partners if appropriate. Examples include customer conversations that don’t include sensitive info or released marketing materials.
Scope: Files & other data assets, Emails, Meetings*
Content marking: No
Auto-labeling: No
Group settings: No
Site settings: No
Auto-labeling for database columns: None
General \ All Employees (unrestricted)
Organization data that isn’t intended for public consumption. If you need to share this content with external partners, confirm with other data owners that it's OK to share and then change the label to General \ Anyone (unrestricted). Examples include a company internal telephone directory, organizational charts, internal standards, and most internal communication.
Scope: Files & other data assets, Emails, Meetings*
Content marking: No
Auto-labeling: No
Group settings: No
Site settings: No
Auto-labeling for database columns: None
Confidential
Sensitive business data that could cause damage to the business if shared with unauthorized people. Examples include contracts, security reports, forecast summaries, and sales account data.
Scope: Files & other data assets, Emails
Content marking: No
Auto-labeling: No
Group settings: No
Site settings: No
Auto-labeling for database columns: None
Confidential \ Anyone (unrestricted)
Confidential data that doesn’t need to be encrypted. Use this option with care and appropriate business justification.
Scope: Files & other data assets, Emails, Meetings*
Encryption: All users and groups in the org: Co-Author
Content marking: Footer: Classified as Confidential
Auto-labeling: Recommend that users apply the label
Group settings: No
Site settings: No
Auto-labeling for database columns: None
Confidential \ Trusted People
Confidential data that can be shared with trusted people inside and outside your organization. These people can also reshare the data as needed.
Scope: Files & other data assets, Emails, Meetings*
Encryption: Let users assign permissions: Encrypt-Only for Outlook; prompt users in Word, PowerPoint, and Excel
Content marking: Footer: Classified as Confidential
Auto-labeling: No
Group settings: No
Site settings: No
Auto-labeling for database columns: None
Highly Confidential
Very sensitive business data that would cause damage to the business if it was shared with unauthorized people. Examples include employee and customer information, passwords, source code, and pre-announced financial reports.
Scope: Files & other data assets, Emails
Content marking: Watermark: HIGHLY CONFIDENTIAL
Auto-labeling: No
Group settings: No
Site settings: No
Auto-labeling for database columns: None
Highly Confidential \ All Employees
Highly confidential data that gives all employees view, edit, and reply permissions to this content. Data owners can track and revoke content.
Scope: Files & other data assets, Emails, Meetings*
Encryption: All users and groups in the org: Co-Author
Content marking: Footer: Classified as Highly Confidential
Auto-labeling: No
Group settings: No
Site settings: No
Auto-labeling for database columns: None
Highly Confidential \ Specific People
Highly confidential data that requires protection and can be viewed only by people you specify and with the permission level you choose.
Scope: Files & other data assets, Emails, Meetings*
Encryption: Let users assign permissions: Do Not Forward for Outlook; prompt users in Word, PowerPoint, and Excel
Content marking: Footer: Classified as Highly Confidential
The sensitivity label policy includes a default Teams meeting label.
If the tenant has licenses to manually apply the label to Teams meetings, some of the sensitivity labels also have settings configured to protect these meetings.
Note
The label names and descriptions are automatically available for the following locales: US English, Chinese Simplified and Traditional, French, German, Italian, Japanese, Korean, Portuguese Brazilian, Russian, and Spanish.
If you need additional languages, you can specify your translations by using PowerShell.
For more information about these configuration settings and what sensitivity labels can do, see What sensitivity labels can do.
The default sensitivity label policy makes the labels available for users to start labeling their documents and emails with sensitivity labels. It has the following configuration:
Publish the default labels to all users in your tenant
Default label of General \ All Employees (unrestricted) for unlabeled documents, email, and meetings
Users must provide a justification to remove a label or lower its classification
For more information about these policy settings, and other policy settings that are available, see What label policies can do.
When you use these labels in Office apps on Windows, macOS, iOS, and Android, users see new labels within four hours, and within one hour for Word, Excel, and PowerPoint on the web when you refresh the browser. However, you might need to allow up to 24 hours for changes to replicate to all apps and services.
Client-side auto-labeling
The default client-side auto-labeling configuration automatically recommends that users apply a sensitivity label when we detect credit card numbers in documents or emails they’re working with. Because the label is recommended rather than automatically applied, this configuration is a good first step for highlighting concerning content, and it introduces users to the practice of labeling their documents and emails.
Client-side auto-labeling only works for documents and emails in use by the Office apps Word, Excel, PowerPoint, and Outlook.
The default client-side auto-labeling has the following configuration:
If there are 1-9 instances of credit card numbers found in a document or email, recommend the user applies the sensitivity label Confidential \ Anyone (unrestricted)
If there are 10 or more instances of credit card numbers found in a document or email, recommend the user applies the sensitivity label Confidential \ All Employees
Note
If we detect that you have your own sensitivity labels published, we'll prompt you to select one of your own labels for auto-labeling and configure it for you.
Service-side auto-labeling helps label sensitive documents at rest, and emails in transit. The default service-side auto-labeling policy creates policies that run in simulation mode for documents stored in all SharePoint or OneDrive sites, and all emails that are sent via Exchange Online.
In simulation mode, items aren't actually labeled until the policy is turned on. You can manually turn on the policy. Alternatively, if you don't change the default setting, the policy will be automatically turned on for you if there aren't any changes to the policy within a set number of days from when the simulation completes.
In most cases, the number of days before an unedited policy is automatically turned on is 7. However, specific to new customers from June 23, 2022, the initial number of days is 25, and then 7 after the policy is edited.
Simulation mode allows you to preview what items would get labeled when the policy is turned on, so you can have confidence in the labeling feature before you deploy the policy to your tenant for actual labeling.
The default service-side auto-labeling policies have the following configuration:
For all customers:
If there are 1-9 instances of credit card numbers found in a document or email, apply the sensitivity label Confidential \ Anyone (unrestricted)
If there are 10 or more instances of credit card numbers found in a document or email, apply the sensitivity label Confidential \ All Employees
Note
If we detect that you have your own sensitivity labels published, we'll prompt you to select one of your own labels for your auto-labeling policy.
For new customers from June 23, 2022, where the Microsoft 365 tenant is in the US region:
If there are 1-9 instances of US personal data and full names found in a document or email, apply the sensitivity label Confidential \ Anyone (unrestricted)
If there are 10 or more instances of US personal data and full names found in a document or email, apply the sensitivity label Confidential \ All Employees
New customers from June 23, 2022 have two auto-labeling policies for each setting. One policy is for the Exchange location, and the other for the SharePoint and OneDrive locations. Although the policies are created at the same time, simulation isn't immediately turned on for SharePoint and OneDrive:
Exchange location: The auto-labeling policy is created and immediately starts simulation.
SharePoint and OneDrive locations: The auto-labeling policy is created but waits 25 days before it automatically starts simulation. This delay ensures that there is time for files to be created and saved to these locations.
When the simulation is complete, review the results. If you are happy with them, turn on the policies.
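One way to create the credit card auto-labeling policies described above by hand, in simulation mode, with Security & Compliance PowerShell. This is an added example, not Microsoft's own provisioning script: the policy names and label placeholders are assumptions, and it creates one policy per location so that each rule targets a single workload, whereas the default setup groups SharePoint and OneDrive in one policy.

```powershell
# Added example: manual equivalent of the default credit card auto-labeling tiers.
# Requires the ExchangeOnlineManagement module and permissions to manage auto-labeling policies.
Connect-IPPSSession

# Placeholders (assumption): replace with the Name or GUID of your own labels, as returned by Get-Label.
$tiers = @(
    @{ Tier  = 'Low'
       Label = '<label for Confidential \ Anyone (unrestricted)>'
       Sit   = @{ name = 'Credit Card Number'; mincount = '1'; maxcount = '9' } },   # 1-9 instances
    @{ Tier  = 'High'
       Label = '<label for Confidential \ All Employees>'
       Sit   = @{ name = 'Credit Card Number'; mincount = '10' } }                   # 10 or more
)

# One policy per location, covering everything in that location.
$locations = @(
    @{ Workload = 'Exchange';            Scope = @{ ExchangeLocation   = 'All' } },
    @{ Workload = 'SharePoint';          Scope = @{ SharePointLocation = 'All' } },
    @{ Workload = 'OneDriveForBusiness'; Scope = @{ OneDriveLocation   = 'All' } }
)

foreach ($t in $tiers) {
    foreach ($l in $locations) {
        # Hypothetical naming scheme, chosen so the policies are easy to find later.
        $name  = "Manual CCN $($t.Tier) - $($l.Workload)"
        $scope = $l.Scope

        # TestWithoutNotifications is simulation mode: matches are reported, nothing is labeled.
        New-AutoSensitivityLabelPolicy -Name $name @scope `
            -ApplySensitivityLabel $t.Label -Mode TestWithoutNotifications

        New-AutoSensitivityLabelRule -Name "$name rule" -Policy $name `
            -Workload $l.Workload -ContentContainsSensitiveInformation $t.Sit
    }
}

# Confirm that every policy exists and is still in simulation mode.
Get-AutoSensitivityLabelPolicy |
    Where-Object Name -like 'Manual CCN*' |
    Format-Table Name, Mode, ApplySensitivityLabel

# After reviewing the simulation results, turn a policy on explicitly:
# Set-AutoSensitivityLabelPolicy -Identity 'Manual CCN Low - Exchange' -Mode Enable
```

Policies created this way stay in simulation until you set `-Mode Enable`; the automatic turn-on timer described above is a policy setting you should check in the portal rather than assume.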
The default DLP policy for Teams detects the presence of credit card numbers in all Teams chats and channel messages. When this sensitive information is detected, admins will get a low severity alert notification.
This policy is unobtrusive to users with no policy tip visible and no messages blocked, but admins will have records of the sensitive information shared in these messages. If required, you can edit the settings to change this default configuration.
The default DLP policy for devices detects the presence of credit card numbers on Windows 10 devices that have been onboarded into Microsoft Purview. It then audits (but does not block) the following actions:
Upload to cloud service domains or access by unallowed browsers
Copy to clipboard, USB, or network share
Access by unallowed apps
Print
Copy or move using an unallowed Bluetooth app
Remote desktop services
If content contains 10 or more instances of credit cards and one or more of the listed activities is detected, a medium severity alert notification is sent to admins.
This policy is unobtrusive to users with no policy tip visible and no actions blocked, but admins will have records of all suspicious activity. If required, you can edit these settings to change this default configuration.
To learn more about sensitivity labels, data loss prevention, and all the capabilities available with Microsoft Purview Information Protection, see the following resources:
Microsoft Purview sensitivity labels enable you to classify and protect sensitive data throughout your organization, including in the cloud and on devices. This module covers how to classify and protect sensitive information to ensure its security and compliance.