Determine a sensitivity label's scope
When you create a sensitivity label, the system prompts you to configure the label's scope. A label's scope determines two things:
- The label settings you can configure for that label.
- Where the label is visible to users.
This scope configuration lets you have sensitivity labels that are just for documents and emails. However, you can't select them for containers. Similarly, you can have sensitivity labels that are just for containers. However, you can't select them for documents and emails.
The following image displays the available options when defining a label's scope.
You can further refine the Items scope to files and emails, and to meetings that include calendar events, Teams meetings options, and Team chat. For example, you can use this refinement when you want to make a sensitivity label available for emails only.
By default, the system always selects the Items scope for a new label. The other scopes are selected by default when you enable the features for your tenant:
- Groups & sites. To enable this feature, you must apply sensitivity labels to Teams, SharePoint sites, and Microsoft 365 groups. To do so, you must complete the steps in this article: Enable sensitivity labels for containers and synchronize labels.
- Schematized data assets. To enable this feature, you must apply the label to schematized data assets. To do so, you must complete the steps in this article: Automatically label your content in Microsoft Purview Data Map.
You can change the defaults by not selecting all scopes. If you didn't select all scopes, the system displays the first page of the configuration settings for scopes that you didn't select. However, you can't configure the settings. For example, if you didn't select the scope for files and emails, you can't select the options on the next page.
For these pages that have unavailable options, select Next to continue. Or, select Back to change the label's scope.
Label priority (order matters)
To create and view sensitivity labels in the Microsoft Purview compliance portal, you must select Information protection on the navigation pane, and then under this group, select Labels. The order in which the labels appear on the Labels page is important because it reflects their priority. You want your most restrictive sensitivity label, such as Highly Confidential, to appear at the bottom of the list. Conversely, you want your least restrictive sensitivity label, such as Public, to appear at the top.
You can only apply one sensitivity label to an item, such as a document, email, or container. An option exists that requires your users to provide a justification for changing a label to a lower classification. If you set this option, you can identify the lower classifications by the order of the labels in this list. However, this option doesn't apply to sublabels.
The system uses automatic labeling when ordering sublabels. When you configure the system to automatically apply labels or as a recommendation, multiple matches can result for more than one label. When this situation occurs, the system selects the last sensitive label, and then if applicable, the last sublabel. When you configure sublabels themselves (rather than autolabeling policies) for automatic or recommended labeling, the behavior is a little different when sublabels share the same parent label. For example, the system prefers a sublabel configured for automatic labeling over a sublabel configured for recommended labeling.
Additional reading. For more information, see How multiple conditions are evaluated when they apply to more than one label. The system uses the ordering of sublabels with label inheritance from email attachments.
Sublabels (grouping labels)
With sublabels, you can group one or more labels below a parent label that a user sees in an Office app. For example, under Confidential, your organization may use several different labels for specific types of that classification. In this example, the parent label Confidential is simply a text label with no protection settings, and because it has sublabels, the system can't apply it to content. Instead, users must choose Confidential to view the sublabels, and then they can choose a sublabel to apply to content.
Sublabels are simply a way to present labels to users in logical groups. Sublabels don't inherit any settings from their parent label. When you publish a sublabel for a user, that user can then apply that sublabel to content. However, they can't apply just the parent label.
Caution
The system can't apply a parent label to content if you:
- Choose a parent label as the default label.
- Configure the system to automatically apply (or recommend) the parent label.
The following image shows how sublabels display for users.
Editing or deleting a sensitivity label
If you delete a sensitivity label from your admin center, the system doesn't automatically remove the label from content. The system continues to enforce any protection settings associated with that label on content in which it applied that label.
If you edit a sensitivity label, the version of the label that the system applied to content is what it enforces on that content.
Knowledge check
Choose the best response for the following question. Then select “Check your answers.”