Apply sensitivity labels automatically


When you create a sensitivity label, you can have that label assigned automatically to files and emails whose content matches conditions that you specify. The ability to apply sensitivity labels to content automatically is important because:

  • You don't need to train your users when to use each of your classifications.
  • You don't need to rely on users to classify all content correctly.
  • Users no longer need to know about your policies. They can instead focus on their work.

There are two different methods for automatically applying a sensitivity label to content in Microsoft 365:

  • Client-side labeling when users edit documents or compose (also reply or forward) emails. Use a label that you configured for autolabeling for files and emails (includes Word, Excel, PowerPoint, and Outlook).

    This method supports recommending a label to users and automatically applying a label. But in both cases, the user decides whether to accept or reject the label, to help ensure the correct labeling of content. This client-side labeling has minimal delay for documents because you can apply the label even before you save the document. However, not all client apps support autolabeling. Built-in labeling supports this capability with some versions of Office, and also the Microsoft Entra ID Protection unified labeling client.

    For configuration instructions, see How to configure autolabeling for Office apps.

  • Service-side labeling when you already saved content (in SharePoint or OneDrive) or emailed content (processed by Exchange Online). Use an autolabeling policy.

    You may also hear this method referred to as autolabeling for data at rest (documents in SharePoint and OneDrive) and data in transit (email that Exchange sends or receives). Exchange doesn't include emails at rest (mailboxes).

    Because services rather than applications apply this labeling, you don't need to worry about which apps and versions users have. As a result, the capability is immediately available throughout an organization, which also makes it suitable for labeling at scale. Autolabeling policies don't support recommended labeling because the user doesn't interact with the labeling process. Instead, the administrator runs the policies in simulation to help ensure the correct labeling of content before actually applying the label.

    For configuration instructions, see How to configure autolabeling policies for SharePoint, OneDrive, and Exchange.

    The following conditions are specific to autolabeling for SharePoint and OneDrive:

    • Supported Office files include Word (.docx), PowerPoint (.pptx), and Excel (.xlsx) files.
      • The system can autolabel these files at rest before or after you create the autolabeling policies. The system can't autolabel files that are part of an open session (the file is open).
      • The system doesn't currently support attachments to list items, and it can't autolabel them.
    • Maximum of 25,000 automatically labeled files in your tenant per day.
    • Maximum of 100 autolabeling policies per tenant, each targeting up to 100 sites (SharePoint or OneDrive) when specified individually. You can also specify all sites, and this configuration is exempt from the 100 sites maximum.
    • As a result of autolabeling policies, the system doesn't change existing values for modified, modified by, and the last modified date. This condition applies for both simulation mode and when you apply labels.
    • When the label applies encryption, both the Rights Management issuer and Rights Management owner are the account that last modified the file.

    The following conditions are specific to autolabeling for Exchange:

    • Unlike manual labeling or autolabeling with Office apps, the system scans PDF attachments and Office attachments for the conditions you specify in your autolabeling policy. When there's a match, the system labels the email but not the attachment.
      • For PDF files, if the label applies encryption and the files are unencrypted, the system encrypts them by using Message encryption when your tenant is enabled for PDF attachments. The files inherit the applied encryption settings from the email.
      • Supported Office files include Word, PowerPoint, and Excel files. If the label applies encryption and these files are unencrypted, they're now encrypted by using Message encryption. The files inherit the encryption settings from the email.
    • If you have Exchange mail flow rules or Microsoft Purview Data Loss Prevention (DLP) policies that apply IRM encryption: When the system identifies content by these rules or policies and an autolabeling policy, it applies the label. If that label applies encryption, the system ignores the IRM settings from the Exchange mail flow rules or DLP policies. However, if that label doesn't apply encryption, the system applies the IRM settings from the mail flow rules or DLP policies in addition to the label.
    • When an email has IRM encryption but no label, Exchange uses autolabeling to add a label with any encryption settings when there's a match.
    • The system labels incoming email when a match occurs with your autolabeling conditions. If you configured the label for encryption, the system always applies that encryption when the sender is from your organization. By default, the system doesn't apply that encryption when the sender is outside your organization. However, you can have the system apply it by configuring Additional settings for email and specifying a Rights Management owner.
    • When the label applies encryption, both the Rights Management issuer and Rights Management owner are the person who sends the email when the sender is from your own organization. When the sender is outside your organization, you can specify a Rights Management owner for incoming email that your policy labeled and encrypted.
    • If you configured the label to apply dynamic markings, the system displays the names of people outside your organization for incoming email.

The implementation of automatic and recommended labeling in Office apps depends on whether you're using the labeling that Microsoft built into Office, or the Microsoft Entra ID Protection unified labeling client. However, in both cases:

  • You can't use automatic labeling for documents and emails that you previously manually labeled, or previously automatically labeled with a higher sensitivity. Remember, you can only apply a single sensitivity label to a document or email (in addition to a single retention label).
  • You can't use recommended labeling for documents or emails that you previously labeled with a higher sensitivity. For these documents or emails, the user can't see the prompt with the recommendation and policy tip.

Specific to built-in labeling:

  • Not all Office apps support automatic (and recommended) labeling. For more information, see Support for sensitivity label capabilities in apps.
  • For recommended labels in the desktop versions of Word, the system flags the sensitive content that triggered the recommendation. Doing so enables users to review and remove the sensitive content instead of applying the recommended sensitivity label.

Specific to the Microsoft Entra ID Protection unified labeling client:

  • Automatic and recommended labeling applies to Word, Excel, and PowerPoint when you save a document, and to Outlook when you send an email.
  • For Outlook to support recommended labeling, you must first configure an advanced policy setting.
  • The system can detect sensitive information in the body text of documents and emails, and in headers and footers. However, it can't detect sensitive information in the subject line or email attachments.

Additional reading. For more information about how the system applies these labels, see Automatically apply or recommend sensitivity labels to your files and emails in Office.

Convert your label settings into an autolabeling policy

At the end of the label creation or editing process, the system displays an autolabeling option when the label includes sensitive information types for the configured conditions. The option allows for the automatic creation of an autolabeling policy based on the same autolabeling settings.

However, if the label contains trainable classifiers as a label condition:

  • When the label conditions only contain trainable classifiers, you don't see the option to automatically create an autolabeling policy.
  • When the label conditions contain trainable classifiers and sensitivity info types, the system creates an autolabeling policy for just the sensitive info types.

The system automatically creates an autolabeling policy by autopopulating the values that you would have to select manually if you created the policy from scratch. In this scenario, you can still view and edit the values before you save the policy.

By default, an automatically created autolabeling policy includes all locations for SharePoint, OneDrive, and Exchange. When you save the policy, it runs in simulation mode. In simulation mode, the system doesn't check whether you enabled sensitivity labels for Office files in SharePoint and OneDrive, even though that is one of the prerequisites for autolabeling to apply to content in SharePoint and OneDrive.

Run a policy in Simulation mode

Simulation mode is unique to autolabeling policies and woven into the workflow. You can't automatically label documents and emails until your policy runs at least one simulation.

Simulation mode supports up to 1,000,000 matched files. If the system matches more than this number of files from an autolabeling policy, you can't turn on the policy to apply the labels. In this case, you must reconfigure the autolabeling policy so that the system matches fewer files, and then rerun the simulation. This maximum of 1,000,000 matched files applies to simulation mode only. It doesn't apply to an autolabeling policy that you already turned on to apply sensitivity labels.

The workflow for running an autolabeling policy in simulation mode includes the following steps:

  1. Create and configure an autolabeling policy.
  2. Run the policy in simulation mode, which can take 12 hours to complete. The completed simulation triggers an email notification that the system sends to the user configured to receive activity alerts.
  3. Review the results, and if necessary, refine your policy. For example, you may need to edit the policy rules to reduce false positives, or remove some sites so that the number of matched files doesn't exceed 1,000,000. Rerun simulation mode and wait for it to complete again.
  4. Repeat step 3 as needed.
  5. Deploy in production.
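The workflow above, and the Exchange condition earlier on this page about specifying a Rights Management owner for incoming mail from external senders, can both be driven from Security & Compliance PowerShell. The following script is an added example, not code from this page or from Microsoft: it creates a policy in simulation mode, attaches a rule, inspects the policy state, and only then switches it to Enable. It assumes the ExchangeOnlineManagement module is installed, that a sensitivity label named "Confidential" already exists (a hypothetical name), and that the site URL, mailbox address and policy name are placeholders you replace with your own.

```powershell
# Added example (not from the page): autolabeling policy lifecycle
# simulation -> review -> enable, using Security & Compliance PowerShell.
# Assumptions: ExchangeOnlineManagement module installed; a label named
# "Confidential" exists (hypothetical); URLs/addresses are placeholders.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance PowerShell session

$policyName = 'AutoLabel-CreditCard-Simulation'   # placeholder name
$labelName  = 'Confidential'                      # hypothetical label

# Step 1: create the policy in simulation mode.
# Mode TestWithoutNotifications is the cmdlet counterpart of simulation mode.
# Start with a single SharePoint site, as the page recommends, and widen later.
# ExchangeLocation All covers mail in transit; mailboxes at rest are not scanned.
# ExternalMailRightsManagementOwner is the "Rights Management owner" setting for
# incoming mail from outside the organization (a placeholder mailbox here).
New-AutoSensitivityLabelPolicy -Name $policyName `
    -ApplySensitivityLabel $labelName `
    -SharePointLocation 'https://contoso.sharepoint.com/sites/Finance' `
    -ExchangeLocation All `
    -Mode TestWithoutNotifications `
    -ExternalMailRightsManagementOwner 'rms-owner@contoso.com' `
    -Comment 'Simulation first; enable only after reviewing matched files'

# Step 1 (continued): the rule that defines the match conditions.
# "Credit Card Number" is a built-in sensitive information type.
New-AutoSensitivityLabelRule -Name "$policyName-Rule" -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -Workload SharePoint, Exchange

# Step 2: simulation can take up to 12 hours; check the policy state instead
# of assuming it has finished.
function Get-AutoLabelPolicyState {
    param([Parameter(Mandatory)][string]$Name)
    Get-AutoSensitivityLabelPolicy -Identity $Name |
        Select-Object Name, Mode, Comment
}
Get-AutoLabelPolicyState -Name $policyName

# Step 3: after reviewing the results in the portal, tighten the rule to cut
# false positives (here: require at least three matches) and rerun simulation.
Set-AutoSensitivityLabelRule -Identity "$policyName-Rule" `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '3' }

# Step 5: deploy in production once the simulation results are acceptable.
# Enabling fails if the last simulation matched more than 1,000,000 files,
# so narrow the scope and re-simulate before reaching this line.
Set-AutoSensitivityLabelPolicy -Identity $policyName -Mode Enable
```

The policy applies no labels while its Mode is TestWithoutNotifications; each change to the rule or scope triggers a new simulation run, so repeat the state check after every refinement before switching to Enable.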

The simulated deployment runs like the WhatIf parameter for PowerShell. You see results reported as if the autolabeling policy applied your selected label, using the rules that you defined. You can then refine your rules for accuracy if needed, and rerun the simulation. However, because autolabeling for Exchange applies to sent and received emails rather than emails stored in mailboxes, don't expect consistent results for email in a simulation unless you can send and receive the exact same email messages.

Simulation mode also lets you gradually increase the scope of your autolabeling policy before deployment. For example, you may start with a single location, such as a SharePoint site, with a single document library. Then, with iterative changes, increase the scope to multiple sites, and then to another location, such as OneDrive.

Finally, simulation mode enables you to provide an approximation of the time needed to run your autolabeling policy. This information can help you plan and schedule when to run it without simulation mode.