Remove and delete sensitivity labels
In a production environment, it's unlikely that an organization must remove sensitivity labels from a label policy or delete sensitivity labels. It's more likely that an organization may need to remove or delete labels during the initial testing phase, before releasing the labels into production. Microsoft 365 Administrators must understand what happens when they perform either of these actions.
Removing a sensitivity label from a label policy
Removing a label from a label policy is less risky than deleting it. Why? Because you can always add it back later if needed. You can't delete a label if it's still in a label policy.
An organization removes a label from a label policy so that the label is no longer published to the originally specified users. As a result, the next time you refresh the label policy, users no longer see that label to select in their Office apps.
However, if you already applied that label, the system doesn't remove it from the content or container. For example, users who are using built-in labeling in desktop apps for Word, Excel, and PowerPoint, still see the applied label name on the status bar. An applied container label continues to protect the Teams or SharePoint site.
Deleting a sensitivity label
In comparison, deleting a sensitivity label can have multiple implications:
The label applied encryption. In this case, the system archives the underlying protection template so that you can still open previously protected content. Because of this archived protection template, you can't create a new label with the same name. Yes, organizations can use PowerShell to delete a protection template. However, they should refrain from doing so unless they know with certainty that they don't need to open content that was encrypted with the archived template.
You store documents in SharePoint or OneDrive and you enable sensitivity labels for Office files. When you open the document in Office for the web:
- You can't see the label applied in the app.
- The label name no longer displays in the Sensitivity column in SharePoint.
If the deleted label applied encryption and the services can process the encrypted contents, the system removes the encryption.
Egress actions from these services result in the same outcome. For example, download, copy to, move to, and open with an Office desktop or mobile app. Although the label information remains in the file's metadata, the apps can no longer map the label ID to a display name. As such, users assume no one assigned a label to the file.
You store documents outside SharePoint and OneDrive or you haven't enabled sensitivity labels for Office files or emails. When you open the content, the label information in the metadata remains. However, since it's without the label ID to name mapping, users don't see the applied label name displayed (for example, on the status bar for desktop apps). If the deleted label applied encryption, the encryption remains and users still see the name and description of the now archived protection template.
The label applies to containers, such as sites in SharePoint and Teams. You remove the label, and the system no longer enforces any settings configured with that label. This action typically takes between 48 to 72 hours for SharePoint sites. It can be quicker for Microsoft Teams and Microsoft 365 Groups.
As with all label changes, removing a sensitivity label from a label policy or deleting a sensitivity label takes time to replicate to all users and services.
Knowledge check
Choose the best response for the following question. Then select “Check your answers.”