Implement auto-labeling policies

8 minutes

As the global consulting firm continues strengthening its data protection strategy, the next step is implementing auto-labeling policies. Automating sensitivity labeling helps manage sensitive information across SharePoint Online, OneDrive, and Exchange Online. It ensures consistent data protection across the firm's digital platforms while reducing the need for manual labeling.

What is auto-labeling and why is it important?

Auto-labeling policies automatically apply sensitivity labels to emails, documents, and other content across Microsoft 365. This process helps organizations protect sensitive data consistently without relying on users to manually classify every piece of content.

There are two ways to automatically apply sensitivity labels in Microsoft 365:

Client-side labeling: Office apps recommend or automatically apply labels while users are working in Word, Excel, PowerPoint, or Outlook.
Service-side labeling: Labels are applied automatically to stored content in SharePoint, OneDrive, and Exchange, even if users don't interact with the content.

Let’s take a closer look at how both methods work and how to configure them in your environment.

Auto-labeling in Office apps using client-side labeling

Client-side auto-labeling allows Office apps to apply or recommend sensitivity labels based on the content users create or edit. This approach helps guide users to label content correctly while still allowing flexibility when appropriate.

Requirements for client-side auto-labeling

Before configuring client-side auto-labeling, make sure:

Office apps meet specific version requirements.
Sensitivity labels are scoped to apply to Files & other data assets, Emails, and Meetings.

After you define the label scope and protection settings, configure the conditions that trigger automatic labeling based on sensitive information types or trainable classifiers.

When a sensitivity label is automatically applied, users see a notification in their Office app:

You can also configure the label to suggest application, giving users the option to accept or dismiss it based on the content. In desktop versions of Word, users can even view the content that triggered the suggestion, helping them make informed decisions about labeling.

When configuring auto-labeling for Office apps:

If you use exact data match (EDM) classifiers, include at least one non-EDM sensitive information type to keep auto-labeling active.
Keep Microsoft 365 App version requirements in mind when using trainable classifiers.

Auto-labeling for stored content using service-side labeling

Service-side auto-labeling applies sensitivity labels directly to content in SharePoint, OneDrive, and Exchange Online without user interaction.
This method is critical for protecting data at rest across your digital environment.

Requirements for service-side auto-labeling

Before creating a service-side policy, make sure:

Audit logging is enabled.
Admins reviewing simulation results have the Data Classification Content Viewer role assigned.
Sensitivity labels are enabled for SharePoint and OneDrive libraries.
Files must not be open or checked out during labeling.
Labels that enforce encryption have correct configuration settings.

Test service-side auto-labeling with simulation mode

Before you deploy a service-side auto-labeling policy, it's important to run it in simulation mode.
Simulation mode allows you to test the policy against your content without making permanent changes.

The basic workflow:

Create and configure the auto-labeling policy.
Run the policy in simulation mode. Simulations typically complete within 12 hours.
Review the simulation results to see which content matches the labeling rules.
Fine-tune your policy settings if necessary.
When satisfied with the results, proceed with full policy deployment.

Simulation mode can analyze up to 1 million items per run.

Create an auto-labeling policy in Microsoft Purview

After reviewing your simulation results, you're ready to create and deploy your policy.

Go to the Microsoft Purview portal.
Navigate to Solutions > Information protection > Policies > Auto-labeling policies.
Select + Create auto-labeling policy.
On the Choose info you want this label applied to page, select a template (such as Financial or Privacy) or create a custom policy.
Name your policy and optionally add a description.
On the Choose a label to auto-apply page, select + Choose a label, then pick the sensitivity label to apply when content meets the defined conditions.
Assign the policy to administrative units if needed, or select Full directory to apply it organization-wide.
Choose the locations (Exchange, SharePoint, and OneDrive) where the labels should be applied.
Define the rules that determine how labels are assigned using sensitive information types, classifiers, sharing conditions, and more.
Select the label you want to automatically apply.
Configure extra email settings if needed (for example, replacing labels or encrypting inbound email).
Decide whether to run the policy in simulation mode first or leave it turned off until you're ready.
Review your settings and create the policy.

Knowledge check

Select the best response to the question.