Default labels and policies to protect your data

Microsoft 365 licensing guidance for security & compliance.

Eligible customers can activate default labels and policies for Microsoft Purview Information Protection:

  • Sensitivity labels and a sensitivity label policy
  • Client-side auto-labeling
  • Service-side auto-labeling
  • Data loss prevention (DLP) policies for Teams and devices

These default configurations help you get up and running quickly with Microsoft Purview Information Protection for Microsoft 365. You can use them as-is, make just a few changes, or fully customize them to better suit your business requirements.

Eligible customers include those using Microsoft Purview AI Hub, customers who have a free trial for Microsoft Purview, and some customers who already have a Microsoft 365 E5 plan:

  • New customers: If you've had Microsoft Purview for less than 30 days, your tenant can activate all the listed default configurations. You can always disable, remove, or edit them.

  • Existing customers: If you've had Microsoft Purview for more than 30 days, you can activate the default configurations if you haven't yet configured an equivalent:

    Default configuration Equivalent
    Sensitivity labels and a sensitivity label policy Published sensitivity labels
    Client-side auto-labeling One or more sensitivity labels configured to automatically apply (or recommend to users) in Office apps
    Service-side auto-labeling At least one auto-labeling policy that's turned on
    DLP for Teams At least one DLP policy for Teams
    DLP for devices At least one DLP policy for devices

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Activate the default labels and policies

To get these preconfigured labels and policies, use the AI hub and select Policies, and then Get started from Fortify your data security for AI.

Or, activate them from the Microsoft Purview compliance portal:

  1. Sign in to the Microsoft Purview compliance portal, and navigate to the Overview page for Information Protection.

    Permissions required for your account:

  2. If you're eligible for the Microsoft Purview Information Protection default labels and policies, you'll see the following information, where you can activate the default labels and policies. For example:

    Microsoft Purview Information Protection activation for preconfigured labels and policies.

    If you don't see this information displayed with the activation option, you're not currently eligible for the automatic creation of sensitivity labels and policies from this location. You can try checking back later to see if this status has changed. You can also use the settings information that follows to manually create the same labels and policies.

  3. Next, enable sensitivity labels for SharePoint and OneDrive. This step is a prerequisite to use sensitivity labels in Office for the web, and auto-labeling policies for SharePoint and OneDrive.

    Use the following banner at the top of the Information Protection > Overview page, and select Turn on now. If you don't see this banner, sensitivity labels for SharePoint and OneDrive have already been enabled for your tenant.

    Enable sensitivity labels for SharePoint and OneDrive banner.

    For more information about this capability, see Enable sensitivity labels for files in SharePoint and OneDrive.

Default sensitivity labels

When you don't have sensitivity labels that are published, we'll create the following labels for you:

Label name Label description for users Settings
Personal Non-business data, for personal use only. Scope: Files & other data assets, Emails, Meetings*

Content marking: No

Auto-labeling: No

Group settings: No

Site settings: No

Auto-labeling for database columns: None
Public Business data that is specifically prepared and approved for public consumption. Scope: Files & other data assets, Emails, Meetings*

Content marking: No

Auto-labeling: No

Group settings: No

Site settings: No

Auto-labeling for database columns: None
General Business data that is not intended for public consumption. However, this can be shared with external partners, as required. Examples include a company internal telephone directory, organizational charts, internal standards, and most internal communication. Scope: Files & other data assets, Emails

Content marking: No

Auto-labeling: No

Group settings: No

Site settings: No

Auto-labeling for database columns: None
General
\ Anyone (unrestricted)
Organization data that isn’t intended for public consumption but can be shared with external partners if appropriate. Examples include customer conversations that don’t include sensitive info or released marketing materials. Scope: Files & other data assets, Emails, Meetings*

Content marking: No

Auto-labeling: No

Group settings: No

Site settings: No

Auto-labeling for database columns: None
General
\ All Employees (unrestricted)
Organization data that isn’t intended for public consumption. If you need to share this content with external partners, confirm with other data owners that it's OK to share and then change the label to General \ Anyone (unrestricted) . Examples include a company internal telephone directory, organizational charts, internal standards, and most internal communication. Scope: Files & other data assets, Emails, Meetings*

Content marking: No

Auto-labeling: No

Group settings: No

Site settings: No

Auto-labeling for database columns: None
Confidential Sensitive business data that could cause damage to the business if shared with unauthorized people. Examples include contracts, security reports, forecast summaries, and sales account data. Scope: Files & other data assets, Emails

Content marking: No

Auto-labeling: No

Group settings: No

Site settings: No

Auto-labeling for database columns: None
Confidential
\ Anyone (unrestricted)
Confidential data that doesn’t need to be encrypted. Use this option with care and appropriate business justification. This label is selected for client-side auto-labeling and service-side auto-labeling.

Scope: Files & other data assets, Emails, Meetings*

Content marking: Footer: Classified as Confidential

Auto-labeling: Recommend that users apply the label

Group settings: No

Site settings: No

Auto-labeling for database columns: None
Confidential
\ All Employees
Confidential data that requires protection, which allows all employees full permissions. Data owners can track and revoke content. This label is selected for client-side auto-labeling and service-side auto-labeling.

Scope: Files & other data assets, Emails, Meetings*

Encryption: All users and groups in the org: Co-Author

Content marking: Footer: Classified as Confidential

Auto-labeling: Recommend that users apply the label

Group settings: No

Site settings: No

Auto-labeling for database columns: None
Confidential
\ Trusted People
Confidential data that can be shared with trusted people inside and outside your organization. These people can also reshare the data as needed. Scope: Files & other data assets, Emails, Meetings*

Encryption: Let users assign permissions:
- Encrypt-Only for Outlook
- Prompt users in Word, PowerPoint, and Excel

Content marking: Footer: Classified as Confidential

Auto-labeling: No

Group settings: No

Site settings: No

Auto-labeling for database columns: None
Highly Confidential Very sensitive business data that would cause damage to the business if it was shared with unauthorized people. Examples include employee and customer information, passwords, source code, and pre-announced financial reports. Scope: Files & other data assets, Emails

Content marking: Watermark: HIGHLY CONFIDENTIAL

Auto-labeling: No

Group settings: No

Site settings: No

Auto-labeling for database columns: None
Highly Confidential
\ All Employees
Highly confidential data that allows all employees view, edit, and reply permissions to this content. Data owners can track and revoke content. Scope: Files & other data assets, Emails, Meetings*

Encryption: All users and groups in the org: Co-Author

Content marking: Footer: Classified as Highly Confidential

Auto-labeling: No

Group settings: No

Site settings: No

Auto-labeling for database columns: None
Highly Confidential
\ Specific People
Highly confidential data that requires protection and can be viewed only by people you specify and with the permission level you choose. Scope: Files & other data assets, Emails, Meetings*

Encryption: Let users assign permissions:
- Do Not Forward for Outlook
- Prompt users in Word, PowerPoint, and Excel

Content marking: Footer: Classified as Highly Confidential

Auto-labeling: No

Group settings: No

Site settings: No

Auto-labeling for database columns: None

* Rolling out, the Meetings scope is included for customers starting October 2024 if the tenant has licenses to manually apply a label for scheduled meetings. Additionally:

  • The sensitivity label policy includes a default Teams meeting label.
  • If the tenant has licenses to manually apply the label to Teams meetings, some of the sensitivity labels also have settings configured to protect these meetings.

Note

The label names and descriptions are automatically available for the following locales: US English, Chinese Simplified and Traditional, French, German, Italian, Japanese, Korean, Portuguese Brazilian, Russian, and Spanish.

If you need additional languages, you can specify your translations by using PowerShell.

For more information about these configuration settings and what sensitivity labels can do, see What sensitivity labels can do.

If you need to edit these default sensitivity labels, see Create and configure sensitivity labels.

Default sensitivity label policy

The default sensitivity label policy makes the labels available for users to start labeling their documents and emails with sensitivity labels. It has the following configuration:

  • Publish the default labels to all users in your tenant
  • Default label of General \ All Employees (unrestricted) for unlabeled documents, email, and meetings
  • Users must provide a justification to remove a label or lower its classification

For more information about these policy settings, and other policy settings that are available, see What label policies can do.

If you need to edit these default policy settings, see Publish sensitivity labels by creating a label policy.

When you use these labels in Office apps on Windows, macOS, iOS, and Android, users see new labels within four hours, and within one hour for Word, Excel, and PowerPoint on the web when you refresh the browser. However, you might need to allow up to 24 hours for changes to replicate to all apps and services.

Client-side auto-labeling

The default client-side auto-labeling configuration automatically recommends users apply a sensitivity label when we detect credit card numbers in documents or emails they’re working with. As a recommendation rather than automatically applied, this configuration serves as a good first step for highlighting concerning content and introduces users to the practice of labeling their documents and emails.

Client-side auto-labeling only works for documents and emails in use by the Office apps Word, Excel, PowerPoint, and Outlook.

The default client-side auto-labeling has the following configuration:

  • If there are 1-9 instances of credit card numbers found in a document or email, recommend the user applies the sensitivity label Confidential \ Anyone (unrestricted)

  • If there are 10 or more instances of credit card numbers found in a document or email, recommend the user applies the sensitivity label Confidential \ All Employees

Note

If we detected you have your own sensitivity labels published, we'll prompt you to select one of your own labels for auto-labeling and configure it for you.

If you want to edit the client-side auto-labeling configuration, see How to configure auto-labeling for Office apps.

Service-side auto-labeling

Service-side auto-labeling helps label sensitive documents at rest, and emails in transit. The default service-side auto-labeling policy creates policies that run in simulation mode for documents stored in all SharePoint or OneDrive sites, and all emails that are sent via Exchange Online.

In simulation mode, items aren't actually labeled until the policy is turned on. You can manually turn on the policy. Alternatively, if you don't change the default setting, the policy will be automatically turned on for you if there aren't any changes to the policy within a set number of days from when the simulation completes.

In most cases, the number of days before an unedited policy is automatically turned on is 7. However, specific to new customers from June 23, 2022, the initial number of days is 25, and then 7 after the policy is edited.

Simulation mode allows you to preview what items would get labeled when the policy is turned on, so you can have confidence in the labeling feature before you deploy the policy to your tenant for actual labeling.

The default service-side auto-labeling policies have the following configuration:

For all customers:

  • If there are 1-9 instances of credit card numbers found in a document or email, apply the sensitivity label Confidential \ Anyone (unrestricted)

  • If there are 10 or more instances of credit card numbers found in a document or email, apply the sensitivity label Confidential \ All Employees

Note

If we detected you have your own sensitivity labels published, we'll prompt you to select one of your own labels for your auto-labeling policy.

For new customers from June 23, 2022, where the Microsoft 365 tenant is in the US region:

  • If there are 1-9 instances of US personal data and full names found in a document or email, apply the sensitivity label Confidential \ Anyone (unrestricted)

  • If there are 10 or more instances of US personal data and full names found in a document or email, apply the sensitivity label Confidential \ All Employees

New customers from June 23, 2022 have two auto-labeling policies for each setting. One policy is for the Exchange location, and the other for the SharePoint and OneDrive locations. Although the policies are created at the same time, simulation isn't immediately turned on for SharePoint and OneDrive:

  • Exchange location: The auto-labeling policy is created and immediately starts simulation.
  • SharePoint and OneDrive locations: The auto-labeling policy is created but waits 25 days before it automatically starts simulation. This delay ensures that there is time for files to be created and saved to these locations.

When the simulation is complete, review the results. If you are happy with them, turn on the policies.

For more information about simulation mode, see Learn about simulation mode.

If you want to edit the service-side auto-labeling policy, see How to configure auto-labeling policies for SharePoint, OneDrive, and Exchange.

DLP for Teams

The default DLP policy for Teams detects the presence of credit card numbers in all Teams chats and channel messages. When this sensitive information is detected, admins will get a low severity alert notification.

This policy is unobtrusive to users with no policy tip visible and no messages blocked, but admins will have records of the sensitive information shared in these messages. If required, you can edit the settings to change this default configuration.

To see the results of this policy, use DLP Activity Explorer.

If you want to edit the DLP policy, see Create and Deploy data loss prevention policies.

DLP for devices

The default DLP policy for devices detects the presence of credit card numbers on Windows 10 devices that have been onboarded into Microsoft Purview. It then audits (but does not block) the following actions:

  • Upload to cloud service domains or access by unallowed browsers

  • Copy to clipboard, USB, or network share

  • Access by unallowed apps

  • Print

  • Copy or move using an unallowed Bluetooth app

  • Remote desktop services

If content contains 10 or more instances of credit cards and one or more of the listed activities is detected, a medium severity alert notification is sent to admins.

This policy is unobtrusive to users with no policy tip visible and no actions blocked, but admins will have records of all suspicious activity. If required, you can edit these settings to change this default configuration.

To see the results of this policy, use DLP Activity Explorer.

If you want to edit the DLP policy, see Create and Deploy data loss prevention policies.

Additional resources

To learn more about sensitivity labels, data loss prevention, and all the capabilities available with Microsoft Purview Information Protection, see the following resources: