Configure a default sensitivity label for a SharePoint document library
When SharePoint is enabled for sensitivity labels, you can configure a default label for document libraries. Then, any new files uploaded to that library, or existing files edited in the library will have that label applied if they don't already have a sensitivity label, or they have a sensitivity label but with lower priority.
For example, you configure the Confidential label as the default sensitivity label for a document library. A user who has General as their policy default label saves a new file in that library. SharePoint will label this file as Confidential because of that label's higher priority. For a quick summary of the possible outcomes, see Will an existing label be overridden on this page.
A default label offers a baseline level of protection and a form of automatic labeling without content inspection. To help you distinguish between this feature's default label with the default label in label policies:
- Default sensitivity label for a document library: Location-based labeling, applicable only for SharePoint. Overrides a lower-priority label unless manually applied.
- Default sensitivity label from a policy: Always applicable for all locations. Never overrides an existing label.
When you use Office for the web to create or edit a file, the default sensitivity label for a document library can be applied without delays. However, labeling is not immediate if you upload a file or create it using Microsoft 365 Apps on Windows, macOS, iOS or Android, and then save to SharePoint:
- File upload: it can take a few minutes for the label to be applied.
- Microsoft 365 Apps: the label is applied after the app is closed.
To read the preview announcement for this feature, see the blog post.
Tip
If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.
Will an existing label be overridden?
Summary of outcomes:
Existing label | Override with library default label |
---|---|
Manually applied, any priority | No |
Automatically applied, lower priority | Yes |
Automatically applied, higher priority | No |
Default label from policy, lower priority | Yes |
Default label from policy, higher priority | No |
Requirements
You've created and published sensitivity labels that include the label scope of Files & other data assets and these labels are published to the users who will select a default sensitivity label for a SharePoint document library.
You've enabled sensitivity labels for Office files in SharePoint and OneDrive. To check this status, you can run
(Get-SPOTenant).EnableAIPIntegration
from the SharePoint Online Management Shell to confirm the value is set to True.To support sensitivity labels for PDFs, you've added support for PDFs in SharePoint. To check this status, you can run
(Get-SPOTenant).EnableSensitivityLabelforPDF
from the SharePoint Online Management Shell to confirm the value is set to True.SharePoint Information Rights Management (IRM) is not enabled for the library. This older technology isn't compatible with using a default sensitivity label for a SharePoint document library. If a library is enabled for IRM, you won't be able to select a default sensitivity label.
Site admin permissions are needed to apply and change the sensitivity label in SharePoint.
Files must contain content to be labeled. Empty files are labeled when they are updated with content.
If you need to review a list of file types that are supported by sensitivity labels in SharePoint, see Supported file types.
Limitations
Doesn't apply to existing files at rest in SharePoint.
Unless you've enabled co-authoring for files encrypted with sensitivity labels, you'll see a delay in applying the default sensitivity label for a document library when users select the File > Save as option.
As with sensitivity labels for Office for the web, some label configurations that apply encryption aren't suitable for SharePoint, and so don't support a default sensitivity label for a SharePoint document library:
- Let users assign permissions when they apply the label and the checkbox In Word, PowerPoint, and Excel, prompt users to specify permissions is selected. This setting is sometimes referred to as "user-defined permissions".
- User access to content expires is set to a value other than Never.
- Double Key Encryption is selected.
How to configure a default sensitivity label for a SharePoint document library
This configuration is done by a SharePoint site admin: Add a sensitivity label to SharePoint document library.
Monitoring application of library default sensitivity labels
Use the SharePoint Sensitivity column to see the names of sensitivity labels applied to files. When the label has been applied by this features, the tooltip for the label name displays This file has been automatically labeled. However, this tooltip isn't exclusive to the default sensitivity label for a document library. It also displays when sensitivity labels are applied by using auto-labeling policies or as a result of a user's default label from sensitivity label policies.
To specifically identify when the label was applied because of the library's default sensitivity label, use the audit log search tool and the Applied sensitivity label file auditing event from the Sensitivity label activities group. Then:
Select an entry to view the details in a flyout pane.
From the details pane, scroll to the SensitivityLabelEventData section, and identify the value for ActionScourceDetails.
A value of 6 is used for when the label was applied because of the default sensitivity label for the document library.
To audit the configuration setting for this feature, use the Updated list auditing event from the SharePoint list activities group. In the details flyout pane for the document library, scroll to the SensitivityLabelEventData section where OldSensitivityLabeld and SensitivityLabelId can reflect three changes of states:
- Sensitivity label applied
- Sensitivity label changed from one label to another
- Sensitivity label removed
To map sensitivity label GUIDs to label names, use the Get-Label cmdlet:
Then run the following command, where you specify the GUID:
Get-Label -Identity "<GUID>" | Name
How to turn off this feature
If you need to, you can turn off this feature that supports a default sensitivity label for SharePoint document libraries. This is a tenant-level setting that requires you to use the Set-SPOTenant cmdlet with the DisableDocumentLibraryDefaultLabeling parameter set to True by using the current SharePoint Online Management Shell:
Set-SpoTenant -DisableDocumentLibraryDefaultLabeling $true
After you run this command, you won't see the option to configure Default sensitivity labels for a document library. You won't be able to select a default sensitivity label for new or existing libraries.
For document libraries that were previously configured for a default sensitivity label:
- The label selection for the document library remains but is deactivated so new files won't have the selected sensitivity label applied.
- Sensitivity labels that were applied as a default label aren't removed.
As with all tenant-level configuration changes for SharePoint, it takes about 15 minutes for the change to take effect.
Next steps
Default labeling ensures a minimum level of protection but doesn't take into account the file contents that might require a higher level of protection. Consider supplementing this labeling method with automatic labeling that uses content inspection, and encourage manual labeling for users to replace the default label when needed.