Get started with sensitivity labels - Microsoft Purview (compliance) (2023)

  • Article


For information about what sensitivity labels are and how they can help you protect your organization's data, see Learn about sensitivity labels.

When you're ready to start protecting your organization's data by using sensitivity labels:

  1. Create the labels. Create and name your sensitivity labels according to your organization's classification taxonomy for different sensitivity levels of content. Use common names or terms that make sense to your users. If you don't already have an established taxonomy, consider starting with label names such as Personal, Public, General, Confidential, and Highly Confidential. You can then use sublabels to group similar labels by category. When you create a label, use the tooltip text to help users select the appropriate label.

    For more extensive guidance for defining a classification taxonomy, download the white paper, "Data Classification & Sensitivity Label Taxonomy" from the Service Trust Portal.

  2. Define what each label can do. Configure the protection settings you want associated with each label. For example, you might want lower sensitivity content (such as a "General" label) to have just a header or footer applied, while higher sensitivity content (such as a "Confidential" label) should have a watermark and encryption.

  3. Publish the labels. After your sensitivity labels are configured, publish them by using a label policy. Decide which users and groups should have the labels and what policy settings to use. A single label is reusable—you define it once, and then you can include it in several label policies assigned to different users. So for example, you could pilot your sensitivity labels by assigning a label policy to just a few users. Then when you're ready to roll out the labels across your organization, you can create a new label policy for your labels and this time, specify all users.

    (Video) How to Implement & Manage Sensitivity Labels and Label Policies | Microsoft Purview | Microsoft365


You might be eligible for the automatic creation of default labels and a default label policy that takes care of steps 1-3 for you. For more information, see Default labels and policies for Microsoft Purview Information Protection.

The basic flow for deploying and applying sensitivity labels:

Get started with sensitivity labels - Microsoft Purview (compliance) (1)


If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Subscription and licensing requirements for sensitivity labels

A number of different subscriptions support sensitivity labels and the licensing requirements for users depend on the features you use.

(Video) Get Started with Microsoft Information Protection

To see the options for licensing your users to benefit from Microsoft Purview features, see the . For sensitivity labels, see the Microsoft Purview Information Protection: Sensitivity labeling section and related PDF download for feature-level licensing requirements.

Permissions required to create and manage sensitivity labels

Members of your compliance team who will create sensitivity labels need permissions to the Microsoft Purview compliance portal.

By default, global administrators for your tenant have access to this admin center and can give compliance officers and other people access, without giving them all of the permissions of a tenant admin. For this limited admin access, you can use the following role groups:

  • Information Protection
  • Information Protection Admins
  • Information Protection Analysts
  • Information Protection Investigators
  • Information Protection Readers

For an explanation of each one, and the roles that they contain, select a role group in the Microsoft Purview compliance portal > Permissions & roles > Compliance center > Roles, and then review the description in the flyout pane. Or, see Role groups in Microsoft Defender for Office 365 and Microsoft Purview compliance.

Alternatively to using the default roles, you can create a new role group and add the Sensitivity Label Administrator role to this group. For a read-only role, use Sensitivity Label Reader.

Another option is to add users to the Compliance Data Administrator, Compliance Administrator, or Security Administrator role group.

For instructions to add users to the default role group, roles, or create your own role groups, see Permissions in the Microsoft Purview compliance portal.

These permissions are required only to create and configure sensitivity labels and their label policies. They are not required to apply the labels in apps or services. If additional permissions are needed for specific configurations that relate to sensitivity labels, those permissions will be listed in their respective documentation instructions.

Support for administrative units

Now rolling out in preview, sensitivity labels support administrative units that have been configured in Azure Active Directory:

(Video) How to Create Sensitivity Labels and Watermarks for Email and Document Security in Microsoft Purview

  • You can assign administrative units to members of role groups that are used with Microsoft Purview Information Protection. Edit these role groups and select individual members, and then the Assign admin units option to select administrative units from Azure Active Directory. These administrators are now restricted to managing just the users in those administrative units.

  • You can define the initial scope of sensitivity label policies and auto-labeling policies for Exchange when you create or edit these policies. When you select administrative units, only the users in those administrative units will be eligible for the policy.


Don't select administrative units for an auto-labeling policy that you want to apply to documents in SharePoint or OneDrive. Because administrative units support only users and groups, if you configure an auto-labeling policy to use administrative units, you won't be able to select the options for SharePoint and OneDrive.

For more information about how Microsoft Purview supports administrative units, see Administrative units.

Deployment strategy for sensitivity labels

A successful strategy to deploy sensitivity labels for an organization is to create a working virtual team that identifies and manages the business and technical requirements, proof of concept testing, internal checkpoints and approvals, and final deployment for the production environment.

Using the table in the next section, we recommend identifying your top one or two scenarios that map to your most impactful business requirements. After these scenarios are deployed, return to the list to identify the next one or two priorities for deployment.


If you're using the AIP add-in for labeling in Office apps, we recommend you move to built-in labeling. For more information, see Migrate the Azure Information Protection (AIP) add-in to built-in labeling for Office apps.

(Video) Microsoft Purview Sensitivity Labels

Common scenarios for sensitivity labels

All scenarios require you to Create and configure sensitivity labels and their policies.

I want to ...Documentation
Manage sensitivity labels for Office apps so that content is labeled as it's created—includes support for manual labeling on all platformsManage sensitivity labels in Office apps
Extend labeling to File Explorer and PowerShell, with additional features for Office apps on Windows (if needed)Azure Information Protection unified labeling client for Windows
Encrypt documents and emails with sensitivity labels and restrict who can access that content and how it can be usedRestrict access to content by using sensitivity labels to apply encryption
Protect Teams meetings, from meeting invites and responses, to protecting the meeting itself and related chatUse sensitivity labels to protect calendar items, Teams meetings and chat
Enable sensitivity labels for Office on the web, with support for coauthoring, eDiscovery, data loss prevention, search—even when documents are encryptedEnable sensitivity labels for Office files in SharePoint and OneDrive
Files in SharePoint to be automatically labeled with a default sensitivity labelConfigure a default sensitivity label for a SharePoint document library
Use co-authoring and AutoSave in Office desktop apps when documents are encryptedEnable co-authoring for files encrypted with sensitivity labels
Automatically apply sensitivity labels to documents and emailsApply a sensitivity label to content automatically
Use sensitivity labels to protect content in Teams and SharePointUse sensitivity labels with Microsoft Teams, Microsoft 365 groups, and SharePoint sites
Use sensitivity labels to configure the default sharing link type for sites and individual documents in SharePoint and OneDriveUse sensitivity labels to set the default sharing link for sites and documents in SharePoint and OneDrive
Apply a sensitivity label to a document understanding model, so that identified documents in a SharePoint library are automatically classified and protectedApply a sensitivity label to a model in Microsoft Syntex
Prevent or warn users about sharing files or emails with a specific sensitivity labelUse sensitivity labels as conditions in DLP policies
Apply a sensitivity label to a file when I receive an alert that content containing personal data is being shared and needs protectionInvestigate and remediate alerts in Privacy Risk Management
Apply a retention label to retain or delete files or emails that have a specific sensitivity labelAutomatically apply a retention label to retain or delete content
Discover, label, and protect files stored in data stores that are on premisesDeploying the information protection scanner to automatically classify and protect files
Discover, label, and protect files stored in data stores that are in the cloudDiscover, classify, label, and protect regulated and sensitive data stored in the cloud
Label SQL database columns by using the same sensitivity labels as those used for files and emails so that the organization has a unified labeling solution that can continue to protect this structured data when it's exported

SQL Data Discovery and Classification for SQL Server on-premises

Apply and view labels in Power BI, and protect data when it's saved outside the serviceSensitivity labels in Power BI
Monitor and understand how sensitivity labels are being used in my organizationLearn about data classification
Extend sensitivity labels to third-party apps and servicesMicrosoft Information Protection SDK
Extend sensitivity labels across content in my Microsoft Purview Data Map assets, such as Azure Blob Storage, Azure Files, Azure Data Lake Storage, and multi-cloud data sourcesLabeling in Microsoft Purview Data Map

End-user documentation for sensitivity labels

The most effective end-user documentation will be customized guidance and instructions you provide for the label names and configurations you choose. You can use the label policy setting Provide users with a link to a custom help page to specify an internal link for this documentation. Users can then easily access it from the Sensitivity button:

  • For built-in labeling: Learn More menu option.
  • For the Azure Information Protection unified labeling client: Help and Feedback menu option > Tell Me More link in the Microsoft Azure Information Protection dialog box.

To help you provide your customized documentation, see the following page and downloads that you can use to help train your users: End User Training for Sensitivity Labels.

You can also use the following resources for basic instructions:

If your sensitivity labels apply encryption for PDF documents, these documents can be opened with Microsoft Edge on Windows or Mac. For more information, and alternative readers, see Which PDF readers are supported for protected PDFs?


How do I add a sensitivity label in purview? ›

Microsoft Purview allows you to apply sensitivity labels to assets, enabling you to classify and protect your data. Label travels with the data: The sensitivity labels created in Microsoft Purview Information Protection can also be extended to the Microsoft Purview Data Map, SharePoint, Teams, Power BI, and SQL.

How do I use Microsoft sensitivity labels? ›

How to enable sensitivity labels for SharePoint and OneDrive (opt-in)
  1. Sign in to the Microsoft Purview compliance portal as a global administrator, and navigate to Solutions > Information protection > Labels.
  2. If you see a message to turn on the ability to process content in Office online files, select Turn on now:
May 12, 2023

What license do I need for sensitivity labels? ›

Licensing Sensitivity Labels

Users require Office 365 E3 or above to apply a label manually, while automatic policy-driven application of labels requires Office 365 E5 or the Microsoft 365 E5 compliance licenses.

How do you add sensitive info types? ›

Create a custom sensitive information type
  1. In the Compliance Center, go to Data classification > Classifiers > Sensitive info types and choose Create sensitive info type.
  2. Fill in values for Name and Description and choose Next.
  3. Choose Create pattern. ...
  4. Choose the default confidence level for the pattern.
Feb 28, 2023

What is the difference between Microsoft sensitivity labels and retention labels? ›

Unlike retention labels, which are published to locations such as all Exchange mailboxes, sensitivity labels are published to users or groups. Apps that support sensitivity labels can then display them to those users and groups as applied labels, or as labels that they can apply.

What is the difference between AIP and sensitivity labels? ›

Azure Information Protection is a more advanced subscription with more capabilities than what exists using the Office 365 Security & Compliance center's “Sensitivity labels”—again, at least for now. The main difference to note is that AIP is better suited to hybrid environments.

What administrator or administrators can create sensitivity labels? ›

Compliance Data Administrator, Compliance Administrator, and Security Administrator already have the required permissions to create the labels.

What are the requirements for safety labels? ›

All labels are required to have pictograms, a signal word, hazard and precautionary statements, the product identifier, and supplier identification. A sample revised HCS label, identifying the required label elements, is shown on the right. Supplemental information can also be provided on the label as needed.

What are the minimum requirements for labeling products? ›

Name and address of the manufacturer, packer, or distributor; Product description, including contents, materials, and the amount of the product included.

What are the steps of a sensitivity test? ›

The test is done by taking a sample from the infected site. The most common types of tests are listed below. A health care professional will take a blood sample from a vein in your arm, using a small needle. After the needle is inserted, a small amount of blood will be collected into a test tube or vial.

Does Microsoft Office include the sensitivity button? ›

On the Home tab, scroll down, then select Sensitivity. Important: Sensitivity is not available if your Office account isn't a work account with a Office 365 Enterprise E3 or Office 365 Enterprise E5 license assigned, or if your administrator hasn't configured any sensitivity labels and enabled the feature for you.

Which scope should you recommend for the sensitivity label policies? ›

Suggested Answer:

Sensitivity labels apply to group across services like Outlook, Microsoft Teams, and SharePoint.

How do I create a label in Microsoft teams? ›

On the task board, select a task to open details. On the card, select Add label, and then select from one of the 25 labels in the list. To rename a label, select the pencil icon next to it in the list, and then enter a new name for it.

How do I add sensitivity labels in Outlook? ›

Instructions. Step 1 - On the Home tab, select New Email. Step 2 - On the message window menu, click the down arrow to expand the Sensitivity menu. Step 3 - Choose the label that applies to your message from the Sensitivity drop-down list.

Which users can create communication compliance policies? ›

Communication Compliance Admins

Users assigned to this role group can create, read, update, and delete communication compliance policies, global settings, and role group assignments.

What are the 4 types of sensitive information? ›

  • personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs;
  • trade-union membership;
  • genetic data, biometric data processed solely to identify a human being;
  • health-related data;
  • data concerning a person's sex life or sexual orientation.

What are sensitive information types in purview? ›

Sensitive information types (SIT) are pattern-based classifiers. They detect sensitive information like social security, credit card, or bank account numbers to identify sensitive items, see Sensitive information type entity definitions for a complete list of all SITs.

How to assign permissions to specific users and groups sensitivity label? ›

On the Assign permissions pane, select Add specific email addresses or domains. In the text box, enter the email address of the first user (or group) to add, and then select Add. Select Choose permissions. On the Choose permissions pane, select the permissions for this user (or group), and then select Save.

What are the 4 types of labels? ›

There are four major types of labels that companies and small businesses are using for their products and operations: brand labels, informative labels, descriptive labels, and grade labels.

Which three types of communication are supported by communication compliance? ›

User-reported messages policy: This system policy supports user reported messages from channel, group, and private chat messages. Enabled by default in the Teams admin center.

What are the colors of Microsoft sensitivity labels? ›

Microsoft makes ten label colors available for sensitivity labels in the Purview Compliance portal (Figure 1). The colors are charcoal, silver, beige, berry, lavender, light blue, light green, marigold, orange, and burgundy.

What is the most secure AIP label? ›

Confidential is the most suitable MS Azure Information Protection (AIP) label while sharing a presentation with client names and future project details with your Manager.

What are AIP labels? ›

Azure Information Protection (AIP) is a cloud-based solution that enables organizations to classify and protect documents and emails by applying labels. For example, your administrator might configure a label with rules that detect sensitive data, such as credit card information.

How do I convert Excel to labels? ›

Templates: from Excel to Word in a Mail Merge
  1. Select Document Type. Select “Labels”!
  2. Select Starting Document. If you have a compatible template code select “Change document layout”, then click “Label options”. ...
  3. Select Recipients. ...
  4. Arrange Your Labels. ...
  5. Preview Your Labels. ...
  6. Print Your Labels.

How do you create and apply labels? ›

You can create labels that store your emails. Add as many labels as you want to an email.
Create a label
  1. On your computer, go to Gmail.
  2. On the left, scroll down, then click More.
  3. Click Create new label.
  4. Name your label.
  5. Click Create.

Who can change sensitivity labels? ›

If a Sensitivity label is no longer required, the owner of the document can remove the label. Permissions can also be changed instead of removed if necessary.

Can a sensitivity label control user access? ›

Sensitivity labels allow Teams admins to protect and regulate access to sensitive organizational content created during collaboration within teams. After you configure sensitivity labels with their associated policies in the Microsoft Purview compliance portal, these labels can be applied to teams in your organization.

What are some of the label requirements? ›

The label on a prepackaged product must include three key components:
  • the “product identity declaration” (this is the product's common or generic name, or its function)
  • the net quantity of the package contents.
  • the dealer name and place of business.
Jun 24, 2022

Does OSHA require labels? ›

While the DOT diamond label is required for all hazardous chemicals on the outside shipping containers, chemicals in smaller containers inside the larger shipped container do not require the DOT diamond but do require the OSHA pictograms.

What are the 3 mandatory statements that must be seen on label? ›

Mandatory Labeling Elements

nutrition facts; ingredient statement (including allergen declaration); and. name and address of responsible firm.

What 3 items on a label should we limit? ›

Saturated fat, sodium, and added sugars are nutrients listed on the label that may be associated with adverse health effects – and Americans generally consume too much of them, according to the recommended limits for these nutrients.

What is an example of a sensitivity test? ›

A sensitive test is used for excluding a disease, as it rarely misclassifies those WITH a disease as being healthy. An example of a highly sensitive test is D-dimer (measured using a blood test). In patients with a low pre-test probability, a negative D-dimer test can accurately exclude a thrombus (blood clot).

What is an acceptable sensitivity test? ›

For a test to be useful, sensitivity+specificity should be at least 1.5 (halfway between 1, which is useless, and 2, which is perfect). Prevalence critically affects predictive values. The lower the pretest probability of a condition, the lower the predictive values.

Which tools in Excel are best for undertaking a sensitivity analysis? ›

The best way to do sensitivity in excel is to use Data Tables. Data tables provide a shortcut for calculating multiple versions in one operation and a way to view and compare the results of all variations on your worksheet.

How do you create a sensitivity label? ›

Create and configure sensitivity labels
  1. From the Microsoft Purview compliance portal, select Solutions > Information protection > Labels.
  2. On the Labels page, select + Create a label to start the new sensitivity label configuration:
May 12, 2023

What license is required for sensitivity labels? ›

Licensing Sensitivity Labels

Users require Office 365 E3 or above to apply a label manually, while automatic policy-driven application of labels requires Office 365 E5 or the Microsoft 365 E5 compliance licenses.

What are the best practices for sensitivity labels in Office 365? ›

Microsoft recommends label names that are self-descriptive and that highlight their relative sensitivity clearly. For instance, Confidential and Restricted may leave users guessing which is appropriate, while Confidential and Highly Confidential are more clear on which is more sensitive.

What are three capabilities of sensitivity labels? ›

You can use sensitivity labels to:
  • Provide protection settings that include encryption and content markings. ...
  • Protect content in Office apps across different platforms and devices. ...
  • Protect content in third-party apps and services by using Microsoft Defender for Cloud Apps.
May 12, 2023

How do I create a sensitivity label in Azure? ›

Assign a label to a new group in Azure portal

On the New Group page, select Office 365, and then fill out the required information for the new group and select a sensitivity label from the list. Save your changes and select Create.

What is sensitivity classification in purview? ›

Use Microsoft Purview Data Estate Insights for sensitivity labels. Classifications are similar to subject tags, and are used to mark and identify data of a specific type that's found within your data estate during scanning. Sensitivity labels enable you to state how sensitive certain data is in your organization.

How do I create labels in Azure purview? ›

Open the Microsoft Purview compliance portal. Under Solutions, select Information protection, Labels, then select Create a label. Name the label.

What are the four classes of data sensitivity? ›

Typically, there are four classifications for data: public, internal-only, confidential, and restricted.

What are the 3 classification of sensitive information? ›

The U.S. classification of information system has three classification levels -- Top Secret, Secret, and Confidential -- which are defined in EO 12356.

What are the three main categories of sensitive information? ›

There are three main types of sensitive information:
  • Personal Information. Also called PII (personally identifiable information), personal information is any data that can be linked to a specific individual and used to facilitate identity theft. ...
  • Business Information. ...
  • Classified Information.

Which two goals can be meet by using sensitivity labels? ›

You can configure a sensitivity label to: Encrypt emails, meeting invites, and documents to prevent unauthorized people from accessing this data. You can additionally choose which users or group have permissions to perform which actions and for how long.

Can sensitivity labels control user access? ›

Use sensitivity labels to help control access to your content in Office 365 applications, and in containers like Microsoft Teams, Microsoft 365 Groups, and SharePoint sites. They protect content without hindering user collaboration.

How to allow workspace admins to override automatically applied sensitivity labels? ›

This makes it possible for workspace admins to override automatically applied sensitivity labels without regard to label change enforcement rules. To enable this setting, go to: Admin portal > Tenant settings > Information protection.
Relaxations to accommodate automatic labeling scenarios
  • OWNER.
  • EDIT.
Aug 28, 2022

How do I set access rights and Security Permissions for Users? ›

Setting Permissions
  1. Access the Properties dialog box.
  2. Select the Security tab. ...
  3. Click Edit.
  4. In the Group or user name section, select the user(s) you wish to set permissions for.
  5. In the Permissions section, use the checkboxes to select the appropriate permission level.
  6. Click Apply.
  7. Click Okay.
Mar 31, 2023

How do I assign custom Permissions to a user? ›

  1. From Setup, enter Permission Sets in the Quick Find box, then select Permission Sets.
  2. Select a permission set, or create one.
  3. On the permission set overview page, click Custom Permissions.
  4. Click Edit.
  5. To enable custom permissions, select them from the Available Custom Permissions list and then click Add. ...
  6. Click Save.


1. Understanding Sensitivity Labels: Set Up and Management Across Power BI, Azure Purview, and O365
(Data Services Community)
2. Microsoft Purview Information Protection - Getting started Demo
(CloudnSec with Andre Camillo)
3. Microsoft Information Protection - Step by Step
(Andy Malone MVP)
4. What are Sensitivity Labels in Microsoft 365? All you need to know!! #microsoft365 #MIP #AIP
(Peter Rising MVP)
5. Design a Custom Sensitive Info Type (SIT) in Microsoft Purview
(Doug Does Tech)
6. Introduction to Sensitivity Labels in Microsoft 365
Top Articles
Latest Posts
Article information

Author: Errol Quitzon

Last Updated: 15/03/2023

Views: 6268

Rating: 4.9 / 5 (79 voted)

Reviews: 94% of readers found this page helpful

Author information

Name: Errol Quitzon

Birthday: 1993-04-02

Address: 70604 Haley Lane, Port Weldonside, TN 99233-0942

Phone: +9665282866296

Job: Product Retail Agent

Hobby: Computer programming, Horseback riding, Hooping, Dance, Ice skating, Backpacking, Rafting

Introduction: My name is Errol Quitzon, I am a fair, cute, fancy, clean, attractive, sparkling, kind person who loves writing and wants to share my knowledge and understanding with you.