April 19, 2022
min read

The What, Why, and How of Sensitivity Labels

Data security in your organization is inherently important. As workforces evolve to include more and more remote resources, and as data is simultaneously more and more uniformly stored in the cloud, an increased emphasis on data security continues to emerge across a variety of industries. Securing your organization’s sensitive data is essential to both maintaining your competitive positioning and your organization’s hard-won reputation.

And while this task may seem daunting at first, you’ll find that Microsoft 365 offers a powerful and intuitive solution to this problem in the form of Sensitivity Labels.

What are Microsoft 365 Sensitivity Labels?

Sensitivity Labels are custom sets of access rules that you can define and apply to documents, Microsoft Teams, and SharePoint sites. They allow your team to precisely control exactly who can access what in a straightforward and intuitive way.

How do Sensitivity Labels work?

Once created and applied to a given resource, sensitivity labels are fundamentally plain text metadata representations of the custom rules you’ve created. Because they are plain text, they can be read and enforced by software that lives outside of your Microsoft 365 tenant. This means that team members can safely download files to their local machines without compromising your security goals.

Additionally, sensitivity labels are persistent. That is, once they have been applied to a resource, the policy defined at the time of application remains constant for that particular resource – even if the sensitivity label that has been applied is later updated in some way, the original security policy definition that was applied to a given resource remains unchanged.

What level of security do Sensitivity Labels offer?

Sensitivity labels are fully customizable. They can enforce as much or as little security as a given resource warrants within your organization. The highest level of protection they can offer is double key encryption, which amounts to a security level that is all but impossible to compromise. At the other end of the spectrum, you can create sensitivity labels that allow public or guest access to specific resources.

How can Sensitivity Labels reduce your IT team’s workload?

Your central IT team has limited time and resources to manage a wide variety of objectives. Sensitivity Labels can help to distribute some of this workload to others in your organization by allowing these non-IT team members to manage data security within their own departments and with only a limited scope of authority. For example, maybe you have a marketing team that consistently works with contractors of various types, which presents something of a challenge in that there is a constantly evolving workforce that needs access to specific resources, but also needs to be kept at arm’s length from your organization’s most sensitive information.

Your IT team can grant a member of the marketing team limited administrative privileges, such that they can manage your security policies within this limited scope of managing contractor access to department resources.

How can Sensitivity Labels enhance and streamline workflows in other departments?

Maintaining strict data security policies across your entire organization requires that every team member adheres to your defined security processes. This can include such tasks as ensuring that specific classes of documents are appropriately identified through the application of watermarks and that access to these documents is only made available to the right people.

As with any complex and inherently important objective within your organization, securing your resources has the potential to become a significant strain on your organization both in terms of the time it takes and the likelihood that human error will creep in.

Sensitivity labels are Microsoft 365’s solution to this problem, in that they simplify data security across your entire organization. Default sensitivity labels that will be applied at document creation can go a long way in reducing the time it takes a given employee to do his or her work effectively, while also allowing your team to maintain strict security policies. Moreover, sensitivity labels – once defined – can be applied very simply from within any of the Microsoft 365 suite of products, as there is a simple “Sensitivity” dropdown menu available in the top menu, or Ribbon, of Word, Excel, and the other products your team uses daily.

However, Microsoft’s documentation around sensitivity labels repeatedly and explicitly calls for training your team in their use and application in order to avoid large-scale mislabeling of resources via default policies.

Finally, sensitivity labels allow your organization to effectively enforce “trust but verify” policies by allowing you to require that they are applied to newly created documents before they can be saved, and by requiring that a specific justification is given should someone attempt to update an existing sensitivity label.

How do you create Sensitivity Labels?

While pre-defined sensitivity labels can be applied from within Microsoft 365 applications, defining the labels themselves is done through the Microsoft 365 compliance center under the Solutions > Information protection tabs available in the sidebar menu.

From there, you’ll need to select the Labels tab, and then click “Create a Label” to get started.

You’ll then be asked to define the scope for your new label – i.e., will it apply to emails and documents, or will it apply to SharePoint sites and Microsoft Teams?

If you choose “Files & emails” you can define security levels for specific documents. Conversely, if you select “Groups & sites” your sensitivity label will apply only to these resources. It is worth noting that these groups are mutually exclusive, so rules created for documents cannot be applied to groups and sites, and vice versa.

From there, you’ll just need to follow the configuration prompts and save your label in order for it to be accessible to your team in your Microsoft 365 tenant.

Because you will more than likely be creating multiple labels, you will want to repeat the above steps for each label you create. Then it is important that you organize the labels from least to most restrictive in the Information protection view, as shown below, because the least restrictive label possible will be applied by default, and this ordering is how the system understands which label to apply.


Sensitivity Labels provide a simple, straightforward solution to ensuring organization-wide adherence to your document and resource-focused security policies. They can be created by your central IT team, or they can be offloaded in a controlled way to others within your organization in order to reduce your IT team’s workload.

They are essentially pre-defined rules that live as plain text metadata on your organization’s resources, which means that whether your team is interacting with these resources within your Microsoft 365 tenant or elsewhere, Microsoft applications can interpret and apply the same rules.

Ready to Conquer Microsoft 365?

Request a Demo