April 19, 2022
Roy Martinez
With over 16 years in Microsoft and IT infrastructure, Roy uses his SharePoint, Power Automate, and Microsoft Teams expertise to help organizations develop strategies for adoption, collaboration, automation, and governance.

Securing your organization’s sensitive data is essential to both maintaining your competitive positioning and your organization’s hard-won reputation. And while this task may seem daunting at first, you’ll find that Office 365 sensitivity labels offer a powerful and intuitive solution.

What are Microsoft 365 Sensitivity Labels?

Sensitivity Labels are custom sets of access rules that you can define and apply to documents, Microsoft Teams, and SharePoint sites. They allow your team to precisely control exactly who can access what in a straightforward and intuitive way.

How do Sensitivity Labels work?

Once created and applied to a given resource, sensitivity labels are fundamentally plain text metadata representations of the custom rules you’ve created. Because they are plain text, they can be read and enforced by software that lives outside of your Microsoft 365 tenant, meaning security isn't compromised if team members download files to their local machines.

Additionally, sensitivity labels are persistent. Once a label has been applied to a resource, the policy defined at the time of application remains constant for that particular resource. Even if the sensitivity label is later updated in some way, the original security policy definition that was applied to the resource remains unchanged.
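As an added illustration (not code from the original article or from Microsoft): Office files carry the label as custom document properties named `MSIP_Label_<GUID>_<field>` in `docProps/custom.xml`, so a script can read the label offline. The code below assumes an unencrypted Office Open XML file; the helper names, the GUID and the sample values are constructed for the example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

CUSTOM_PROPS = "docProps/custom.xml"
CP = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
VT = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
LABEL_PROP = re.compile(r"^MSIP_Label_([0-9a-fA-F-]{36})_(\w+)$")

def read_labels(ooxml_bytes):
    """Return {label_guid: {field: value}} from an unencrypted OOXML file."""
    labels = {}
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as z:
        if CUSTOM_PROPS not in z.namelist():
            return labels  # no custom-properties part: the file is unlabeled
        # For files from untrusted sources, parse with defusedxml instead.
        root = ET.fromstring(z.read(CUSTOM_PROPS))
    for prop in root.findall(f"{{{CP}}}property"):
        m = LABEL_PROP.match(prop.get("name", ""))
        value = prop.find(f"{{{VT}}}lpwstr")
        if m and value is not None:
            labels.setdefault(m.group(1).lower(), {})[m.group(2)] = value.text or ""
    return labels

def enabled_label_names(ooxml_bytes):
    """Sorted names of the labels whose Enabled field is 'true'."""
    fields = read_labels(ooxml_bytes).values()
    return sorted(f.get("Name", "") for f in fields if f.get("Enabled", "").lower() == "true")

def build_sample(props):
    """Constructed input: a minimal zip holding only docProps/custom.xml."""
    items = "".join(
        f'<property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="{i}" '
        f'name="{n}"><vt:lpwstr>{v}</vt:lpwstr></property>'
        for i, (n, v) in enumerate(props.items(), start=2)
    )
    xml = f'<Properties xmlns="{CP}" xmlns:vt="{VT}">{items}</Properties>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(CUSTOM_PROPS, xml)
    return buf.getvalue()

GUID = "11111111-2222-3333-4444-555555555555"  # constructed placeholder, not a real label ID
SAMPLE = build_sample({
    f"MSIP_Label_{GUID}_Enabled": "true",
    f"MSIP_Label_{GUID}_Name": "Confidential",
    f"MSIP_Label_{GUID}_Method": "Privileged",
    "ProjectCode": "not a label property",
})
```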

What level of security do Sensitivity Labels offer?

Sensitivity labels are fully customizable and allow as much or as little security as an organization decides.

The highest level of protection they can offer is double key encryption, which amounts to a security level that is all but impossible to compromise. At the other end of the spectrum, you can create sensitivity labels that allow public or guest access to specific resources.

How can Sensitivity Labels reduce your IT team’s workload?

Sensitivity labels can reduce your IT team's workload by allowing non-IT team members to manage data security within their own departments.

For example, your marketing team consistently works with contractors of various types. This presents something of a challenge: a constantly evolving workforce needs access to specific resources, but also needs to be kept at arm’s length from your organization’s most sensitive information.

Your IT team can grant a member of the marketing team limited administrative privileges, so that they can manage your security policies within the limited scope of contractor access to department resources.

How can Sensitivity Labels enhance and streamline workflows in other departments?

Maintaining strict data security policies across your entire organization requires that every team member adheres to your defined security processes. This can include such tasks as ensuring that specific classes of documents are appropriately identified through the application of watermarks and that access to these documents is only made available to the right people.

As with any complex and inherently important objective within your organization, securing your resources has the potential to become a significant strain on your organization both in terms of the time it takes and the likelihood that human error will creep in.

Sensitivity labels are Microsoft 365’s solution to this problem, in that they simplify data security across your entire organization. Default sensitivity labels that will be applied at document creation can go a long way in reducing the time it takes a given employee to do his or her work effectively, while also allowing your team to maintain strict security policies.

Moreover, sensitivity labels – once defined – can be applied very simply from within any of the Microsoft 365 suite of products, as there is a simple “Sensitivity” dropdown menu available in the top menu, or Ribbon, of Word, Excel, and the other products your team uses daily.

However, Microsoft’s documentation around sensitivity labels repeatedly and explicitly calls for training your team in their use and application in order to avoid large-scale mislabeling of resources via default policies.

Finally, sensitivity labels allow your organization to effectively enforce “trust but verify” policies by allowing you to require that they are applied to newly created documents before they can be saved, and by requiring that a specific justification is given should someone attempt to update an existing sensitivity label.

How do you create Sensitivity Labels?

While pre-defined sensitivity labels can be applied from within Microsoft 365 applications, defining the labels themselves is done through the Microsoft 365 compliance center under the Solutions > Information protection tabs available in the sidebar menu.

From there, you’ll need to select the Labels tab, and then click “Create a Label” to get started.

You’ll then be asked to define the scope for your new label – i.e., will it apply to emails and documents, or will it apply to SharePoint sites and Microsoft Teams?

If you choose “Files & emails” you can define security levels for specific documents. Conversely, if you select “Groups & sites” your sensitivity label will apply only to these resources. It is worth noting that these groups are mutually exclusive, so rules created for documents cannot be applied to groups and sites, and vice versa.

From there, you’ll just need to follow the configuration prompts and save your label in order for it to be accessible to your team in your Microsoft 365 tenant.

If you are creating multiple labels, you will want to repeat the above steps for each label you create. It is important that you organize the labels from least to most restrictive in the Information protection view, as shown below, because the least restrictive label possible will be applied by default, and this ordering is how the system understands which label to apply.

Screenshot of Microsoft 365 compliance information protection


Sensitivity Labels provide a simple, straightforward solution to ensuring organization-wide adherence to your document and resource-focused security policies. They can be created by your central IT team, or they can be offloaded in a controlled way to others within your organization in order to reduce your IT team’s workload.

They are essentially pre-defined rules that live as plain text metadata on your organization’s resources, which means that whether your team is interacting with these resources within your Microsoft 365 tenant or elsewhere, Microsoft applications can interpret and apply the same rules.
