SharePoint Sensitivity Labels: Complete Configuration Guide for Microsoft Purview

What Are Sensitivity Labels in SharePoint?

Microsoft Purview sensitivity labels are tags applied to SharePoint documents, libraries, sites, and Microsoft 365 groups that classify content and optionally apply protection (encryption, access restrictions, visual markings). They are the modern replacement for Azure Information Protection (AIP) classification and the foundation of Microsoft's information protection architecture.

For SharePoint specifically, sensitivity labels work in two distinct ways:

• Item-level labels: Applied to individual documents in SharePoint libraries. Can encrypt the file, add visual markings (headers, footers, watermarks), and restrict who can open it.

• Container labels: Applied to the SharePoint site itself or the associated Microsoft 365 Group/Team. Controls site access, external sharing permissions, and whether unmanaged devices can access the site — but does NOT encrypt document content.

Understanding this distinction is critical — many organizations configure only item labels and discover their SharePoint sites aren't protected at the container level.

Label Taxonomy Design

Before configuring labels, design the taxonomy. Common enterprise label hierarchies:

Simple 4-Label Taxonomy (recommended for most organizations)

```

Public

├── Accessible to everyone, including external parties

└── No encryption, no restrictions

Internal

├── For internal employees only

└── No encryption (users can still share internally)

Confidential

├── Sensitive business data — limited internal circulation

└── Encryption: internal employees only, or specific groups

└── Visual marking: CONFIDENTIAL header/footer

Restricted

├── Most sensitive data (financials, legal, executive communications)

└── Encryption: named individuals or specific security groups only

└── Visual marking: RESTRICTED watermark + header

```

Extended Taxonomy with Sublabels (for regulated industries)

```

Public

Internal

├── Internal/General

└── Internal/HR Use Only

Confidential

├── Confidential/All Employees

├── Confidential/Finance

└── Confidential/Legal

Restricted

├── Restricted/Executives Only

└── Restricted/Legal Privilege

[Regulatory]

├── HIPAA/ePHI (healthcare)

├── PCI/Cardholder Data (financial)

└── FedRAMP/CUI (government)

```

Design principles:

• Maximum 5 top-level labels (user cognitive load)
• Sublabels: use sparingly, only when encryption scope genuinely differs
• Avoid creating labels users will consistently get wrong — simplicity drives adoption
• Every label needs a clear, user-understandable definition (not just technical specs)

Creating Sensitivity Labels in Microsoft Purview

Step 1: Create Labels

Access: Microsoft Purview compliance portal → Information Protection → Labels → Create a label

```powershell

# Create sensitivity labels via PowerShell

Connect-IPPSSession

# Create "Confidential" label

New-Label `

-Name "Confidential" `

-DisplayName "Confidential" `

-Tooltip "Sensitive business data. For internal use only. Do not share externally without approval." `

-Priority 2 # Higher number = more sensitive

# Configure label settings

Set-Label -Identity "Confidential" `

-EncryptionEnabled $true `

-EncryptionProtectionType Template `

-EncryptionRightsDefinitions "[email protected]:VIEW,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL" `

-ContentMarkingUpHeaderEnabled $true `

-ContentMarkingUpHeaderText "CONFIDENTIAL - Internal Use Only" `

-ContentMarkingUpHeaderFontColor "#FF0000" `

-ContentMarkingUpHeaderFontSize 12

```

Step 2: Configure Container Labels (Site-Level Protection)

Enable container labels for SharePoint sites and Microsoft 365 Groups:

```powershell

# Enable sensitivity label support for SharePoint sites and M365 Groups

Connect-MsolService

$currentSettings = Get-MsolCompanySettings

Set-AzureADDirectorySetting -Id $currentSettings.ObjectId `

-DirectorySetting @{ "EnableMIPLabels" = "True" }

# Apply via SharePoint PowerShell as well

Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

Set-SPOTenant -EnableAIPIntegration $true

```

Container label settings available per label:

• External sharing: Allow or block external users from accessing the site
• Unmanaged device access: Allow full access, limited web-only access, or block access entirely
• Privacy: Public (anyone can find and join) or Private (members only)
• Azure AD Conditional Access: Enforce tenant-wide CA policy for this site

```powershell

# Set container label protection settings

Set-Label -Identity "Confidential" `

-SiteAndGroupExternalSharingCapability "Disabled" `

-SiteAndGroupPrivacy "Private" `

-SiteAndGroupAllowAccessFromUnmanagedDevices "BlockAccess"

```

Step 3: Publish Labels via Label Policies

Labels must be published to users before they appear in Office apps and SharePoint:

```powershell

# Create label policy publishing to all users

New-LabelPolicy `

-Name "Contoso Sensitivity Labels - All Users" `

-Labels "Public","Internal","Confidential","Restricted" `

-ExchangeLocation All `

-SharePointLocation All `

-OneDriveLocation All `

-DefaultLabel "Internal" `

-MandatoryToLabel $true # Users must apply a label before saving

```

Key policy settings:

• DefaultLabel: Auto-applies when content created (recommend "Internal" as default)
• MandatoryToLabel: Requires users to apply a label — enables compliance but adds friction
• JustificationMessage: Required when downgrading a label (e.g., Confidential → Internal)

Auto-Labeling for SharePoint Content

Manual labeling fails at scale. Configure auto-labeling to classify existing and new content automatically.

Method 1: Client-Side Auto-Labeling (Recommended Labels in Office Apps)

In the label policy, configure recommended labels based on content type:

```powershell

# Configure auto-labeling recommendation for documents containing SSN

Set-Label -Identity "Confidential" `

-AutoApplyConditions @{

ContentContainsSensitiveInformation = @(

@{Name = "U.S. Social Security Number (SSN)"; minCount = "1"}

)

} `

-AutoApplyRecommendationsEnabled $true # Recommend (not force)

```

Method 2: Service-Side Auto-Labeling Policy (for Existing Content)

Auto-labeling policies scan SharePoint content at rest and apply labels automatically:

```powershell

# Create auto-labeling policy for financial data in Finance SharePoint site

New-AutoSensitivityLabelPolicy `

-Name "Auto-Label Financial Data" `

-ApplySensitivityLabel "Confidential" `

-SharePointLocation "https://contoso.sharepoint.com/sites/Finance"

New-AutoSensitivityLabelRule `

-Policy "Auto-Label Financial Data" `

-Name "Detect Credit Card + SSN" `

-ContentContainsSensitiveInformation @(

@{Name = "Credit Card Number"; minCount = "1"},

@{Name = "U.S. Social Security Number (SSN)"; minCount = "1"}

) `

-ReportSeverityLevel High

```

Important: Service-side auto-labeling runs as a simulation first. Review simulation results before enabling enforcement mode.

Method 3: Trainable Classifiers

For organization-specific content that built-in SITs don't cover, train custom classifiers:

• Legal contracts (train on 50+ contract examples, 50+ non-contract examples)
• Financial reports (train on quarterly/annual report examples)
• Project proposals (train on your organization's proposal documents)

Training requires: 50 positive samples, 50 negative samples, at minimum. Accuracy improves with 200+ training items.

Integrating Labels with SharePoint DLP

Sensitivity labels and DLP work together — labels trigger DLP actions:

```powershell

# DLP policy: block external sharing of Confidential or Restricted documents

New-DlpCompliancePolicy `

-Name "Block External Sharing - Confidential and Restricted" `

-SharePointLocation All

New-DlpComplianceRule `

-Policy "Block External Sharing - Confidential and Restricted" `

-Name "No External Sharing for Confidential+" `

-ContentContainsSensitivityLabel @("Confidential", "Restricted") `

-BlockAccess $true `

-BlockAccessScope PerUser `

-NotifyUser Owner `

-NotifyEmailMessage "This document is classified as Confidential or Restricted and cannot be shared externally."

```

Applying Container Labels to Existing SharePoint Sites

For sites created before container labels were deployed, bulk-apply labels:

```powershell

# Apply Confidential container label to all Finance and Legal sites

Connect-PnPOnline -Url "https://contoso-admin.sharepoint.com" -Interactive

$sensitiveSites = Get-PnPTenantSite | Where-Object {

$_.Url -like "*finance*" -or $_.Url -like "*legal*"

}

foreach ($site in $sensitiveSites) {

Set-PnPSite -Identity $site.Url `

-SensitivityLabel "Confidential" `

-SharingCapability "ExistingExternalUserSharingOnly"

Write-Output "Applied Confidential label to: $($site.Url)"

}

```

End-User Experience and Adoption

The Labeling Experience in SharePoint

When users upload a document to a SharePoint library with mandatory labeling:

• User uploads file → SharePoint prompts to apply a label
• User selects appropriate label from dropdown
• If encryption is configured, file is encrypted on upload
• Label is visible as a column in the library view

Common User Adoption Challenges

| Challenge | Solution |

|-----------|---------|

| "I don't know which label to use" | Clear 1-page label guide in intranet; 5-minute training video; default label set to "Internal" |

| "Mandatory labeling slows me down" | Enable default label; only require label for specific library types initially |

| "I can't open a labeled file on my personal device" | Conditional Access policy on label requires managed device; communicate policy to users |

| "My external vendor can't open the encrypted file" | B2B sharing configuration; label policy for partner sharing; or exclude vendor from label requirement |

Label Usage Reporting

Track label adoption in the Purview portal:

```powershell

# Get label usage report for past 30 days

Connect-IPPSSession

$report = Get-LabelPolicyReport `

-StartDate (Get-Date).AddDays(-30) `

-EndDate (Get-Date)

$report | Group-Object SensitivityLabel | Select-Object Name, Count | Sort-Object Count -Descending

```

Review monthly: % of SharePoint documents with a label applied (target: 80%+ within 6 months).

Label Governance

Review and Update Cycle

• Quarterly: Review label taxonomy — are all labels actively used? Any gaps?
• Semi-annual: Review auto-labeling accuracy — false positives, missed classifications
• Annual: Full policy review with Legal and Compliance — label definitions still accurate?

Preventing Label Taxonomy Sprawl

Common failure: too many labels created by different teams (e.g., HR creates "HR-Confidential", Finance creates "Finance-Sensitive"). Establish a label governance board that approves all new labels. All labels live in a single, centrally managed taxonomy.

Conclusion

Microsoft Purview sensitivity labels are the most powerful information protection tool available in the Microsoft 365 ecosystem. Properly configured, they provide automatic content classification, encryption, visual markings, site-level protection, and DLP enforcement — all from a single, centrally managed taxonomy.

EPC Group designs and deploys sensitivity label taxonomies for enterprise organizations across healthcare, financial services, legal, and government sectors. Contact us for an information protection assessment.