Microsoft Purview sensitivity labels — a deep dive

How sensitivity labels classify and protect content in Microsoft 365, and how to design a label taxonomy that works.

Sensitivity labels in Microsoft Purview are the mechanism for classifying and protecting content across Microsoft 365. They're the centrepiece of information protection — and increasingly an important prerequisite for safely rolling out Microsoft 365 Copilot.

What a label does

When applied to a file, email, meeting, or container, a sensitivity label can:

  • Apply encryption with usage rights (only specific users / groups can decrypt, with optional view/edit/print/forward restrictions).
  • Add visual markings — header, footer, watermark.
  • Restrict the default sharing link type.
  • Restrict external sharing at the container level.
  • Restrict unmanaged device access.
  • Trigger DLP policies keyed off the label.
  • Be mandatory at file creation, with users prompted to label.
  • Travel with the content — labels and encryption persist outside the tenant.

A simple taxonomy

The label taxonomy is the most important design decision. A starting point that works for many organisations:

  • Public — no restrictions. Marketing material, published content.
  • General / Internal — default for most internal content. No encryption, no markings.
  • Confidential — sub-labels for different audiences:
    • Confidential / All Employees — encryption, accessible to all employees.
    • Confidential / Team — accessible to a specific team.
  • Highly Confidential — sub-labels with strict controls:
    • Highly Confidential / Restricted — limited named recipients.
    • Highly Confidential / Do Not Forward — recipient-only.

Five top-level labels is enough. More creates confusion; fewer doesn't allow meaningful differentiation.
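
The labels listed above, created with Security & Compliance PowerShell. This is an added example, not from the original page or from Microsoft. The domain, group, recipient, internal label names, policy name and the rights granted to each audience are assumptions to replace with your own.

```powershell
# Added example (not from the original page). Needs the ExchangeOnlineManagement
# module and a role that can manage sensitivity labels.
Connect-IPPSSession

# Assumptions: placeholder domain, group and recipient; replace with your own.
$orgDomain = 'contoso.example'
$teamGroup = 'finance-team@contoso.example'
$named     = 'cfo@contoso.example'
$edit      = 'VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL'
$viewOnly  = 'VIEW,VIEWRIGHTSDATA'

# Top-level labels, created from least to most sensitive (no encryption here).
New-Label -Name 'Public' -DisplayName 'Public' -Tooltip 'Marketing material, published content.'
New-Label -Name 'General' -DisplayName 'General / Internal' -Tooltip 'Default for most internal content.'
New-Label -Name 'Confidential' -DisplayName 'Confidential' -Tooltip 'Parent label; choose a sub-label.'
New-Label -Name 'HighlyConfidential' -DisplayName 'Highly Confidential' -Tooltip 'Parent label; choose a sub-label.'

# Sub-labels carry the protection: encryption plus a header marking.
$common = @{ EncryptionEnabled = $true; ApplyContentMarkingHeaderEnabled = $true }
$subLabels = @(
    @{ Name = 'Conf-AllEmployees'; DisplayName = 'All Employees'; ParentId = 'Confidential'
       Tooltip = 'Encrypted; accessible to all employees.'; ApplyContentMarkingHeaderText = 'Confidential'
       EncryptionProtectionType = 'Template'; EncryptionRightsDefinitions = "${orgDomain}:$edit" },
    @{ Name = 'Conf-Team'; DisplayName = 'Team'; ParentId = 'Confidential'
       Tooltip = 'Encrypted; accessible to a specific team.'; ApplyContentMarkingHeaderText = 'Confidential'
       EncryptionProtectionType = 'Template'; EncryptionRightsDefinitions = "${teamGroup}:$edit" },
    @{ Name = 'HC-Restricted'; DisplayName = 'Restricted'; ParentId = 'HighlyConfidential'
       Tooltip = 'Limited named recipients.'; ApplyContentMarkingHeaderText = 'Highly Confidential'
       EncryptionProtectionType = 'Template'; EncryptionRightsDefinitions = "${named}:$viewOnly" },
    @{ Name = 'HC-DoNotForward'; DisplayName = 'Do Not Forward'; ParentId = 'HighlyConfidential'
       Tooltip = 'Recipient-only email.'; ApplyContentMarkingHeaderText = 'Highly Confidential'
       EncryptionProtectionType = 'UserDefined'; EncryptionDoNotForward = $true }
)
foreach ($l in $subLabels) {
    New-Label @common @l
}

# Publish every label in one baseline policy so users can see and apply them.
$all = @('Public', 'General', 'Confidential', 'HighlyConfidential') + ($subLabels | ForEach-Object { $_.Name })
New-LabelPolicy -Name 'Baseline labels' -Labels $all -ExchangeLocation All

# Review the result: parent/child structure and priority order.
Get-Label | Sort-Object Priority | Format-Table Name, DisplayName, ParentId, Priority
```

Run it against a test tenant first and check the `Get-Label` output before publishing the policy to production users.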

File-level vs container-level

Labels can apply to:

  • Files and emails — encryption, markings, DLP triggers.
  • Containers — Microsoft 365 Groups, Teams, SharePoint sites: privacy, external sharing, device access.

The two are complementary. A site labelled Confidential can hold both Confidential and Internal files; the site-level controls apply to the container, the file-level controls to individual content.

Beyond user-applied labels, Purview supports:

  • Automatic labelling — server-side application of labels to files matching content criteria (credit cards, government IDs, custom patterns).
  • Recommended labelling — Office apps prompt users to apply a specific label when content matches.

Copilot readiness

Copilot uses labels as one of the signals for deciding what to include in grounding. An encrypted Confidential file that the user has no usage rights to won't surface in Copilot answers. Tenants rolling out Copilot should publish a baseline label taxonomy first, even if adoption starts narrow.

Licensing

Sensitivity labels for files and emails are included in Microsoft 365 E3 and above. Automatic labelling, recommended labelling, and container-level controls require E5 or Purview add-ons.

Start with a small taxonomy, label the most-sensitive content first, and expand from there.