Sensitivity labels and auto-labelling: put a name on your data


Most people meet sensitivity labels the wrong way.

They see encryption and Purview and compliance in the same sentence and decide it’s an enterprise problem. Something for banks. Something that needs E5, a consultant, and six months.

So they leave the whole thing switched off.

Then a client emails a payroll spreadsheet to the wrong “David” in the address book, and it becomes very much their problem.

Here’s what I want you to understand. A sensitivity label isn’t a lock. It’s a name tag you put on information so Microsoft 365 knows how to treat it — and most of the value shows up before you’ve encrypted a single file.

What are sensitivity labels, really?

A sensitivity label is a tag that travels with the content. Apply Confidential to a Word doc and that label rides along into SharePoint, OneDrive, Teams, and the email it’s attached to — even off your tenant, if you allow it.

What the label does is up to you. It can simply mark the document with a header, footer, or watermark. It can show a visual classification users notice. Or it can go further and encrypt the file so only the right people open it.

That range is the bit people miss. You don’t have to start with encryption. You can start with classification — and classification on its own changes how people handle a file.

Step-by-Step: build your first label

Everything lives in the Microsoft Purview portal at purview.microsoft.com, under Information Protection. Microsoft seeds new tenants with a default set, but build and publish your own so the names actually mean something to your client.

Turn on labels for files

Before a label will stick to documents in SharePoint and OneDrive, go to Settings > Information Protection and turn on co-authoring for files with sensitivity labels. Skip this and your labels won’t apply to files at rest. It catches everyone once.

Create the label

Under Information Protection > Sensitivity labels, select Create a label. Give it a name your users will understand, not a compliance codeword. Set the scope to Files and emails.

Decide what it does

Now choose protection. Content marking — a header, footer, or watermark — is the gentle option. Access control with encryption is the heavy one. For your first label, pick marking. You can add teeth later.

Publish it

A label nobody can see does nothing. Create a label policy, add your label, and publish it to a group of users. Now it shows up under the Sensitivity button in Word, Excel, PowerPoint, and Outlook.

That’s a working label. Manual, user-applied, and included with the sensitivity-label entitlement most of your Business Premium clients already hold.
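The same create, mark and publish steps can be scripted in Security & Compliance PowerShell. This is an added example, not part of the original post; the label wording, the policy name and the `pilot-users@example.com` address are placeholders, and it assumes the ExchangeOnlineManagement module is installed and that the address resolves to a mailbox or mail-enabled group in the tenant.

```powershell
# Added example. Names, tooltip text and the pilot address are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive sign-in to Security & Compliance PowerShell

# Classification-only label: scoped to files and emails, header marking,
# and no encryption parameters set.
$labelParams = @{
    Name                               = 'Confidential'
    DisplayName                        = 'Confidential'
    Tooltip                            = 'Client or business data. Think before you forward.'
    ContentType                        = 'File, Email'
    ApplyContentMarkingHeaderEnabled   = $true
    ApplyContentMarkingHeaderText      = 'Confidential'
    ApplyContentMarkingHeaderFontSize  = 10
    ApplyContentMarkingHeaderAlignment = 'Center'
}
New-Label @labelParams

# Publish the label so it appears under the Sensitivity button.
# Assumption: the placeholder stands for your pilot users.
$policyParams = @{
    Name             = 'Pilot label policy'
    Labels           = 'Confidential'
    ExchangeLocation = 'pilot-users@example.com'
}
New-LabelPolicy @policyParams

# Read back what was created before telling users to look for it.
Get-Label -Identity 'Confidential' | Format-List Name, DisplayName, Priority
Get-LabelPolicy -Identity 'Pilot label policy' | Format-List Name, Labels
```

Published labels can take a while to appear in the Office apps, so check with a pilot user before widening the policy.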

Step-by-Step: let the tenant do the labelling

Manual labels rely on people remembering. People don’t. So the next step is auto-labelling — and this is where the licensing line sits, so be straight with clients.

Pick your method

There are two. Client-side auto-labelling prompts or applies a label while someone edits a document in Office. Service-side auto-labelling policies scan content already sitting in SharePoint and OneDrive, plus mail moving through Exchange, with no user involved at all.

Run it in simulation first

This is the setting that saves you. An auto-labelling policy runs in simulation mode — it shows you exactly what would get labelled across the tenant without touching a thing. My recommendation? Always simulate, read the matches, fix your conditions, then turn it on.

Mind the licence

Auto-labelling — both flavours — needs the E5-tier Information Protection entitlement, not the base Business Premium one. Manual labels are included. Automatic ones aren’t. Don’t promise a client auto-labelling on a licence that doesn’t carry it.
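A service-side policy created in simulation mode looks like this in Security & Compliance PowerShell. This is an added example, not part of the original post; the policy name is constructed, and it assumes a published label named `Confidential` already exists and that the tenant holds the auto-labelling entitlement described above.

```powershell
# Added example. The policy name is constructed; 'Confidential' is assumed
# to be an existing, published label.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$policyName = 'Sim - card numbers to Confidential'

# TestWithoutNotifications is simulation mode: matches are reported for
# review and no file is labelled.
$policyParams = @{
    Name                  = $policyName
    ApplySensitivityLabel = 'Confidential'
    SharePointLocation    = 'All'
    OneDriveLocation      = 'All'
    Mode                  = 'TestWithoutNotifications'
}
New-AutoSensitivityLabelPolicy @policyParams

# One rule per workload, matching the built-in 'Credit Card Number'
# sensitive information type at least once per item.
foreach ($workload in 'SharePoint', 'OneDriveForBusiness') {
    $ruleParams = @{
        Name     = "$policyName - $workload"
        Policy   = $policyName
        Workload = $workload
        ContentContainsSensitiveInformation = @{
            Name     = 'Credit Card Number'
            minCount = '1'
        }
    }
    New-AutoSensitivityLabelRule @ruleParams
}

# Confirm the policy is still in simulation before anyone assumes it is live.
Get-AutoSensitivityLabelPolicy -Identity $policyName | Format-List Name, Mode

# Only after reading the simulation matches and fixing the conditions:
# Set-AutoSensitivityLabelPolicy -Identity $policyName -Mode Enable
```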

“So do I need encryption on everything?” No. Most of my labels never encrypt anything. They classify. Encryption is reserved for the one or two labels that genuinely need it.

Here’s a starter taxonomy worth copying:

Personal
Public
General
Confidential
Highly Confidential

Notice what’s missing? Encryption — on four of the five. The top label might lock files down. The rest just name the sensitivity so people, and the tenant, treat them accordingly. Classification first, control second.

Why this actually changes behaviour

A labelled file behaves differently. DLP policies can key off the label. Auto-labelling can find the credit-card numbers your user forgot were buried in an old quote. And both SharePoint and Copilot respect the access a label enforces — which matters more every month.

But the quiet win is human. When someone clicks Confidential and a watermark appears, they slow down. They think before they forward. The label is doing the teaching.

Set it up once. It keeps working while everyone’s asleep.

Sensitivity labels aren’t there to make compliance harder. They’re there to make a careless mistake hard to make by accident.

If you’re rolling out Microsoft 365 and your clients’ data still has no name on it — that’s the gap. Put a name on it.
