Your sensitivity labels aren’t doing anything

Most clients I work with have sensitivity labels deployed. They’ll show me the dropdown in Word — Confidential, Internal, General, Public — and say, “We set that up during the M365 rollout.”

Fair enough. But when I ask how much of the content in SharePoint and OneDrive is actually labelled, the answer is almost always a pause. And then: “Not sure, to be honest.”

Which means almost nothing.

Users don’t apply labels manually. Not because they’re careless — but because asking someone to classify a document before they can save it is friction, and people route around friction every single time. If your labelling strategy depends on the human hitting that dropdown, it’s not a strategy. It’s wishful thinking.

That’s not a training problem. That’s a deployment gap.

What is auto-labelling, really?

There are two very different things living under this name, and mixing them up is exactly where most tenants stall.

The first is client-side auto-labelling. This is built into the sensitivity label itself — when a user opens a document or composes an email, the Office app scans the content and either suggests a label or quietly applies one. It’s useful. But it only fires when someone has a file open.

The second — and the one I want you to focus on — is service-side auto-labelling. This is a separate auto-labelling policy you create in Microsoft Purview. It runs in the background, continuously scanning SharePoint, OneDrive, and Exchange. No user involvement. Files sitting in SharePoint from two years ago? Scanned. Emails passing through Exchange right now? Scanned.

The labels go on whether the user ever touched the file or not.

Labels that apply themselves. That’s the actual goal.

Step-by-Step: Creating a service-side auto-labelling policy

One prerequisite: sensitivity labels must exist and be published before you create auto-labelling policies. If they’re not set up yet, start there.

Then, in the Microsoft Purview portal:

Open Information Protection > Policies > Auto-labelling policies

Sign in to purview.microsoft.com. Navigate to Solutions > Information Protection > Policies > Auto-labelling policies, then select + Create auto-labelling policy.

Choose a template or go Custom

Microsoft provides templates for common data types — financial data, personal data by region (there’s an Australian one), health records. Start with a template to see the shape of a policy, or go Custom if you want full control over which sensitive information types trigger the label.

Name the policy and pick the label

Give it a name that tells a story: “Confidential – Tax File Numbers – SharePoint” is more useful than “Auto-label policy 1.” Then select which sensitivity label gets applied on a match.

Select your locations

Pick SharePoint, OneDrive, Exchange, or all three. Scope to specific sites or users, or leave it at All. Start narrow — one site or department — until you’ve seen the simulation results.

Write the rule

This is the substance of the policy. Here’s a simple example:

If content contains:
  Sensitive info type: Tax file number (Australia)
  Confidence level: High
  Instance count: 1 or more
→ Apply label: Confidential

Notice what’s missing? A user making a decision.

Run simulation first — always

Before the policy applies a single label, run it in simulation mode. Purview crawls the selected locations and shows you a matched-files list without changing anything. Review it. Look for false positives. Check the count. When you’re satisfied, activate the policy.
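
The same steps can be scripted through Security & Compliance PowerShell. This is an added example, not part of the original walkthrough: the site URL is a placeholder, the label name "Confidential" is taken from the rule above, and the sensitive info type is looked up by a name pattern because its exact display name in your tenant is an assumption.

```powershell
# Added example: scripted equivalent of the portal steps above.
# Values marked "placeholder" are assumptions; replace them with tenant values.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession                       # Security & Compliance PowerShell session

$policyName = 'Confidential - Tax File Numbers - SharePoint'
$labelName  = 'Confidential'              # must already exist and be published
$siteUrl    = 'https://contoso.sharepoint.com/sites/finance'   # placeholder pilot site
$activate   = $false                      # flip only after reviewing the simulation

# Prerequisite check: stop if the label is not there.
$label = Get-Label | Where-Object DisplayName -eq $labelName
if (-not $label) { throw "Sensitivity label '$labelName' not found." }

# Resolve the sensitive info type by lookup instead of hard-coding its name.
$sit = @(Get-DlpSensitiveInformationType |
         Where-Object Name -like '*tax file number*')
if ($sit.Count -ne 1) {
    throw "Expected exactly one matching sensitive info type, found $($sit.Count)."
}

# Create the policy in simulation mode, scoped to a single site.
New-AutoSensitivityLabelPolicy -Name $policyName `
    -SharePointLocation $siteUrl `
    -ApplySensitivityLabel $labelName `
    -Mode TestWithoutNotifications

# The rule: one or more high-confidence matches gets the label.
New-AutoSensitivityLabelRule -Name "$policyName - rule" `
    -Policy $policyName `
    -Workload SharePoint `
    -ContentContainsSensitiveInformation @{
        Name            = $sit[0].Name
        minCount        = '1'
        confidencelevel = 'High'
    }

# Confirm the policy is still simulating, not labelling.
Get-AutoSensitivityLabelPolicy -Identity $policyName | Format-List Name, Mode

# Activation is a separate, deliberate step after the matched-files review.
if ($activate) {
    Set-AutoSensitivityLabelPolicy -Identity $policyName -Mode Enable
}
```

The matched-files review still happens in the Purview portal; the script only guarantees the policy cannot start labelling until `$activate` is changed by hand.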

Why this actually changes behaviour

Once service-side auto-labelling is running, you stop being dependent on user habits to build label coverage.

Here’s the real win: every downstream control that references sensitivity labels now has something to reference. DLP policies that trigger on Confidential content have labelled files to fire on. Conditional Access policies that restrict access by label context have something to evaluate. And Copilot respects sensitivity labels when deciding what to surface in responses — which means your Copilot governance story only works if the labels are actually on the files.

Before: “We set up sensitivity labels in the rollout.”

After: “We have auto-labelling policies running across SharePoint and Exchange, and the Purview dashboard shows 87% of our content is classified.”

One of those answers a cyber insurance question. The other is a checkbox nobody can verify.

The Purview data classification dashboard shows label coverage across your whole tenant. After a few days with auto-labelling running, watch that coverage number move. That’s the metric that matters when an auditor or an insurer asks how sensitive data is classified and protected.

My recommendation? Start with one workload, one sensitive info type, one site. Run simulation. Check the results. Turn it on. Then expand.

The platform knows how to classify. You just have to let it.

Sensitivity labels without auto-labelling are just a menu no one orders from. Turn on the scanner, let Purview do the work your users never will, and then show your clients the dashboard.
