Sensitivity Labels in Microsoft 365: The Practical Guide

What are Built-in Labels and why does it matter?

Microsoft distinguishes between built-in labels and non-built-in labels — the difference determines which features continue to work with labeled documents.

A label is "built-in" when Microsoft 365 (SharePoint Online, OneDrive, Office for the Web) can natively understand and work with it. This means co-authoring, SharePoint search, preview, AutoSave, and setting the label directly in Office for the Web all function as expected.

A label becomes a non-built-in label when any of the following conditions apply:

• The file type is not supported (e.g., CAD files, XML, images, older Office formats such as .doc)
• The label configuration contains certain restrictions such as "Offline Access: Never" or "Content Expiration"
• Double Key Encryption is enabled

For files without native support for built-in labeling, key Microsoft 365 features such as SharePoint indexing, co-authoring, preview, or OCR for labeled images may not be available, depending on the file type and label configuration. In such cases, labels and protection must often be applied using the Microsoft Purview Information Protection Client or corresponding client- or SDK-based tools. When using generic protection, files are given the .pfile extension; when using natively supported protection, file-type-specific protected extensions can be used, such as .pjpg for JPEG files.

PDF files are a special case: they are supported as built-in labels but must be separately enabled at the tenant level via PowerShell.

Practical implication: If your organization needs to label many non-Office files (technical drawings, images, legacy formats), you lose convenient SharePoint integration for those file types. Plan this into your file type strategy early.

How do publishing policies and default labels work?

A configured Sensitivity Label is initially invisible to end users. The publishing policy makes the label available to defined user groups and controls behavior around it.

In a publishing policy you define:

• Which labels are published (you choose from all existing labels)
• Which users or groups see the label
• Whether a default label is automatically applied to new documents, emails, or SharePoint sites
• Whether a justification is required when a user downgrades or removes a label
• Whether labeling is mandatory — users must set a label before saving a document or sending an email

Default labels apply automatically to new documents in a library, new emails, or new containers. They do not retroactively relabel existing documents. A default label on a SharePoint library only affects new files created after activation — existing files keep their current label or remain unlabeled.

Note: A single label can be published in multiple publishing policies with different default settings. A label that is the default for the Finance group can be available as a non-default label for other users.

How do I implement Sensitivity Labels correctly?

A successful implementation follows a clear sequence of phases. Trying to do too much at once leads to inconsistently labeled documents, frustrated end users, and permission conflicts.

Phase 1: Label Definition with a Small Group

The first step is defining the labels themselves—and here, the rule is: involve as few people as possible. We recommend one representative each from IT, data protection, and the CISO department, as well as one or two representatives from the business units. With 15 stakeholders, you won’t arrive at a workable label structure.

Phase 2: Classification without encryption

Start exclusively with the classification level. No encryption, no permissions—just visible labels with optional headers, footers, and watermarks. This drastically reduces technical complexity while still delivering a significant portion of the benefits: End users immediately see how confidential a document is and adjust their sharing behavior accordingly.

Phase 3: Define the removal and escalation process

Before labels go live, clarify the following: Who is authorized to remove or downgrade labels? What is the process if an encrypted document needs to be made accessible because the owner has left the company? Without this process, operational bottlenecks will arise later on.

Phase 4: Pilot rollout with a test group

First, roll out labels to a small test group—10 to 30 people in various roles. Publishing policies allow for very granular control over which users labels are rolled out to. Gather feedback on label names, default behavior, and usability before rolling out more broadly.

Phase 5: Global Rollout and Phased Expansion

After a successful pilot: global rollout of the classification labels. Only then should you expand to include encryption, data loss prevention policies, eDiscovery integration, and—if at all—Auto-Labeling.

What are the key best practices for Sensitivity Labels?

Few labels, clear hierarchy

More than five or six labels overwhelm end users. When faced with 20 labels, a user is likely to choose the wrong one—or none at all. A typical, effective structure includes: Public, Internal, Confidential, Highly Confidential, and a special label such as “No AI” or “Restricted.”

No settings on label containers

Label containers visually group labels in the user interface. Do not apply settings to these containers—because the container looks like a label to users, and it is unclear whether it should be applied or serves only as a grouping element. All settings belong on the individual labels within the container.

Start with classification, not encryption

Encryption is the more technically and organizationally demanding step. It requires clear authorization models, key management, license verification, and escalation processes. Classification alone can be implemented in a matter of days and already produces measurable results.

Save Auto-Labeling for the end of the project phase

Auto-Labeling sounds appealing, but it carries significant risks. False positives can lead to documents being misclassified and, in the worst case, incorrectly encrypted—resulting in a significant amount of manual cleanup work. Do not implement auto-labeling until manual labels have been established and your team has experience with classifiers.

Carefully consider downgrade rules and label priority

Every label has a priority. Priority determines not only the order in the interface but also when a downgrade is considered as such and requires justification. Clarify in advance: Are users allowed to downgrade from Confidential to Internal? What process runs in the background?

Use Regulatory Records with caution

Microsoft offers “Regulatory Records” in Records Management. These are implemented using retention labels or compliance tags and can be used alongside sensitivity labels. This option is hidden by default and must first be enabled via PowerShell.

Once such a retention label is applied to a document or email, no one can remove it—not even a global administrator. Therefore, use regulatory records only if you specifically require this irreversibility, such as for content critical for audits, compliance, or regulatory purposes. The term “regulatory” refers to a technical Microsoft feature.

How do I set default Sensitivity Labels on SharePoint libraries automatically?

Microsoft provides no built-in mechanism to set a default Sensitivity Label on associated document libraries based on rules per Team type or SharePoint site type. Administrators must configure the setting manually per library after each Team or site creation — or accept that newly created containers start without a default label.

This is exactly the gap that Valprovia Governance closes. When provisioning a new Team or SharePoint site, the defined default Sensitivity Label is automatically applied to the associated document library. The rule applies per Team type or site type: a "Project Team Internal" receives a different default label than a "Project Team with External Participation" — without any manual follow-up, consistent across the entire tenant.

In addition, the container label (for Teams settings such as guest access or privacy) is applied directly at creation. The administrator defines the rules per Team type once, and every new provisioning starts with correct classification at both levels — container and data.

What limitations and licenses should you know?

License requirements

Manual labeling including encryption is included in nearly all Microsoft 365 licenses (from Business Premium onwards). The following features require Microsoft 365 E5 or the Compliance add-on:

• Auto-Labeling (server-side and client-side)
• Content Explorer and Activity Explorer
• Audit reporting for label activities
• Data Loss Prevention with label conditions

Double Key Encryption: maximum protection with feature trade-offs

Double Key Encryption (DKE) encrypts documents with two keys — one from Microsoft and one held exclusively by the customer. Microsoft cannot decrypt DKE-protected documents, not even on request from authorities. The trade-off: all cloud services that would need to decrypt the content stop working — no SharePoint search, no co-authoring, no AI-powered summaries. DKE also requires Microsoft 365 E5 and on-premises hardware for key management.

Performance and compatibility

Labeled and encrypted documents load measurably slower in the Office client. OneDrive sync conflicts caused by AutoSave are less frequent than in earlier versions, but still occur. Microsoft Loop does not sync tasks when the parent meeting or document carries an internal encryption label.

Mobile clients

Mobile apps (iOS, Android) support Sensitivity Labels but require up-to-date Office app versions. With older versions, a label may prevent the document from opening on the mobile device. Include the minimum Office version in your rollout planning.

Frequently asked questions about Sensitivity Labels

What is the difference between classification and encryption in Sensitivity Labels?

Classification visibly marks documents with a confidentiality level—for example, via headers, footers, or watermarks—but does not affect access. Encryption provides technical protection for the document and defines separate permissions. Label-based encryption adds an extra layer of protection to SharePoint permissions: SharePoint may grant access, but the document remains unreadable if the required label permission is missing.

Do I need a Microsoft 365 E5 license for Sensitivity Labels?

No. Manual labeling including encryption is available from Microsoft 365 Business Premium onwards. Microsoft 365 E5 or the Compliance add-on is only required for Auto-Labeling, Content Explorer, Activity Reporting, and DLP integration with label conditions.

What happens if I remove a container label from a Team?

The settings applied by the label (guest access, privacy status, unmanaged device rules) remain in place. Microsoft does not roll them back automatically. To return to the original state, you must reset the settings manually or via script. When switching to a different label, the settings of the new label are synchronized.

Should I use Auto-Labeling immediately?

No. Auto-Labeling is the last feature you should introduce. False positives can lead to documents being misclassified or even incorrectly encrypted — with significant manual remediation effort. First bring manual labels and encryption into production, build experience with classifiers, and enable Auto-Labeling only after you have established false-positive management and bulk update processes.

How many Sensitivity Labels should a company define at most?

In practice, five to six labels have proven effective. More labels overwhelm end users, who then choose the wrong label or none at all. A typical structure: Public, Internal, Confidential, Highly Confidential, and optionally a special label like "No AI" or "Restricted". The exact number depends on company size and data types — but fewer is almost always better.

Can a regulatory Sensitivity Label be removed?

No — and that is precisely the point. A regulatory label cannot be removed after being applied, not even by a global administrator. It can only be deleted by removing the label definition entirely from the tenant. Use regulatory labels exclusively for audit-critical content where you deliberately want irreversibility.