What Is Sensitivity label? Security Definition
On This Page
Quick Definition
A sensitivity label is like a sticker you put on a document or email that says how sensitive it is. It tells the system to apply specific security rules, such as encryption or watermarks, based on that label. This helps organizations protect sensitive information from being shared with the wrong people. You can think of it as a way to automatically enforce company data policies.
Commonly Confused With
Retention labels determine how long content is kept and when it should be deleted or disposed of, while sensitivity labels classify and protect content through encryption and access restrictions. They serve different purposes: protect vs. govern.
Apply a retention label to a contract to keep it for 7 years. Apply a sensitivity label to the same contract to encrypt it so only legal can read it.
DLP policies monitor and block sharing of sensitive information in real-time (e.g., block an email with credit card numbers). Sensitivity labels are metadata that travel with the content and enforce protection even after sharing. DLP is a detective/blocking control; sensitivity labels are a protective classification.
DLP blocks an email with a credit card number. A sensitivity label encrypts a document containing a credit card number before it is sent.
AIP unified labeling client is a software that installs on Windows to apply sensitivity labels to files locally. Sensitivity labels themselves are the administration-defined labels that work across the cloud and on-premises via different clients. The client is just a tool; the label is the policy.
You configure a sensitivity label in the cloud. The AIP client on a user's computer allows them to apply that label to files in File Explorer.
Conditional Access policies control access to apps and services based on user, device, location, and risk. They can use sensitivity labels as a condition (e.g., block access to apps if a sensitive label is detected), but they do not apply the label themselves.
Conditional Access can block a user from accessing OneDrive if their device is unencrypted, but the sensitivity label protects the file itself regardless of device.
Must Know for Exams
For the MS-102 exam (Microsoft 365 Administrator), sensitivity labels are a core part of managing information protection. You are expected to know how to create and publish label policies, configure encryption, define default labels, and enable auto-labeling. Exam questions often ask you to determine the correct label policy settings for a given scenario, such as "You need to ensure that all documents containing credit card data are automatically encrypted. Which solution should you use?" The answer involves setting up a sensitivity label with auto-labeling for sensitive information types. You also need to understand the difference between labels applied to containers (Teams, SharePoint) versus labels applied to individual files. MS-102 questions may ask you to troubleshoot why a label is not appearing for a user, which involves checking the label policy scope, the user's license, and the Azure Rights Management status.
For the MS-900 exam (Microsoft 365 Fundamentals), sensitivity labels appear in the core data protection concepts. You are expected to understand what a sensitivity label is at a high level, how it differs from retention labels, and basic scenarios where they are used. Questions may ask you to choose the correct tool for a protection need. For example, "Which feature in Microsoft 365 allows you to classify data as confidential and apply encryption?" The answer is sensitivity labels. You also need to understand the relationship between sensitivity labels and Microsoft Information Protection (MIP). While MS-900 does not require deep configuration knowledge, you must grasp the business value and the primary use cases.
For the SC-900 exam (Microsoft Security, Compliance, and Identity Fundamentals), sensitivity labels are heavily tested in the information protection and governance section. The exam objectives explicitly include describing the capabilities of Microsoft Information Protection and sensitivity labels. Expect scenario-based questions where you need to classify a data situation and recommend a label. You might also be asked about the difference between sensitivity labels and retention labels, which is a classic tricky question. SC-900 questions often present a table with symptoms and ask you to identify which label type is needed. Also, be prepared for questions about manual vs. automatic labeling and the conditions that trigger auto-labeling. Understanding that sensitivity labels travel with data (persistent protection) is a key exam point.
Across all three exams, a common thread is that sensitivity labels are used to protect data, while retention labels are used to govern data. Mixing these up can cost you points. Another high-yield topic is the label hierarchy: if two labels are applied to the same document, which one wins? The answer is the one with the highest priority (lowest numeric value in the order). You should also know that labels can be configured to allow users to change the label or require justification for downgrading. Exam questions frequently ask about the correct procedure for changing an existing label policy.
Simple Meaning
Imagine you work in an office where every document has to be handled according to how private it is. Some documents are public, like a company newsletter. Others are internal, like a meeting agenda. Then there are documents that are highly confidential, like salary records or client contracts. Now, instead of relying on everyone to remember which documents are which, you put a colored sticker on each one. A green sticker means public, a yellow sticker means internal, and a red sticker means top secret. The security guards at the door check those stickers. If you try to take a red-stickered document out of the building, the guard stops you. If you try to email a red-stickered document to someone outside the company, the IT system automatically blocks it or asks for a manager's approval.
In the digital world, a sensitivity label does exactly this. It is a piece of metadata, or data about data, that is attached to files, emails, and other content. When you create or edit a document in Microsoft 365, for example, you can apply a label like "Confidential" or "General." The system then enforces rules. Maybe it encrypts the file so only certain people can open it. Maybe it adds a watermark that says "Confidential" on every page. Maybe it prevents the file from being printed or forwarded. The label travels with the content, even if it is saved to a different device or shared through a third-party app. This is often called persistent protection because the security follows the data wherever it goes.
The key point is that the label does not just describe the content; it also triggers actions. It is a combination of a classification and a policy. The classification tells the system how sensitive the content is, and the policy tells the system what to do about it. For example, a label called "Highly Confidential" might automatically apply encryption and restrict access to the finance team only. A label called "Public" might remove any restrictions. This is why sensitivity labels are a core part of modern data protection strategies, especially in Microsoft 365, Azure Information Protection, and other enterprise security platforms. They help organizations prevent data leaks, meet compliance requirements, and ensure that people only see the information they are supposed to see.
Full Technical Definition
Sensitivity labels are a data classification and protection feature primarily associated with Microsoft Information Protection (MIP) and Azure Information Protection (AIP). Technically, a sensitivity label is a piece of metadata that is embedded within a file's header or attached via a rights management service. The label itself is defined within a Microsoft 365 compliance center or Azure portal, where an administrator creates a label policy that specifies the label name, its priority order, and the protection actions it enforces.
The underlying mechanism relies on Azure Rights Management (Azure RMS), which is a cloud-based protection service that uses encryption, identity, and authorization policies. When a label is applied to a document, the RMS service encrypts the file using an AES-256 bit key. The encryption key is not stored with the file; instead, the file contains a pointer to a policy template that resides in the Azure RMS tenant. When a user tries to open the file, the RMS client checks the user's identity against the policy. If the user is authorized, the client retrieves the decryption key from Azure RMS. If not, the file remains encrypted and unreadable.
Sensitivity labels can be applied automatically through auto-labeling policies, manually by users, or recommended based on patterns detected by the Microsoft 365 compliance center (e.g., detection of credit card numbers, passport numbers, or specific keywords). The labels support multiple conditions, including label priority (which label overrides another), default labeling for new documents, and mandatory labeling (forcing users to apply a label before saving or sending content).
The scope of a sensitivity label can vary. It can apply to files (Word, Excel, PowerPoint, PDF), emails (Outlook), containers (Microsoft Teams, SharePoint sites, Microsoft 365 groups), and even structured data sources like SQL databases (via Azure Purview or SQL Information Protection). When applied to a container, the label controls external sharing, membership approvals, and access tokens.
Key technical components include:
- Label policy: defines which users and groups see the label, what default label is applied, and whether users can change the label. - Encryption settings: specify who can access the content (e.g., all users in the organization, specific users, none), expiration date for access, and offline access permissions. - Content marking: adds headers, footers, or watermarks to the document or email. - Conditional access integration: labels can be used as a condition in Conditional Access policies, e.g., block access to devices that are non-compliant when a document is labeled "Confidential."
For exam purposes related to MS-102, MS-900, and SC-900, you should understand the difference between sensitivity labels and retention labels. Sensitivity labels focus on protection and classification, while retention labels focus on governance (how long to keep data and when to delete it). Also, note that sensitivity labels can be published to all users or specific groups, and they can be configured to support scoped labeling, meaning different labels appear based on the user's role or location.
Implementation best practices include creating a minimum of three labels: Public, Internal, and Confidential. Many organizations add additional labels like Highly Confidential or Regulatory. Each label should have clear and distinct protection actions to avoid confusion. It is also critical to test label policies in a pilot group before broad deployment, because once encrypted, a file can become permanently inaccessible if the policy is misconfigured or if the Azure RMS service is decommissioned.
In the Microsoft 365 ecosystem, sensitivity labels are managed in the Microsoft Purview compliance portal under Information Protection. The portal provides a unified view of label activity, including usage reports and data classification insights. The labels support up to 5000 different label policies per tenant, and each policy can include up to 1000 labels (practical limits are lower).
Real-Life Example
Think about a large hospital. Every patient file contains sensitive medical history, personal identification numbers, and treatment records. If a nurse prints out a patient's file and leaves it on a table, anyone walking by could see that private information. To prevent this, the hospital uses a color-coded system. Each file folder has a colored stripe. Red means restricted to the attending doctor only. Yellow means available to nurses on the floor. Green means accessible to administrative staff. When a doctor picks up a red file, they know it cannot be shared with anyone without the patient's explicit consent.
Now, let's translate that to the digital world inside a hospital's electronic health records system. The administrator defines a sensitivity label called "Patient Confidential" with rules: only the patient's primary care team can open the file, anyone else gets a denial message, and the file cannot be forwarded or printed. When the doctor creates a new record, the system automatically applies that label based on the content type. If the doctor tries to email the record to a specialist outside the hospital, the system blocks the email or sends it encrypted with a one-time passcode. This is exactly how sensitivity labels work in Microsoft 365. The label is the colored stripe, and the enforcement rules are the hospital's security policies.
Another everyday analogy is a sealed envelope system. You write a letter and then seal it in a colored envelope. A white envelope is for general mail. A red envelope means legal confidential. A blue envelope means time-sensitive. The postal service is instructed to open only white envelopes for inspection. Red and blue envelopes are to be delivered unopened and require a signature. Sensitivity labels do the same thing digitally. White envelope equals a label with no encryption; the file is open to anyone. Red envelope equals a label that encrypts the file and requires the recipient to authenticate. The label determines what security measures are applied automatically, without the user having to think about it.
Why This Term Matters
In today's IT environment, data breaches are one of the most expensive and reputation-damaging events an organization can experience. Sensitivity labels are a frontline defense because they enforce data protection at the point of creation and throughout the data lifecycle. Without labels, security relies on users remembering to encrypt files, apply permissions, and follow manual procedures. Human error is the leading cause of data leaks. A user might accidentally send a spreadsheet with customer social security numbers to the wrong distribution list. With sensitivity labels, that spreadsheet would have been automatically encrypted and restricted, so even if sent to the wrong person, the recipient would not be able to open it.
From an IT professional's perspective, sensitivity labels provide a scalable way to govern data. You do not need to manually choose who can access each file. You define labels once, and they apply everywhere: in SharePoint, Teams, OneDrive, Exchange Online, and even on local files synced through the AIP client. This unification simplifies compliance audits. When an auditor asks what data you have and how it is protected, you can run a report showing all files labeled as "Confidential" and prove they are encrypted.
sensitivity labels support regulatory compliance with laws like GDPR, HIPAA, and CCPA. For instance, a GDPR requirement is that personal data must be protected by appropriate technical measures. A sensitivity label that encrypts all files containing European Union citizen data satisfies that requirement. It also helps with data retention requests because you can easily identify which labeled files need to be purged.
From a business perspective, sensitivity labels enable collaboration without compromising security. You can share a confidential document with a partner organization by applying a label that grants temporary access and prevents forwarding. This eliminates the need for separate secure file transfer solutions. IT professionals must understand how to design, deploy, and monitor label policies because misconfigurations can either over-restrict users (halting productivity) or under-protect data (leaving it vulnerable). The MS-102 and SC-900 exams specifically test your ability to configure and manage sensitivity labels, assess data classification activities, and troubleshoot label-related issues.
How It Appears in Exam Questions
In exam questions, sensitivity labels appear in several distinct patterns. The first and most common is the scenario-based question. You are given a business requirement, such as "A company wants to ensure that all financial documents are encrypted when sent via email. All other documents should remain unprotected. What should you do?" The correct answer is to create a sensitivity label called 'Financial Confidential' that applies encryption and auto-classification based on a sensitive information type that detects financial data. Then publish the label to the finance team or to everyone. These questions test your ability to map a real-world requirement to the correct configuration steps.
Another pattern is the comparison question, where the exam throws two similar terms at you. For example, "What is the difference between a sensitivity label and a retention label?" The options might list features like encryption, deletion, classification, or watermarking. You need to know that sensitivity labels provide encryption and protection, while retention labels set how long data is kept and whether it can be deleted. A typical trap is that both labels can be applied to the same item, but they serve different purposes.
Then there are troubleshooting questions. An example: "Users in the sales department report that they do not see the 'Confidential' sensitivity label in their Word applications, but the IT department confirmed it was published to all users. What is the most likely cause?" Possible answers include: the user does not have an Azure Information Protection license, the label policy has not propagated (wait up to 24 hours), the label is scoped to specific groups only, or the user has an older Office version. The correct answer often points to licensing or policy scope.
Another pattern is the multiple-step configuration question. The exam may present a series of steps and ask you to put them in the correct order for creating a sensitivity label with auto-labeling. Steps typically include: create the label in the Microsoft Purview compliance portal, define the label settings (encryption, content marking), define auto-labeling conditions (e.g., sensitive info types), create a label policy, assign the policy to groups, and finally, enable auto-labeling for SharePoint or OneDrive. Order matters because you cannot create a policy without a label.
Finally, there are 'choose the best feature' questions. For instance, "Which Microsoft 365 feature meets the requirement of classifying files based on content and forcing encryption?" The answer is a sensitivity label, not a Data Loss Prevention (DLP) policy, even though DLP also protects data. DLP prevents sharing of sensitive data but does not usually encrypt files. Sensitivity labels do both classification and encryption.
Practise Sensitivity label Questions
Test your understanding with exam-style practice questions.
Example Scenario
Imagine you work as an IT support specialist for a medium-sized law firm. The firm handles highly confidential client legal documents. The compliance officer has instructed that all documents containing a client's case number (which follows a pattern like CASE-XXXX-2024) must be automatically classified as 'Legal Confidential' and encrypted so that only the assigned legal team can open them. Any email containing such a document must be encrypted and display a footer stating 'Privileged and Confidential'.
Your task is to implement this using Microsoft 365. You go to the Microsoft Purview compliance portal and create a new sensitivity label called 'Legal Confidential'. You set the encryption settings to restrict access to a group called 'Legal Team - Full Access'. You add a custom header to all documents that says 'PRIVILEGED AND CONFIDENTIAL' and a footer that reads 'DO NOT FORWARD WITHOUT AUTHORIZATION'. Then, in the auto-labeling section, you create a condition that looks for the custom sensitive information type for CASE-XXXX-2024. You publish the label policy to 'All Legal Staff' with a default label of 'Legal Confidential' for new documents. You also enable auto-labeling for SharePoint Online so that existing documents with the case number are automatically labeled.
Now, a paralegal creates a Word document with a case number in the body. As soon as they save it to SharePoint, the auto-labeling scanner detects the pattern and applies the 'Legal Confidential' label. The document gets encrypted. Only the legal team can open it. Anyone else sees an error. If the paralegal tries to email the document to someone outside the legal team, the label's email policy kicks in and encrypts the email with an expiration period. The recipient receives a notification that they must authenticate using a one-time passcode to view the attachment. This demonstrates how sensitivity labels automatically enforce security based on content, without requiring end users to make complex security decisions.
Common Mistakes
Confusing sensitivity labels with retention labels
Sensitivity labels protect data (encryption, access restrictions) while retention labels only manage how long data is kept and when it is deleted. Using a retention label to apply encryption will not work.
Remember: sensitivity labels = protection and classification; retention labels = governance and lifecycle.
Thinking sensitivity labels only apply to files, not to emails
Sensitivity labels can be applied to emails in Outlook directly or through auto-labeling policies. They can encrypt the email, add a footer, and restrict recipients.
In exams, always consider that labels apply to both documents and emails. Check the 'Apply to email' settings in the label configuration.
Assuming all users can see all published labels
Label policies are scoped to specific users or groups. If a label is published to the finance team, the sales team will not see it. Also, labels have priority order; if two labels conflict, the higher priority one applies.
Check the label policy settings to ensure the correct user group is assigned. Use a test user to verify label visibility.
Forgetting that encryption is optional and label priority matters
A label does not have to include encryption. You can create a label that only adds a watermark and header without encryption. When multiple labels are applied, the highest priority label's settings take precedence, not a combination.
Define labels with clear protection actions. Use label priority order to control conflicts. Test with a document carrying multiple labels.
Thinking labels are only manual
Sensitivity labels support manual, automatic (based on sensitive info types or trainable classifiers), and recommended (suggest label but let user override) application. Many learners forget about the automatic and recommended modes.
Study the three application modes: manual (user selects), automatic (system applies without user input), and recommended (system suggests, user confirms or overrides).
Exam Trap — Don't Get Fooled
{"trap":"The exam asks: 'You need to prevent users from deleting files that contain financial data for 7 years. Which solution should you use?' The options include both sensitivity labels and retention labels."
,"why_learners_choose_it":"Learners see 'sensitivity label' and assume it handles all data management. They might think encryption implies data cannot be deleted, but encryption does not prevent deletion.","how_to_avoid_it":"Remember that retention labels, not sensitivity labels, control data lifecycle: retention periods and deletion actions.
Sensitivity labels control access and protection. If the requirement is about keeping files for 7 years, the answer is a retention label."
Step-by-Step Breakdown
Define label hierarchy and requirements
Before creating any label, plan the classification scheme. Decide how many labels you need, their names (e.g., Public, Internal, Confidential), their priority order, and what protection actions each should enforce. This step ensures consistency and helps avoid conflicts.
Create the sensitivity label in Microsoft Purview
Navigate to Information Protection > Sensitivity labels in the compliance portal. Click 'Create a label'. Enter a name, description, and badge color. Assign a priority number (lower number = higher priority). This step defines the label's basic identity.
Configure protection settings for the label
In the label creation wizard, define what the label does when applied. Options include: encrypt the content, add watermarks/headers/footers, control access (specific users or groups), set expiration dates, and configure client-side settings like mandatory labeling or justification for downgrade. This is the core of the label's functionality.
Configure auto-labeling (optional but common)
To apply the label automatically, define conditions such as sensitive information types (e.g., EU debit card number), trainable classifiers, or specific words/phrases. Then set the action to 'Apply the label automatically' or 'Recommend the label'. Auto-labeling can target documents in SharePoint, OneDrive, Exchange Online, and data at rest.
Create and publish a label policy
After the label exists, go to the Label policies tab and create a new policy. Select which label(s) to include, then choose target users/groups (scope). Set labeling defaults, such as a default label for new documents, and decide whether users can change the label or must justify downgrades. Publish the policy to make the label visible and functional.
Test and monitor label deployment
Use a test user or pilot group to verify that the label appears correctly in Word, Outlook, and other apps. Check that encryption works and that non-authorized users cannot open protected files. In parallel, monitor label usage via the Azure Information Protection usage report in Purview to identify any anomalies or adoption issues.
Maintain and update labels as needed
Over time, business requirements change. You can modify existing labels (e.g., add a new watermark) and republish the policy. Be aware that changes to encryption settings do not automatically update already encrypted files; those files retain the original encryption unless they are re-labeled by the user or via a process.
Practical Mini-Lesson
Sensitivity labels are more than just a checkbox in a compliance portal; they are a critical part of an organization's data security posture. As an IT professional, especially one preparing for MS-102 or SC-900, you need to understand not only how to configure them but also how they interact with other Microsoft 365 services.
Let's walk through a realistic deployment scenario. You work as a Microsoft 365 administrator for a healthcare company. The compliance officer wants to ensure that any document containing a patient's medical record number (MRN, format: MRN-XXXXXXXX) is automatically classified as 'Restricted' and encrypted so that only the clinical staff can open it. Any email containing such a document should be encrypted and have a disclaimer.
First, you create a custom sensitive information type in Purview that detects the MRN-XXXXXXXX pattern. Next, you create a sensitivity label called 'Restricted'. In the label settings, you enable encryption. You choose 'Assign permissions now' and select an Azure AD group called 'Clinical Staff - Encryption' as the allowed readers. You also add a header that says 'RESTRICTED - PATIENT DATA' and a footer with the same text. In the 'Auto-labeling' section, you choose the custom sensitive info type you created and set the action to 'Apply label automatically'. You then create a label policy that publishes this label to 'All Users' with a default label of 'Internal' (a lower classification) so that new unclassified documents start with some protection. You also enable auto-labeling for SharePoint and OneDrive by going to the 'Auto-labeling' tab and creating a rule that targets those locations.
A few days later, a user in HR (who is not in the Clinical Staff group) uploads a spreadsheet with patient MRNs to a SharePoint site. The auto-labeling scanner runs and detects the MRN pattern. It automatically applies the 'Restricted' label. The spreadsheet is encrypted. The HR user tries to open it and gets an 'Access Denied' message because they are not in the Clinical Staff group. They call the help desk, and you must explain that the file is protected and they need to contact the clinical team for access. This is a real-world scenario where a label prevents accidental exposure.
Common pitfalls in practice include: forgetting that auto-labeling for SharePoint and OneDrive can take up to 24 hours for full scanning; not realizing that label policies can take time to propagate to all users (up to 24 hours); and not testing with a non-privileged user before broad deployment. Also, be aware that if a user has the Azure Information Protection unified labeling client installed, labels can also be applied to files on-premises or on a local machine, which syncs classification but not full encryption if the file is out of policy scope.
From an exam perspective, understand that sensitivity labels are managed via PowerShell (the `Set-LabelPolicy` and `New-Label` cmdlets in the Security & Compliance Center PowerShell module). While you won't be asked to write extensive scripts, you might see a question that asks about the correct PowerShell command to publish a label. The answer is `New-LabelPolicy`.
Finally, always remember that sensitivity labels are a fundamental part of a Zero Trust data strategy. They classify data at the point of creation and enforce policies regardless of where the data travels. In exams and in real life, treating data as a security boundary rather than just the network is the key takeaway.
Memory Tip
Think of sensitivity labels as 'sticky security stickers' that travel with your data: they seal (encrypt) and warn (watermark) wherever the data goes.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
MS-102MS-102 →MS-900MS-900 →SC-900SC-900 →220-1102CompTIA A+ Core 2 →CS0-003CompTIA CySA+ →MD-102MD-102 →CDLGoogle CDL →ISC2 CCISC2 CC →Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
An A record is a type of DNS resource record that maps a domain name to an IPv4 address.
An AAAA record is a DNS record that maps a domain name to an IPv6 address, allowing devices to find each other over the internet using the newer IP addressing system.
Frequently Asked Questions
Can sensitivity labels be applied to files stored outside Microsoft 365?
Yes, if you use the Azure Information Protection unified labeling client, you can apply labels to files on-premises or in other cloud storage. However, the full encryption and policy enforcement depend on the client maintaining connectivity to the Azure RMS service.
What happens if a label's encryption key expires?
Once a label's encryption key expires (if an expiration date is set), users who have a copy of the file will not be able to decrypt it. To regain access, the organization would need to use the super user feature or reissue a new key, which is a complex process. Therefore, expiration should be used cautiously.
Can I apply multiple sensitivity labels to the same file?
Technically, a file can have multiple labels applied simultaneously, but only the highest priority label's protection settings are enforced. The system merges the labels based on priority order. It is best practice to avoid multiple labels on a single item.
How do sensitivity labels interact with Microsoft Teams and SharePoint?
When applied to a container (Teams site, SharePoint site, or Microsoft 365 group), the sensitivity label controls external sharing, guest access, and membership approval. It does not automatically label every file inside the container; file-level labeling is separate.
Do I need a specific license to use sensitivity labels?
Yes, sensitivity label capabilities depend on the license. Basic labeling (manual) is available with Office 365 E3 or Microsoft 365 Business Premium. Advanced features like auto-labeling and encryption require Office 365 E5 or Microsoft 365 E5 compliance add-on. Check the Microsoft 365 licensing documentation for details.
What is the difference between a sensitivity label and a retention label in terms of deletion?
A sensitivity label does not prevent deletion by itself. Only retention labels can enforce a retention period that prevents deletion. If you want both protection and retention, you can apply both types of labels to the same item.
How long does it take for a new label policy to be available to users?
It can take up to 24 hours for the policy to propagate to all users. For immediate testing, you can force a sync using the Azure Information Protection client or wait for the next background sync cycle.
Summary
A sensitivity label is a fundamental tool in Microsoft Information Protection that allows organizations to classify and protect data based on its sensitivity level. It works by embedding metadata into files and emails, which then triggers security actions such as encryption, access restrictions, and visible markings like watermarks. Unlike many other security controls, sensitivity labels provide persistent protection, meaning the security policies travel with the data even when it is shared, copied, or moved to a different device or cloud app.
Understanding sensitivity labels is crucial for IT professionals managing Microsoft 365 environments because they bridge the gap between security and productivity. They allow users to collaborate freely while the system enforces data protection policies automatically. For the MS-102, MS-900, and SC-900 exams, you must be able to distinguish sensitivity labels from other data governance tools like retention labels and DLP policies. You should also know how to create and publish label policies, configure auto-labeling, and troubleshoot common issues like label visibility or encryption failures.
The key exam takeaway is this: if a question asks about protecting data through encryption, access control, or classification, think sensitivity labels. If the question asks about keeping data for a specific time or deleting it, think retention labels. With scenarios, always consider the scope of the label (file vs. container), the application mode (manual, automatic, recommended), and the priority order. By mastering these concepts, you will not only pass your exams but also be equipped to implement real-world data protection strategies that prevent costly data breaches and ensure regulatory compliance.