Sensitivity Labels: Admin Configuration

Sensitivity labels are the cornerstone of Microsoft Information Protection (MIP). They are metadata tags that classify and optionally protect data based on business sensitivity. Unlike Azure Information Protection (AIP) labels which are deprecated for unified labeling, sensitivity labels are built into the Microsoft 365 compliance center and work across Office apps, SharePoint, OneDrive, Microsoft Teams, and Microsoft Defender for Cloud Apps. They exist to help organizations enforce data loss prevention (DLP), encryption, and access control policies consistently across their digital estate.

When a label is applied to a document or email, it embeds a metadata header (e.g., MSIP_Label_GUID) that persists even when the file moves outside the organization. This metadata is used by all MIP-aware applications to enforce the label's defined actions. The label can also trigger encryption via Azure Rights Management (Azure RMS), which uses a symmetric key to protect the content. The encryption is persistent: only authorized users (as defined in the label's encryption settings) can decrypt and read the content, regardless of where the file is stored.

- Label Settings: Each label can include: - Name and description: User-facing text (up to 256 characters). - Display color: Optional, for visual marking (12 predefined colors). - Protection settings: Encryption (via Azure RMS), content marking (header/footer/watermark), and auto-labeling (file-based or app-based). - Marking: Add a custom header, footer, or watermark with dynamic fields like {$If.Applied}. - Encryption: Configurable with user-defined permissions (e.g., specific users/groups) or admin-defined permissions (e.g., "View-Only"). Default is no encryption. - Auto-labeling: Rules that automatically apply a label based on sensitive info types (e.g., credit card numbers) or trainable classifiers. Default: not enabled. - Sub-labels: Labels can be nested under parent labels for organizational hierarchy. Up to 500 labels total per tenant.

To configure labels via PowerShell, use the Set-Label cmdlet from the Exchange Online Protection module. Example:

Set-Label -Identity "Confidential" -ApplyContentMarkingHeaderText "CONFIDENTIAL" -ApplyContentMarkingHeaderFontColor "Red"

To publish labels to users, create a label policy:

New-LabelPolicy -Name "All Users Policy" -Labels "Confidential", "Highly Confidential" -Settings @{ "EnableEncryption" = $true }

In the Microsoft Purview compliance portal, navigate to Solutions > Information Protection > Labels to create and manage labels. The policy wizard steps through selecting labels, assigning users/groups, and configuring policy settings like default label for documents and mandatory labeling.

Auto-labeling policies can be configured at the tenant level to automatically apply labels to files at rest (SharePoint, OneDrive) or emails in transit (Exchange). These policies use conditions such as sensitive info types (e.g., SSN, credit card) or trainable classifiers (e.g., "Offensive Language"). Auto-labeling runs on a schedule (default: every 15 minutes) and can simulate labeling first to avoid unintended consequences. Important: Auto-labeling does not apply encryption by default—you must configure the label to encrypt.

Use the Activity explorer in Purview to monitor label usage. For troubleshooting, check the Microsoft 365 audit log for events like LabelApplied, LabelRemoved, or FileAccessed. The Get-AuditLog cmdlet can retrieve these logs. Also, the Information Protection scanner (on-premises) can discover and label files on file shares, but this is deprecated in favor of Microsoft Purview Data Map.

# Create a label
New-Label -Name "Confidential" -DisplayName "Confidential" -Tooltip "This data is confidential." -ContentType "File, Email"

# Set encryption
Set-Label -Identity "Confidential" -EncryptionEnabled $true -EncryptDoNotForward $true

# Publish label to all users
New-LabelPolicy -Name "All Users" -Labels "Confidential" -ExchangeLocation "All" -ModernGroupLocation "All" -OneDriveLocation "All" -SharePointLocation "All"

Sensitivity labels can classify and protect content in Teams sites and SharePoint sites. When applied to a team or site, the label determines the site's privacy (public/private) and external sharing settings. For example, a "Highly Confidential" label might block external sharing entirely. This is configured in the label's site settings (under "Sites and groups" in the label creation wizard).

MS-102 Objective 3.3 expects you to:

Common wrong answers include confusing sensitivity labels with retention labels (retention labels are for data lifecycle, not protection) or assuming encryption is mandatory (it is optional). Another trap: thinking auto-labeling applies to all content automatically (it requires conditions). The exam also tests that sub-labels cannot have their own sub-labels.

Scenario 1: Financial Services Firm A financial firm uses sensitivity labels to enforce encryption on all documents containing client financial data. They create a label "Client Confidential" with encryption and auto-labeling that triggers on credit card numbers and SSNs. The label policy is published to all employees, with a default label of "Internal" and mandatory labeling. The auto-labeling policy runs daily on SharePoint and OneDrive. Misconfiguration: an admin set the auto-labeling to apply to "All" content without conditions, causing false positives and user complaints.

Scenario 2: Healthcare Organization A hospital uses labels to comply with HIPAA. They create a label "PHI" with encryption and visual markings (watermark: "Protected Health Information"). The label is published to clinical staff only. They also configure a DLP policy that blocks external sharing of PHI-labeled documents. Common issue: users forget to apply the label manually, so the hospital enables mandatory labeling for all clinical staff.

Scenario 3: Government Agency A government agency uses multiple classification levels: "Official," "Secret," and "Top Secret." Each label has different encryption permissions (e.g., "Top Secret" only accessible by a specific security group). They use sub-labels under each parent label for different departments. The auto-labeling policy uses trainable classifiers to detect classified content. Performance: with 10,000+ users, the label policy takes up to 24 hours to propagate fully.

Q: Can sensitivity labels encrypt emails? A: Yes, when applied to emails, the label can enforce encryption via Azure RMS, including 'Do Not Forward' or 'Encrypt-Only' options.

Q: What happens if a label is deleted? A: The label is removed from the admin interface, but any content that had the label retains the label metadata. The protection (encryption) remains intact, but you cannot manage the label anymore.

Q: How do I force users to label all documents? A: Enable mandatory labeling in the label policy. Users cannot save unlabeled documents or send unlabeled emails.

Q: Can I use sensitivity labels with on-premises data? A: Yes, via the Microsoft Information Protection scanner (deprecated) or by using Azure Information Protection unified labeling client (also deprecated). For modern approach, use Microsoft Purview Data Map.

Q: What is the difference between a label and a label policy? A: A label defines the classification and protection settings. A label policy publishes the label to specific users and configures policy-level settings (default label, mandatory labeling).

Q: Do sensitivity labels work in Microsoft Teams? A: Yes, labels can be applied to Teams sites and groups, controlling privacy and sharing settings. Labels can also be applied to individual messages and files within Teams.

Q: How often does auto-labeling scan? A: By default, auto-labeling policies scan new and modified content every 15 minutes. You can also trigger a manual scan.

Q: Can I create a label that automatically applies encryption? A: Yes, when creating a label, enable encryption and configure permissions. The encryption is applied when the label is applied manually or automatically.

Q: What is the maximum number of sub-labels? A: A parent label can have multiple sub-labels, but sub-labels cannot have their own sub-labels (max depth of 1).

Q: How do I test an auto-labeling policy before applying? A: Set the policy to simulation mode. It will report how many items would be labeled without actually applying the label.

1. Question: An administrator wants to ensure that all documents containing credit card numbers are automatically labeled as "Confidential." What should they configure? - A. A DLP policy - B. An auto-labeling policy with a sensitive info type condition - C. A retention label policy - D. A manual label policy with default label Answer: B. An auto-labeling policy can automatically apply a label based on sensitive info types like credit card numbers. DLP policies do not apply labels; they enforce actions.

2. Question: A sensitivity label is configured with encryption. What happens when a user with the label applied sends the document to an external recipient? - A. The external recipient can open the document without restrictions. - B. The external recipient can open the document only if they have the encryption key. - C. The external recipient receives a link to the document. - D. The email is blocked by DLP. Answer: B. The encryption persists; the external recipient must be authorized in the label's encryption settings to open the document.

3. Question: Which of the following can be a condition for auto-labeling? - A. File size greater than 10 MB - B. Sensitive info type - C. User department - D. File name pattern Answer: B. Auto-labeling conditions include sensitive info types and trainable classifiers. File size, user department, or file name are not valid conditions.

4. Question: An administrator deletes a sensitivity label that was applied to 500 documents. What happens to those documents? - A. The label is removed from all documents. - B. The documents become unreadable. - C. The documents retain the label metadata but cannot be managed. - D. The documents are moved to a quarantine. Answer: C. Deleting a label does not remove it from existing content; the metadata remains but the label cannot be edited or reapplied.

5. Question: What is the maximum number of sensitivity labels allowed in a tenant? - A. 100 - B. 250 - C. 500 - D. 1000 Answer: C. The maximum is 500 labels per tenant.

A global company needs to ensure that sensitive financial data is only accessible from within the EU. They create a sensitivity label 'EU-Only' with encryption that restricts access to users from a specific Azure AD group containing EU employees. They publish the label to all users and set a default label of 'Internal'. Auto-labeling is configured to apply 'EU-Only' to any document containing EU personal data (e.g., German Tax ID). The auto-labeling policy scans SharePoint and OneDrive every 15 minutes. A common problem: users in the US accidentally tag documents as 'EU-Only', preventing themselves from accessing them. The solution is to train users and use mandatory labeling with justification. Performance: with 50,000 users, label policy propagation takes up to 48 hours.

A law firm must protect client-attorney privileged information. They create multiple sensitivity labels per client (e.g., 'Client A - Confidential') with encryption that restricts access to the specific legal team. Each label has a unique encryption permission set. They use sub-labels under a parent label 'Privileged' for organization. Auto-labeling is not used due to the risk of misclassification; instead, mandatory labeling is enforced. A challenge: when a lawyer leaves the firm, removing them from the label's encryption group revokes access to all previously labeled documents. The firm uses Azure AD dynamic groups to automatically manage membership. Misconfiguration: an admin accidentally publishes the label to all users, causing unauthorized access. The fix is to scope the label policy to only the legal department.

A government agency uses labels for 'Unclassified', 'Confidential', 'Secret', and 'Top Secret'. Each label has different encryption and marking settings. 'Top Secret' requires a hardware security module (HSM) for encryption keys (via Azure Information Protection premium). They use auto-labeling with trainable classifiers to detect classified content. A critical issue: if an auto-labeling policy applies a higher classification than intended, it can lock out users. They run all auto-labeling in simulation mode for a week before enabling. They also integrate with Microsoft Defender for Cloud Apps to block download of 'Top Secret' files to personal devices. The agency has 100,000 users; label policy changes take up to 72 hours to fully propagate. They monitor using the Activity explorer and set up alerts for label downgrade attempts.