MS-102 | Chapter 17 of 104 | Objective 3.3

Sensitivity Labels and Auto-Labelling

This chapter covers sensitivity labels and auto-labelling in Microsoft 365, a critical topic for the MS-102 exam (Objective 3.3: Implement and manage sensitivity labels). Approximately 15-20% of exam questions in the Security Threats domain touch on sensitivity labels, their configuration, auto-labelling policies, and integration with Microsoft Purview. You will learn how to create, publish, and automatically apply labels to protect sensitive data across Exchange, SharePoint, OneDrive, and Microsoft 365 Groups, including advanced auto-labelling mechanisms like exact data match and trainable classifiers.

25 min read
Intermediate
Updated May 31, 2026

Sensitivity Labels as Automated Stamping Machine

Imagine a large corporate mailroom that processes thousands of envelopes daily. Each envelope must be stamped with a security classification (e.g., 'Confidential', 'Internal Only', 'Public') before it can be dispatched. In the past, every employee had to manually affix the correct stamp to their own envelopes, leading to frequent mistakes—some sensitive documents were marked 'Public' by accident, while routine memos were over-classified. To fix this, the company installs an automated stamping machine at the mailroom entrance. The machine inspects each envelope's contents using pre-defined rules: if the envelope contains financial data, it stamps 'Highly Confidential'; if it contains a lunch menu, it stamps 'Internal Only'. The machine also re-stamps any envelope that an employee already stamped if the content doesn't match the current stamp. Crucially, the machine works in real-time as envelopes pass through, and it can be configured to apply stamps automatically or only suggest them. In the Microsoft 365 world, sensitivity labels are the stamps, and auto-labelling is the automated machine that inspects content (via exact data match, sensitive info types, or trainable classifiers) and applies the correct label—or recommends one—at rest (in SharePoint/OneDrive) or in transit (Exchange). The machine ensures consistent classification without relying on end-user judgment, drastically reducing data leakage risk.

How It Actually Works

What Are Sensitivity Labels and Why Do They Exist?

Sensitivity labels are digital stamps that classify and protect data in Microsoft 365. They are part of Microsoft Purview Information Protection (MIP). Unlike retention labels, sensitivity labels enforce protection actions such as encryption, visual markings (headers/footers/watermarks), and access restrictions (e.g., 'Do Not Forward' for email). They exist to help organizations meet compliance requirements (GDPR, HIPAA, etc.) by ensuring sensitive data is consistently protected regardless of where it resides or travels.

How Sensitivity Labels Work Internally

Sensitivity labels are defined in the Microsoft Purview compliance portal. Each label has a set of protection settings:

- Encryption: Uses Azure Rights Management (Azure RMS) to protect content. When a label applies encryption, the content is wrapped in a protected envelope. Only authorized users (defined in the label's encryption settings) can decrypt and access the content.
- Content Marking: Adds headers, footers, or watermarks. These are visual cues applied when the label is applied; they are not dynamically updated if the label changes.
- Auto-labelling: Two types: client-side (manual or recommended via Office apps) and server-side (auto-labelling policies for data at rest and in transit).

Labels are published via label policies that specify which users/groups can see and apply the label. Labels can be configured as 'default' for a container (e.g., a SharePoint site) or applied automatically via auto-labelling policies.

Auto-Labelling Mechanisms

Auto-labelling policies scan content for sensitive information types (SITs), trainable classifiers, or exact data match (EDM). The policy is configured with conditions such as:

- Sensitive info types: Built-in or custom patterns (e.g., credit card number, SSN).
- Trainable classifiers: Machine learning models that identify content by context (e.g., resumes, contracts).
- Exact Data Match (EDM): Uses a fingerprint database of exact values (e.g., customer IDs).

When a match occurs, the policy can either automatically apply the label or recommend it (user must confirm). Auto-labelling for data at rest scans files in SharePoint and OneDrive. For data in transit, it scans emails in Exchange Online.

Key Defaults and Timers

Auto-labelling policy evaluation: For data at rest, policies run every 24 hours by default but can be triggered manually. For data in transit (Exchange), evaluation happens during transport (near real-time).

Label priority: Labels are ordered; if multiple labels match, the highest priority label is applied.

Encryption key lifecycle: Azure RMS keys are automatically rotated every 28 days for tenant keys (default). You can hold your own key (HYOK), but it is not recommended for cloud-first scenarios.

Label policy publishing: Takes up to 24 hours to propagate to all clients.

Configuration and Verification

To create a sensitivity label:
1. Navigate to Microsoft Purview compliance portal > Information Protection > Labels.
2. Create a label with protection settings (encryption, marking, etc.).
3. Publish via a label policy.

To configure auto-labelling:
1. Go to Information Protection > Auto-labelling.
2. Create a policy for data at rest or in transit.
3. Choose scope (SharePoint, OneDrive, Exchange), conditions (SITs, classifiers), and action (apply or recommend).

Verification commands (PowerShell):

# These cmdlets live in Security & Compliance PowerShell (ExchangeOnlineManagement module);
# connect first or every command below fails with "not recognized"
Connect-IPPSSession

# List sensitivity labels (lower Priority number = higher priority)
Get-Label | Format-Table DisplayName, Priority

# Get label policies and the users/locations each one publishes to
Get-LabelPolicy | Format-Table Name, Labels, ExchangeLocation, SharePointLocation, OneDriveLocation

# Get auto-labelling policies; Mode shows whether a policy is enforcing or only simulating
Get-AutoSensitivityLabelPolicy | Format-Table Name, Mode, Workload

Interaction with Related Technologies

Microsoft Defender for Cloud Apps: Can apply sensitivity labels to files based on app discovery policies.

Microsoft 365 Groups: Sensitivity labels can classify groups (e.g., 'Confidential' group) and enforce privacy settings (public/private).

Office Apps: Labels appear in Word, Excel, PowerPoint, and Outlook. Auto-labelling via Office apps uses client-side scanning.

Azure Information Protection (AIP): Legacy; new labels should be created in Purview. AIP labels can be migrated.

Auto-Labelling for Data at Rest vs. In Transit

Data at Rest: Scans files in SharePoint and OneDrive. Uses a schedule (every 24h). Can apply labels to existing files.

Data in Transit: Scans emails in Exchange Online during transport. Labels are applied before delivery. Can also encrypt based on label.

Trainable Classifiers

These are pre-trained or custom classifiers that use machine learning to identify content. Examples: 'Resumes', 'Source Code', 'Financial Documents'. To use a trainable classifier in auto-labelling, you must first publish it and allow it to run. They require 50 positive samples to start training.

Exact Data Match (EDM)

EDM uses a schema and a sensitive info type with a fingerprint database. The database is uploaded via PowerShell or the compliance portal. EDM is case-sensitive and matches exact values. It is ideal for structured data like customer account numbers.
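An added example (not part of the chapter) of the first EDM step described above: defining the schema for a constructed 'CustomerAccounts' data store and uploading it with Security & Compliance PowerShell. It assumes an active Connect-IPPSSession; the data store and field names are illustrative, and the hash upload that follows (EdmUploadAgent) is out of scope here.

```powershell
# Added example: EDM schema definition and upload. Data store and field names are
# constructed for illustration; assumes Connect-IPPSSession has already been run.
$SchemaXml = @'
<EdmSchema xmlns="http://schemas.microsoft.com/office/2018/edm">
  <DataStore name="CustomerAccounts" description="Customer account master (constructed sample)" version="1">
    <!-- searchable="true" marks a primary field: the value the SIT looks for first.
         Matching is exact and case-sensitive by default; caseInsensitive="true" and
         ignoredDelimiters relax that per field (e.g. 'ACC-12345' vs 'ACC12345'). -->
    <Field name="AccountNumber" searchable="true" ignoredDelimiters="-" />
    <Field name="CustomerEmail" searchable="true" caseInsensitive="true" />
    <Field name="LastName" />
    <Field name="PostalCode" />
  </DataStore>
</EdmSchema>
'@

# Write the schema to disk; New-/Set-DlpEdmSchema take the file bytes, not a path.
$SchemaPath = Join-Path $env:TEMP 'CustomerAccounts-edm.xml'
Set-Content -Path $SchemaPath -Value $SchemaXml -Encoding UTF8
$SchemaBytes = [System.IO.File]::ReadAllBytes($SchemaPath)

# Create the schema if it is new, otherwise replace the existing version.
if (Get-DlpEdmSchema -Identity 'CustomerAccounts' -ErrorAction SilentlyContinue) {
    Set-DlpEdmSchema -FileData $SchemaBytes -Confirm:$false
} else {
    New-DlpEdmSchema -FileData $SchemaBytes -Confirm:$false
}

# Verify the data store is registered. Next steps (not shown): build the EDM
# sensitive info type that references this schema, then hash and upload the
# table with EdmUploadAgent so only fingerprints, never raw values, leave the network.
Get-DlpEdmSchema -Identity 'CustomerAccounts' | Format-List
```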

Label Scope and Priority

Labels can be scoped to 'Files & emails' or 'Groups & sites'. When scoped to groups, the label can enforce privacy (public/private) and external sharing settings. Priority determines which label wins when multiple conditions match. Lower number = higher priority.

Encryption Details

When a label applies encryption, it uses Azure RMS. The encryption template defines:

- Users and rights: Who can view, edit, copy, print, etc.
- Expiration: Content access expires after a set time.
- Offline access: Defines how long content can be accessed without internet (default 7 days).

Common Misconfigurations

Not publishing labels to the right users: Labels must be published via a policy; otherwise users won't see them.

Auto-labelling policy scope: If you select only SharePoint but not OneDrive, files in OneDrive are not scanned.

Condition logic: Conditions are AND within a group, OR between groups. Misunderstanding leads to unexpected matches.

Trainable classifiers require training: They need at least 50 positive samples; otherwise they won't work.
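An added audit script (not part of the chapter) that checks a tenant for three of the misconfigurations listed above: labels that no label policy publishes, auto-labelling policies with scope gaps, and policies left in a simulation mode. It assumes Connect-IPPSSession has already been run, and assumes that label policies and auto-labelling policies may refer to a label by name, display name or GUID, so all three are accepted when matching.

```powershell
# Added example: sensitivity-label misconfiguration audit. Assumes an active
# Connect-IPPSSession. Assumption: policies may reference labels by name,
# display name or GUID, so every identifier a label has is accepted when matching.
function Get-SensitivityLabelFindings {
    $labels        = Get-Label
    $labelPolicies = Get-LabelPolicy
    $autoPolicies  = Get-AutoSensitivityLabelPolicy

    # Every identifier any label policy uses to publish a label.
    $published = @($labelPolicies | ForEach-Object { $_.Labels } |
                   ForEach-Object { "$_" }) | Sort-Object -Unique

    function Test-Published($label) {
        foreach ($k in @($label.Name, $label.DisplayName, "$($label.Guid)", "$($label.ImmutableId)")) {
            if ($k -and ($published -contains $k)) { return $true }
        }
        return $false
    }

    # Misconfiguration 1: a label exists but is published to nobody.
    foreach ($label in $labels) {
        if (-not (Test-Published $label)) {
            [pscustomobject]@{ Object  = "Label '$($label.DisplayName)'"
                               Finding = 'Not in any label policy; users cannot see or apply it' }
        }
    }

    foreach ($p in $autoPolicies) {
        $obj    = "Auto-label policy '$($p.Name)'"
        $hasSpo = @($p.SharePointLocation).Count -gt 0
        $hasOdb = @($p.OneDriveLocation).Count -gt 0
        $hasExo = @($p.ExchangeLocation).Count -gt 0

        # Misconfiguration 2: scope gaps. Nothing selected means nothing is scanned;
        # SharePoint without OneDrive (or the reverse) leaves the other store unscanned.
        if (-not ($hasSpo -or $hasOdb -or $hasExo)) {
            [pscustomobject]@{ Object = $obj; Finding = 'No locations selected; nothing will be scanned' }
        } elseif ($hasSpo -ne $hasOdb) {
            $missing = if ($hasSpo) { 'OneDrive' } else { 'SharePoint' }
            [pscustomobject]@{ Object = $obj; Finding = "Data-at-rest scope excludes $missing" }
        }

        # Misconfiguration 3: simulation modes report matches but never apply the label.
        if ("$($p.Mode)" -ne 'Enable') {
            [pscustomobject]@{ Object = $obj; Finding = "Mode is '$($p.Mode)'; labels are not being applied" }
        }

        # The label a policy applies should itself be published; otherwise a
        # 'Recommend' action offers users a label they cannot select.
        $target = $labels | Where-Object {
            "$($_.Name)", "$($_.DisplayName)", "$($_.Guid)", "$($_.ImmutableId)" -contains "$($p.ApplySensitivityLabel)"
        } | Select-Object -First 1
        if ($target -and -not (Test-Published $target)) {
            [pscustomobject]@{ Object = $obj; Finding = "Applies unpublished label '$($target.DisplayName)'" }
        }
    }
}

Get-SensitivityLabelFindings | Format-Table -AutoSize
```

The trainable-classifier sample count is not exposed through these cmdlets, so that fourth check stays a portal task.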

Exam-Relevant Numbers

Default auto-labelling scan interval: 24 hours.

Minimum positive samples for trainable classifiers: 50.

Label policy propagation time: up to 24 hours.

Azure RMS key rotation default: every 28 days.

Offline access default: 7 days.

Maximum number of auto-labelling policies: 100 per tenant.

Step-by-Step Configuration Example

1. Create a sensitivity label named 'Confidential' with encryption (users: all internal, rights: view-only).

2. Publish the label to all users via a label policy.

3. Create an auto-labelling policy for data at rest: scope = SharePoint, condition = 'Credit Card Number' SIT, action = apply label 'Confidential'.

4. Wait for scan (or trigger manually).

5. Verify in SharePoint that files containing credit card numbers are labeled.
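The same five steps carried out with Security & Compliance PowerShell, as an added example that is not part of the chapter. It assumes the ExchangeOnlineManagement module, a placeholder tenant domain (contoso.example) standing in for 'all internal users', and creates the auto-labelling policy in simulation mode first so a bad rule cannot encrypt files before the results are reviewed.

```powershell
# Added example: the five-step scenario above in PowerShell. 'contoso.example' is a
# placeholder for your verified tenant domain; policy and label names are illustrative.
Connect-IPPSSession   # Security & Compliance PowerShell (interactive sign-in)

$TenantDomain = 'contoso.example'
$LabelName    = 'Confidential'

# Step 1: label with encryption (all users in the domain, view-only), the 7-day
# offline default made explicit, and a header marking so the classification is visible.
if (-not (Get-Label -Identity $LabelName -ErrorAction SilentlyContinue)) {
    New-Label -Name $LabelName -DisplayName $LabelName `
        -Tooltip 'Internal data; view-only for staff' `
        -ContentType 'File, Email' `
        -EncryptionEnabled $true `
        -EncryptionProtectionType Template `
        -EncryptionRightsDefinitions "${TenantDomain}:VIEW" `
        -EncryptionOfflineAccessDays 7 `
        -ApplyContentMarkingHeaderEnabled $true `
        -ApplyContentMarkingHeaderText 'Confidential' | Out-Null
}
# Lower number = higher priority; choose deliberately relative to existing labels.
Set-Label -Identity $LabelName -Priority 1

# Step 2: publish to all users. An unpublished label is invisible in Office apps.
if (-not (Get-LabelPolicy -Identity 'Confidential Policy' -ErrorAction SilentlyContinue)) {
    New-LabelPolicy -Name 'Confidential Policy' -Labels $LabelName -ExchangeLocation All | Out-Null
}

# Step 3: server-side auto-labelling for data at rest, scoped to SharePoint only
# (as in the scenario; OneDrive would need -OneDriveLocation as well).
$PolicyName = 'Auto-Label Credit Cards (SharePoint)'
if (-not (Get-AutoSensitivityLabelPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-AutoSensitivityLabelPolicy -Name $PolicyName `
        -ApplySensitivityLabel $LabelName `
        -SharePointLocation All `
        -Mode TestWithoutNotifications | Out-Null
    # One rule with one condition: the built-in 'Credit Card Number' SIT, at least one hit.
    New-AutoSensitivityLabelRule -Policy $PolicyName `
        -Name 'Credit Card Number present' `
        -Workload SharePoint `
        -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } | Out-Null
}

# Step 4: the scan runs on the service schedule. After reviewing simulation results
# in the portal, switch the policy to enforcement:
# Set-AutoSensitivityLabelPolicy -Identity $PolicyName -Mode Enable

# Step 5: confirm what was created; file-level results are checked in SharePoint/Activity Explorer.
Get-Label -Identity $LabelName | Format-List Name, Priority, EncryptionEnabled
Get-AutoSensitivityLabelPolicy -Identity $PolicyName |
    Format-List Name, Mode, ApplySensitivityLabel, SharePointLocation, OneDriveLocation
```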

Walk-Through

1. Create Sensitivity Label

In Microsoft Purview compliance portal, navigate to Information Protection > Labels. Click 'Create a label'. Provide a name (e.g., 'Confidential') and description. In 'Protection settings', choose encryption: define users and rights (e.g., 'All users in my organization' with 'View Only' rights). Optionally add content marking (header/footer/watermark). Define auto-labelling settings for Office apps (recommend or force). Set label priority (lower number = higher priority). Save and publish later via a label policy.

2. Publish Sensitivity Label

After creating the label, you must publish it so users can see and apply it. In the compliance portal, go to Information Protection > Label policies. Click 'Publish label'. Select the label(s) to publish. Choose which users or groups can see the label (e.g., all users). Configure policy settings: default label for documents, mandatory labelling (users must apply a label), etc. Set the policy priority. The policy propagates within 24 hours. Users in Office apps will see the label in the sensitivity bar.

3. Configure Auto-Labelling Policy

In Information Protection > Auto-labelling, click 'Create auto-labelling policy'. Choose scope: 'Data at rest' (SharePoint, OneDrive) or 'Data in transit' (Exchange). Name the policy. Select locations (e.g., specific SharePoint sites or all). Define conditions: choose sensitive info types (e.g., 'Credit Card Number'), trainable classifiers, or exact data match. Set condition logic (AND/OR). Choose action: 'Apply label' or 'Recommend label'. Specify which label to apply. Configure additional settings like 'Automatically label existing files' (for data at rest). Review and create.

4. Test and Monitor Auto-Labelling

After creating the policy, monitor its activity. For data at rest, the policy runs on a schedule (every 24h). You can trigger a manual scan in the policy's details. For data in transit, labels are applied in near real-time. Use Activity Explorer in Purview to see which items were labelled. Verify that files containing sensitive data are correctly labelled. If using 'Recommend' mode, users will see a prompt in Office apps to apply the label. Check for false positives/negatives and adjust conditions accordingly.

5. Manage and Update Labels

Labels can be edited after creation (e.g., change encryption settings). However, changes may not retroactively apply to already labelled items unless you use a PowerShell script or a policy to re-scan. To remove a label, you can either disable it or create a sub-label. Labels can be ordered by priority. If multiple labels match, the highest priority is applied. Monitor label usage via Reports in Purview. For compliance, you can also use Content Search to find items with specific labels.

What This Looks Like on the Job

Enterprise Scenario 1: Financial Services Compliance

A large bank needs to ensure that all documents containing client account numbers (PCI-DSS) are encrypted at rest and in transit. They configure an auto-labelling policy for data at rest (SharePoint and OneDrive) using the built-in 'Credit Card Number' sensitive info type and Exact Data Match (EDM) for their proprietary account number format. The label applies encryption that restricts access to only employees with a 'Compliance Officer' role. They also create a label for 'Public' that applies no protection. The auto-labelling policy runs daily, scanning millions of files. Initially, they see false positives from test files; they refine the EDM schema to exclude test prefixes. Performance is acceptable (scan completes within 24h for 500k files). The biggest challenge is ensuring that all historical files are labelled; they run a manual scan after initial deployment. They also configure Exchange auto-labelling to encrypt outgoing emails that contain account numbers.

Enterprise Scenario 2: Healthcare Records Protection

A hospital network uses sensitivity labels to classify patient records (PHI) under HIPAA. They create a label 'PHI-Protected' with encryption and a 'Confidential' watermark. They use a trainable classifier 'Medical Records' to auto-label documents in SharePoint. The classifier required 50 positive samples from existing labelled documents. After training, it correctly identifies 90% of patient records. They also use auto-labelling for data in transit to prevent PHI from being sent externally without encryption. They configure a label policy that enforces mandatory labelling for all users; any unlabelled document is blocked from being shared externally. The hospital faces challenges with false negatives from the classifier; they continuously feed more samples to improve accuracy. They also use Microsoft 365 Groups sensitivity labels to control team site privacy for different departments.

Scenario 3: Legal Firm Client Confidentiality

A law firm uses sensitivity labels to enforce attorney-client privilege. They create labels like 'Privileged', 'Confidential', and 'Public'. Auto-labelling is configured with a custom sensitive info type that matches case numbers (e.g., 'Case-\d{5}'). They also use trainable classifiers for 'Legal Documents'. They apply encryption that restricts access to specific attorneys and paralegals. They use auto-labelling for data at rest to scan all existing files in OneDrive and SharePoint. A common pitfall is assuming that auto-labelling policies also govern external sharing links; they do not, so the firm relies on DLP policies to block sharing of labelled content. They also use label policies with different scopes: some labels are only visible to attorneys, others to all staff. They monitor using Activity Explorer and generate weekly reports on label usage.

How MS-102 Actually Tests This

What MS-102 Tests on This Topic (Objective 3.3)

The exam focuses on:

- Creating and publishing sensitivity labels: Know the steps and settings (encryption, marking, auto-labelling for Office apps).
- Auto-labelling policies: Differentiate between client-side (Office apps) and server-side (Purview). Know the scopes: data at rest (SharePoint, OneDrive) and data in transit (Exchange).
- Conditions: Sensitive info types, trainable classifiers, exact data match. Know the minimum samples for classifiers (50).
- Label priority and order: Lower number = higher priority. If multiple labels match, the highest priority is applied.
- Encryption: Azure RMS, user rights, offline access default (7 days).
- Integration with groups: Sensitivity labels can control group privacy and external sharing.
- Common commands: Get-Label, Get-LabelPolicy, Get-AutoSensitivityLabelPolicy.

Most Common Wrong Answers

1. 'Auto-labelling policies apply labels in real-time for data at rest.' Wrong: They run on a schedule (every 24h) or manually. Real-time only for data in transit (Exchange).

2. 'Trainable classifiers work immediately after creation.' Wrong: They need at least 50 positive samples to start training. They also require a training period.

3. 'Sensitivity labels can be applied to mailboxes.' Wrong: Sensitivity labels apply to files and emails, but not to mailboxes directly. Retention labels apply to mailboxes.

4. 'Auto-labelling policies can use custom sensitive info types without publishing them.' Wrong: Custom SITs must be created and published before use.

5. 'Label priority is based on creation order.' Wrong: Priority is set manually (lower number = higher priority).

Specific Numbers to Memorize

Minimum positive samples for trainable classifiers: 50.

Default auto-labelling scan interval: 24 hours.

Offline access default: 7 days.

Azure RMS key rotation: 28 days.

Maximum auto-labelling policies: 100.

Label policy propagation time: up to 24 hours.

Edge Cases

Multiple labels matching: The highest priority label is applied. Two labels cannot share the same priority; priority values are unique.

Label removal: You cannot delete a label that is in use. You must first disable it or remove it from policies.

Sub-labels: Used for parent-child hierarchy. Sub-labels inherit parent's protection settings but can have different markings.

Auto-labelling for Exchange: Only applies to emails in transit; it does not label existing emails in mailboxes.

How to Eliminate Wrong Answers

Understand the difference between client-side and server-side auto-labelling. Client-side is in Office apps; server-side is in Purview.

Know that auto-labelling for data at rest scans files, not folders. It labels files that match conditions.

Remember that sensitivity labels are not the same as retention labels. Retention labels manage data lifecycle; sensitivity labels protect data.

If a question mentions 'real-time' for data at rest, it's likely wrong unless it's about client-side labelling.

Key Takeaways

Sensitivity labels classify and protect data with encryption, markings, and access controls.

Auto-labelling policies can be client-side (Office apps) or server-side (Purview for data at rest and in transit).

Server-side auto-labelling for data at rest runs on a 24-hour schedule; for Exchange it is near real-time.

Trainable classifiers require a minimum of 50 positive samples to start training.

Label priority is determined by a user-set number (lower is higher priority).

Azure RMS encryption key rotates every 28 days by default.

Labels must be published via a label policy before users can see them.

Auto-labelling policies can use sensitive info types, trainable classifiers, or exact data match (EDM).

Sensitivity labels can also be applied to Microsoft 365 Groups to control privacy and sharing.

You cannot delete a label that is in use; you must disable it or remove it from policies first.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Client-Side Auto-Labelling (Office Apps)

Runs in Office apps (Word, Excel, PowerPoint, Outlook) when user edits or sends content.

Can recommend or automatically apply labels based on sensitive info types.

Real-time: label is applied immediately during content creation or sending.

Only applies to content that is opened in Office apps; does not scan existing files at rest.

Requires Azure Information Protection unified labeling client (or built-in labeling) on client machines.

Server-Side Auto-Labelling (Purview)

Runs in Microsoft 365 cloud (Purview) for data at rest (SharePoint, OneDrive) and in transit (Exchange).

Can automatically apply labels based on sensitive info types, trainable classifiers, or EDM.

For data at rest: scheduled (every 24h) or manual; for data in transit: near real-time.

Scans all files in specified locations regardless of whether they are opened.

No client software required; policies are configured in Purview compliance portal.

Watch Out for These

Mistake: Sensitivity labels automatically encrypt all files they are applied to.

Correct: Encryption is optional and must be explicitly configured in the label's protection settings. A label can simply add a header/footer without encryption.

Mistake: Auto-labelling policies apply labels immediately to all existing files.

Correct: For data at rest, auto-labelling runs on a schedule (every 24 hours) or can be triggered manually. It is not instantaneous for existing files. For new files, client-side auto-labelling (in Office apps) can apply labels in real-time.

Mistake: Trainable classifiers work out of the box with no setup.

Correct: Trainable classifiers require at least 50 positive samples to begin training. They also need a training period (up to 24 hours) before they can be used in auto-labelling policies.

Mistake: You can delete a sensitivity label that is currently assigned to files.

Correct: You cannot delete a label that is in use. You must first remove it from all label policies and ensure no files have it applied (or use PowerShell to remove it). Alternatively, you can disable the label.

Mistake: Auto-labelling policies scan all locations automatically without configuration.

Correct: You must specify the locations (SharePoint, OneDrive, Exchange) in the policy. By default, no locations are selected. Also, for SharePoint and OneDrive, you can choose specific sites or all.


Frequently Asked Questions

What is the difference between a sensitivity label and a retention label?

A sensitivity label classifies and protects data (encryption, markings, access restrictions) and is used for information protection. A retention label manages data lifecycle (retain or delete) and is used for records management. They are separate concepts and can be applied independently. Sensitivity labels do not enforce retention; retention labels do not enforce encryption.

How long does it take for an auto-labelling policy to apply labels to existing files?

For data at rest (SharePoint/OneDrive), the policy runs on a schedule every 24 hours by default. You can manually trigger a scan from the policy details page. For data in transit (Exchange), labels are applied in near real-time during email transport. Client-side auto-labelling in Office apps applies labels immediately when content is created or edited.

Can I use a custom sensitive info type in an auto-labelling policy?

Yes. You must first create the custom sensitive info type in Microsoft Purview (Data Classification > Sensitive info types). After publishing it, you can use it as a condition in auto-labelling policies. The custom SIT must be based on a pattern or exact data match.

What happens if multiple auto-labelling policies match the same content?

If multiple policies match, the label with the highest priority (lowest number) is applied. When several policies apply the same label, it is applied once. When they apply different labels, label priority decides which one wins; if label priority does not settle it, the label from the policy with the highest priority (lowest number) is applied.

Do sensitivity labels work with external users?

Yes, but encryption settings control access. If a label applies encryption that restricts access to 'Only internal users', external users cannot decrypt the content. You can configure encryption to allow specific external users or domains. For sharing labelled content externally, you may need to use Microsoft Purview Message Encryption or configure the label's encryption to include external recipients.

Can I automatically apply a sensitivity label to all documents in a SharePoint site?

You can use a default label for the site (via site settings) that applies a label to all new documents. For existing documents, you need an auto-labelling policy that scans and labels them. Alternatively, you can use PowerShell to apply labels in bulk.

What is the maximum number of auto-labelling policies I can create?

You can create up to 100 auto-labelling policies per tenant (as of current limits). Each policy can have multiple conditions and locations. If you need more, consider consolidating conditions into fewer policies.
