This chapter covers sensitivity labels and Azure Information Protection (AIP), which are core components of Microsoft 365's information protection strategy. For the MS-900 exam, this topic appears in approximately 10-15% of questions, primarily in the 'Describe Microsoft 365 security and compliance capabilities' domain (objective 3.4). Understanding how sensitivity labels classify and protect data at rest and in transit is essential for the exam and for real-world data governance.
Imagine a government document processing center that handles thousands of documents daily, each with a classification level: Unclassified, Confidential, Secret, and Top Secret. When a document is created, an official stamps it with a colored ink that indicates its classification. This stamp is not just a visual mark; it contains a unique chemical signature that only authorized readers can detect. If someone without the proper clearance tries to photocopy the document, the copier detects the chemical signature and either blocks the copy or applies a watermark. Additionally, if the document is emailed outside the agency, the stamp triggers an automatic encryption and restricts forwarding. The stamp can also instruct the document to self-destruct after a certain time. In this analogy, the stamp is the sensitivity label, the chemical signature is the metadata embedded in the file, the copier is the Microsoft 365 compliance center enforcing policies, and the self-destruct timer is the expiration setting. Just as the stamp travels with the document regardless of where it goes, sensitivity labels persist with the data even when shared externally, and the enforcement mechanisms (like blocking copy or applying encryption) are the protection actions configured in the label policy.
What Are Sensitivity Labels?
Sensitivity labels are classification and protection mechanisms in Microsoft 365 that allow organizations to tag data (emails, documents, files) with a label that defines its sensitivity level (e.g., Confidential, Highly Confidential). Labels can enforce protection actions like encryption, access restrictions, and visual markings (headers, footers, watermarks). They are a key part of Microsoft Information Protection (MIP) and are integrated across Office apps, Microsoft 365 services, and third-party applications via the Microsoft Information Protection SDK.
Why Sensitivity Labels Exist
Organizations need to protect sensitive data from unauthorized access and accidental leaks. Sensitivity labels provide a unified classification schema that travels with the data, regardless of where it is stored or shared. This is critical for compliance with regulations like GDPR, HIPAA, and CCPA. Labels enable data owners to apply consistent protection policies without relying on IT for every decision.
How Sensitivity Labels Work Internally
When a user applies a sensitivity label to a document in Microsoft 365 (e.g., via Word, Excel, or the Azure Information Protection client), the following happens:
1. The label is embedded in the file's metadata as an XML element. For Office documents, this is stored in the custom XML part. For non-Office files, the label is stored using the MIP SDK's file handling.
2. If the label is configured with encryption, Azure Rights Management (Azure RMS) is invoked. The document is encrypted using AES-256 (for files) or S/MIME (for emails). The encryption key is managed by Azure RMS and tied to the organization's tenant.
3. The label's policy defines who can decrypt the document. By default, only users with specific permissions (e.g., Owner, Co-Author) can access the content. The RMS service issues usage licenses to authorized users when they attempt to open the file.
4. If the label includes expiration settings, the RMS service revokes access after the expiration date, even if the user previously had a usage license.
5. Visual markings (headers, footers, watermarks) are applied by the Office client or AIP client when the document is saved or printed.
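Step 1 above is the part you can verify yourself: Office stores the label as custom document properties named MSIP_Label_<label GUID>_<Setting> in docProps/custom.xml inside the .docx ZIP. The following is an added example, not code from the chapter or from Microsoft: it parses those properties and builds a constructed sample document (placeholder tenant id and label GUID) to run against, so a defender can check labeling coverage on files at rest.

```python
"""Added example: read the sensitivity-label properties Office writes into
docProps/custom.xml of a .docx, using a constructed sample document."""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional

CUSTOM_NS = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
VT_NS = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
LABEL_PREFIX = "MSIP_Label_"  # Office naming: MSIP_Label_<label GUID>_<Setting>


def read_label_properties(docx_bytes: bytes) -> dict:
    """Return {label_guid: {setting: value}} for every MSIP_Label_* property."""
    labels: dict = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "docProps/custom.xml" not in zf.namelist():
            return labels  # no custom-properties part, so no label metadata
        root = ET.fromstring(zf.read("docProps/custom.xml"))
    for prop in root.iter(f"{{{CUSTOM_NS}}}property"):
        name = prop.get("name", "")
        if not name.startswith(LABEL_PREFIX):
            continue  # ordinary custom property, not label metadata
        # The GUID contains no underscores, so the first "_" after it starts the setting name
        guid, _, setting = name[len(LABEL_PREFIX):].partition("_")
        value = prop.find(f"{{{VT_NS}}}lpwstr")
        labels.setdefault(guid, {})[setting] = (value.text or "") if value is not None else ""
    return labels


def effective_label(docx_bytes: bytes) -> Optional[tuple]:
    """Return (guid, display name, method) of the enabled label, or None if unlabeled."""
    for guid, settings in read_label_properties(docx_bytes).items():
        if settings.get("Enabled", "").lower() == "true":
            return guid, settings.get("Name", ""), settings.get("Method", "")
    return None


def build_sample_docx(label_guid: Optional[str], name: str = "", method: str = "Standard",
                      enabled: bool = True) -> bytes:
    """Constructed minimal .docx: just enough ZIP parts for the parser, not a real Office file.
    label_guid=None produces a document with no custom.xml part at all."""
    ET.register_namespace("vt", VT_NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # placeholder part (constructed)
        zf.writestr("word/document.xml", "<document/>")  # placeholder part (constructed)
        if label_guid is not None:
            settings = {"Enabled": "true" if enabled else "false", "Name": name,
                        "Method": method, "SetDate": "2024-01-15T10:00:00Z",
                        "SiteId": "00000000-0000-0000-0000-000000000000"}  # constructed tenant id
            root = ET.Element(f"{{{CUSTOM_NS}}}Properties")
            for pid, (setting, value) in enumerate(settings.items(), start=2):
                prop = ET.SubElement(root, f"{{{CUSTOM_NS}}}property",
                                     fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}",
                                     pid=str(pid), name=f"{LABEL_PREFIX}{label_guid}_{setting}")
                ET.SubElement(prop, f"{{{VT_NS}}}lpwstr").text = value
            zf.writestr("docProps/custom.xml", ET.tostring(root, encoding="unicode"))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("11111111-2222-3333-4444-555555555555", "Confidential", "Privileged")
    print(effective_label(sample))
```

Pointing read_label_properties at a real labeled file shows the same property names; remember that this metadata is only a claim about the file, and that the encryption described in step 2 is what actually enforces it.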
Key Components, Values, Defaults, and Timers
Label Priority: Labels have a priority order (1 to 1000) that determines which label takes effect when multiple labels apply. Higher priority labels override lower ones.
Encryption: Two options: 'Encrypt content only' (RMS encryption) and 'Assign permissions now' (custom permissions). Default encryption is AES-256.
User Permissions: Roles like Owner, Co-Author, Reviewer, and Viewer. Each role has specific rights (e.g., Viewer cannot edit or print).
Expiration: Can be set to 'Never', 'After a specific date', or 'After a duration' (e.g., 30 days). The timer starts when the label is applied.
Auto-classification: Labels can be applied automatically based on sensitive information types (e.g., credit card numbers) or trainable classifiers. This uses the Microsoft 365 compliance center's auto-labeling policies.
Default Label: A default label can be assigned to a SharePoint document library, ensuring all new documents get a baseline label.
Label Inheritance: When a user creates a new document from an existing one, the label may be inherited if configured.
Configuration and Verification Commands
Sensitivity labels are configured in the Microsoft 365 compliance center under 'Information protection' > 'Labels'. PowerShell can be used for bulk operations. Example commands:
Get label: Get-Label | Format-Table DisplayName, Priority, EncryptionEnabled
Create label: New-Label -DisplayName "Confidential" -Tooltip "Sensitive business data" -EncryptionEnabled $true -EncryptionProtectionType Template -EncryptionTemplateId "<template-id>"
Publish label: New-LabelPolicy -Name "Confidential Policy" -Labels "Confidential" -Settings @{ "Scope" = "All" }
Check label application: Get-RecordLabelHistory -DocumentId <id> (for records management)
Interaction with Related Technologies
Azure Information Protection (AIP): AIP is the client-side component that applies labels to files outside the Office ecosystem (e.g., PDFs, images). AIP uses the same Azure RMS backend. However, Microsoft is deprecating the AIP client in favor of built-in labeling in Office apps. For MS-900, know that AIP is a separate but related technology that integrates with sensitivity labels.
Data Loss Prevention (DLP): DLP policies can detect sensitivity labels and block actions (e.g., sharing via email). For example, a DLP policy can prevent sending an email with a 'Highly Confidential' label to an external recipient.
Microsoft Defender for Cloud Apps: Can apply sensitivity labels to files in cloud apps like Box or Dropbox via session policies.
Microsoft Purview Compliance Portal: Unified portal for managing labels, DLP, and records management.
Auto-Labeling and Recommended Labels
Auto-labeling policies can automatically apply a sensitivity label to files that contain specific sensitive data (e.g., Social Security numbers). There are two modes:
- Simulation mode: Reports which files would be labeled without actually applying the label.
- Enforcement mode: Actually applies the label.
Recommended labels appear as a prompt to the user (e.g., 'We recommend this label for this file') but the user must confirm. This is configured in the label policy settings.
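To make the simulation/enforcement distinction concrete, here is an added example (my own model, not the chapter's code and not how Microsoft Purview is implemented) of an auto-labeling policy that detects one sensitive information type, credit card numbers validated with the Luhn check, and either reports or applies the label. The Document and AutoLabelPolicy names, the rule that an already-labeled item is never relabeled, and the sample corpus are all assumptions of this model.

```python
"""Added example: a model of an auto-labeling policy with simulation and
enforcement modes, detecting Luhn-valid credit card numbers."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# 13 to 16 digits, optionally separated by spaces or dashes, not part of a longer digit run
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: filters out most random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled, digits summed
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return separator-free card numbers in text that pass the Luhn check."""
    hits = []
    for match in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


@dataclass
class Document:
    name: str
    text: str
    label: Optional[str] = None  # None means unlabeled


@dataclass
class AutoLabelPolicy:
    label: str  # label to apply, e.g. "Highly Confidential"
    mode: str   # "simulation" or "enforcement"

    def run(self, docs: List[Document]) -> List[Tuple[str, str]]:
        """Evaluate every document; labels are changed only in enforcement mode."""
        report = []
        for doc in docs:
            if not find_card_numbers(doc.text):
                continue  # nothing sensitive, no action and no report line
            if doc.label is not None:
                # Model assumption: an existing label (manual or otherwise) is never replaced
                report.append((doc.name, f"skipped: already labeled {doc.label}"))
                continue
            if self.mode == "enforcement":
                doc.label = self.label
                report.append((doc.name, f"labeled {self.label}"))
            else:
                report.append((doc.name, f"would label {self.label}"))
        return report


def sample_documents() -> List[Document]:
    """Constructed corpus: 4111 1111 1111 1111 is Luhn-valid; 1234 5678 9012 3456 is not."""
    return [
        Document("invoice.docx", "Paid by card 4111 1111 1111 1111 on 2024-03-01."),
        Document("notes.txt", "Ticket ref 1234 5678 9012 3456, nothing sensitive."),
        Document("contract.docx", "Card on file: 4111-1111-1111-1111", label="Internal"),
    ]


def run_on_sample(mode: str) -> Tuple[List[Tuple[str, str]], List[Optional[str]]]:
    """Run the policy over the constructed corpus; return (report, resulting labels)."""
    docs = sample_documents()
    report = AutoLabelPolicy("Highly Confidential", mode).run(docs)
    return report, [d.label for d in docs]
```

Running run_on_sample("simulation") leaves every label untouched while still reporting invoice.docx as a hit, which is exactly the preview a simulation run gives you before enforcement changes anything.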
Label Scope and Sub-Labels
Labels can be scoped to specific items: Files & emails, Groups & sites (for Teams, SharePoint, and Microsoft 365 Groups), or schematized data assets (for Azure Purview). Sub-labels allow hierarchical classification (e.g., Confidential > Financial, Confidential > Legal). Sub-labels inherit the parent's protection settings but can override them.
Encryption Details
When encryption is enabled, Azure RMS uses a content key that is encrypted with the organization's tenant key. The tenant key is stored in Azure Key Vault. For each user who opens the file, the RMS service issues a usage license that contains the content key encrypted with the user's public key. This ensures only authorized users can decrypt. The encryption is persistent—even if the file is saved to a different location or renamed, the encryption remains.
Visual Markings
Headers, footers, and watermarks are applied dynamically by the client application. For example, a label might add a footer 'Confidential - Do Not Distribute' to every page. These markings are not embedded in the file's content but are rendered by the application. If a file is opened in a viewer that doesn't support MIP, the markings may not appear. However, the label metadata and encryption persist.
Expiration and Revocation
Labels can include an expiration date. After that date, the RMS service denies all new usage license requests. Existing licenses may still be valid for a short grace period (default 30 minutes). Revocation can also be done manually by a superuser or label admin. Revocation is immediate for new access attempts; cached licenses are honored until they expire (typically 30-60 minutes).
Cross-Platform Support
Sensitivity labels work on Windows, Mac, iOS, Android, and web browsers. The MIP SDK allows third-party apps to read and apply labels. For example, Adobe Acrobat can apply sensitivity labels to PDFs using the MIP SDK.
Exam-Relevant Details
The exam tests the difference between sensitivity labels and retention labels. Sensitivity labels focus on classification and protection (encryption), while retention labels focus on data retention and deletion.
Know that sensitivity labels can be automatically applied via auto-labeling policies in the compliance center.
Understand that labels can be applied manually by users (via Office apps or AIP client) or automatically via policies.
Remember that labels persist with the data even when shared externally, but enforcement depends on the recipient's ability to authenticate to Azure AD.
The default encryption algorithm is AES-256.
Labels can be used to protect files in SharePoint, OneDrive, and Exchange Online.
The exam may ask about 'sub-labels' as a way to create granular classifications.
Create Sensitivity Label
In the Microsoft 365 compliance center, navigate to 'Information protection' > 'Labels' and click 'Create a label'. Provide a name, description, and tooltip. The tooltip is displayed to users when they hover over the label in Office apps. Set the label priority (lower number = higher priority). Define the scope: 'Files & emails' for document and email protection, 'Groups & sites' for container protection (Teams, SharePoint), or 'Schematized data assets' for Azure Purview. For MS-900, focus on Files & emails. Click 'Next' to configure protection settings.
Configure Encryption
On the 'Protection settings' page, you can enable encryption. If enabled, choose 'Encrypt content only' (applies RMS encryption) or 'Assign permissions now' to define specific users and roles. For 'Assign permissions now', you can add users or groups and assign roles like Co-Author (edit, copy, save), Reviewer (view only), or Viewer (view but no edit). You can also set an expiration date. The RMS service will enforce these permissions. If you choose 'Let users assign permissions', users will be prompted to select recipients when applying the label.
Configure Visual Markings
In the same label creation wizard, you can add headers, footers, and watermarks. For example, you can add a header 'Confidential' in red font, a footer 'Do Not Distribute', and a watermark 'CONFIDENTIAL' across the page. These markings are dynamic and applied by the client application. You can also specify the position (top, bottom, center) and font size. Note that watermarks are only supported in Office apps and may not appear in PDFs or other formats.
Publish Label Policy
After creating the label, you must publish it via a label policy. In the compliance center, go to 'Information protection' > 'Label policies' > 'Publish label'. Select the label(s) to include. Choose which users and groups the policy applies to (e.g., all users, specific departments). Set the policy settings: whether the label is mandatory (users must apply a label to save or send), default label for new documents, and whether to show recommended labels. The policy can also specify whether to apply the label to files and emails automatically via auto-labeling.
Apply Label to Content
Users can apply labels manually in Office apps (Word, Excel, PowerPoint, Outlook) by clicking the 'Sensitivity' button in the ribbon. They select the appropriate label, which then applies encryption and visual markings. Alternatively, auto-labeling policies can apply labels automatically based on sensitive data detection. For example, a policy can detect credit card numbers and apply 'Highly Confidential' label. The auto-labeling can run in simulation mode first to see what would be labeled.
Monitor and Audit
After labels are applied, you can monitor usage via the compliance center's 'Activity explorer' and 'Content explorer'. Activity explorer shows which users applied labels, while Content explorer shows where labeled files are stored. You can also use audit logs to track label changes. For exam purposes, know that sensitivity labels are part of Microsoft Purview and can be audited via the unified audit log.
Enterprise Scenario 1: Financial Services Compliance
A multinational bank must comply with GDPR and internal data classification policies. They create sensitivity labels: 'Public', 'Internal', 'Confidential', and 'Highly Confidential'. The 'Highly Confidential' label encrypts documents and restricts access to the legal and compliance teams only. They publish the label policy to all employees but require users to manually apply labels. Auto-labeling is configured to detect IBAN numbers and apply 'Confidential' automatically. In production, they found that users often forget to label documents, so they made labeling mandatory for all documents saved to SharePoint. Performance is smooth, but they had to train users on the new ribbon button. Misconfiguration: Initially, they set the default label to 'Internal' for all documents, which caused confusion for HR documents that should be 'Confidential'. They resolved by scoping default labels per department.
Enterprise Scenario 2: Healthcare Data Protection
A hospital network uses sensitivity labels to protect patient records. They create a label 'Patient Data' with encryption and a watermark 'CONFIDENTIAL'. The label is applied automatically when a document contains a patient ID (sensitive info type). They also use sub-labels: 'Patient Data > Medical Records' and 'Patient Data > Billing Info'. The hospital uses Azure Information Protection client to label PDFs from legacy systems. A common issue: when sharing labeled files with external partners (e.g., insurance companies), the partners cannot open the encrypted files because they lack Azure AD accounts. They solved this by configuring the label to allow 'Specific external users' with guest accounts. The exam may test that external sharing requires authentication.
Enterprise Scenario 3: Legal Document Management
A law firm uses sensitivity labels to manage attorney-client privilege. They create a label 'Privileged' that encrypts and restricts access to specific attorneys. They also use expiration: after the case closes, the label expires, revoking access. They found that expiration must be set carefully; if set too short, attorneys lose access during active litigation. They use PowerShell scripts to bulk-apply labels to existing document repositories. Performance considerations: applying labels to millions of files in SharePoint Online can take days due to throttling. They schedule auto-labeling during off-peak hours. Misconfiguration: They accidentally published a label with no encryption, thinking it was only for classification, but the label policy had 'Mark content' enabled, which added a watermark to all documents. They learned to carefully review each setting.
What MS-900 Tests on This Topic (Objective 3.4)
The exam focuses on the fundamental concepts of sensitivity labels and their relationship to Azure Information Protection. You should be able to:
Describe the purpose of sensitivity labels (classification and protection).
Differentiate between sensitivity labels and retention labels.
Identify scenarios where sensitivity labels are used (e.g., encrypting emails, restricting access to documents).
Understand that labels can be applied manually or automatically.
Know that labels persist with data.
Recognize that Azure Information Protection is the underlying technology for encryption.
Common Wrong Answers and Why Candidates Choose Them
Confusing sensitivity labels with retention labels: Many candidates think sensitivity labels control how long data is kept. In reality, retention labels manage deletion and retention, while sensitivity labels manage classification and protection. The exam may present a scenario about data retention and ask which label to use; the wrong answer is sensitivity label.
Believing labels only work within Microsoft 365: Some think labels stop protecting data once it leaves the tenant. Actually, encryption persists, but access requires authentication. The exam may test that labels work even when shared externally.
Assuming all labels require encryption: Labels can be used purely for classification without encryption. The exam may ask about a scenario where only a visual marking is needed; the correct answer is a sensitivity label with markings but no encryption.
Mixing up Azure Information Protection and Microsoft Purview: AIP is the client-side component for labeling non-Office files, while Purview is the compliance portal. The exam may ask which tool to use for labeling PDFs; the answer is AIP (though it's being deprecated).
Specific Numbers, Values, and Terms
Encryption algorithm: AES-256.
Label priority range: 1 to 1000.
Default label policy scope: Users and groups.
Auto-labeling modes: Simulation and Enforcement.
Terms: 'Content explorer', 'Activity explorer', 'Azure Rights Management', 'RMS template'.
Edge Cases and Exceptions
If a user has multiple labels applied (e.g., via inheritance and manual), the label with highest priority (lowest number) takes effect.
Labels applied to containers (Teams, SharePoint) do not encrypt the files inside; they only control guest access.
When a file is encrypted with a label, the file extension may change to .ppdf for protected PDFs.
Delegated access: If a user delegates another user to open a file, the delegate must have appropriate permissions.
How to Eliminate Wrong Answers
If the question mentions 'data retention' or 'deletion', the answer is NOT a sensitivity label; it's a retention label.
If the question mentions 'encryption' or 'access restriction', the answer is a sensitivity label.
If the question mentions 'visual markings' without encryption, still a sensitivity label.
If the question mentions 'applying labels to files in a third-party app', think of AIP or MIP SDK.
Remember: Sensitivity labels are for classification AND protection; retention labels are for lifecycle management.
Sensitivity labels classify and protect data; retention labels manage data lifecycle.
Encryption uses AES-256 via Azure Rights Management.
Labels can be applied manually (user) or automatically (auto-labeling policies).
Labels persist with data everywhere, but enforcement requires Azure AD authentication.
Label priority: lower number = higher priority (range 1-1000).
Auto-labeling has two modes: simulation and enforcement.
Azure Information Protection (AIP) is a client for labeling non-Office files, but it's being deprecated.
Visual markings (headers, footers, watermarks) are configurable per label.
Labels can expire, revoking access after a set date or duration.
Sub-labels allow hierarchical classification (e.g., Confidential > Financial).
Sensitivity labels and retention labels come up on the exam all the time. Here's how to tell them apart.
Sensitivity Labels
Purpose: Classification and protection (encryption, access control).
Can apply encryption via Azure RMS (AES-256).
Visual markings (headers, footers, watermarks).
Persist with data even when shared externally.
Applied manually or via auto-labeling policies.
Retention Labels
Purpose: Data lifecycle management (retention, deletion).
No encryption capabilities.
No visual markings.
Do not alter file content; only metadata for retention.
Applied via retention policies or manually.
Mistake
Sensitivity labels and retention labels are the same thing.
Correct
Sensitivity labels classify and protect data (encryption, access control, visual markings). Retention labels manage data lifecycle (when to delete or retain). They serve different purposes and can be used together.
Mistake
Sensitivity labels only work for files stored in Microsoft 365.
Correct
Labels persist with the file even when exported or shared externally. However, enforcement (e.g., encryption) requires the recipient to authenticate with Azure AD. File metadata remains intact.
Mistake
All sensitivity labels must include encryption.
Correct
Labels can be configured without encryption. They can be used solely for classification and visual markings (headers, footers, watermarks). Encryption is optional.
Mistake
Azure Information Protection is the same as sensitivity labels.
Correct
AIP is a client that applies sensitivity labels to files, especially non-Office formats. Sensitivity labels are the classification scheme; AIP is one method to apply them. Microsoft is deprecating AIP in favor of built-in labeling in Office apps.
Mistake
Auto-labeling can apply labels to all existing content immediately.
Correct
Auto-labeling policies run on a schedule and may take time to process large volumes. They also have a simulation mode to preview before enforcement. Immediate application is not guaranteed.
Yes, sensitivity labels can be applied to emails in Outlook (desktop, web, and mobile). When a user applies a label, the email may be encrypted and restricted based on the label's settings. For example, a 'Confidential' label might encrypt the email and prevent forwarding. The label appears in the email header and is visible to recipients who have the Outlook client.
If the label includes encryption, the external user must authenticate with Azure AD to access the file. They can be granted guest access or the label can be configured to allow specific external domains. Without authentication, the file remains encrypted and unreadable. The label metadata stays with the file, but visual markings may not appear in external viewers.
Sensitivity labels are the classification and protection policies defined in the Microsoft 365 compliance center. Azure Information Protection (AIP) is the client application (now deprecated) that applies these labels to files, especially non-Office formats like PDFs and images. The exam may treat them as related but distinct: labels are the policy, AIP is the enforcer.
Yes, you can create a sensitivity label that only applies visual markings (header, footer, watermark) and does not encrypt the file. This is useful for classification-only scenarios where you want to indicate sensitivity without restricting access.
The default encryption algorithm is AES-256. This is used by Azure Rights Management when encrypting files. The exam may test this specific value.
Sensitivity labels can be applied to SharePoint documents manually by users via the Office web app or desktop app. Auto-labeling policies can also scan SharePoint libraries and apply labels automatically based on sensitive data detection. Additionally, default labels can be set for a document library.
A sub-label is a label that exists under a parent label, creating a hierarchy. For example, you might have a parent label 'Confidential' with sub-labels 'Financial' and 'Legal'. Sub-labels inherit the parent's protection settings but can override them. They are used to provide more granular classification.