SC-900 | Chapter 34 of 103 | Objective 4.2

Sensitivity Labels and Information Protection

This chapter covers sensitivity labels and information protection in Microsoft 365, a core topic for the SC-900 exam. Sensitivity labels are the primary mechanism for classifying and protecting data at the item level, and they appear in roughly 15-20% of exam questions. Understanding how labels work, what they can enforce, and how they differ from Azure Information Protection (AIP) labels is critical. We will explore label creation, configuration, automatic application, and integration with Microsoft Purview Data Loss Prevention (DLP) and Microsoft Defender for Cloud Apps.

25 min read
Intermediate
Updated May 31, 2026

Sensitivity Labels as Document Classification Stamps

Imagine a government document facility where every document must be classified before leaving the printing press. The facility has a set of rubber stamps: 'Top Secret', 'Secret', 'Confidential', and 'Internal Use Only'. Each stamp has specific rules: a 'Top Secret' stamp can only be applied by senior officers, and once stamped, the document must be stored in a red safe, can only be read by people with a 'Top Secret' badge, and cannot be photocopied or emailed outside the building. The stamp itself is not just ink—it contains a microchip that enforces these rules automatically. When a document is stamped, the chip embeds metadata that travels with the document. If someone tries to email the document to an external address, the chip blocks the send and alerts security. If a person without the correct badge tries to open the document, the chip prevents decryption. The stamps can also be changed: a senior officer can 'upgrade' a stamp from 'Confidential' to 'Secret' by applying a new stamp that overrides the old one. This system works across all documents—Word files, PDFs, emails, and even physical printouts (via watermarks). In Microsoft 365, sensitivity labels work exactly like these smart stamps: they classify and protect data at the item level, travel with the data across apps and devices, and enforce encryption, markings, and access policies automatically.

How It Actually Works

What Are Sensitivity Labels and Why Do They Exist?

Sensitivity labels are metadata tags that classify and optionally protect data based on its sensitivity level. They are part of Microsoft Purview Information Protection (formerly Microsoft 365 Information Protection). The purpose is to enable organizations to:

Classify data (e.g., Public, General, Confidential, Highly Confidential)

Apply protection actions automatically or manually (encryption, access restrictions, visual markings)

Track and audit access to sensitive data

Integrate with DLP policies to prevent data leaks

Extend protection to third-party apps via Microsoft Defender for Cloud Apps

On the SC-900 exam, you must know that sensitivity labels are the evolution of Azure Information Protection (AIP) labels. AIP labels (unified labeling) are now integrated into Microsoft 365 Compliance Center. The exam tests the difference between sensitivity labels and retention labels: sensitivity labels protect data (encryption, rights management), while retention labels manage data lifecycle (retention, deletion).

How Sensitivity Labels Work Internally

Sensitivity labels work by embedding metadata into files and emails. The metadata includes:

Label ID (GUID)

Label name (e.g., "Confidential")

Protection settings (encryption template, user rights)

Visual markings (header, footer, watermark)

Auto-labeling conditions (sensitive info types, trainable classifiers)

When a label is applied, the Microsoft 365 client (Office apps, Outlook, SharePoint Online) writes the metadata into the file's custom properties (for Office documents) or into the email header (for Exchange Online). The metadata is stored in a way that persists even if the file is renamed, copied, or moved (except for plain text files where metadata may be lost).

For protection, the label triggers Azure Rights Management (Azure RMS) to encrypt the file. Azure RMS uses symmetric-key encryption (AES-256) together with a policy that defines which users or groups can decrypt, forward, copy, or print. The encryption is applied at the file level, not at the container level (as an encrypted ZIP would be). This means the file remains encrypted even when stored in an unencrypted location (e.g., a personal OneDrive).

Key Components, Values, Defaults, and Timers

Label Priority: Labels have an order (priority). The highest priority label is the most sensitive (e.g., Highly Confidential). The exam may ask: "Which label takes precedence?" Answer: The highest priority label (lowest number in the list).

Default Label: You can set a default label for documents and emails. If no label is applied manually, the default label is applied automatically. However, users can change it unless the label is marked as mandatory.

Mandatory Labeling: When enabled, users must apply a label to all documents and emails before saving or sending. The exam tests that mandatory labeling is configured in the labeling policy, not in the label itself.

Encryption Template: Each label that uses encryption references an Azure RMS template. The template defines:

Users/groups who have rights (e.g., "View Only", "Co-Author", "Owner")

Expiration of access (e.g., 30 days, never)

Offline access period (default is 7 days; after that, users must connect to Azure RMS to get a new license)

The offline access period is a key exam point: default is 7 days. It can be configured between 1 and 999 days, or set to never expire.

Visual Markings: Labels can add headers, footers, and watermarks. For example, a "Confidential" label might add a footer "CONFIDENTIAL" and a watermark "CONFIDENTIAL". These markings are added when the label is applied, and they are dynamic (can change if the label changes).

Auto-labeling: There are two methods:

1. Client-side auto-labeling: Based on sensitive info types (e.g., credit card numbers) or trainable classifiers (e.g., "Offensive Language"). This runs in Office apps.

2. Server-side auto-labeling: For data at rest in SharePoint Online and OneDrive for Business, or data in transit in Exchange Online (via transport rules). This is configured in the Microsoft Purview compliance portal under "Auto-labeling policies".
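To make the auto-labeling conditions concrete, here is an added Python example (not code from the page or from Microsoft Purview) that simulates how a policy evaluates sensitive info type conditions against document text and resolves precedence when more than one label matches. The sensitive info type matchers are simplified stand-ins for the built-in types, and all label names, rules, the most-sensitive-first order and the sample text are constructed; a simulate flag mirrors the portal's simulation mode.

```python
"""Simulate the evaluation of auto-labeling rules against document text.

Added example, not code from the page or from Microsoft Purview. The sensitive
info type matchers are simplified regex-plus-checksum approximations of the
credit card number and U.S. SSN types; label names, rules and text are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Most sensitive first: when several labels match, the first one listed wins.
LABEL_ORDER = ["Highly Confidential", "Confidential", "General"]


def luhn_valid(digits: str) -> bool:
    """Checksum that separates a plausible card number from a random digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


CC_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def find_credit_cards(text: str) -> List[str]:
    return [m.group() for m in CC_RE.finditer(text)
            if luhn_valid(re.sub(r"[ -]", "", m.group()))]


def find_ssns(text: str) -> List[str]:
    return SSN_RE.findall(text)


# Simplified stand-ins for the built-in sensitive info types (constructed).
SENSITIVE_INFO_TYPES: Dict[str, Callable[[str], List[str]]] = {
    "Credit Card Number": find_credit_cards,
    "U.S. Social Security Number": find_ssns,
}


@dataclass
class AutoLabelRule:
    label: str          # label to apply when the condition holds
    info_type: str      # sensitive info type the condition looks for
    min_count: int = 1  # minimum number of instances required


@dataclass
class Decision:
    label: Optional[str]
    matched: Dict[str, int] = field(default_factory=dict)  # info type -> instance count
    mode: str = "simulation"


def evaluate(text: str, rules: List[AutoLabelRule], simulate: bool = True) -> Decision:
    """Return the label the policy would apply, the conditions that fired and the mode."""
    candidates: Dict[str, Dict[str, int]] = {}
    for rule in rules:
        hits = SENSITIVE_INFO_TYPES[rule.info_type](text)
        if len(hits) >= rule.min_count:
            candidates.setdefault(rule.label, {})[rule.info_type] = len(hits)
    chosen = next((name for name in LABEL_ORDER if name in candidates), None)
    return Decision(label=chosen, matched=candidates.get(chosen, {}),
                    mode="simulation" if simulate else "enforce")


# Constructed rules and sample text; the card number is a well-known test value.
RULES = [
    AutoLabelRule("Highly Confidential", "U.S. Social Security Number"),
    AutoLabelRule("Confidential", "Credit Card Number"),
]
SAMPLE_DOC = "Invoice paid with card 4111 1111 1111 1111; employee SSN 123-45-6789 on file."

if __name__ == "__main__":
    print(evaluate(SAMPLE_DOC, RULES))  # both rules fire; Highly Confidential takes precedence
```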

Configuration and Verification Commands

Sensitivity labels are managed in the Microsoft Purview compliance portal (compliance.microsoft.com) under Information Protection > Labels. To create a label:

1. Go to Microsoft Purview > Information Protection > Labels.

2. Click "Create a label".

3. Define name, display name, description.

4. Configure protection settings: encryption, content marking, auto-labeling.

5. Publish the label via a label policy (assign to users/groups).

For PowerShell (Exchange Online Protection Management module):

# Connect to Security & Compliance PowerShell first; the Get-Label and New-Label cmdlets are only available in that session
Connect-IPPSSession

# Get all sensitivity labels, showing name, priority and display name
Get-Label | Format-Table Name, Priority, DisplayName

# Get full details of one label (encryption, markings, auto-labeling settings)
Get-Label -Identity "Confidential" | Format-List

# Create a new label with encryption enabled (using New-Label cmdlet)
New-Label -Name "HighlyConfidential" -DisplayName "Highly Confidential" -Tooltip "Use for highly sensitive data" -EncryptionEnabled $true

For verifying label application on a file, use the Azure Information Protection unified labeling client (now built into Office). You can also check the file properties: right-click > Properties > Details > look for "Sensitivity" field.
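As an added example (not code from the page or from Microsoft), the following Python builds a minimal OOXML package stamped the way the Office client stamps a labeled document (custom properties named MSIP_Label_<GUID>_<field> in docProps/custom.xml) and reads the label back, which is the programmatic counterpart of checking the Sensitivity field in file properties. The label GUID, tenant id and field values are constructed sample data, and unlabeled or non-OOXML input (such as a plain text file) is reported as having no label.

```python
"""Read the sensitivity-label stamp an Office client writes into a document.

Added example, not code from the page or from Microsoft. It relies on the
convention that the Office client stores the label as custom document
properties named MSIP_Label_<label GUID>_<field> in docProps/custom.xml of the
OOXML package. The GUID, tenant id and label name are constructed sample values.
"""
import io
import xml.etree.ElementTree as ET
import zipfile
from typing import Dict, Optional

NS_CP = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
NS_VT = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
FMTID = "{D5CDD505-2E9C-101B-9397-08002B2CF9AE}"  # fmtid of user-defined properties
PREFIX = "MSIP_Label_"


def build_sample_docx(label_guid: str, fields: Dict[str, str]) -> bytes:
    """Build a minimal OOXML-style zip carrying MSIP_Label_* custom properties.
    Only the parts this demonstration needs are included, so it is not a full .docx."""
    props = ET.Element(f"{{{NS_CP}}}Properties")
    for pid, (name, value) in enumerate(fields.items(), start=2):
        prop = ET.SubElement(props, f"{{{NS_CP}}}property", fmtid=FMTID,
                             pid=str(pid), name=f"{PREFIX}{label_guid}_{name}")
        ET.SubElement(prop, f"{{{NS_VT}}}lpwstr").text = value
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")  # placeholder part
        z.writestr("docProps/custom.xml", ET.tostring(props, encoding="unicode"))
    return buf.getvalue()


def read_sensitivity_label(data: bytes) -> Optional[dict]:
    """Return {'guid': ..., 'fields': {...}} for the enabled label, or None.

    None is returned for input that is not an OOXML package (for example a plain
    .txt file, where the stamp is not carried) and for packages with no label or
    only a disabled one (the state left behind when a label is removed)."""
    try:
        package = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return None
    with package:
        if "docProps/custom.xml" not in package.namelist():
            return None
        root = ET.fromstring(package.read("docProps/custom.xml"))
    labels: Dict[str, Dict[str, str]] = {}
    for prop in root.iter(f"{{{NS_CP}}}property"):
        name = prop.get("name", "")
        if not name.startswith(PREFIX):
            continue
        guid, _, fld = name[len(PREFIX):].rpartition("_")  # GUID has no underscores
        labels.setdefault(guid, {})[fld] = "".join(prop.itertext()).strip()
    for guid, fields in labels.items():
        if fields.get("Enabled", "").lower() == "true":
            return {"guid": guid, "fields": fields}
    return None


# Constructed sample values (not real label, tenant or action identifiers).
SAMPLE_GUID = "11111111-2222-3333-4444-555555555555"
SAMPLE_FIELDS = {
    "Enabled": "true",
    "SetDate": "2026-05-31T12:00:00Z",
    "Method": "Privileged",  # applied by a user; Standard means default/auto-applied
    "Name": "Confidential",
    "SiteId": "66666666-7777-8888-9999-000000000000",
}

if __name__ == "__main__":
    print(read_sensitivity_label(build_sample_docx(SAMPLE_GUID, SAMPLE_FIELDS)))
    print(read_sensitivity_label(b"plain text file: no stamp survives here"))
```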

How Sensitivity Labels Interact with Related Technologies

Microsoft Purview Data Loss Prevention (DLP): DLP policies can detect sensitivity labels and block or warn when labeled content is shared externally. For example, a DLP rule: "If document has sensitivity label 'Confidential', block external sharing and notify admin."

Microsoft Defender for Cloud Apps (formerly Cloud App Security): Defender for Cloud Apps can apply sensitivity labels to files in third-party cloud apps (e.g., Dropbox, Google Drive) using its DLP engine. It can also detect and revoke access to files that have been shared inappropriately.

Microsoft 365 Groups and Teams: Sensitivity labels can be applied to containers (teams, groups, sites). This is separate from item-level labels. Container labels control guest access, external sharing, and privacy settings. The exam tests that container labels and item-level labels are different but can be used together.

Microsoft Purview Compliance Manager: Sensitivity labels contribute to compliance scores for regulations like GDPR, HIPAA, etc. by demonstrating that data is classified and protected.

Default Values and Exam Numbers

Maximum number of sensitivity labels: 500 (per tenant)

Maximum label priority range: 0 to 499 (0 is highest priority)

Default offline access period: 7 days

Encryption algorithm: AES-256

Supported file types for encryption: Office files (docx, xlsx, pptx, etc.), PDF (via Azure RMS), and generic files (txt, xml, etc.) via Azure Information Protection client (now legacy)

Auto-labeling policies: Up to 100 policies per tenant

Auto-labeling simulation mode: Yes, you can run in simulation before enforcement

Exam Trap: Label vs. Retention Label

A common exam question: "Which type of label should you use to ensure that a document is deleted after 5 years?" Answer: Retention label, not sensitivity label. Sensitivity labels protect data; retention labels manage lifecycle. Another trap: "Sensitivity labels can be used to prevent users from deleting a file." False. Sensitivity labels do not control deletion; they control access and encryption.

Exam Trap: Auto-labeling Scope

Auto-labeling can be applied to files in SharePoint, OneDrive, and Exchange (in transit). It cannot be applied to files in on-premises file servers unless you use Azure Information Protection scanner (legacy). The exam may ask: "Which workloads support auto-labeling?" Answer: SharePoint Online, OneDrive for Business, Exchange Online.

Summary of Protection Actions

Sensitivity labels can enforce:

Encryption (assign permissions to specific users/groups)

Visual markings (header, footer, watermark)

Access control (who can open, forward, print, etc.)

Expiration (access expires after a set time)

Offline access limit (default 7 days)

They cannot enforce:

Retention or deletion (that's retention labels)

Blocking file deletion (no such control)

Preventing local copy (encryption prevents opening without rights, but a user with View rights can screenshot)

Walk-Through

Step 1: Create a Sensitivity Label

In the Microsoft Purview compliance portal, navigate to Information Protection > Labels. Click 'Create a label'. Provide a name (e.g., 'Confidential'), display name, and description for users. The tooltip is important for user guidance. You can also set a color for the label in Office apps. This step defines the label's identity but not its protection settings.

Step 2: Configure Protection Settings

After naming the label, you configure protection. Choose whether to apply encryption. If yes, select an Azure RMS template or configure custom permissions. You can assign specific users/groups and their rights (View, Edit, Copy, Print, Forward, etc.). You can also set expiration (e.g., 30 days) and offline access period (default 7 days). Next, add visual markings: header, footer, or watermark. For example, add a footer 'CONFIDENTIAL' and a watermark 'CONFIDENTIAL'. These markings are dynamic and update if the label changes.

Step 3: Configure Auto-labeling Rules

In the same label creation wizard, you can define conditions for automatic labeling. Choose from sensitive info types (e.g., SSN, credit card) or trainable classifiers (e.g., 'Resumes'). You can also set a rule priority. Auto-labeling can be client-side (in Office apps) or server-side (in SharePoint, OneDrive, Exchange). The exam tests that auto-labeling policies are separate from label creation and are managed under 'Auto-labeling policies' in the compliance portal.

Step 4: Publish the Label via Label Policy

After creating the label, you must publish it to users. Go to Information Protection > Label policies. Click 'Publish labels'. Select the label(s) to publish. Choose which users and groups get the policy (e.g., all users, specific departments). Configure policy settings: mandatory labeling (users must apply a label), default label, and justification if a user downgrades or removes a label. The policy can also apply a default label to documents and emails. Publish the policy; it may take up to 24 hours to propagate.

Step 5: Monitor and Audit Label Usage

Once labels are published, you can monitor usage via Activity Explorer in the compliance portal. Filter by label name to see who applied which label to which file. Audit logs capture label changes (apply, change, remove). You can also use Content Explorer to see which files have specific labels. This helps in compliance reporting and identifying misclassified data.

What This Looks Like on the Job

Scenario 1: Healthcare Organization Classifying Patient Records

A hospital uses sensitivity labels to classify patient data. They create labels: 'Public', 'Internal', 'Confidential Medical Records', and 'Highly Confidential - HIPAA'. The 'Confidential Medical Records' label enforces encryption and allows only doctors and nurses with a specific security group to view. It also adds a footer 'CONFIDENTIAL - HIPAA PROTECTED' and a watermark 'PATIENT CONFIDENTIAL'. The label is published to all users with mandatory labeling. Auto-labeling scans SharePoint libraries for documents containing patient names and SSNs, applying 'Confidential Medical Records' automatically. DLP policies block external sharing of any document with that label. Misconfiguration: The offline access period was left at the default 7 days, causing doctors on flights to lose access after a week. They increased it to 30 days to match their typical trip duration.

Scenario 2: Financial Firm Protecting Merger Documents

A bank working on a merger creates a label 'Merger - Highly Confidential'. This label encrypts files and restricts access to only the merger team (a security group). It sets expiration to 90 days (after the merger closes). Visual markings include a header 'HIGHLY CONFIDENTIAL - DO NOT FORWARD'. The label is published only to the merger team. Auto-labeling is not used because the team applies the label manually. A user accidentally shares a document externally; Defender for Cloud Apps detects the label and revokes access automatically. Performance: With thousands of files, label application is instantaneous via the Office client. The main challenge is ensuring users remember to apply the label; mandatory labeling solves this.

Scenario 3: Government Agency Using Container Labels

A government department uses sensitivity labels for both items and containers. They have a container label 'Secret' applied to a SharePoint site. This restricts external sharing and guest access. Within the site, documents get item-level labels like 'Secret - Personnel' that encrypt and restrict access to specific groups. Misconfiguration: A site owner changed the container label to 'Internal' thinking it would allow broader collaboration, but this inadvertently allowed external users to see the site's metadata. The incident was detected via audit logs. The lesson: container labels and item labels are independent; changing one does not affect the other.

How SC-900 Actually Tests This

SC-900 Objective 4.2: Describe the capabilities of Microsoft Purview Information Protection

The exam focuses on:

Understanding that sensitivity labels are used for classification and protection (encryption, visual markings)

Differentiating between sensitivity labels and retention labels

Knowing the default offline access period (7 days)

Understanding mandatory labeling and default label settings

Identifying which workloads support auto-labeling (SharePoint, OneDrive, Exchange)

Recognizing that sensitivity labels can be applied manually or automatically

Knowing that container labels (for Groups/Teams) are separate from item-level labels

Common Wrong Answers:

1. "Sensitivity labels can prevent deletion of files." → Wrong. Only retention labels can prevent deletion (by locking the file). Sensitivity labels control access, not lifecycle.

2. "Sensitivity labels are applied to entire SharePoint sites." → Wrong. That's container labels. Item-level labels are applied to individual files. Container labels are also called sensitivity labels, but they have different settings. The exam may trick you by saying 'sensitivity labels can be applied to a SharePoint site': that is true for container labels, but the question might be about item-level labels.

3. "Auto-labeling can be applied to on-premises file servers." → Wrong. Auto-labeling in Microsoft Purview works only for cloud workloads (SharePoint, OneDrive, Exchange). For on-premises, you need the Azure Information Protection scanner (legacy).

4. "Sensitivity labels use public key encryption." → Wrong. They use symmetric encryption (AES-256) via Azure RMS.

Edge Cases:

What happens if a label is removed? The file remains encrypted if it was encrypted. To remove encryption, you need to remove the label (which requires rights). The exam may ask: "A user removes a 'Confidential' label from a file. What happens?" Answer: The encryption is removed only if the user has the 'Export' or 'Owner' right. Otherwise, the file remains encrypted.

Can a label be applied to a PDF? Yes, if the PDF is opened in Microsoft 365 or protected with Azure RMS. However, not all PDF readers support it. The exam may ask: "Which file types support sensitivity labels?" Answer: Office files, PDFs, and generic files (via AIP client).

Numbers to Memorize:

Default offline access period: 7 days

Maximum labels: 500

Maximum auto-labeling policies: 100

Encryption: AES-256

Key Takeaways

Sensitivity labels classify and protect data; retention labels manage lifecycle.

Default offline access period for encrypted content is 7 days.

Maximum of 500 sensitivity labels per tenant.

Auto-labeling works for SharePoint, OneDrive, and Exchange (not on-premises).

Mandatory labeling requires users to apply a label to all documents and emails.

Container labels (for Teams/Groups) are separate from item-level sensitivity labels.

Encryption uses AES-256 via Azure Rights Management.

Sensitivity labels can be applied to Office files, PDFs, and generic files (via AIP client).

Label priority determines which label takes precedence (lower number = higher priority).

DLP policies can detect sensitivity labels and block external sharing.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Sensitivity Labels

Used for classification and protection (encryption, markings)

Can be applied manually or automatically

Protection travels with the data (persistent)

No retention or deletion capabilities

Can be used in DLP policies to block actions

Retention Labels

Used for data lifecycle management (retention, deletion)

Can be applied manually or automatically

Retention settings are stored in metadata, but protection is not applied

Can prevent deletion during retention period

Cannot be used directly in DLP policies (but can trigger labels via auto-labeling)

Client-side Auto-labeling

Runs in Office apps (Word, Excel, PowerPoint, Outlook)

Triggers when user saves or sends a document/email

Uses sensitive info types and trainable classifiers

User can override or confirm label

Requires Office 365 ProPlus or equivalent

Server-side Auto-labeling

Runs in SharePoint Online, OneDrive for Business, Exchange Online

Triggers on files already at rest or email in transit

Uses sensitive info types only (no trainable classifiers initially)

Can run in simulation mode without enforcement

No user interaction; label is applied automatically

Watch Out for These

Mistake

Sensitivity labels and retention labels are the same thing.

Correct

Sensitivity labels classify and protect data (encryption, markings). Retention labels manage data lifecycle (retention, deletion). They are separate types of labels with different purposes, though both are part of Microsoft Purview.

Mistake

Once a sensitivity label is applied, it cannot be changed.

Correct

Labels can be changed by users with appropriate rights (e.g., 'Owner' or 'Super User'). The label can be upgraded or downgraded. Justification may be required if configured in the label policy.

Mistake

Sensitivity labels only work in Microsoft 365 apps.

Correct

Sensitivity labels work across Microsoft 365 apps (Word, Excel, PowerPoint, Outlook), but also in third-party apps via Microsoft Defender for Cloud Apps. They can also be applied to files in SharePoint, OneDrive, and Exchange.

Mistake

Auto-labeling is the same as default label.

Correct

Default label is applied when no label is present (e.g., new document). Auto-labeling applies a label based on content (e.g., sensitive info types). They are different mechanisms. Default label is set in the label policy; auto-labeling is configured in auto-labeling policies.

Mistake

Sensitivity labels can be applied to emails after they are sent.

Correct

Labels can be applied before sending (in Outlook). After sending, the email is already delivered; the label cannot be retroactively applied unless the recipient is within the same tenant and using Microsoft 365. However, labels can be applied to archived emails in Exchange via auto-labeling policies.


Frequently Asked Questions

What is the difference between a sensitivity label and a retention label?

Sensitivity labels are used to classify and protect data (encryption, visual markings, access control). Retention labels are used to manage data lifecycle (how long to keep data, when to delete). They are separate label types in Microsoft Purview. On the exam, remember that sensitivity labels protect; retention labels retain/delete.

Can sensitivity labels be applied automatically?

Yes. Auto-labeling applies a label when content matches sensitive info types or trainable classifiers. It runs either client-side in Office apps, or server-side for data at rest in SharePoint Online and OneDrive for Business and for email in transit in Exchange Online. Server-side policies are configured under "Auto-labeling policies" in the Microsoft Purview compliance portal and can be run in simulation mode before enforcement.

What happens if a user removes a sensitivity label from an encrypted file?

If the user has sufficient rights (e.g., Owner or Export), the label removal also removes encryption. If the user lacks those rights, the file remains encrypted and the label may reappear. The exam may test that removing a label does not automatically remove encryption unless the user has the 'Owner' right.

How do sensitivity labels work with Microsoft 365 Groups?

Sensitivity labels can be applied to Microsoft 365 Groups, Teams, and SharePoint sites (container labels). These labels control settings like guest access, external sharing, and privacy. They are independent of item-level labels. Container labels are configured in the same label creation wizard but have separate settings.

What is the default offline access period for sensitivity labels?

The default offline access period is 7 days. This means that after a user first accesses an encrypted file, they can open it offline for up to 7 days without reconnecting to Azure RMS. After that, they need to connect to get a new license. This value can be configured between 1 and 999 days, or set to never expire.

Can sensitivity labels be applied to emails?

Yes, sensitivity labels can be applied to emails in Outlook. The label is applied before sending. It can encrypt the email and restrict actions (forward, copy, print). The label travels with the email and is visible to recipients within the same tenant. For external recipients, encryption may require Azure RMS support.

What is the difference between mandatory labeling and default labeling?

Mandatory labeling requires users to apply a label to every document and email before saving or sending. Default labeling automatically applies a specified label to new documents and emails if no label is manually chosen. Both are configured in the label policy, not in the label itself.
