Microsoft Purview Sensitivity Labels: How to Deploy Information Protection Across Microsoft 365

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
The most common Microsoft Purview deployment failure is getting the label taxonomy wrong at the start. Organizations create eight labels, none of them matching how employees actually think about data sensitivity, and adoption fails. The second most common failure is deploying labels without encryption and then discovering that the label provides no actual protection -- just a metadata tag that any user can remove. This guide covers taxonomy design first (because a wrong taxonomy is expensive to change), then the technical deployment, and then the common configuration mistakes that leave labeled data unprotected.
Design the Label Taxonomy: 5 Labels or Fewer
The label taxonomy is the most important design decision and the hardest to change after deployment. Principles: keep it simple. Most organizations need four to five labels: Public (content safe to share publicly), General or Internal (standard internal business content), Confidential (content restricted to employees and authorized partners), Highly Confidential (content with legal, financial, or security significance requiring strong access controls), Regulated (content subject to specific regulatory requirements such as HIPAA, PCI, or GDPR with the most restrictive controls). Each label should have an obvious place for any given document -- if employees have to think about which label to choose for a normal email, the taxonomy is too complex. Sub-labels: use sub-labels sparingly and only where genuine protection differentiation is needed. 'Confidential > All Employees' vs. 'Confidential > Finance Only' is a common and legitimate sub-label pattern. More than three levels (label, sub-label, sub-sub-label) is never needed and creates confusion. Before creating labels in Purview: run a workshop with HR, Finance, Legal, and IT to validate that the taxonomy makes sense to each group. Their buy-in determines adoption.
Publish Labels to Users via Label Policies
Labels are published via label policies in the Purview compliance portal. Policy settings: which users or groups see which labels, whether labeling is mandatory or optional, the default label for new documents, and whether users must justify downgrading a label. Recommended settings for an initial rollout: start with labeling as optional (not mandatory) -- forcing a label on every document before users understand the taxonomy creates negative perception. Set a default label of 'General/Internal' for new Office documents so users see labeling in action without requiring action. Enable mandatory labeling for email (email is the highest-risk exfiltration channel) but not for documents in the initial rollout. Rollout sequence: pilot group (IT and security team first, then a volunteer business unit, then broad rollout with training). Check the label activity report in Purview to see adoption metrics before expanding rollout.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Configure Encryption for Confidential Labels
A label without encryption protection provides no technical barrier to data leakage -- it is just a colored tag that any user can change. Confidential and Highly Confidential labels should include encryption. Encryption settings when creating a label: select 'Apply encryption' and configure who can decrypt: All employees (based on your organization's Entra ID tenant -- any authenticated user in your org), specific users or groups, or external partners by Entra ID tenant ID. Permissions: choose from presets (Viewer, Reviewer, Author, Co-Author) or define custom rights. Important: if you configure encryption that restricts to internal employees only, sharing a labeled document externally will fail -- the external user cannot decrypt. This is the desired behavior for Highly Confidential, but for Confidential content you may share with partners, configure the label to allow adding external users at the time of sharing. Test encryption thoroughly before broad rollout: send a labeled document to an external email address and verify they receive an access restriction, not an encrypted file they cannot open.
Auto-Labeling: Client-Side vs. Service-Side
Auto-labeling applies labels automatically based on content inspection -- the system finds a document with credit card numbers and labels it 'Highly Confidential - Financial' without user action. Two modes: Client-side auto-labeling runs in Office apps (Word, Excel, PowerPoint, Outlook) when a user opens or edits a document, detects sensitive content types (credit card numbers, SSNs, passport numbers) and recommends or auto-applies a label. Service-side auto-labeling (requires Purview P2) scans existing content in SharePoint, OneDrive, and Exchange and applies labels to content that was created before labels were deployed. Recommended deployment order: deploy client-side auto-labeling first with 'recommendation' mode (suggests the label, user confirms), run for 30 days and review false-positive rate, then switch to auto-apply. Service-side scanning: create a simulation run first to see how many documents would be labeled and check a sample for accuracy before enabling enforcement.
Integrate Sensitivity Labels with DLP Policies
Sensitivity labels become actionable in DLP policies. A DLP policy can target all content with a specific label ('block external sharing of any document labeled Highly Confidential'), or content with a label AND specific content types ('block email that contains a labeled document with credit card numbers'). Set up DLP policies in the Purview compliance portal: create a new policy, select the applicable locations (Exchange, SharePoint, OneDrive, Teams), add a condition of 'Content contains sensitivity label > Highly Confidential', add an action of 'Restrict access or encrypt content in Microsoft 365 > Block everyone'. Test in simulation mode first to see which activities would be blocked before enabling enforcement. Monitor DLP alerts in the Purview compliance portal for false positives -- a DLP policy that blocks too aggressively will generate tickets and user frustration that undermines the security program.
The bottom line
Label taxonomy design is where Microsoft Purview deployments succeed or fail. Get business stakeholder input before creating any labels, keep the taxonomy to five or fewer top-level labels, enforce encryption on your highest-sensitivity tiers, and deploy in waves: pilot, then mandatory email labeling, then optional document labeling, then auto-labeling, then DLP enforcement. Rushing to DLP enforcement before labels are adopted and tested produces false positives that create business-disrupting blocks and erode trust in the control.
Frequently asked questions
What Purview license is required for sensitivity labels?
Basic sensitivity labels in Office apps (manual labeling) require Microsoft 365 E3 or Microsoft 365 Business Premium. Auto-labeling policies, advanced DLP, and service-side auto-labeling require Microsoft 365 E5 or Purview Information Protection Plan 2. The exact license requirements for each feature are documented in the Microsoft Purview licensing documentation -- check it before building a deployment plan that depends on features your licenses may not include.
Can I use sensitivity labels on files that are not Office documents?
Yes, with limitations. PDF files: the Microsoft Information Protection client can label and encrypt PDFs natively. Third-party file types: the MIP SDK allows third-party applications to read and apply labels. Non-Office files (ZIP, MP4, etc.) can be labeled but cannot be encrypted natively -- only Office formats support embedded encryption with rights management. Label metadata is stored in the file for Office formats; for other formats, it may be stored in extended file attributes which can be stripped.
What happens when a labeled document is shared with someone outside the organization?
The behavior depends on the encryption settings. If the label applies no encryption: the document can be opened by anyone; the label is just metadata. If the label applies encryption restricted to internal users: the external user receives an error when trying to open the document and can request access from the document owner. If the label applies encryption that allows specific external domains or 'any authenticated user': the external user can open the document after authenticating with any Microsoft identity. If the label applies encryption with 'let users add permissions': the internal user can specify external user access when applying the label.
How do I handle pre-existing unlabeled content in SharePoint?
Service-side auto-labeling scans existing SharePoint and OneDrive content and applies labels retroactively. Configure a service-side auto-labeling policy in simulation mode first: you will see a count of files that would be labeled and a sample of the specific files detected. Review the simulation results to calibrate for false positives before enabling enforcement. For very large document libraries (millions of files), service-side scanning takes days to weeks to complete -- plan accordingly and monitor progress in the Purview compliance portal under Information Protection > Auto-labeling.
What happens to sensitivity labels when a document is downloaded and sent outside Microsoft 365?
If the label applies encryption via Azure Information Protection (AIP), the encryption travels with the document file. The recipient must have a Microsoft identity (Azure AD account or Microsoft account) and must be authorized in the label's encryption settings to open it -- the Microsoft Information Protection viewer or the Office app validates authorization against AIP before decrypting. If the label applies no encryption (classification only), the document is unprotected once downloaded; the label is just metadata that anyone can strip. For documents that leave the organization, encryption-backed labels are the only mechanism that provides protection beyond the Microsoft 365 boundary. Labels without encryption provide classification visibility but no access control once the file is outside the tenant.
How do I get adoption of sensitivity labels across an organization without making it a compliance checkbox exercise?
Adoption fails when labeling is perceived as bureaucratic overhead with no benefit to the labeler. Successful programs do three things. First, make labeling the default through auto-labeling: Microsoft Purview's auto-labeling policies scan SharePoint and OneDrive content for sensitive patterns (credit card numbers, SSNs, medical terms) and apply labels automatically, so users do not need to remember to label documents that are already sensitive. Second, give users visible feedback: when a user tries to share a Confidential-labeled document externally and a DLP policy blocks it, show them a specific message explaining why and offering an alternative (request guest access through an approved channel). Third, label with consequence: if classification labels do not trigger any actual controls (no sharing restrictions, no audit, no DLP), users quickly learn labels are meaningless. Start with a narrow set of labels that have real enforcement behind them rather than a comprehensive taxonomy with no enforcement.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
