Manage data protection using sensitivity labels

Sensitivity labels are definitions that you can apply to documents and emails in your Office apps. For example, you can publish sensitivity labels within your Office environment that classify documents as "Classified," "Confidential," "Internal," "Draft," "Sensitive," and so on. Sensitivity labels are a way to classify and protect data based on its sensitivity or confidentiality level. Organizations use them to apply protection actions such as encryption, access restrictions, or watermarks to documents and emails.

In Microsoft 365, users, administrators, or the system itself can assign sensitivity labels. The choice depends on how an organization configured the sensitivity labeling policies.

  • Users can manually apply sensitivity labels to documents, emails, or other types of content to indicate the sensitivity of the information they contain.
  • Administrators can define sensitivity labeling policies that automatically apply labels based on certain conditions or criteria, such as the contents of the document, the document's storage location, or the user who created the document.
  • Microsoft 365 can apply sensitivity labels based on the content classification or machine learning models. These tools, which include data classifiers and text recognition models, analyze the contents of documents and apply labels accordingly. Microsoft 365 also offers a feature called sensitivity label recommendations. This service suggests labels based on the content of the document or email. However, it's up to the user to accept or reject the recommendation and apply the label.

Sensitivity labels enable organizations to automatically encrypt confidential information in documents and emails. You can assign labels such as "Highly Confidential" to trigger this encryption. You can also assign other actions to sensitivity labels. For example, you can prohibit the system from sending sensitive documents in emails, restrict the use of files for various reasons, and even archive files after a certain period of time.

Organizations commonly use sensitivity labels to:

  • Provide protection settings that include encryption and content markings. Organizations can tie sensitivity labels with other actions on a document. For example, when you label a document or email as "Confidential," the system can automatically encrypt its content. At the same time, the system can apply a "Confidential" watermark to the content. Microsoft 365 can display content markings in headers, footers, and watermarks. Encryption can also restrict what actions authorized people can take on the content.
  • Protect content in Office apps across different platforms and devices. Word, Excel, PowerPoint, Outlook on the Office desktop apps, and Office on the web all support this feature. Windows, macOS, iOS, and Android also provide this protection.
  • Protect content in third-party apps and services by using Microsoft Cloud App Security. With Cloud App Security, organizations can detect, classify, label, and protect content in third-party apps and services, such as Salesforce, Box, or Dropbox. They can do so even if the third-party app or service doesn't read or support sensitivity labels.
  • Protect containers that include Teams, Microsoft 365 Groups, and SharePoint sites. This feature enables organizations to set privacy settings, external user access and external sharing, and access from unmanaged devices.
  • Classify content without using any protection settings. In its simplest design, organizations use sensitivity labels just to classify their content, with no plans to tie labels to protection settings. This design provides users with a visual mapping of classification to their organization's label names. Organizations can also use the labels to generate usage reports and see activity data for their sensitive content. Based on this information, organizations can always choose to apply protection settings later.

In all these cases, sensitivity labels in Microsoft 365 can help organizations take the right actions on the right content. With sensitivity labels, you can classify data across your organization, and enforce protection settings based on that classification.

The following image shows available sensitivity labels in Excel, from the Home tab on the Ribbon. In this example, the applied label displays on the status bar.

Screenshot showing available sensitivity labels in Excel, from the Home tab on the ribbon.

Organizations can also extend sensitivity labels to the following solutions:

  • Power BI. When organizations turn on this capability, they can apply and view labels in Power BI. They can also protect data when a user saves it outside the service.
  • Assets in Azure Purview. When organizations turn on this capability, they can apply their sensitivity labels to assets such as SQL columns, files in Azure Blob Storage, and more.
  • Third-party apps and services. Third-party apps that use the Microsoft Purview Information Protection SDK can read sensitivity labels and apply their protection settings.

Additional reading. For more information about these and other scenarios supported by sensitivity labels, see Common scenarios for sensitivity labels. Microsoft continues to develop new features that support sensitivity labels, so you may also find it useful to reference the Microsoft 365 roadmap.

What a sensitivity label is

When you assign a sensitivity label to content, it's like a stamp attached to a document. Sensitivity labels are:

  • Customizable. Customizable labels are specific to your organization and business needs. You can create categories for different levels of sensitive content in your organization. For example, Personal, Public, General, Confidential, and Highly Confidential.
  • Clear text. The system stores a label in clear text in the metadata for files and emails. As such, third-party apps and services can read it and apply their own protective actions, if necessary.
  • Persistent. Because the system stores a label in the metadata for files and emails, the label roams with the content, no matter where it eventually gets saved or stored. The unique label identification becomes the basis for applying and enforcing the policies that you configure.
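
Because the label travels as clear-text metadata, a scanner or gateway can read it without any Microsoft tooling. The following is an added example, not part of the original module: it reads label properties from an Office Open XML file's `docProps/custom.xml`, assuming the `MSIP_Label_<label GUID>_<attribute>` custom-property naming that Office uses (not stated on this page). The GUID, the `build_sample` helper, and the sample file are constructed for illustration.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

CP_NS = "{http://schemas.openxmlformats.org/officeDocument/2006/custom-properties}"
# Assumed naming: MSIP_Label_<label GUID>_<attribute>, e.g. _Enabled, _Name
LABEL_PROP = re.compile(r"^MSIP_Label_([0-9a-fA-F-]{36})_(\w+)$")
MAX_PART = 1 << 20  # refuse oversized metadata parts (zip-bomb guard)

def read_sensitivity_labels(ooxml_bytes):
    """Return {label_guid: {attribute: value}} from the custom-properties part."""
    labels = {}
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as z:
        if "docProps/custom.xml" not in z.namelist():
            return labels  # no custom properties part: treat as unlabeled
        if z.getinfo("docProps/custom.xml").file_size > MAX_PART:
            raise ValueError("custom.xml is larger than expected")
        # ElementTree keeps this short; use a hardened parser for untrusted files.
        root = ET.fromstring(z.read("docProps/custom.xml"))
    for prop in root.iter(CP_NS + "property"):
        m = LABEL_PROP.match(prop.get("name", ""))
        if m:  # unrelated custom properties are ignored
            value = "".join(prop.itertext()).strip()
            labels.setdefault(m.group(1).lower(), {})[m.group(2)] = value
    return labels

def active_label(ooxml_bytes):
    """Name of the label marked Enabled=true, or None if the file has none."""
    for attrs in read_sensitivity_labels(ooxml_bytes).values():
        if attrs.get("Enabled", "").lower() == "true":
            return attrs.get("Name")
    return None

def build_sample(props):
    """Constructed sample: a minimal package holding only docProps/custom.xml."""
    body = "".join(
        f'<property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="{i}" '
        f'name="{name}"><vt:lpwstr>{value}</vt:lpwstr></property>'
        for i, (name, value) in enumerate(props.items(), start=2))
    xml = ('<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/'
           '2006/custom-properties" xmlns:vt="http://schemas.openxmlformats.org/'
           'officeDocument/2006/docPropsVTypes">' + body + "</Properties>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/custom.xml", xml)
    return buf.getvalue()
```

This sketch reads only `docProps/custom.xml`, so files that keep label metadata elsewhere in the package appear unlabeled. Clear-text properties on an unencrypted file can be edited by anyone who can write to it, so a scanner should treat the value it reads as a classification signal and rely on the label's encryption settings for enforcement.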

When viewed by users, a sensitivity label appears like a tag on apps that they use. This design enables organizations to easily integrate sensitivity labels into existing workflows.

Each item that supports sensitivity labels can have a single sensitivity label applied to it. Documents and emails can have both a sensitivity label and a retention label applied to them.

Screenshot showing a sensitivity label on an email.

Knowledge check

Choose the best response for the following question.

1. Organizations can tie sensitivity labels with other actions on a document. For example, an organization can configure a label, such as a "Highly Confidential" label, so that it encrypts the data in whatever document or email the organization applies it to. When a document is encrypted, what other effect can encryption have on the document?