Explore what sensitivity labels can do


After you apply a sensitivity label to an email or document, the system enforces any configured protection settings for that label on the content. You can configure a sensitivity label to:

  • Encrypt emails and documents to prevent unauthorized people from accessing this data. Organizations can also choose which users or groups have permissions to complete which actions and for how long. For example, you can choose to allow all users in your organization to modify a document while a specific group in another organization can only view it. Or, instead of administrator-defined permissions, you can allow your users to assign permissions to the content when they apply the label.

    For more information about the Encryption settings when you create or edit a sensitivity label, see Restrict access to content by using encryption in sensitivity labels.

  • Mark the content when you use Office apps. You can mark content by adding watermarks, headers, or footers to email or documents that have the label applied. You can apply watermarks to documents but not email. The following example shows a Word document with a sensitivity label in the header and in a watermark.

    Screenshot showing a Word document with a sensitivity label in the header and in a watermark.

    Some, but not all, apps support dynamic markings by using variables. For example, you can insert the label name or document name into the header, footer, or watermark. For more information, see Dynamic markings with variables.

    Note

    Watermarks have a limit of 255 characters. Headers and footers have a limit of 1024 characters, except in Excel. Excel has a total limit of 255 characters for headers and footers. However, this limit includes characters that aren't visible, such as formatting codes. If you reach that limit, the string you enter isn't displayed in Excel.

  • Protect content in containers. You can protect content in containers, such as sites and groups, when you enable the capability to use sensitivity labels with Microsoft Teams, Microsoft 365 groups, and SharePoint sites.

    You can't configure protection settings for groups and sites until you enable this capability. This configuration doesn't result in the system automatically labeling documents or emails. Instead, the label settings protect content by controlling access to the container where you can store content. These settings include privacy settings, external user access and external sharing, and access from unmanaged devices.

  • Apply the label automatically to files and emails or recommend a label. Organizations can choose how to identify sensitive information they want labeled. The system can automatically apply the label, or you can prompt users to apply the label that you recommend. If you recommend a label, the prompt displays whatever text you choose, as seen in the following example.

    Screenshot showing a prompt to apply the recommended sensitivity label.

    For more information about the Autolabeling for files and emails settings when you create or edit a sensitivity label, see Apply a sensitivity label to content automatically for Office apps and Automatically label your data in Azure Purview.
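
The marking limits in the note above are easy to exceed without noticing, because Excel's limit is the tightest and over-long text there simply isn't displayed. The following check is an added example, not Microsoft code: the `Marking` record, the `excel_overhead` parameter, and the sample labels are constructed for illustration, and it assumes Excel's "total limit" covers header and footer combined.

```python
from dataclasses import dataclass

WATERMARK_MAX = 255        # limits as stated in the note above
HEADER_FOOTER_MAX = 1024
EXCEL_TOTAL_MAX = 255      # header + footer, invisible formatting codes included

@dataclass
class Marking:
    """Hypothetical record of one label's content-marking settings."""
    label: str
    header: str = ""
    footer: str = ""
    watermark: str = ""
    applies_to_email: bool = False

def check_marking(m, excel_overhead=0):
    """Return (severity, message) findings; excel_overhead is the caller's
    estimate of invisible formatting codes (assumption, page gives no figure)."""
    findings = []
    if len(m.watermark) > WATERMARK_MAX:
        findings.append(("error", f"watermark {len(m.watermark)} > {WATERMARK_MAX}"))
    for name, text in (("header", m.header), ("footer", m.footer)):
        if len(text) > HEADER_FOOTER_MAX:
            findings.append(("error", f"{name} {len(text)} > {HEADER_FOOTER_MAX}"))
    # Assumption: Excel's "total limit" covers header and footer combined.
    excel_total = len(m.header) + len(m.footer) + excel_overhead
    if excel_total >= EXCEL_TOTAL_MAX:
        findings.append(("warn", f"Excel: header+footer {excel_total} reaches {EXCEL_TOTAL_MAX}"))
    # Watermarks apply to documents only, so email needs a header or footer.
    if m.applies_to_email and m.watermark and not (m.header or m.footer):
        findings.append(("warn", "email gets no visible marking: watermark only"))
    return findings

def audit(markings, excel_overhead=0):
    """Map label name -> findings, keeping only labels that have findings."""
    return {m.label: f for m in markings if (f := check_marking(m, excel_overhead))}

# Constructed sample settings, not taken from any real tenant.
SAMPLE = [
    Marking("Confidential", header="Confidential - internal use only",
            watermark="CONFIDENTIAL", applies_to_email=True),
    Marking("Highly Confidential", header="H" * 200, footer="F" * 100),
    Marking("Secret", watermark="S" * 256, applies_to_email=True),
]

if __name__ == "__main__":
    for label, findings in audit(SAMPLE).items():
        for severity, message in findings:
            print(f"{severity:5} {label}: {message}")
```

Because visible length is only a lower bound in Excel, pass a nonzero `excel_overhead` when the header or footer uses formatting.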

When Office apps apply content marking and encryption

Office apps apply content marking and encryption with a sensitivity label differently, depending on the app you use.

| App | Content marking with a sensitivity label | Encryption |
|---|---|---|
| Word, Excel, PowerPoint on all platforms | Immediately | Immediately |
| Outlook for PC and Mac | After Exchange Online sends the email | Immediately |
| Outlook on the web, iOS, and Android | After Exchange Online sends the email | After Exchange Online sends the email |

Solutions that apply sensitivity labels to files outside Office apps do so by applying labeling metadata to the file. In this scenario, the system doesn't insert content marking from the label's configuration into the file, but it does apply encryption.

When you open a file such as this in an Office desktop app, the Microsoft Entra ID Protection unified labeling client automatically applies the content markings the first time you save the file. The system doesn't automatically apply content markings when you use built-in labeling for desktop, mobile, or web apps.

Note

Azure Active Directory (Azure AD) is now Microsoft Entra ID.

Scenarios that include applying a sensitivity label outside Office apps include:

  • The scanner, File Explorer, and PowerShell from the Microsoft Entra ID Protection unified labeling client.
  • Autolabeling policies for SharePoint and OneDrive.
  • Exported labeled and encrypted data from Power BI.
  • Microsoft Cloud App Security.

In these scenarios, a user with built-in labeling can use their Office apps to apply the label's content markings by temporarily removing or replacing the current label and then reapplying the original label.