Explore sensitivity label policies


After an organization creates its sensitivity labels, it must publish them to make them available to their assigned users and services. The users and services can then apply the sensitivity labels to Office documents, emails, and other items that support sensitivity labels.

If you recall from earlier training, you publish retention labels to locations such as Exchange mailboxes. In contrast, you publish sensitivity labels to users and groups. Apps that support sensitivity labels can then display them to those users and groups as applied labels, or as labels that they can apply.

When an organization configures a label policy, it can:

  • Choose which users and groups see the labels. You can publish labels to any specific user or email-enabled security group, distribution group, or Microsoft 365 group (which can have dynamic membership) in Microsoft Entra ID.

  • Apply a default label to documents and emails. You can apply a default label to all new documents and unlabeled emails created by the users and groups included in the label policy. You can apply the same or different default label to containers if you enable sensitivity labels for Microsoft Teams, Microsoft 365 groups, and SharePoint sites. With this setting, the Microsoft Entra ID Protection unified labeling client also applies the default label to existing documents that are unlabeled. Users can always change the default label if it's not the right label for their document or email.

    An organization should consider using a default label to set a base level of protection settings for its content. However, without user training and other controls, this setting can also result in inaccurate labeling. It's not a good idea to select a label that applies encryption as a default label to documents. For example, many organizations need to send and share documents with external users who may not have apps that support the encryption. Or, they may not use an account that you can authorize. For more information about this scenario, see Sharing encrypted documents with external users.

  • Require a justification for changing a label. You can require that users provide a justification for changing a label when they:

    • Try to remove a label.
    • Replace it with a label that has a lower-order number.

    For example, a user opens a document labeled Confidential (order number 3) and replaces that label with one named Public (order number 1). Administrators can read the justification reason along with the label change in activity explorer.

    Screenshot of the sensitivity label window showing the justification required option.

  • Require users to apply a label with one option for email and documents, and another for containers. These options, which are also referred to as mandatory labeling, ensure that users must apply a label before they can save documents, send emails, and create new groups or sites.

    • For containers, you must assign a label when you create the group or site.
    • For documents and emails, the methods of assigning a label include:
      • Manually by the user.
      • Automatically because of a condition that you configure.
      • Automatically as a system default (the default label option previously described).

    The following image displays an example of a prompt shown in Outlook when a user must assign a label.

    Note

    Mandatory labeling for documents and emails isn't available for all apps or all platforms. For more information, see Require users to apply a label to their email and documents.

  • Provide a help link to a custom help page. If your users aren't sure what your sensitivity labels mean or how they should use them, you can provide a Learn More URL. This URL appears at the bottom of the Sensitivity label menu in the Office apps.

    Screenshot showing the Learn More option at the bottom of the sensitivity label menu in Office apps.

After you create a label policy that assigns new sensitivity labels to users and groups, users start to see those labels in their Office apps. Allow up to 24 hours for the latest changes to replicate throughout your organization.

There's no limit to the number of sensitivity labels that an organization can create and publish, with one exception: if the label applies encryption, the maximum number of labels that you can create is 500.

Warning

As a best practice to lower administrative overhead and reduce complexity for your users, try to keep the number of labels to a minimum. Real-world deployments have shown a significant reduction in effectiveness when users have more than five main labels or more than five sublabels per main label.

Label policy priority (order matters)

An organization makes its sensitivity labels available to users by publishing them in a sensitivity label policy. These policies appear in a list on the Sensitivity policies tab on the Label policies page. Just like sensitivity labels, the order of the sensitivity label policies is important because it reflects their priority. The label policy with the lowest priority appears at the top, and the label policy with the highest priority appears at the bottom.

A label policy consists of:

  • A set of labels.
  • The users and groups you assign the policy to.
  • The scope of the policy and policy settings for that scope (such as default label for files and emails).

You can include a user in multiple label policies. They get all the sensitivity labels and settings from those policies. If there's a conflict in settings from multiple policies, the system applies the settings from the policy with the highest priority (lowest position). In other words, the highest priority wins for each setting.
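The resolution rule above, together with the justification rule described earlier, can be modeled in a few lines. This is an added example, not Microsoft code: the policy names, group names, and setting keys are hypothetical, and it assumes that a policy which leaves a setting unconfigured does not override a value set by another policy.

```python
from dataclasses import dataclass, field

# Constructed sample data: label name -> order number (higher = more sensitive).
LABEL_ORDER = {"Public": 1, "General": 2, "Confidential": 3}

@dataclass
class LabelPolicy:
    name: str
    members: set      # users or groups the policy is published to
    labels: set       # labels the policy publishes
    settings: dict = field(default_factory=dict)  # only settings this policy configures

def effective_policy(principals, policies_top_to_bottom):
    """Resolve what a user gets. `principals` is the user's name plus group names.

    Policies are passed in the order the list shows them: top = lowest
    priority, bottom = highest priority.
    """
    labels, settings = set(), {}
    for policy in policies_top_to_bottom:
        if policy.members & principals:
            labels |= policy.labels            # labels from every matching policy
            settings.update(policy.settings)   # a policy lower in the list wins per setting
    return labels, settings

def needs_justification(old_label, new_label, settings):
    """True when the change removes a label or moves to a lower order number."""
    if not settings.get("require_justification") or old_label is None:
        return False
    if new_label is None:                      # label removed
        return True
    return LABEL_ORDER[new_label] < LABEL_ORDER[old_label]

# Constructed policy list, top to bottom (hypothetical names and setting keys).
POLICIES = [
    LabelPolicy("Global", {"all-staff"}, {"Public", "General"},
                {"default_label": "General", "require_justification": False}),
    LabelPolicy("Finance", {"finance-team"}, {"Confidential"},
                {"require_justification": True, "mandatory_labeling": True}),
]

if __name__ == "__main__":
    labels, settings = effective_policy({"alice", "all-staff", "finance-team"}, POLICIES)
    print(sorted(labels), settings)
    print(needs_justification("Confidential", "Public", settings))
```

Running the same resolution for a user who is only in `all-staff` shows why reordering policies changes behavior: that user keeps the Global policy's settings and is never prompted for a justification.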

Tip

If you're not seeing the label or label policy setting behavior that you expect for a user or group, check the order of the sensitivity label policies. You may need to move the policy down. To reorder the label policies, select a sensitivity label policy, choose the ellipsis to the right of it, and then select Move up or Move down.

Screenshot showing the policy priority window with the option to move policies up or down.

Note

When there's a conflict of settings for a user who has multiple policies assigned, the system applies the setting from the policy with the highest priority (lowest position).