Plan your deployment strategy for sensitivity labels
To successfully deploy sensitivity labels, an organization should create a project team that identifies and manages the:
- Business and technical requirements
- Proof of concept testing
- Internal checkpoints and approvals
- Final deployment for the production environment
Rather than building a large number of sensitivity labels all at one time, it may prove more effective for organizations to plan and deploy sensitivity labels in small increments. Organizations using this iterative approach should:
- Address one or two key scenarios that map to its most impactful business requirements.
- Create and configure sensitivity labels for those situations.
- Validate the effectiveness of the labels and settings and modify those needing adjustment.
- Repeat the process for the next set of impactful scenarios.
Microsoft provides the following table to assist organizations in this planning and deployment process. It includes common scenarios for which organizations apply sensitivity labels. Each scenario also includes a link to documentation that helps address the use of sensitivity labels in that scenario. All scenarios require organizations to create and configure sensitivity labels and their policies.
I want to ... | Documentation |
---|---|
Manage sensitivity labels for Office apps. Ensure that users label content when they create it. Verify that all platforms support manual labeling. | Manage sensitivity labels in Office apps. |
Extend labeling to File Explorer and PowerShell, with more features for Office apps on Windows (if needed). | Microsoft Entra ID Protection unified labeling client for Windows.Note: Azure Active Directory (Azure AD) is now Microsoft Entra ID. Learn more. |
Encrypt documents and emails with sensitivity labels. Restrict who can access that content and how they can use it. | Restrict access to content by using sensitivity labels to apply encryption. |
Enable sensitivity labels for Office on the web. Also include support for coauthoring, eDiscovery, data loss prevention, and search, even when documents are encrypted. | Enable sensitivity labels for Office files in SharePoint and OneDrive. |
Use coauthoring and AutoSave in Office desktop apps when documents are encrypted. | Enable coauthoring for files encrypted with sensitivity labels. |
Automatically apply sensitivity labels to documents and emails. | Apply a sensitivity label to content automatically. |
Use sensitivity labels to protect content in Teams and SharePoint. | Use sensitivity labels with Microsoft Teams, Microsoft 365 groups, and SharePoint sites. |
Use sensitivity labels to configure the default sharing link type for sites and individual documents in SharePoint and OneDrive. | Use sensitivity labels to set the default sharing link for sites and documents in SharePoint and OneDrive. |
Apply a sensitivity label to a document understanding model. By doing so, you must automatically classify and protect identified documents in a SharePoint library. | Apply a sensitivity label to a model in Microsoft SharePoint Syntex. |
Prevent or warn users about sharing files or emails with a specific sensitivity label. | Use sensitivity labels as conditions in DLP policies. |
Apply a sensitivity label to a file when you receive an alert that a user shared content containing personal data. | Investigate and remediate alerts in Privacy Risk Management. |
Apply a retention label to retain or delete files or emails that have a specific sensitivity label. | Automatically apply a retention label to retain or delete content. |
Discover, label, and protect files stored in data stores that are on premises. | Deploying the Microsoft Entra ID Protection scanner to automatically classify and protect files. |
Discover, label, and protect files stored in data stores that are in the cloud. | Discover, classify, label, and protect regulated and sensitive data stored in the cloud. |
Label SQL database columns by using the same sensitivity labels as those labels used for files and emails. By doing so, you create a unified labeling solution that can continue to protect this structured data if a user exports it. | Data Discovery & Classification for Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics. SQL Data Discovery and Classification for SQL Server on-premises. |
Apply and view labels in Power BI, and protect data when users save it outside the service. | Sensitivity labels in Power BI. |
Monitor and understand how my organization uses sensitivity labels. | Learn about data classification. |
Extend sensitivity labels to third-party apps and services. | Microsoft Purview Information Protection SDK. |
Extend sensitivity labels across content in Microsoft Purview Data Map assets. Asset examples include Azure Blob Storage, Azure Files, Azure Data Lake Storage, and multicloud data sources. | Labeling in Microsoft Purview Data Map. |
End-user documentation for sensitivity labels
The most effective end-user documentation that an organization can provide is customized guidance and instructions for the label names and configurations it chooses. Organizations can use the label policy setting Provide users with a link to a custom help page to specify an internal link for this documentation. Users can then easily access it from the Sensitivity button:
- For built-in labeling. See the Learn More menu option.
- For the Microsoft Entra ID Protection unified labeling client. Go to the Help and Feedback menu option, then select the Tell Me More link in the Microsoft Entra ID Protection dialog box.
Microsoft provides guidance to help organizations create customized documentation. End User Training for Sensitivity Labels includes instructions and downloads that can help organizations train their users.
You can also use the following resources for basic instructions:
If your sensitivity labels apply encryption for PDF documents, you can open these documents with Microsoft Edge on a Windows or Mac device. For more information, and alternative readers, see Which PDF readers support protected PDFs?