Every organization should have a method that allows its most sensitive data to be protected against access outside of the organization.  Whether content is shared accidentally or maliciously, the damage of sensitive content getting into someone’s hands shouldn’t be damaging to any organization.  Enter Microsoft 365 sensitivity labels.

Microsoft 365 Sensitivity Labels

Microsoft 365 sensitivity labels allow for content (documents or emails) to be classified/categorized based on sensitive information contained within.  The sensitive information is dependent on the organization. It can be as obvious as credit card numbers or health insurance information or specific to the company as employee numbers or strategic planning.  What is important here is that Microsoft 365 sensitivity labels provide organizations with a method to classify the content accordingly.

Content Marking

But what do sensitivity labels do?  Classification is great, but only if properly utilized.  One of the most visible features of a sensitivity label is its ability to mark content based on its sensitivity.  Within Microsoft 365, this is called “content marking,” It allows headers, footers, and watermarks to be applied to content automatically based on the label selected.  For example, an organization can create a sensitivity label to classify content that should be maintained internally and not shared.  The organization requires that all content classified this way should be labeled with a header and footer containing the text “Internal Use Only.”  Microsoft 365 sensitivity labels can be configured to do this when the label is applied to the content.

Microsoft 365 Sensitivity Labels - Content Marking Example

The header and footer are added once the document has been classified.  The modification to the content does not affect the modified date or is modified by the content’s properties.

Marking the content does not directly protect it, but it puts a visual reminder to anyone accessing the file.  This visual notification is intended to remind users that content labeled as such needs to be handled differently than other content.  In the case of our example, the content can’t be shared outside of the organization.  The content marking intends to help the user realize that.


Microsoft 365 sensitivity labels also have the ability to encrypt content and protect it from being accessed by users that should not have access.  Other ECM environments also encrypt content based on sensitivity, but the difference with Microsoft 365 is the encryption follows the file.  For example, if OpenText content is encrypted, it is only done while within the OpenText environment.  Microsoft 365 sensitivity labels allow the content’s encryption to exist even outside of the tenant’s control.  If I were to send a sensitivity label encrypted document that I had access to someone that didn’t have access to, the content would not be available to that user.  This is because the encryption is applied to the document itself and not to the storage location.  Microsoft 365 can do this due to integration with Azure Rights Management.  The process encrypts the content and then utilizes Azure RMS to confirm if a user attempting to access the content is who they say and if that identity is cleared to access the content.

Microsoft 365 Sensitivity Labels - Encryption Process

The sensitivity label itself can define the users or groups that can access the content when encrypted. The label can be configured to allow the user that applied the label to set the authorized users.

NOTE: If the label controls the user access, the list of authorized individuals or groups is dynamic. It can be updated via the security group assigned to the label.  If the user sets the permissions when the label is applied, then to change the access (when not utilizing an AD group), the label has to be removed, re-added, and the permissions updated.  This can be alleviated by utilizing AD groups as opposed to individual users when applying encryption permissions.


Currently, a sensitivity label cannot assist in controlling retention within the organization directly.  As of the creation of this post, sensitivity labels are not contained within the search index of content.  This is important because that is the method the system utilizes to determine the auto-application of retention labels.  However, content that could have sensitivity labels set based on content can also have retention labels applied using the same method.


In a future post, I will walk through setting up and applying sensitivity labels inside your tenant.

Thanks for reading!