Sensitivity Labels and Sensitivity Label Policies
Sensitivity Labels and Sensitivity Label Policies are key features within Microsoft Purview Information Protection that help organizations classify, protect, and govern their sensitive data across the Microsoft 365 ecosystem.
**Sensitivity Labels** are customizable tags that organizations can create and apply to documents, emails, containers (such as Teams, Microsoft 365 Groups, and SharePoint sites), and other content. These labels indicate the sensitivity level of the data, such as Public, General, Confidential, or Highly Confidential. When a sensitivity label is applied, it can enforce protection settings including:
- **Encryption**: Restricting access to authorized users only.
- **Content Marking**: Adding headers, footers, or watermarks to documents and emails.
- **Access Controls**: Preventing copying, printing, forwarding, or downloading of content.
- **Data Loss Prevention (DLP)**: Triggering DLP policies based on the label applied.
Sensitivity labels are persistent, meaning they travel with the content regardless of where it is stored or shared. Labels can be applied manually by users, automatically based on conditions (such as detecting credit card numbers or social security numbers), or recommended to users through intelligent suggestions powered by machine learning.
**Sensitivity Label Policies** define the scope and behavior of sensitivity labels across the organization. Through label policies, administrators can:
- **Publish labels** to specific users, groups, or the entire organization, making them available for selection.
- **Set a default label** that is automatically applied to new documents and emails.
- **Require justification** when users attempt to downgrade or remove a label.
- **Mandate labeling**, requiring users to apply a label before saving documents or sending emails.
Label policies are configured in the Microsoft Purview compliance portal and ensure consistent application of data protection rules. Multiple policies can coexist, with specific policies targeting different user groups. Together, Sensitivity Labels and their policies provide a comprehensive framework for classifying and protecting organizational data, ensuring compliance with regulatory requirements while maintaining productivity.
Sensitivity Labels and Sensitivity Label Policies – A Complete Guide for SC-900
Why Are Sensitivity Labels and Sensitivity Label Policies Important?
In today's digital workplace, organizations handle vast amounts of sensitive data — from financial records and personal information to trade secrets and intellectual property. Without a proper classification and protection mechanism, this data can be accidentally shared, leaked, or misused. Sensitivity labels are a cornerstone of Microsoft's information protection strategy, enabling organizations to classify, protect, and govern their data consistently across the Microsoft 365 ecosystem and beyond.
Understanding sensitivity labels is not only critical for real-world data protection but is also a key topic on the SC-900: Microsoft Security, Compliance, and Identity Fundamentals exam. Microsoft expects candidates to understand what sensitivity labels are, how they work, and how sensitivity label policies distribute them to users.
What Are Sensitivity Labels?
Sensitivity labels are persistent, customizable tags that an organization creates and applies to documents, emails, containers (such as Teams, SharePoint sites, and Microsoft 365 Groups), and even schematized data assets in Microsoft Purview Data Map. They classify content based on its sensitivity level (e.g., Public, General, Confidential, Highly Confidential).
Key characteristics of sensitivity labels include:
• Customizable: Organizations define their own label taxonomy to match their classification requirements.
• Persistent: Once a label is applied, it stays with the content as metadata, regardless of where the content travels — inside or outside the organization.
• Clear text: The label metadata is stored in clear text so that third-party apps and services can read it and apply their own protective actions if needed.
• Unique per item: Only one sensitivity label can be applied to a document or email at any given time.
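The clear-text point above, as an added example (not part of the original guide and not Microsoft's code): a reader that pulls label metadata out of an Office Open XML file the way a third-party scanner or DLP gateway could. It assumes the label is stored as custom document properties named MSIP_Label_<GUID>_<field> in docProps/custom.xml; files that keep the label in a different part are reported as having none. The GUID, tenant ID and sample file are constructed.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

CP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
VT_NS = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
# Property names look like MSIP_Label_<label GUID>_<field>
PROP_RE = re.compile(r"^MSIP_Label_([0-9a-fA-F-]{36})_(\w+)$")

def read_labels(ooxml_bytes):
    """Return {label_guid: {field: value}} read from docProps/custom.xml."""
    labels = {}
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as zf:
        if "docProps/custom.xml" not in zf.namelist():
            return labels  # no label metadata in this part
        # For untrusted files, swap in a hardened parser such as defusedxml.
        root = ET.fromstring(zf.read("docProps/custom.xml"))
    for prop in root.iter("{%s}property" % CP_NS):
        m = PROP_RE.match(prop.get("name", ""))
        if m:
            value = "".join(prop.itertext()).strip()
            labels.setdefault(m.group(1).lower(), {})[m.group(2)] = value
    return labels

def enabled_labels(ooxml_bytes, site_id=None):
    """Enabled labels, optionally only those issued by one tenant (SiteId)."""
    return [f for f in read_labels(ooxml_bytes).values()
            if f.get("Enabled", "").lower() == "true"
            and (site_id is None or f.get("SiteId", "").lower() == site_id.lower())]

def build_sample():
    """Constructed sample: a ZIP holding only docProps/custom.xml, not a full .docx."""
    guid = "11111111-2222-3333-4444-555555555555"  # constructed label GUID
    fields = {"Enabled": "true", "Name": "Confidential", "Method": "Privileged",
              "SiteId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}  # constructed tenant ID
    props = "".join(
        '<property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="%d" '
        'name="MSIP_Label_%s_%s"><vt:lpwstr>%s</vt:lpwstr></property>' % (i, guid, k, v)
        for i, (k, v) in enumerate(fields.items(), start=2))
    xml = '<Properties xmlns="%s" xmlns:vt="%s">%s</Properties>' % (CP_NS, VT_NS, props)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/custom.xml", xml)
    return buf.getvalue()

if __name__ == "__main__":
    for label in enabled_labels(build_sample()):
        print(label["Name"], label["Method"], label["SiteId"])
```

Because this metadata is readable and editable by anything that can open the file, treat a label read this way as a classification hint; the access restriction itself comes from the encryption the label applies.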
What Can a Sensitivity Label Do?
When you configure a sensitivity label, you can associate one or more of the following protection actions:
1. Encryption: Restrict access to labeled content. You can control who can open, copy, print, or forward the content. Encryption follows the document wherever it goes.
2. Content Marking: Add watermarks, headers, or footers to documents and emails that bear the label. This provides a visual indicator of the sensitivity level.
3. Protect content in containers: When applied to Microsoft Teams, Microsoft 365 Groups, or SharePoint sites, labels can enforce privacy settings (public vs. private), external user access policies, access from unmanaged devices, and more.
4. Auto-labeling: Automatically apply or recommend a label when specific sensitive information types (e.g., credit card numbers, Social Security numbers) or trainable classifiers are detected in the content.
5. Extend to third-party apps and services: Using the Microsoft Information Protection SDK, third-party applications can read and apply sensitivity labels.
6. Protect meetings and chats: Sensitivity labels can be extended to Teams meetings to control meeting options such as who can bypass the lobby, who can present, and whether chat is allowed.
What Are Sensitivity Label Policies?
Creating a sensitivity label alone does not make it available to users. You must publish labels through a sensitivity label policy. A label policy defines:
• Which users and groups can see and use the published labels (scoping).
• A default label that is automatically applied to new documents, emails, or containers if no label is selected by the user.
• Justification requirements: Whether users must provide a justification before removing a label or replacing it with a lower-sensitivity label.
• Mandatory labeling: Whether users are required to apply a label before saving a document or sending an email.
• Help links: A custom help page URL to guide users on how to use labels properly.
Important: Label policies are how labels get distributed. Without a policy, labels remain dormant and invisible to end users. It can take up to 24 hours (sometimes up to 48 hours) for a newly published label policy to propagate to all users and apps.
How Sensitivity Labels Work – Step by Step
1. Admin creates labels in the Microsoft Purview compliance portal (compliance.microsoft.com). Labels are defined with a name, description, scope (files, emails, groups & sites, schematized data assets), and protection settings (encryption, content marking, auto-labeling conditions).
2. Admin creates a label policy and selects which labels to publish, which users/groups are in scope, and configures policy settings (default label, mandatory labeling, justification for changes).
3. Labels propagate to the targeted users' Microsoft 365 apps (Word, Excel, PowerPoint, Outlook, Teams, SharePoint, etc.).
4. Users apply labels manually from the sensitivity button in their Office apps, or labels are automatically applied based on auto-labeling rules configured by the admin.
5. Protection is enforced: Based on the label's configuration, encryption is applied, watermarks/headers/footers are added, and access restrictions take effect.
6. Labels persist: When a labeled document is shared externally, the label and its protections travel with the document. Recipients need appropriate permissions (and potentially Azure Rights Management) to access encrypted content.
Label Priority and Order
Sensitivity labels have an order of priority (determined by their position in the list within the admin portal). The label at the bottom of the list has the highest priority. This is important because:
• Auto-labeling applies the highest-priority label when multiple conditions match.
• Users may be required to justify downgrading from a higher-priority label to a lower one.
• The label order reflects increasing sensitivity (e.g., Public → General → Confidential → Highly Confidential).
Sublabels: Organizations can create sublabels under a parent label for more granular classification (e.g., Confidential → Confidential - All Employees, Confidential - Finance Only). A parent label itself cannot be applied directly if it has sublabels; users must choose a sublabel.
Auto-Labeling vs. Label Policies (Client-Side vs. Service-Side)
There are two types of auto-labeling:
• Client-side auto-labeling: Configured within the sensitivity label settings. When a user is working in an Office app and sensitive content is detected, the label is either automatically applied or recommended to the user. This requires the user to have the label published to them via a label policy.
• Service-side auto-labeling: Configured through auto-labeling policies (separate from label policies). These policies scan content already stored in SharePoint, OneDrive, and Exchange Online and apply labels automatically without user interaction. This is useful for labeling data at rest across the organization at scale.
Where Sensitivity Labels Can Be Applied
• Microsoft 365 Apps (Word, Excel, PowerPoint, Outlook) on desktop, web, and mobile
• Outlook for email messages
• Microsoft Teams (chats, channels, meetings)
• Microsoft 365 Groups
• SharePoint Online sites
• Power BI
• Microsoft Purview Data Map (schematized data assets like Azure SQL columns)
• Files in SharePoint and OneDrive
Key Concepts to Remember for the SC-900 Exam
• Sensitivity labels are created in the Microsoft Purview compliance portal.
• Labels must be published via a label policy to be visible to users.
• Only one sensitivity label can be applied to a document at a time.
• Labels are stored as clear-text metadata so other systems can read them.
• Encryption and content marking are optional protection actions configured in the label.
• Label priority matters: labels lower in the list have higher priority (higher sensitivity).
• Mandatory labeling and default labels are configured in the label policy, not in the label itself.
• Justification can be required when a user downgrades or removes a label.
• Auto-labeling can be client-side (within the label) or service-side (via auto-labeling policies).
• Label policies can take up to 24 hours to take effect.
• Sensitivity labels for containers (Teams, Groups, Sites) control privacy, external access, and device access — they do not automatically label the files inside the container.
Exam Tips: Answering Questions on Sensitivity Labels and Sensitivity Label Policies
1. Distinguish between the label and the label policy. If a question asks about making a label available to users, the answer involves a label policy (publishing). If a question asks about encryption or content marking, the answer involves the label configuration itself.
2. Remember: one label per item. Exam questions may try to trick you into thinking multiple labels can coexist on a single document. Only one sensitivity label can be applied at a time.
3. Default labels and mandatory labeling are policy settings. If a question asks how to ensure all documents have a label, think about the label policy settings — specifically the default label and mandatory labeling options.
4. Auto-labeling questions: If the scenario involves labeling content at rest in SharePoint/OneDrive/Exchange without user intervention, the answer is service-side auto-labeling policies. If it involves recommending a label to a user in real-time in an Office app, it is client-side auto-labeling within the label settings.
5. Container labels ≠ file labels. Applying a sensitivity label to a Teams site or SharePoint site does not automatically label the individual files within it. The container label governs access and privacy settings for the container. File labeling must be handled separately.
6. Know the admin portal. Sensitivity labels are managed in the Microsoft Purview compliance portal (compliance.microsoft.com). If a question mentions the Azure portal or another admin center, be cautious — sensitivity labels are not primarily managed there.
7. Encryption specifics: When a label applies encryption, the organization retains control over who can access the content, even after it leaves the organization. If a question asks about protecting content shared externally, encryption via sensitivity labels is a key answer.
8. Propagation delay: If a question mentions that labels are not appearing for users immediately after publishing, recall that label policies can take up to 24 hours to propagate.
9. Sublabels: If a parent label has sublabels, the parent label itself cannot be applied directly. Users must select a sublabel. Exam questions may test this nuance.
10. Watch for keywords in questions:
- "Classify and protect" → Sensitivity labels
- "Publish labels" → Label policy
- "Require justification" → Label policy setting
- "Apply a label by default" → Label policy setting
- "Watermark, header, footer" → Content marking in the label
- "Restrict access, prevent forwarding" → Encryption in the label
- "Automatically apply label to data at rest" → Auto-labeling policy (service-side)
- "Recommend a label to users" → Client-side auto-labeling in the label
11. Integration with DLP: Sensitivity labels can be used as conditions in Data Loss Prevention (DLP) policies. If a question asks how to prevent sharing of Highly Confidential labeled documents externally, a DLP policy that references the sensitivity label is a valid answer.
12. Rights Management: Sensitivity labels leverage Azure Rights Management (Azure RMS) for encryption. You do not need deep knowledge of Azure RMS for SC-900, but know that it is the underlying technology that enforces encryption for labeled content.
Summary
Sensitivity labels are a powerful tool within Microsoft Purview Information Protection that allow organizations to classify, protect, and govern their data. They can enforce encryption, apply visual markings, and control access at the container level. However, labels only become operational when published to users through sensitivity label policies. For the SC-900 exam, focus on understanding the difference between labels and label policies, the protection capabilities of labels, how auto-labeling works, and the key policy settings like mandatory labeling, default labels, and justification requirements. Mastering these concepts will help you confidently answer exam questions on this topic.