DEMO: Create and Configure a Sensitivity Label in Microsoft 365
Start course

This course guides you through the actual process of creating and publishing labels through some practical demonstrations from the Microsoft 365 platform. After watching the demos in this course, you should have a basic understanding of how to create sensitivity labels and how to publish them with label policies.

Learning Objectives

  • Get a basic understanding of sensitivity labels and how to create them
  • Learn how to create a label policy and publish labels

Intended Audience

This course is intended for those who wish to learn how to create and configure sensitivity labels and policies in Microsoft 365.


To get the most out of this course, you should have a basic understanding of Microsoft 365.


Hello, and welcome back. What we're gonna do here in this demonstration is create and configure a sensitivity label. Now, once we've done this, what we'll do in the next exercise is create a label policy that assigns the label. Now, to create and configure a sensitivity label, what we're gonna do here is use the Microsoft 365 compliance center. I'm actually logged into the compliance center with my global admin account here and I'm at the home page.

To create sensitivity labels, we need to browse down to Information protection under Solutions here. So if we scroll down here, we open up information protection, we see we have two options here. We have a labels option and a label policies option. Label policies is where we'll actually create the sensitivity label policy in the next exercise. The labels screen is where we'll actually create and view existing labels that we've already created. We're not gonna migrate any Azure information protection label, so let me close this notification out. And you can see here, we don't have any labels created yet. So what we'll do is we'll create our first label.

Now, on this name and description page, we need to provide some information. We need to provide a name for the label, a display name, and a description for users. The name for the label is the name of the label that admins see in the Microsoft 365 compliance center when they work with the label. So I'll just call this MyLabel. Now, this display name, this display name is the name that the users will see in their applications once it's been published. This is what they'll see in apps like Word and Outlook and SharePoint.

If you notice in this tooltip, what the tooltip recommends is that we use a name that helps the user understand what the label is used for. It gives the examples of confidential and personal. So I'll just use personal here just because it's a demo. And in this description for users box here, this description is what users see as a tooltip when they view the label in their apps. So the display name shows the name of the label, while the description shows a tooltip.

So, basically, what I'll do here for this tooltip, I'll just write in here, "This is the personal label." Notice there's a red asterisk here, so this is required. And then this description for admins isn't required, but what this does is display for admins who are managing the label in the security center or in the compliance center. So now that we have the name, display name, and description here, we'll go ahead and next it. And from this scope page, what we can see here is that we can apply labels directly to files and emails, groups and sites, or to Azure Purview assets.

Now, the Purview assets, what this does is allow us to apply the label to assets in Azure Purview. And this includes things like SQL columns and files in Azure Blob Storage. This is a preview feature right now, so we're not gonna use it for this demonstration, so we'll uncheck the box. And, instead, what we'll do here is just assign this to files and emails. So that'll be the scope for the label.

So we'll go ahead and next this. And now from this files and emails page, we have to choose the protection settings for files and emails. We can encrypt files and emails, which essentially lets us control who can access those files and emails once this label is applied to them, or we can mark the content of files. This allows us to add custom headers or footers, or watermarks to files and emails that have this label applied. 

What I'll do here is encrypt files and emails for this demonstration. And we'll go ahead and next it. And then from here, we need to configure the encryption. This is where we can control who can access our files and emails once this label's been applied to them. So leave configure encryption settings turned on here. And then what we can do here is we can either assign permissions now or let users assign permissions when they apply the label.

For this demonstration, we'll just assign the permissions. And then if we hover over the icon here for user access, what this does is allow us to limit how long users can access content with this label. If we select the dropdown here, we can either never expire it, we can expire it on a specific date, or we can expire it after a specific number of days after the label is applied. We'll just leave this set to never. And now this dropdown for allow offline access, you notice here we have an always, never, or only for a number of days.

If we hover over the icon here, what this option does is allow us to, basically, do what the title of the box is. It allows us to specify the parameters for allowing offline access to any content labeled with this label. Essentially, if we specify that labeled content is either never available offline, or if it's available offline only for a certain number of days, what happens is when that threshold gets reached, the users trying to access that content must be re-authenticated and their access gets logged. If their credentialed aren't cached, the users are then prompted to sign in to Microsoft 365 before they can open the document or email. We'll just leave this set to always. And then this last option here, assign permissions to specific users and groups, if we hover over the icon here, we can see that this option allows us to assign permissions to specific people so only they can interact with the content that's labeled with this specific label.

So, for example, if I click Assign permissions here, what I can do is select the users and I can choose the permissions. So for this exercise, I'll add all users and groups in my organization. And if I click Choose permissions here, I can select co-owner, coauthor, reviewer, viewer, or custom. I'll leave co-author selected here, and we'll save it. And then we'll save it again. So now we're granting all users and groups co-author permissions to anything that gets labeled with this sensitivity label.

Now, we could use Double Key Encryption here. Now, what Double Key Encryption is, is it allows you to use two additional keys to secure your sensitive documents. And this is typically for regulatory reasons. You can see here in the tooltip that you manage one key in Azure RMS and the other key in the Double Key Encryption service. We're not gonna do that here, so we'll just next this. And then this auto-labeling screen here allows us to configure auto-labeling. And what this means is that when a user edits office files or creates an email, or even forwards emails from Outlook that contain content matching the conditions that we choose here, Microsoft 365 will automatically apply this label to that content. So we'll go ahead and turn this on.

Now, once we turn on auto-labeling, we need to specify the conditions so that Microsoft 365 knows what to look for when it's looking to auto-label something. So we'll select the Add condition here. And we'll Content contains.

Now from here, we'll add, and we'll add a sensitive info type. And if we scroll down here, let's see if we can find, maybe we'll do like social security number for U.S. I don't remember where it's at offhand, let's find out. It's probably down here under U.S. Here we go, U.S. social security number. So we'll add that.

Now, this medium confidence dropdown here allows us to assign low, medium, or high confidence to a number that matches the formatting of a U.S. social security number. We'll just leave this set to medium confidence. And then instance count here is how many instances it shows up as. We'll leave this at one to infinite, basically. So, basically, what this means is if the document includes at least one instance of a number that seems to be formatted as a U.S. social security number, it'll trigger the auto-labeling. And then we have a couple different options here. We can either recommend that users apply the label, or we can automatically apply the label.

For this exercise, we will automatically apply the label when this content matches these conditions. And then what we'll do here in this last box, Display this message to users when label is applied, essentially, this tells the user that, "Hey, I've just added a label to this particular piece of content." There is a default message that can be displayed automatically, or we can create our own. If we leave this blank, we get the default message. So we'll just leave the default message. And we'll go ahead and next it.

And then we have protection settings for groups and sites. I don't have this enabled for my tenant, so we're not gonna make any changes here. Instead, we'll next it. And then what we can do is review our settings. We have my label, it's called personal, we have a tooltip for users, the scope is file and email, we're going to encrypt, we're not doing any content marketing, we are auto-labeling. And if we're happy with these settings, we can click Create label. And at this point, the label's been created. We'll go ahead and click Done. And now we have the personal label, and we can view the settings for this label.

Now, what we could do here is click Publish label, and this would launch us into the label policy creation. But I'm not gonna do that yet because I'll do that in the next demonstration. But what we have right now is a label that's available to us, but it's not available for use with our users yet because it hasn't been published using a label policy. So join me in the next lesson where we'll create that label policy.

About the Author
Learning Paths

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.