1. Home
  2. Training Library
  3. Microsoft 365
  4. Microsoft 365 Courses
  5. Intro to Sensitivity Labels in Microsoft 365

An Intro to Sensitivity Labels

An Intro to Sensitivity Labels

This course introduces you to sensitivity labels in Microsoft 365, and you’ll learn what they are and what functions they perform. We’ll then look at the steps you need to take to define sensitivity labels. Finally, we'll take a look at classifying and protecting data with sensitivity labels.

Learning Objectives

By the time you finish this course, you should have a good understanding of what sensitivity labels are and what role they play in Microsoft 365.

Intended Audience

This course is intended for anyone who wishes to learn what sensitivity labels are and how to classify and protect data with them in Microsoft 365.


To get the most out of this course, you should already have a basic understanding of Microsoft 365.


Sensitivity labels are used to classify and protect your data, without affecting user productivity. They can be used to do lots of different things. For example, you can use sensitivity labels to encrypt files and to even watermark them. For example, you might apply a "Classified" sensitivity label to a particular document that not only encrypts the content, but also applies a "Classified" watermark to the document. Encrypting a document with a sensitivity label can restrict what actions that certain people can take on the document. More specifically, you might use sensitivity labels to allow some users in your organization to modify a document, while only allowing a certain group of users to view the document.

You can use sensitivity labels to protect content in Office apps across multiple devices and even multiple platforms, like Windows, macOS, iOS, and Android. Sensitivity labels can be used with the desktop versions of Word, Excel, PowerPoint, and Outlook, AND they work with Office on the web. 

Using Cloud App Security and sensitivity labels, you can even protect content in third-party apps and services. You can use them to detect, classify, label, and protect content in apps and services, like DropBox, even if the third-party app or service doesn’t support sensitivity labels.

You can also protect containers that include Teams, Microsoft 365 Groups, and SharePoint sites by using labels to set privacy settings, to configure external user access, to configure external sharing settings, and to configure access from unmanaged devices.

Sensitivity labels can be extended to Power BI, to assets in Azure Purview, and to third-party apps and services. For example, if you extend sensitivity labels to Power BI, you can apply and view labels right within Power BI, AND you can protect data even when it's saved outside the service. Extending sensitivity labels to assets in Azure Purview allows you to apply sensitivity labels to things like SQL columns and files in Azure Blob Storage. Extending sensitivity labels to third-party apps and services via the Microsoft Information Protection SDK, allows them to read the labels and apply protection settings.

You can also use sensitivity labels to simply classify content without specifying protection settings. 

As you can probably tell, you can use sensitivity labels to classify data across the organization, and you can use them to enforce protection settings on that data.

I should point out that you need to be signed in with your Microsoft 365 work or school account in order to apply sensitivity labels.

So, now that you know how you can use sensitivity labels, let’s talk a little bit about what a sensitivity label is, exactly.

A sensitivity label is sort of like a stamp that you would apply to a physical document. It’s a customizable stamp that is specific to your organization. Sensitivity labels allow you to create different categories for the different sensitivity levels of content within your organization. Organizations will, for example, often create labels for categories like Personal, Public, General, Confidential, and Highly Confidential documents.

Sensitivity labels are clear-text labels that are stored in the metadata of your files and emails. Since they are clear text, many third-party apps and services can read the labels you define. Those third-party apps and services can even sometimes apply their own protective actions, based on your defined sensitivity labels.

Sensitivity labels are also persistent. They are persistent because they are stored in the metadata for files and emails. Because they are stored in the metadata, sensitivity labels move with the content they are applied to, regardless of where the content saved or stored. 

Sensitivity labels appear to users as tags on apps that they use - and they can be integrated into existing workflows.

I should mention that you can only apply ONE sensitivity label to a document. Which makes sense, since there is really no reason to categorize a specific document as “Confidential” AND “Public”. However, while a document can only have one sensitivity label assigned to it, it CAN have both a sensitivity label AND a retention label applied to it. The same goes for emails.

When working with sensitivity labels, you can apply labels automatically to your files and emails, or you can recommend a label that should be applied manually. For example, you might want to decide how to identify sensitive information that you want to label, and then label that content automatically. If you recommend labels, you can prompt your users to apply whatever label you recommend when they work with the type of document you want to protect or classify. 

The image on your screen shows the type of notification a user might see if you recommend a label.

Join me in the next lesson, where I’ll talk about what goes into defining a sensitivity label.

About the Author
Learning Paths

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.