1. Home
  2. Training Library
  3. Microsoft 365
  4. Microsoft 365 Courses
  5. A Practical Guide to Sensitivity Labels

Create A Sensitivity Label Demo



The course is part of this learning path

Create A Sensitivity Label Demo

Sensitivity labels are one way that data classification can be applied to files and documents. Aside from labels built into Microsoft 365, you can define custom labels and apply them to documents manually or automatically via rules. In this course, we create a sensitivity label and apply it to a document and then change that document's label. Labels are embedded in documents allowing classification to follow a document from one domain or file system to another. We look at how label embedding is achieved. Finally, we see how to integrate MS365 sensitivity label functionality with Azure AD groups and sites.

Learning Objectives

  • Create a sensitivity label
  • Use a sensitivity label
  • See how sensitivity labels are implemented within an MS365 Office document
  • Learn how to integrate sensitivity label functionality with Azure AD groups and sites

Intended Audience

  • Students who want to take a practical and in-depth look at sensitivity labels, from their creation, application, and how they are implemented within an office document



Let's go through the process of creating our own sensitivity label, starting from the Microsoft 365 admin center. Click show all in the left-hand menu blade to expose all the admin centers, then click compliance to open Microsoft Purview. Sensitivity labels are found under information protection. To create a new label, click create a label above the list of predefined labels. In my case, I already have a custom label defined called Project BB. Apart from the typical columns created by and last modified, we have order and scope. Scope is the type of document the label is applied to, while order is associated with a label's priority and how restrictive you want the label to be. The least restrictive with the lowest number is at the top, down to the most restrictive. This is important as users can change a document's label, thereby possibly changing other accessibility attributes. As we shall see, one of the options when setting up a label is to require a user to justify changing a document's label to a less restrictive or lower-order priority. 

I'm going to turn on labeling with Microsoft Purview Data Map. The purview data map is a platform as a service that maintains a map of the files' metadata across cloud and on-premises environments. This map-slash service is the foundation of automated data classification and other purview services that monitor data compliance. Having turned on the purview data map, I'm told I haven't turned on the ability to process encrypted labels. This is correct. Sensitivity labels can do more than classify data. You can configure a label to encrypt a document that it's applied to automatically. You can also get a label to apply a watermark to documents but not emails automatically. Watermarks have a limit of 255 characters, but Microsoft explicitly states that watermarks exceeding that length, including formatting characters, will not display on Excel documents. The implication, to me anyway, is that the first 255 watermark characters will display on non-Excel documents. Having said that, a watermark shouldn't be longer than 255 anyway; this all seems a bit flaky. The bottom line, test your watermarks before deploying them.

Right, let's click the create a label button. I'll give the label a name, a display name, and a description for users and admins. I'll select a color for the label as well. Next, we define the label's scope. By default, items that are office files and Power BI items are checked, as well as data assets as detected by Microsoft Purview Data Map. Groups and sites are currently disabled. This is because I haven't set up my Azure AD to synchronize with Microsoft purview. I won't do that now as It's a bit involved and distracts us from our purpose, but I will come back to it. Click next to choose protection settings for the labeled items. This is where you can get the label to apply encryption or a watermark to an item. I won't enable auto-labeling, but if I did, it would involve setting up a series of conditions that a newly created Office document would need to possess to get this label. We can say we want the label automatically applied or recommend that the users apply the label. You can also display a message to the user when the label is applied. Click next.

If I'd checked groups and sites earlier, which is disabled, these two check boxes would be enabled. Click next to finish the create label configuration. You can review and edit the settings at this point, but I'll create the label. The label has been created, so click done to exit the wizard. 

A created label needs to be published to be effective. Selecting the label will display its properties, where you can edit, delete, or publish the label. By default, the label is published for everyone in the AD, but you can restrict the label to particular users or groups by clicking choose user or group. Next, we configure the policy settings for the label. I'm just going to make users justify removing or changing it to a lower-priority label on a document. I can specify that the label is mandatory for emails, documents, and Power BI content. Funnily enough, I don't have a help page for labels, so I'll leave provide users with a custom help page unchecked. Next, we can specify whether we want the label automatically applied to office documents. If you think we're getting the hard sell treatment on label application — you're not alone. I'll leave it as none, as other users in my AD won't appreciate their documents being automatically labeled. Next, I'll make emails behave as documents and won't automatically apply the label to Power BI content. Last but not least, I'll give the policy a name and description. Finally, I can review the policy settings and submit them, clicking done to finish the process. 

We can see the new My Sensitivity Label sitting at the bottom of the label list with the highest order priority and that it can be applied to files, emails, and schematized data assets. 

About the Author
Learning Paths

Hallam is a software architect with over 20 years experience across a wide range of industries. He began his software career as a  Delphi/Interbase disciple but changed his allegiance to Microsoft with its deep and broad ecosystem. While Hallam has designed and crafted custom software utilizing web, mobile and desktop technologies, good quality reliable data is the key to a successful solution. The challenge of quickly turning data into useful information for digestion by humans and machines has led Hallam to specialize in database design and process automation. Showing customers how leverage new technology to change and improve their business processes is one of the key drivers keeping Hallam coming back to the keyboard.