Sensitivity Labels in Microsoft 365: The Admin Setup Guide

Microsoft 365 Copilot

Compliance  ·  Microsoft Purview  ·  Information Protection  ·  2026

Copilot generates responses using content your users can already access. That sounds obvious — but it has a concrete implication: if a document labelled "Confidential" has no encryption behind it, Copilot can summarise it, quote from it, and surface it across the tenant. Sensitivity labels are how you close that gap. They attach classification and optional protection directly to content, so the label travels with the file regardless of where it ends up.

This guide walks through the entire setup in Microsoft Purview — from the one tenant setting most admins miss, to creating your first label, configuring access control and scope, and publishing a label policy to users. All screenshots are from a real Microsoft 365 tenant.

🏷️ A sensitivity label is metadata — with optional teeth. On its own, a label is just a classification tag visible to users. Add access control settings and it becomes encryption-backed: only permissioned users can open the file, in any app, anywhere it travels.

⚠️ There is a critical tenant-level prerequisite most admins miss. Microsoft Purview shows a yellow banner on the Sensitivity labels page: "Your organization has not turned on the ability to process content in Office online files that have encrypted sensitivity labels applied and are stored in OneDrive and SharePoint." Until you enable this, SharePoint and OneDrive cannot process encrypted Office files with sensitivity labels, which breaks key scenarios such as Office for the web, search, DLP, eDiscovery and collaborative features. The file remains protected, but the service cannot handle it the way you need — and OneDrive and SharePoint are a core content source for Microsoft 365 Copilot.

📋 Creating a label is not enough — you must also publish it. Labels are configured in the label wizard, but they only appear in users' Microsoft 365 apps (Word, Outlook, Teams) once you create a label publishing policy that targets the right users or groups.

🤖 Copilot respects sensitivity label encryption. If a file is protected with a sensitivity label that restricts access, Copilot cannot read or surface content from that file for users who do not have the required permissions. Labels with encryption are therefore a hard control, not just a classification hint.

The prerequisite you cannot skip

Before creating any labels, navigate to Microsoft Purview → Information Protection → Sensitivity labels. If your tenant has never enabled label-based encryption for SharePoint and OneDrive, you will see a yellow banner at the top of the page.

Microsoft Purview — Sensitivity labels overview page showing the yellow 'Turn on now' banner warning that the organisation has not turned on the ability to process content in Office online files with encrypted sensitivity labels stored in OneDrive and SharePoint.
The Sensitivity labels overview in Microsoft Purview. The yellow banner indicates that encrypted labels are not yet enabled for OneDrive and SharePoint — a prerequisite that must be resolved before labels with access control settings will function in those workloads.

The banner reads: "Your organization has not turned on the ability to process content in Office online files that have encrypted sensitivity labels applied and are stored in OneDrive and SharePoint."

⚠️ Do this before creating labels. Click Turn on now to enable label processing for SharePoint and OneDrive. Without this setting, any label you create with access control (encryption) will not be honoured when the file is stored in SharePoint or OneDrive — the two workloads Copilot draws from most heavily. Microsoft notes that additional configuration may be required for Multi-Geo environments. See Enable sensitivity labels for Office files in SharePoint and OneDrive.

Creating your first label

From the Sensitivity labels page, click + Create a label. The wizard opens with five steps in the left navigation: Label details → Scope → Items → Groups & sites → Finish.

Step 1 — Label details

Fill in the label name and description. The Name field is the internal identifier (visible to admins). The Display name is what users see in Office apps — keep it short and clear. The Description for users appears as a tooltip when a user hovers over the label in Word, Outlook or Teams — make it actionable.

New sensitivity label wizard — Step 1: Label details. Name field shows 'Confidential', Display name shows 'Confidential', Label priority shows 'Highest', and Description for users reads 'For internal documents with business-sensitive content. Restricts sharing outside the organisation.'
Step 1 — Label details. The Name and Display name are both set to "Confidential". The description for users is shown in Office apps as a tooltip, so it should explain what the label means in plain language. Label priority is set to Highest by default — you can reorder labels after creation.

ℹ️ Label priority matters. When multiple labels are available, a higher-priority label cannot automatically be replaced by a lower-priority one. This prevents Copilot-assisted workflows or users from inadvertently downgrading the classification of a sensitive document.

Step 2 — Scope

Scope determines which types of content the label can be applied to. The wizard shows three options.

New sensitivity label wizard — Step 2: Scope. 'Files and other data assets' is checked (covering Microsoft 365, Microsoft Fabric, and Microsoft Azure). 'Emails' is checked. 'Groups and sites' is greyed out with a note that you must first complete prerequisite steps to enable it.
Step 2 — Scope. "Files & other data assets" and "Emails" are selected by default. "Groups & sites" is greyed out because the tenant has not yet completed the prerequisite steps to enable container labels — the link "complete these steps" walks you through that configuration.

| Scope option | What it covers | Copilot relevance |
|---|---|---|
| Files & other data assets | Office files, PDFs, and data assets in Microsoft 365, Fabric, and Azure | High — Copilot draws primarily from files in SharePoint and OneDrive |
| Emails | Messages in all versions of Outlook | Medium — Copilot can summarise email threads with the right licence |
| Groups & sites | Teams, Microsoft 365 Groups, SharePoint sites, Loop workspaces | High — container-level labels set the default classification for all content within a site or team |

💡 Groups & sites requires separate enablement. Container labels for Teams, Groups and SharePoint sites need to be enabled via PowerShell or the prerequisite link shown in the wizard. This is separate from the "Turn on now" banner. See Use sensitivity labels to protect content in Microsoft Teams, Microsoft 365 Groups, and SharePoint sites.

Step 3 — Items: access control and content marking

The Items step is where a label gains real protection capability. It presents two checkboxes.

New sensitivity label wizard — Step 3: Items. Two options: 'Control access — Control who can access and view labeled items' (checked) and 'Apply content marking — Add custom headers, footers, and watermarks to labeled items' (unchecked).
Step 3 — Items. "Control access" adds encryption-backed permissions. "Apply content marking" adds visual headers, footers, or watermarks without restricting access. You can enable both on the same label.

Checking Control access advances to the Access control sub-step, where you configure how encryption is applied.

Access control settings

New sensitivity label wizard — Access control sub-step. 'Configure access control settings' radio is selected. Dropdowns show: Assign permissions now, User access to content expires: Never, Allow offline access: Always. The 'Assign permissions to specific users and groups' section shows 1 item assigned.
Access control settings. "Assign permissions now" enforces the permissions automatically when the label is applied — users cannot change them. The alternative "Let users assign permissions" prompts the user to choose recipients at the time of labelling, which is useful for ad-hoc encryption in Outlook.

The three key settings here are:

1. Assign permissions now or let users decide?
   Choose Assign permissions now for a consistent, admin-controlled policy (recommended for most scenarios). Choose Let users assign permissions if the label is designed for users to encrypt individual emails or documents with a custom recipient list — common for a "Do Not Forward" or personal-encryption label.

2. User access to content expires
   Set to Never for most labels. Use a date-based expiry for labels on time-sensitive content — for example, a label on board meeting materials that should become inaccessible after 90 days. Note that expiry requires the Azure Rights Management service to be reachable when the file is opened.

3. Assign permissions to specific users and groups
   Click Assign permissions to open the permissions panel. You can add All users and groups in your organisation (equivalent to all internal users), Any authenticated user (any Azure AD account globally), specific groups, or individual email addresses. Set the appropriate permission level — Co-Owner, Co-Author, Reviewer, Viewer, or custom.

Assign permissions side panel showing four options: '+ Add all users and groups in your organization', '+ Add any authenticated users', '+ Add users or groups', '+ Add specific email addresses or domains'. The Choose permissions section shows Editor preset selected.
The Assign permissions panel. "Add all users and groups in your organization" grants access to all internal users — equivalent to the EEEU group scope, but at the encryption layer rather than the SharePoint permission layer. Choose "Add users or groups" to target a specific security group for a label meant for a restricted audience.

⚠️ Co-authoring requires a separate tenant setting. The Access control page shows an info banner: "Turn on co-authoring for Office desktop apps so multiple users can simultaneously edit labeled documents that have access control settings applied." If you skip this and users try to co-edit an encrypted document in Word desktop, they will encounter errors. Enable co-authoring before rolling out encryption labels to broad audiences. See Enable co-authoring for files encrypted with sensitivity labels.

Auto-labeling for files and emails

After access control, the wizard shows the Auto-labeling sub-step. This toggle is off by default.

New sensitivity label wizard — Auto-labeling for files and emails. The toggle is off. The description explains: When users edit Office files or compose emails containing content matching the conditions you choose, the label will be automatically applied or recommended.
Auto-labeling for files and emails — disabled by default. When enabled, the label can be applied automatically or recommended when content matches specified conditions (for example, files containing credit card numbers or passport details detected by built-in sensitive information types). Note the info box: auto-labeling policies for already-saved files in SharePoint or OneDrive are configured separately via dedicated auto-labeling policies.

ℹ️ Client-side vs. service-side auto-labeling are different things. The toggle on this page enables client-side auto-labeling — the label is applied when a user is actively editing a file in an Office app. Service-side auto-labeling (which can process files already saved in SharePoint and OneDrive at scale) is configured through a separate auto-labeling policy and requires a Microsoft 365 E5 Compliance licence or equivalent.

Step 4 — Groups & sites

If you enabled the Groups & sites scope, this step allows you to define what happens at the container level when the label is applied to a Team, SharePoint site, or Microsoft 365 Group.

New sensitivity label wizard — Step 4: Define protection settings for groups and sites. Three unchecked options: 'Privacy and external user access', 'External sharing and Conditional Access', and 'Private teams discoverability and shared channel settings'.
Step 4 — Groups & sites protection settings. These settings apply to containers (Teams, Groups, SharePoint sites) that have the label applied — they do not apply to individual files stored inside those containers. The privacy setting controls whether a team is public or private by default when the label is applied.

| Setting | What it controls | Typical use |
|---|---|---|
| Privacy and external user access | Whether a labelled Team or Group is Public or Private; whether guest access is allowed | Set to Private + block guest access for a "Confidential" label applied to a finance team |
| External sharing and Conditional Access | SharePoint site-level sharing controls; whether Conditional Access policies apply when accessing the site | Restrict external sharing to only existing guests, require managed devices via Conditional Access |
| Private teams discoverability and shared channel settings | Whether a private team is discoverable in search; what types of teams can be invited to shared channels | Hide highly sensitive teams from tenant-wide search results |

After Groups & sites, the wizard shows a Review your settings and finish summary before you create the label.

New sensitivity label wizard — Finish: Review your settings and finish. Summary shows Name: Confidential, Display name: Confidential, Description for users: For internal documents with business-sensitive content. Restricts sharing outside the organisation. Scope: Files & other data assets, Email. Access control: Access control. Content marking: None. Auto-labeling for files and emails: None. All steps in left nav are checked.
The finish step summarises every configuration choice made in the wizard. All four left-nav steps show a blue checkmark. Click "Create label" to save the label — it will appear in the Sensitivity labels list but will not be visible to users yet. Publishing requires a separate label policy (next section).

Publishing with a label policy

A label that has been created but not published is invisible to end users. To make labels available in Office apps, Outlook, and Teams, you must create a label publishing policy.

Navigate to Information Protection → Policies → Label publishing policies. A fresh tenant will show no policies — the page confirms labels are available to publish but none have been deployed yet.

Microsoft Purview — Label policies page showing 0 items and 'No data available'. The toolbar shows a 'Publish label' button. A note at the top explains that Publish one or more labels to users' Microsoft 365 apps like Outlook and Word.
The Label policies page before any policies have been created. The "Publish label" button launches the publishing wizard, where you select which labels to publish, which users or groups to target, and configure default label behaviour for each app.

Click Publish label and complete the publishing wizard. The key decisions are:

1. Choose labels to publish
   Select one or more labels from the list. You can publish all labels in a single policy for simplicity, or create separate policies — for example, a policy that publishes all labels to the entire organisation and a separate policy that includes a "Highly Confidential" label available only to the security team.

2. Assign admin units and users
   Target the policy at All users and groups for a tenant-wide deployment, or select specific security groups to stage a pilot rollout. This is a common approach: publish a basic label set broadly, then publish a stricter label set (with mandatory labelling enabled) to a pilot group first.

3. Policy settings
   Configure default labels (optional), whether users must justify downgrading or removing a label, and whether labelling is mandatory. For Copilot readiness, consider configuring a default label — available at the policy level for Office apps and, separately, at the document library level in SharePoint for certain scenarios. This ensures content is classified at creation rather than relying on users to remember, but the right scope depends on your configuration: policy-level defaults apply across Office apps, while library-level defaults in SharePoint apply to specific libraries where you have enabled this feature.

4. Allow propagation time
   After saving a label policy, allow time for the policy to propagate to users' apps. Microsoft's documentation notes that policy changes can take time to reach all clients — avoid scheduling user training immediately after publishing. For details, see Create and configure sensitivity labels and their policies.

Recommended label taxonomy for most organisations

A common mistake is creating too many labels. If users face too many choices, they will pick the lowest-sensitivity label by default. A four-label taxonomy covers most SMB and mid-market scenarios.

| Label name | Intended use | Access control? | Copilot behaviour |
|---|---|---|---|
| Public | Content approved for external distribution — press releases, public documentation | No encryption | Copilot can summarise and surface freely |
| Internal | Default label for day-to-day business content not intended for external parties | No encryption (visual marking only) | Copilot surfaces to all internal users |
| Confidential | Business-sensitive content — finance, HR, contracts, strategic plans | Encryption — intended audience (all internal users in some organisations, but often a narrower group for genuinely sensitive content), Co-Author | Copilot surfaces only to users with decryption rights |
| Highly Confidential | Restricted information — board materials, personal data, M&A | Encryption — named groups only (e.g. Finance, Legal, Executives) | Copilot cannot surface to users outside the permitted group |

Start with visual marking, add encryption incrementally. Deploy the full label set initially with content marking only (headers, footers, watermarks) and no encryption. This lets users build the labelling habit before enforcement kicks in. Add access control settings to Confidential and Highly Confidential labels in a second phase once adoption is established. Mandatory labelling — requiring users to apply a label to every new document — can follow in a third phase.

Pre-deployment checklist

  • Enable sensitivity labels for SharePoint and OneDrive: Click "Turn on now" from the Sensitivity labels overview page in Microsoft Purview. Required for SharePoint and OneDrive to process encrypted Office files with sensitivity labels — without this, key scenarios such as Office for the web, search, DLP, eDiscovery and co-authoring will not work as expected. The file remains protected, but the service cannot handle it the way you need.
  • Enable sensitivity labels for Teams, Groups, and SharePoint sites: Separate from the above — required if you want to apply container-level labels to Teams and SharePoint sites. Follow the prerequisite steps shown in the Scope wizard step.
  • Enable co-authoring for encrypted files: Required if you plan to use access control (encryption) on labels applied to files in OneDrive and SharePoint. Without this, co-editing in Office desktop apps will fail.
  • Design your label taxonomy before creating labels: Agree on label names, descriptions, and access control scope with your security and compliance team before building in Purview. Renaming or restructuring labels after deployment is disruptive to end users and active files.
  • Create all labels before publishing any policy: Build the full label set first so you can publish all labels in a single well-structured policy. Publishing partial sets and amending them later can create inconsistencies across users' apps.
  • Publish to a pilot group first: Target the label publishing policy at a test security group before rolling out to the full organisation. Verify that labels appear correctly in Word, Outlook, and Teams, and that encrypted files can be co-edited as expected.
  • Allow propagation time after publishing: After publishing a label policy, allow time for changes to reach all users' apps before scheduling user communications or training. Check the Microsoft 365 admin centre for policy status.
  • Plan service-side auto-labeling for existing content (E5 feature): Client-side auto-labeling (configured in the label wizard) only triggers when users are actively editing files. To classify files already stored in SharePoint and OneDrive at scale, configure a separate auto-labeling policy — this requires Microsoft 365 E5 Compliance or an equivalent add-on licence.
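
Two gaps this guide warns about, a label that was created but never published and a "Confidential" label with no access control behind it, can be checked from label and policy objects. The PowerShell below is an added example, not code from the original guide or from Microsoft: the function name Get-LabelGap and the sample objects are constructed, and it assumes the object shape returned by Get-Label and Get-LabelPolicy in Security & Compliance PowerShell (LabelActions as JSON strings with a "Type" field such as "encrypt"; policy Labels as label names or GUIDs), which you should confirm against your own tenant's output.

```powershell
# Added example. Get-LabelGap and the sample data are constructed for illustration.
function Get-LabelGap {
    param(
        [Parameter(Mandatory)] [object[]] $Labels,    # label objects, e.g. from Get-Label
        [object[]] $Policies = @(),                   # policy objects, e.g. from Get-LabelPolicy
        # Display names that the taxonomy says must carry access control (encryption)
        [string[]] $MustEncrypt = @('Confidential', 'Highly Confidential')
    )

    # Flatten every label reference found in any publishing policy to a string
    $published = @($Policies | ForEach-Object { $_.Labels } |
                   Where-Object { $_ } | ForEach-Object { "$_" })

    foreach ($label in $Labels) {
        # Assumption: each LabelActions entry is a JSON string with a "Type" field
        $types = @(@($label.LabelActions) | Where-Object { $_ } |
                   ForEach-Object { ($_ | ConvertFrom-Json).Type })
        $encrypted = $types -contains 'encrypt'

        # A policy may reference the label by name, display name or GUID
        $isPublished = [bool](@($label.Name, $label.DisplayName, "$($label.Guid)") |
                              Where-Object { $_ -and ($published -contains $_) })

        $findings = @()
        if (-not $isPublished) {
            $findings += 'Not in any publishing policy: invisible to users'
        }
        if (($MustEncrypt -contains $label.DisplayName) -and -not $encrypted) {
            $findings += 'Classification only: no access control, so Copilot can surface it to anyone with file access'
        }

        [pscustomobject]@{
            Label     = $label.DisplayName
            Encrypted = $encrypted
            Published = $isPublished
            Findings  = $findings -join '; '
        }
    }
}

# Constructed sample input mirroring the four-label taxonomy (not real tenant output)
$sampleLabels = @(
    [pscustomobject]@{ Name = 'Internal'; DisplayName = 'Internal'
                       Guid = '00000000-0000-0000-0000-000000000001'
                       LabelActions = @('{"Type":"applycontentmarking"}') }
    [pscustomobject]@{ Name = 'Confidential'; DisplayName = 'Confidential'
                       Guid = '00000000-0000-0000-0000-000000000002'
                       LabelActions = @() }
    [pscustomobject]@{ Name = 'Highly Confidential'; DisplayName = 'Highly Confidential'
                       Guid = '00000000-0000-0000-0000-000000000003'
                       LabelActions = @('{"Type":"encrypt"}') }
)
$samplePolicies = @(
    [pscustomobject]@{ Name = 'Pilot policy'; Labels = @('Internal', 'Confidential') }
)

Get-LabelGap -Labels $sampleLabels -Policies $samplePolicies | Format-List

# Against a live tenant, after Connect-IPPSSession:
#   Get-LabelGap -Labels (Get-Label) -Policies (Get-LabelPolicy)
```

With the sample data, "Confidential" is reported as classification only and "Highly Confidential" as unpublished; "Internal" has no findings.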
