Microsoft 365 Sensitivity Labels


By Drago Petrovic
Step-by-Step: Configure Microsoft 365 Sensitivity Labels (Internal, External, Confidential, High Confidential, Finance)

Microsoft 365 Sensitivity Labels: A Complete, Step‑by‑Step Implementation for Internal, External, Confidential, High Confidential, and Finance

This guide shows you exactly how to design, build, and roll out the five labels—including default labeling, content markings, encryption, DLP blocking for externals, Conditional Access for compliant devices, and auto‑labeling for financial data. It also includes a reusable concept/template for customer projects. [1](https://learn.microsoft.com/en-us/purview/sensitivity-labels)

What Sensitivity Labels Do (in one paragraph)

Sensitivity labels in Microsoft Purview classify and protect documents, emails, and even containers (Teams/Groups/Sites). They can apply encryption, headers/footers/watermarks, restrict actions (e.g., forwarding), and integrate with SharePoint/OneDrive, Exchange, DLP, and Conditional Access to enforce your data protection model across apps and devices. [1](https://learn.microsoft.com/en-us/purview/sensitivity-labels)

Prerequisites & Design Decisions

  • Licensing & apps: Ensure users have supported Microsoft 365 subscriptions; sensitivity labeling is built into Office apps and supported across desktop, web, and mobile (Exchange mailboxes must be in Exchange Online). [2](https://learn.microsoft.com/en-us/purview/sensitivity-labels-office-apps)
  • Who can create/manage labels: Use the Microsoft Purview portal to create labels and publish them via label policies to selected users/groups. [3](https://learn.microsoft.com/en-us/purview/create-sensitivity-labels)
  • Default label support: Purview provides default labeling options via label policies, which can pre‑apply a default label to new docs/emails. [4](https://learn.microsoft.com/en-us/purview/default-sensitivity-labels-policies)
  • Content marking behavior: Labels can add headers, footers, and watermarks; header/footer placement can be adjusted (e.g., right‑aligned header for “top‑right” visual marking). [1](https://learn.microsoft.com/en-us/purview/sensitivity-labels)[5](https://m365admin.handsontek.net/header-and-footer-content-mark-changes-for-microsoft-purview-information-protection-in-word/)
  • Auto‑labeling & SITs: You can auto‑label content in Exchange/SPO/OneDrive based on sensitive information types (e.g., Credit Card Number). [6](https://learn.microsoft.com/en-us/purview/apply-sensitivity-label-automatically)[7](https://learn.microsoft.com/en-us/purview/sit-defn-credit-card-number)
  • DLP & labels together: DLP rules can use “Content contains sensitivity label” conditions for Exchange, SharePoint, OneDrive, and devices—ideal to block external sends when an “Internal” label is present on mail or attachments. [8](https://learn.microsoft.com/en-us/purview/dlp-sensitivity-label-as-condition)[9](https://learn.microsoft.com/en-us/purview/dlp-exchange-conditions-and-actions)
  • Require compliant devices: Enforce compliant (Intune‑managed) devices with Microsoft Entra Conditional Access; connect CA to SharePoint via authentication context, or scope per site/label. [10](https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-all-users-device-compliance)[11](https://learn.microsoft.com/en-us/sharepoint/authentication-context-example)
  • Endpoint DLP (optional but recommended): Block copying labeled files to USB, personal cloud, or network shares on endpoints. [12](https://learn.microsoft.com/en-us/purview/dlp-configure-endpoint-settings)[13](https://learn.microsoft.com/en-us/purview/endpoint-dlp-learn-about)

Label Objectives (what each must do)

  • Internal: Default for new docs/emails; block external sending of messages or messages with “Internal” labeled attachments; orange “Internal” marking top‑right. [4](https://learn.microsoft.com/en-us/purview/default-sensitivity-labels-policies)[8](https://learn.microsoft.com/en-us/purview/dlp-sensitivity-label-as-condition)
  • External: Blue “Public” marking top‑right; allowed to send externally. [1](https://learn.microsoft.com/en-us/purview/sensitivity-labels)[5](https://m365admin.handsontek.net/header-and-footer-content-mark-changes-for-microsoft-purview-information-protection-in-word/)
  • Confidential: Red “Confidential” top‑right; only a specific Entra ID group may set/open; enforce via encryption scoped to that group. [14](https://learn.microsoft.com/en-us/purview/encryption-sensitivity-labels)[3](https://learn.microsoft.com/en-us/purview/create-sensitivity-labels)
  • High Confidential: Red “High Confidential” top‑right and bottom‑left; only a specific Entra ID group may set/open; content not available offline; access only from compliant, managed devices; emails must be encrypted. [14](https://learn.microsoft.com/en-us/purview/encryption-sensitivity-labels)[10](https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-all-users-device-compliance)
  • Finance: Gray “Finance” top‑right; only Finance group may set/open; emails must be encrypted; auto‑label when account/credit card info is detected. [14](https://learn.microsoft.com/en-us/purview/encryption-sensitivity-labels)[6](https://learn.microsoft.com/en-us/purview/apply-sensitivity-label-automatically)[7](https://learn.microsoft.com/en-us/purview/sit-defn-credit-card-number)

Note on “top‑right” visual: Office “watermark” renders across the page; to achieve a discrete “top‑right” mark use a Header content marking aligned right (color per requirements). [5](https://m365admin.handsontek.net/header-and-footer-content-mark-changes-for-microsoft-purview-information-protection-in-word/)


Step‑by‑Step Implementation

  1. Create the Entra ID groups

    Create mail‑enabled security groups (or Microsoft 365 groups) for Label‑Confidential‑Users, Label‑HighConfidential‑Users, and Label‑Finance‑Users. You will use these to (a) publish labels only to people who can apply them, and (b) assign encryption permissions to control who can open labeled content. [3](https://learn.microsoft.com/en-us/purview/create-sensitivity-labels)[14](https://learn.microsoft.com/en-us/purview/encryption-sensitivity-labels)

    Tip: If you also plan to govern Teams/SharePoint privacy/external sharing with container labels, enable sensitivity labels for Groups & Sites and sync labels to Entra. [15](https://learn.microsoft.com/en-us/entra/identity/users/groups-assign-sensitivity-labels)
    # Enable sensitivity labels for Groups & Sites (if needed)
    # Ref: Assign sensitivity labels to M365 groups (Entra ID); needs Microsoft.Graph.Beta.Identity.DirectoryManagement
    Connect-MgGraph -Scopes "Directory.ReadWrite.All"
    # Group.Unified directory setting (template 62375ab9-6b52-47ed-826b-58e47e0e304b); if the lookup returns nothing, create the setting from that template first
    $setting = Get-MgBetaDirectorySetting | Where-Object { $_.TemplateId -eq "62375ab9-6b52-47ed-826b-58e47e0e304b" }
    $params = @{ Values = @( @{ Name = "EnableMIPLabels"; Value = "True" } ) }
    Update-MgBetaDirectorySetting -DirectorySettingId $setting.Id -BodyParameter $params
    # Then sync the published labels to Entra ID from Security & Compliance PowerShell
    Connect-IPPSSession
    Execute-AzureAdLabelSync
    

    Follow Microsoft Entra guidance to turn on EnableMIPLabels for Groups & Sites and (if applicable) sync labels. [15](https://learn.microsoft.com/en-us/entra/identity/users/groups-assign-sensitivity-labels)

  2. Create the five sensitivity labels in Microsoft Purview

    In Purview portal → Solutions → Information Protection → Sensitivity labels → + Create a label. Repeat per label; see detailed settings below. [3](https://learn.microsoft.com/en-us/purview/create-sensitivity-labels)

  3. Configure each label

    1) Internal

    • Scope: Items (Files & Emails). No encryption. Add content marking Header, align Right, color Orange, text: Internal. [1](https://learn.microsoft.com/en-us/purview/sensitivity-labels)[5](https://m365admin.handsontek.net/header-and-footer-content-mark-changes-for-microsoft-purview-information-protection-in-word/)
    • Policy goal: Make this the default label for new docs and emails via a label publishing policy. [4](https://learn.microsoft.com/en-us/purview/default-sensitivity-labels-policies)
    • Block external sends (mail or attachments labeled “Internal”):
      1. Preferred: Create a DLP policy for Exchange with the conditions Content contains sensitivity label → Internal AND Recipient is outside organization, and the actions Block and Show policy tip. [8](https://learn.microsoft.com/en-us/purview/dlp-sensitivity-label-as-condition)[9](https://learn.microsoft.com/en-us/purview/dlp-exchange-conditions-and-actions)
      2. Optional fallback: A mail flow (transport) rule can block messages to external recipients—with a custom rejection reason to inform users—though it’s broader and not label‑aware. [16](https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/conditions-and-exceptions)[17](https://www.codetwo.com/admins-blog/how-to-prevent-office-365-users-from-sending-emails-outside-organization/)

    2) External

    • Scope: Items (Files & Emails). No encryption. [1](https://learn.microsoft.com/en-us/purview/sensitivity-labels)
    • Content marking: Header, align Right, color Blue, text: Public. [5](https://m365admin.handsontek.net/header-and-footer-content-mark-changes-for-microsoft-purview-information-protection-in-word/)
    • Sending externally: Allowed (no DLP rule for this label). [1](https://learn.microsoft.com/en-us/purview/sensitivity-labels)

    3) Confidential

    • Scope: Items (Files & Emails). Enable Encryption and Assign permissions now to the Label‑Confidential‑Users group (e.g., Viewer/Editor as needed). [14](https://learn.microsoft.com/en-us/purview/encryption-sensitivity-labels)
    • Content marking: Header, align Right, color Red, text: Confidential. [1](https://learn.microsoft.com/en-us/purview/sensitivity-labels)
    • Who can apply/open: Publish the label only to approved users and use encryption to limit who can open content. [3](https://learn.microsoft.com/en-us/purview/create-sensitivity-labels)[14](https://learn.microsoft.com/en-us/purview/encryption-sensitivity-labels)

    4) High Confidential

    • Scope: Items (Files & Emails). Enable Encryption; assign permissions to Label‑HighConfidential‑Users. In Encryption → Allow offline access, set to Never so content cannot be opened offline. [14](https://learn.microsoft.com/en-us/purview/encryption-sensitivity-labels)
    • Content marking: Add two markings—Header (Right) and Footer (Left)—both text High Confidential, color Red. [5](https://m365admin.handsontek.net/header-and-footer-content-mark-changes-for-microsoft-purview-information-protection-in-word/)
    • Email behavior: Because the label assigns permissions to Label‑HighConfidential‑Users, every email (and attachment) carrying the label is encrypted with that group’s permissions, so nobody outside the group can open it. The “Do Not Forward” option is only offered on labels that let users assign their own permissions, not together with “Assign permissions now”, so this label relies on the group‑scoped encryption for protected send. [14](https://learn.microsoft.com/en-us/purview/encryption-sensitivity-labels)
    • Only on compliant, managed devices:
      1. Create a Conditional Access policy that Requires device to be marked as compliant for SharePoint/OneDrive access. [10](https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-all-users-device-compliance)
      2. Bind CA to high‑risk sites via Authentication context (assign to sites or container labels). [11](https://learn.microsoft.com/en-us/sharepoint/authentication-context-example)
      3. Optional defense‑in‑depth: Use Endpoint DLP to block copying High Confidential files to USB/unapproved cloud on Windows/macOS. [12](https://learn.microsoft.com/en-us/purview/dlp-configure-endpoint-settings)[13](https://learn.microsoft.com/en-us/purview/endpoint-dlp-learn-about)

    5) Finance

    • Scope: Items (Files & Emails). Enable Encryption; assign permissions to Label‑Finance‑Users. [14](https://learn.microsoft.com/en-us/purview/encryption-sensitivity-labels)
    • Content marking: Header, align Right, color Gray, text: Finance. [1](https://learn.microsoft.com/en-us/purview/sensitivity-labels)
    • Email behavior: The group‑scoped encryption also covers email, so a Finance‑labeled message and its attachments are readable only by Label‑Finance‑Users. [14](https://learn.microsoft.com/en-us/purview/encryption-sensitivity-labels)
    • Auto‑label Finance content:
      1. Client‑side (Office apps): configure the label to auto‑apply or recommend when patterns match. [6](https://learn.microsoft.com/en-us/purview/apply-sensitivity-label-automatically)
      2. Service‑side: create an Auto‑labeling policy for Exchange/SPO/OneDrive to detect built‑in SITs like Credit Card Number and apply the Finance label automatically. [6](https://learn.microsoft.com/en-us/purview/apply-sensitivity-label-automatically)[7](https://learn.microsoft.com/en-us/purview/sit-defn-credit-card-number)
  4. Publish the labels (and make “Internal” the default)

    Create a label publishing policy that includes all five labels for the appropriate audiences. In policy settings, set Default label to Internal for documents and emails so new content starts with the right baseline. [3](https://learn.microsoft.com/en-us/purview/create-sensitivity-labels)[4](https://learn.microsoft.com/en-us/purview/default-sensitivity-labels-policies)

    You can also enforce mandatory labeling or require justification to lower classifications if you want stricter governance. [18](https://www.amdhservicesltd.com/sensitivity-labels-default-mandatory-and-recommended-labels)
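As an added example (not the post’s own code and not a Microsoft sample), the following script builds steps 1, 3 and 4 above in one pass: the three groups, the five labels with their markings and encryption, and the publishing policies with Internal as the default. The tenant name contoso.com, the hex colors, the tooltips and the policy names are assumptions; the EncryptionOfflineAccessDays value used for “Never” and the DefaultLabelId advanced setting are also assumptions that should be confirmed with Get-Help New-Label and Get-LabelPolicy in a test tenant before production use.

```powershell
# Added example: steps 1, 3 and 4 as a script (not the post's own code).
# Assumptions: tenant contoso.com, the group names from step 1, our own hex colors.
$tenant = "contoso.com"
# label display name -> group that may apply and open it
$restricted = @{
    "Confidential"      = "Label-Confidential-Users"
    "High Confidential" = "Label-HighConfidential-Users"
    "Finance"           = "Label-Finance-Users"
}

# Step 1 (Exchange Online PowerShell): encryption permissions need a mail-enabled
# group, so create mail-enabled security groups, idempotently.
Connect-ExchangeOnline
foreach ($grp in $restricted.Values) {
    if (-not (Get-DistributionGroup -Identity $grp -ErrorAction SilentlyContinue)) {
        New-DistributionGroup -Name $grp -Alias $grp -Type Security `
            -PrimarySmtpAddress "$grp@$tenant" | Out-Null
    }
}

# Step 3 (Security & Compliance PowerShell). Usage-rights string format is
# "identity:RIGHT,RIGHT;identity:RIGHT"; this set gives the group editor-level rights.
Connect-IPPSSession
$rights = "VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL"
function Rights([string]$grp) { "${grp}@${tenant}:${rights}" }

# Right-aligned header marking shared by all five labels (the "top-right" visual)
function Header([string]$text, [string]$hex) {
    @{  ContentType                        = "File, Email"
        ApplyContentMarkingHeaderEnabled   = $true
        ApplyContentMarkingHeaderText      = $text
        ApplyContentMarkingHeaderFontColor = $hex
        ApplyContentMarkingHeaderAlignment = "Right" }
}

$p = Header "Internal" "#FF8C00"
New-Label -Name "Internal" -DisplayName "Internal" @p `
    -Tooltip "Default label. Internal use only; DLP blocks external recipients."

$p = Header "Public" "#0078D4"
New-Label -Name "External" -DisplayName "External" @p `
    -Tooltip "Cleared for sharing outside the company."

$p = Header "Confidential" "#FF0000"
New-Label -Name "Confidential" -DisplayName "Confidential" @p `
    -Tooltip "Encrypted; only Label-Confidential-Users can open it." `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions (Rights $restricted["Confidential"])

# High Confidential adds the bottom-left footer and disables offline access.
# EncryptionOfflineAccessDays 0 is assumed to be the portal's "Never"; confirm with Get-Help New-Label.
$p = Header "High Confidential" "#FF0000"
$p += @{ ApplyContentMarkingFooterEnabled   = $true
         ApplyContentMarkingFooterText      = "High Confidential"
         ApplyContentMarkingFooterFontColor = "#FF0000"
         ApplyContentMarkingFooterAlignment = "Left" }
New-Label -Name "High Confidential" -DisplayName "High Confidential" @p `
    -Tooltip "Encrypted; online access from compliant devices only." `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions (Rights $restricted["High Confidential"]) `
    -EncryptionOfflineAccessDays 0

$p = Header "Finance" "#808080"
New-Label -Name "Finance" -DisplayName "Finance" @p `
    -Tooltip "Encrypted; only Label-Finance-Users can open it. Auto-applied to card/account data." `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions (Rights $restricted["Finance"])

# Step 4: everyone gets Internal + External with Internal as the default; each
# restricted label is published only to its own group, so only members see it in the
# Sensitivity menu. DefaultLabelId as an advanced setting is an assumption; the portal's
# "Apply this label by default" setting is the documented way, so verify afterwards with
# Get-LabelPolicy -Identity Labels-AllUsers | Format-List Settings, AdvancedSettings.
$internalId = (Get-Label -Identity "Internal").Guid
New-LabelPolicy -Name "Labels-AllUsers" -Labels "Internal", "External" -ExchangeLocation All `
    -AdvancedSettings @{ DefaultLabelId = "$internalId" } `
    -Settings @{ requiredowngradejustification = "true" }
foreach ($label in $restricted.Keys) {
    # a mail-enabled group address is assumed to be accepted here like a mailbox
    New-LabelPolicy -Name "Labels-$($label -replace ' ', '')" -Labels $label `
        -ExchangeLocation "$($restricted[$label])@$tenant"
}
```

Run it once in a test tenant and compare the result of Get-Label and Get-LabelPolicy with what the portal shows; label changes take a while to reach Office clients, so allow time before validating markings and encryption on a client.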
  5. Create DLP policies to enforce “Internal must not go external”

    In Purview → Data loss prevention → Policies, create a policy for Exchange email with a rule:

    • Conditions: Content contains → Sensitivity label = Internal AND Recipient is outside organization. [8](https://learn.microsoft.com/en-us/purview/dlp-sensitivity-label-as-condition)[9](https://learn.microsoft.com/en-us/purview/dlp-exchange-conditions-and-actions)
    • Actions: Block (reject) and Show policy tip with a user‑friendly explanation. [9](https://learn.microsoft.com/en-us/purview/dlp-exchange-conditions-and-actions)[19](https://learn.microsoft.com/en-us/purview/dlp-policy-reference)

    DLP can also detect sensitivity labels on attachments (Office & PDF) to prevent sending labeled docs externally. [8](https://learn.microsoft.com/en-us/purview/dlp-sensitivity-label-as-condition)[20](https://m365admin.handsontek.net/sensitivity-label-as-a-condition-support-for-pdf-on-exchange-online/)
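The DLP policy from step 5 and the service‑side Finance auto‑labeling policy from step 3.5, written as Security & Compliance PowerShell. This is an added example, not the post’s own code; the policy and rule names and the policy‑tip wording are assumptions, and both policies are created in test/simulation mode so they can be reviewed before enforcement.

```powershell
# Added example (not the post's own code): DLP for "Internal must not go external"
# plus the Finance auto-labeling policy. Names and tip text are assumptions.
Connect-IPPSSession

# Condition "Content contains -> sensitivity label = Internal". Documented hashtable
# shape: groups of labels, each label referenced by name with type "Sensitivity". The
# same condition matches the label on the message itself or on an Office/PDF attachment.
$internalLabel = @{
    operator = "And"
    groups   = @(
        @{ name = "InternalLabel"; operator = "Or"
           labels = @( @{ name = "Internal"; type = "Sensitivity" } ) }
    )
}

New-DlpCompliancePolicy -Name "DLP-Internal-NoExternal" -ExchangeLocation All `
    -Comment "Internal-labeled mail and attachments must not leave the organization" `
    -Mode TestWithNotifications

# AccessScope NotInOrganization = "recipient is outside my organization"; BlockAccess
# rejects the message (sender gets an NDR) and NotifyUser Owner shows the policy tip.
New-DlpComplianceRule -Name "Block-Internal-To-External" -Policy "DLP-Internal-NoExternal" `
    -ContentContainsSensitiveInformation $internalLabel `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This email or one of its attachments is labeled Internal and cannot be sent outside the company. Relabel it or remove the attachment." `
    -GenerateIncidentReport SiteAdmin -IncidentReportContent All

# Finance: label anything that carries a high-confidence Credit Card Number match.
# Simulation first: TestWithoutNotifications labels nothing, it only reports matches.
New-AutoSensitivityLabelPolicy -Name "AutoLabel-Finance" -ApplySensitivityLabel "Finance" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithoutNotifications
New-AutoSensitivityLabelRule -Name "Finance-CreditCard" -Policy "AutoLabel-Finance" `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "1"; confidencelevel = "High" } `
    -Workload Exchange, SharePoint, OneDriveForBusiness

# After reviewing the simulation results and DLP test matches in the portal:
# Set-DlpCompliancePolicy -Identity "DLP-Internal-NoExternal" -Mode Enable
# Set-AutoSensitivityLabelPolicy -Identity "AutoLabel-Finance" -Mode Enable
```

Keep the DLP policy in TestWithNotifications for the pilot cohort: users see the tip and learn the rule, but nothing is rejected until you switch the mode to Enable.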

  6. (Optional) Add a transport rule as a safety net

    In Exchange admin center → Mail flow → Rules, add a rule for recipients “outside the organization” → Block the message and include a clear explanation. Use sparingly (it’s not label‑aware but is immediate and effective). [16](https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/conditions-and-exceptions)[17](https://www.codetwo.com/admins-blog/how-to-prevent-office-365-users-from-sending-emails-outside-organization/)

  7. Enable SharePoint/OneDrive processing for labeled content

    Turn on Enable sensitivity labels for files in SharePoint and OneDrive so co‑authoring/search/eDiscovery work with encrypted files and so service‑side auto‑labeling can function correctly. [21](https://learn.microsoft.com/en-us/purview/sensitivity-labels-sharepoint-onedrive-files)

  8. Validate and pilot

    • Test content markings in Office (header/footer placement and styles). [5](https://m365admin.handsontek.net/header-and-footer-content-mark-changes-for-microsoft-purview-information-protection-in-word/)
    • Send test emails externally with “Internal” label (expect block with policy tip/NDR). [8](https://learn.microsoft.com/en-us/purview/dlp-sensitivity-label-as-condition)[9](https://learn.microsoft.com/en-us/purview/dlp-exchange-conditions-and-actions)
    • Open High Confidential docs offline (expect denied). [14](https://learn.microsoft.com/en-us/purview/encryption-sensitivity-labels)
    • Attempt to access High Confidential sites/files from non‑compliant devices (expect CA block). [10](https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-all-users-device-compliance)[11](https://learn.microsoft.com/en-us/sharepoint/authentication-context-example)
    • Validate Finance auto‑label on credit card test numbers (Luhn‑valid). [6](https://learn.microsoft.com/en-us/purview/apply-sensitivity-label-automatically)[7](https://learn.microsoft.com/en-us/purview/sit-defn-credit-card-number)
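The last validation item needs test data that actually trips the Credit Card Number SIT: the number must pass the Luhn check, and the high‑confidence pattern wants a keyword such as “card number” or an expiry date close by. The script below, added here and not part of the original post, generates one Luhn‑valid and one deliberately Luhn‑invalid number (a negative control that must not be labeled) and prints lines to paste into a test document or email. The prefix “4” and the surrounding wording are assumptions; the numbers are random and fictitious.

```powershell
# Added example (not from the post): constructed test data for the Finance auto-label.
# Luhn (mod 10) check: double every second digit from the right, subtract 9 if > 9, sum.
function Test-Luhn {
    param([Parameter(Mandatory)][string]$Number)
    $digits = @(($Number -replace '\D', '').ToCharArray() | ForEach-Object { [int][string]$_ })
    if ($digits.Count -lt 2) { return $false }
    $sum = 0; $double = $false
    for ($i = $digits.Count - 1; $i -ge 0; $i--) {      # walk right to left
        $d = $digits[$i]
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d
        $double = -not $double
    }
    return ($sum % 10) -eq 0
}

function New-LuhnTestNumber {
    # 16-digit number: prefix + random filler + the one check digit that satisfies Luhn
    param([string]$Prefix = "4")                         # "4" only so it looks like a card
    $filler = -join (1..(15 - $Prefix.Length) | ForEach-Object { Get-Random -Maximum 10 })
    $body = $Prefix + $filler
    foreach ($check in 0..9) {
        if (Test-Luhn ($body + $check)) { return $body + $check }
    }
}

function Format-Card([string]$n) { $n -replace '(\d{4})(?=\d)', '$1 ' }   # 4-digit groups

$valid = New-LuhnTestNumber -Prefix "4"
# Negative control: bump the check digit so Luhn fails; the SIT must NOT match this one
$invalid = $valid.Substring(0, 15) + (([int]$valid.Substring(15, 1) + 1) % 10)

$lines = @(
    "Finance auto-label test (constructed data, not real cards)"
    "Card number: $(Format-Card $valid)  Exp: 12/28     <- expect the Finance label"
    "Card number: $(Format-Card $invalid)  Exp: 12/28     <- Luhn-invalid, expect no label"
)
$lines
# Paste the lines into a Word document saved to a SharePoint/OneDrive location covered by
# the auto-labeling policy, and into a test email. Service-side auto-labeling acts on
# Office files and PDFs, not .txt, and matches show up in the policy's simulation report.
```

If the valid line is not picked up, check the rule’s confidence level first: with only a bare 16‑digit number and no keyword or expiry nearby, the SIT reports a lower confidence than a rule set to High will accept.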

Key Configuration Snippets

Encryption (Confidential / High Confidential / Finance)

When editing a label → Control access → Assign permissions now → add the corresponding Entra group; configure the usage rights and set Allow offline access (for High Confidential → Never). Because the label scope includes emails, the same group‑scoped encryption protects labeled messages and attachments; “Do Not Forward” is a separate option that is only available when the label lets users assign permissions themselves. [14](https://learn.microsoft.com/en-us/purview/encryption-sensitivity-labels)

Conditional Access for Compliant Devices

Create a CA policy: Users/Groups = everyone or high‑risk groups, Cloud apps = SharePoint/OneDrive, Grant = Require device to be Compliant. Use SharePoint authentication context to apply this only to high‑risk sites/labels. [10](https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-all-users-device-compliance)[11](https://learn.microsoft.com/en-us/sharepoint/authentication-context-example)
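The compliant‑device requirement described here and in step 3.4 above, scripted end to end: an authentication context, a Conditional Access policy that requires a compliant device whenever that context is requested, and the binding of the context to a High Confidential site. This is an added example, not the post’s own code, and assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users) and the SharePoint Online Management Shell; the tenant name, site URL, context id c1 and the break‑glass account are assumptions.

```powershell
# Added example (not the post's own code): auth context + CA + site binding.
# Assumptions: tenant contoso, site /sites/HighConfidential, context id "c1",
# emergency-access account breakglass@contoso.com (never lock it out of CA).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", `
                        "AuthenticationContext.ReadWrite.All", "User.Read.All"
$breakGlassId = (Get-MgUser -UserId "breakglass@contoso.com").Id

# 1) Authentication context: a named requirement SharePoint can ask Entra to enforce
$ctxId   = "c1"
$ctxName = "High Confidential - compliant device"
New-MgIdentityConditionalAccessAuthenticationContextClassReference -Id $ctxId `
    -DisplayName $ctxName `
    -Description "Only Intune-compliant devices may open High Confidential sites" `
    -IsAvailable:$true | Out-Null

# 2) Conditional Access: whenever that context is requested, require a compliant device.
# Start in report-only, review the sign-in logs, then change state to "enabled".
$policy = @{
    displayName = "CA-HighConfidential-RequireCompliantDevice"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeAuthenticationContextClassReferences = @($ctxId) }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Out-Null

# 3) Bind the context to the High Confidential site. Repeat per site, or attach the same
# context to a container label's "Groups & sites" settings so labeled sites inherit it.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"
$site = "https://contoso.sharepoint.com/sites/HighConfidential"
Set-SPOSite -Identity $site `
    -ConditionalAccessPolicy AuthenticationContext `
    -AuthenticationContextName $ctxName

# Verify the binding; from a non-compliant device the site now returns the CA block page
Get-SPOSite -Identity $site | Select-Object Url, ConditionalAccessPolicy, AuthenticationContextName
```

Scoping the policy to the authentication context rather than to the whole SharePoint Online app is what keeps the rule from blocking ordinary sites for users on unmanaged devices; only sites (or container labels) that carry the context trigger it.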

Endpoint DLP (optional)

Enable Endpoint DLP and configure policies to Block or Block with override for copying labeled files to removable drives, unapproved domains, or network shares—especially for High Confidential. [12](https://learn.microsoft.com/en-us/purview/dlp-configure-endpoint-settings)[13](https://learn.microsoft.com/en-us/purview/endpoint-dlp-learn-about)
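An Endpoint DLP policy for High Confidential files, as referenced here and in step 3.4, written as Security & Compliance PowerShell. This is an added example, not the post’s own code; it assumes the Windows/macOS devices are already onboarded to Purview (Defender for Endpoint sensor), and the policy names, the policy‑tip text and the choice of Warn for printing are assumptions.

```powershell
# Added example (not the post's own code): Endpoint DLP for High Confidential files on
# devices already onboarded to Purview. Names, tip text and the Print=Warn choice are ours.
Connect-IPPSSession

# Same "content contains sensitivity label" condition shape as the Exchange DLP rule
$highLabel = @{
    operator = "And"
    groups   = @( @{ name = "HC"; operator = "Or"
                     labels = @( @{ name = "High Confidential"; type = "Sensitivity" } ) } )
}

New-DlpCompliancePolicy -Name "EDLP-HighConfidential" -EndpointDlpLocation All `
    -Comment "High Confidential files stay on managed devices" -Mode TestWithNotifications

# Each endpoint restriction is Audit, Warn (block with user override) or Block
New-DlpComplianceRule -Name "HC-Block-Exfil" -Policy "EDLP-HighConfidential" `
    -ContentContainsSensitiveInformation $highLabel `
    -EndpointDlpRestrictions @(
        @{ Setting = "RemovableMedia"; Value = "Block" },
        @{ Setting = "NetworkShare";   Value = "Block" },
        @{ Setting = "CloudEgress";    Value = "Block" },
        @{ Setting = "Print";          Value = "Warn" }
    ) `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "High Confidential files cannot be copied to USB, network shares or unmanaged cloud services."

# Allowed destinations (your own tenant's domains, approved USB devices, allowed apps) are
# maintained tenant-wide in the Endpoint DLP settings page or via
# Set-PolicyConfig -EndpointDlpGlobalSettings, not in the rule. Set -Mode Enable after the pilot.
```

Keep the policy in test mode long enough to see which everyday workflows (backups to a share, a finance printer) would be hit; those go into the tenant‑wide allow lists before enforcement, not into exceptions on the rule.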


Reusable Concept & Customer Template

1) Taxonomy & Visuals

  • Internal — Header “Internal” (orange, right). No encryption. Default for new docs/emails. [4](https://learn.microsoft.com/en-us/purview/default-sensitivity-labels-policies)[5](https://m365admin.handsontek.net/header-and-footer-content-mark-changes-for-microsoft-purview-information-protection-in-word/)
  • External — Header “Public” (blue, right). No encryption. External sharing allowed. [1](https://learn.microsoft.com/en-us/purview/sensitivity-labels)
  • Confidential — Header “Confidential” (red, right). Encrypt to Label‑Confidential‑Users. [14](https://learn.microsoft.com/en-us/purview/encryption-sensitivity-labels)
  • High Confidential — Header (red, right) + Footer (red, left) “High Confidential”. Encrypt to Label‑HighConfidential‑Users; offline access Never; CA require compliant device. [14](https://learn.microsoft.com/en-us/purview/encryption-sensitivity-labels)[10](https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-all-users-device-compliance)
  • Finance — Header “Finance” (gray, right). Encrypt to Label‑Finance‑Users. Auto‑label on credit card/account data. [14](https://learn.microsoft.com/en-us/purview/encryption-sensitivity-labels)[6](https://learn.microsoft.com/en-us/purview/apply-sensitivity-label-automatically)[7](https://learn.microsoft.com/en-us/purview/sit-defn-credit-card-number)

2) Enforcement Matrix

  • DLP (Exchange): Block if Internal label on mail/attachment AND recipients external (policy tip → user sees “Cannot send externally”). [8](https://learn.microsoft.com/en-us/purview/dlp-sensitivity-label-as-condition)[9](https://learn.microsoft.com/en-us/purview/dlp-exchange-conditions-and-actions)
  • Auto‑label: Service‑side auto‑label for Finance (Credit Card Number SIT). Pilot in simulation, then enforce. [6](https://learn.microsoft.com/en-us/purview/apply-sensitivity-label-automatically)
  • CA (SharePoint/OneDrive): Require device compliance on High Confidential sites with authentication context. [11](https://learn.microsoft.com/en-us/sharepoint/authentication-context-example)[10](https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-all-users-device-compliance)
  • Endpoint DLP: Block copy to USB/personal cloud for High Confidential. [12](https://learn.microsoft.com/en-us/purview/dlp-configure-endpoint-settings)[13](https://learn.microsoft.com/en-us/purview/endpoint-dlp-learn-about)

3) Publication & Scope

  • Publish all labels tenant‑wide, except Confidential/High Confidential/Finance which can be scoped to relevant user groups (publish & encryption). [3](https://learn.microsoft.com/en-us/purview/create-sensitivity-labels)
  • Set Internal as the default in the publishing policy. Consider mandatory labeling in a later phase. [4](https://learn.microsoft.com/en-us/purview/default-sensitivity-labels-policies)[18](https://www.amdhservicesltd.com/sensitivity-labels-default-mandatory-and-recommended-labels)

4) Rollout & Operations

  • Pilot with Finance and a cross‑functional cohort; tune markings and DLP tips; stage to production. [19](https://learn.microsoft.com/en-us/purview/dlp-policy-reference)
  • Educate users on the Sensitivity button, default labels, and what happens when attempting to send “Internal” externally. [2](https://learn.microsoft.com/en-us/purview/sensitivity-labels-office-apps)
  • Monitor DLP matches and activity explorer; iterate the policies. [19](https://learn.microsoft.com/en-us/purview/dlp-policy-reference)
  • Support known label/Office quirks (e.g., markings behavior in headers/footers) during the first weeks. [22](https://support.microsoft.com/en-us/office/known-issues-with-sensitivity-labels-in-office-b169d687-2bbd-4e21-a440-7da1b2743edc)

FAQ & Field Notes

Q: Why use DLP instead of a mail flow rule for “Internal not external”?
A: DLP is label‑aware (matches when mail or attachments carry a specific sensitivity label), shows policy tips, and is more precise; transport rules are coarse and not label‑aware. [8](https://learn.microsoft.com/en-us/purview/dlp-sensitivity-label-as-condition)[9](https://learn.microsoft.com/en-us/purview/dlp-exchange-conditions-and-actions)[17](https://www.codetwo.com/admins-blog/how-to-prevent-office-365-users-from-sending-emails-outside-organization/)

Q: Can we really block offline access for High Confidential documents?
A: Yes. Set the label’s encryption option Allow offline access to Never: the client then has to obtain a use license online every time the content is opened, and nothing is cached for offline use. [14](https://learn.microsoft.com/en-us/purview/encryption-sensitivity-labels)

Q: How do we ensure “company device only” access?
A: Use Conditional Access Require device to be compliant for SharePoint/OneDrive (optionally via authentication context) and complement with Endpoint DLP to prevent exfiltration from compliant devices. [10](https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-all-users-device-compliance)[11](https://learn.microsoft.com/en-us/sharepoint/authentication-context-example)[12](https://learn.microsoft.com/en-us/purview/dlp-configure-endpoint-settings)

Q: What detects credit card data for the Finance auto‑label?
A: Built‑in Sensitive Information Types such as Credit Card Number (with Luhn check) are supported triggers for auto‑labeling and DLP policies. [7](https://learn.microsoft.com/en-us/purview/sit-defn-credit-card-number)[6](https://learn.microsoft.com/en-us/purview/apply-sensitivity-label-automatically)


Appendix: Quick Reference

Authored for hands‑on administrators. All steps verified against current Microsoft Learn guidance. If you want this packaged as a playbook (Word/PDF) or with ready‑to‑import JSON/PowerShell, let me know and I’ll generate the files.

© 2025 MSB365 - The Microsoft Blog
