Azure

Microsoft Sensitivity Label Complete Design: 5-Tier Classification, Auto-labeling, Encryption, Container Labels

2026-05-24
NicheeLab Editorial Team

Sensitivity Labels are the core feature of Microsoft Purview Information Protection, providing a mechanism to assign 'classification labels' to documents, emails, sites, and data across the organization. Applying a label automatically triggers encryption, watermarks, headers/footers, content marking, and DLP integration, serving as the foundation of an organization-wide data classification strategy. This article comprehensively covers 5-tier classification design, Auto-labeling, encryption, Container Labels, and operational best practices.

5-Tier Classification Design

The standard pattern recommended by Microsoft (customizable per organization).

LabelPurposeProtectionExample
PersonalPersonal files / private dataOutside organization's protectionPersonal photos / private documents
PublicAlready-public / to-be-published infoNo protection requiredPress releases / public materials
InternalEmployees-only viewingNotify when sent externallyInternal memos / guidelines
ConfidentialConfidentialEncryption / restricted external sharingFinancial / HR data
Highly ConfidentialTop secretMandatory encryption / no print, copy, forwardM&A info / patent applications

Sub Labels (Confidential\Finance, Confidential\HR) for departmental subdivision are also standard.

Auto-labeling

A feature that automatically detects sensitive data and applies labels.

Two Modes

ModeBehaviorUse Case
Client-sideDetects on save in Microsoft 365 apps → user approvesNew documents
Server-side (Auto-labeling Policy)Auto-scans SharePoint / OneDrive / ExchangeExisting data / continuous scanning

Detection Criteria

  • Sensitive Info Type (SIT, 200+ built-in)
  • SIT threshold (apply when X+ matches)
  • Trainable Classifier (machine-learning based)
  • Contextual conditions (sender, recipient, location)

Typical Rules

  • 'Detect 5+ credit card numbers → automatically apply Confidential\Finance label'
  • 'Detect employee SSN → Highly Confidential\HR'

Encryption and Permission Controls

When encryption is configured on a Sensitivity Label, labeled files are encrypted with Microsoft 365 Rights Management, and only authorized users can decrypt them.

Permission Models

MethodBehavior
User Assigned PermissionsSpecify fixed users/groups + permissions at label definition
User Defined PermissionsUsers specify individually when creating files (for external sharing)
Encryption with Custom PermissionsDetailed permission customization (print, copy, forward, edit)

Permission Levels

  • Owner: All permissions
  • Co-Owner: Edit, print, copy
  • Co-Author: Edit, copy (no print)
  • Reviewer: Edit (no copy, no print)
  • Viewer: View only
  • Custom: Individual permissions

Double Key Encryption (DKE)

Double Key Encryption (DKE) is a dual-encryption feature for top-secret data.

  • Dual encryption with Customer-managed Key + Microsoft Key
  • Even Microsoft cannot decrypt
  • Customer operates their own on-premises DKE Server
  • For top-secret data at financial institutions, government agencies, and healthcare
  • An option when you want to minimize trust in the cloud provider

Container Labels

A feature for applying labels at the container level — SharePoint Site, Teams, Microsoft 365 Group.

Container Label Configuration

  • Privacy: Public, Private
  • External User Access: Allow, Block
  • Unmanaged Device Access: Allow, Block, Limited
  • Authentication Context: Requires a specific Conditional Access policy
  • Default Document Label: Label automatically applied to files inside the container

Typical Scenarios

  • SharePoint Site with 'Confidential\HR' label → External User Access Block + Unmanaged Device Block + Default Document Label applied
  • 'Highly Confidential\M&A' Teams → only specific approved devices can access

Combining Container Labels with Document Labels achieves dual protection at both the container and file levels.

Microsoft Purview Information Protection Scanner

MIP Scanner is an agent that automatically applies Sensitivity Labels to documents on on-premises file servers (Windows file servers, NAS).

Setup

  1. Install MIP Scanner Service on Windows Server
  2. Configure target paths and SQL Server (metadata DB)
  3. Run periodic scans
  4. Detection criteria are the same as Auto-labeling Policy (SIT, Trainable Classifier)

Two-Stage Operation

  • Discovery mode: Detect only, no labels applied
  • Enforce mode: Actually apply labels

Often used in cloud migration projects as a Pre-migration analysis tool, and an important feature for organizational data visibility.

Operational Best Practices

  1. 5-tier standard labels + departmental Sub Labels for organizational customization
  2. Set Default Label to Internal (so users get labels applied without thinking)
  3. Auto-detect sensitive data with Auto-labeling Policy
  4. Mandatory Labeling enforcement (no save without a label)
  5. Require Justification input when Downgrading (Confidential → Internal)
  6. Configure label UI colors that are easy to see in Microsoft 365 apps
  7. User education content (Microsoft Viva Learning integration)
  8. Dual protection by combining Container Labels and Document Labels
  9. Send Sensitivity Label events to Microsoft Sentinel
  10. Review label usage statistics quarterly

Related Certifications

Frequently Asked Questions

What is a Sensitivity Label?

Sensitivity Labels are the core feature of Microsoft Purview Information Protection, providing a way to assign 'classification labels' to documents, emails, sites, and data across the organization. Applying a label automatically triggers encryption, watermarks, headers/footers, content marking, and DLP integration. The standard label hierarchy: 1) Personal, 2) Public, 3) Internal (employees only), 4) Confidential (specific groups only), 5) Highly Confidential (encryption + permission-restricted). Labels are applied uniformly across Microsoft 365 apps (Word, Excel, PowerPoint, Outlook, Teams, SharePoint, OneDrive), Power BI, Fabric, and Defender for Cloud Apps, serving as the foundation of an organization-wide data classification strategy.

How do you design the 5-tier label classification?

The standard pattern recommended by Microsoft (customizable per organization). Personal: personal files and private data, outside the organization's protection scope. Public: already-public or to-be-published information (press releases, public materials, websites), no protection needed. Internal: employees-only viewing (internal memos, guidelines, standard documents), Notify when sent externally. Confidential: sensitive information (financial data, HR data, sales strategy), accessible only to specific internal groups, encryption applied, external sharing restricted. Highly Confidential: top secret (M&A information, patent applications, customer PII), only Owner + designated users, mandatory encryption, no print/copy/forward, watermarks, expiration dates. The hierarchy escalates sensitivity in the order Personal → Public → Internal → Confidential → Highly Confidential, and Sub Labels (Confidential\Finance, Confidential\HR) for departmental subdivision are also standard. In production, a combination of industry standards + organizational customization is optimal.

How do you configure Auto-labeling?

Auto-labeling automatically detects sensitive data and applies labels. Two modes: Client-side Auto-labeling: detects in the background when documents are saved in Microsoft 365 apps (Word, Outlook) → suggests labels (applied after user approval). Server-side Auto-labeling (Auto-labeling Policy): automatically scans SharePoint Online, OneDrive, and Exchange Email → detects sensitive data → automatically applies labels (no user action required). Detection criteria: 1) Sensitive Info Types (SIT, e.g., credit card numbers, SSNs), 2) SIT thresholds (apply when X or more matches), 3) Trainable Classifier (organization-specific classification based on machine learning), 4) contextual conditions (sender, recipient, location). Typical rules: 1) 'Detect 5+ credit card numbers → automatically apply Confidential\Finance label', 2) 'Detect employee SSN → Highly Confidential\HR'. Auto-labeling is essential for organization-wide rollout of Sensitivity Labels; relying on manual labeling has clear coverage limitations.

How do encryption and permission controls work?

When encryption is configured on a Sensitivity Label, labeled files are encrypted with Microsoft 365 Rights Management (formerly Azure Rights Management), and only authorized users can decrypt them. User Assigned Permissions: specify fixed users/groups + permission levels (Owner, Co-Owner, Co-Author, Reviewer, Viewer, Custom) at label definition. User Defined Permissions: users specify them individually when creating the file (for external sharing). Encryption with Custom Permissions: detailed permission customization (per-action control over print, copy, forward, edit). Double Key Encryption (DKE): for top-secret data, dual encryption with Customer-managed Key + Microsoft Key — even Microsoft cannot decrypt. Even when encrypted files are sent outside the organization, the recipient cannot open them without Entra ID authentication + an authorized account. This is an essential feature for meeting Data Protection requirements of compliance regimes (GDPR, HIPAA, PCI DSS).

What about Container Labels (SharePoint Site / Teams / Microsoft 365 Group)?

Container Labels apply labels at the container level — SharePoint Site, Teams, Microsoft 365 Group. While Document Labels protect individual files, Container Labels unify security settings for the entire container. Container Label configuration: 1) Privacy (Public, Private), 2) External User Access (Allow, Block), 3) Unmanaged Device Access (Allow, Block, Limited), 4) Authentication Context (requires a specific Conditional Access policy), 5) Default Document Label (label automatically applied to files inside the container). Typical scenarios: 1) SharePoint Site with 'Confidential\HR' label → External User Access Block + Unmanaged Device Block + Default Document Label applied, 2) 'Highly Confidential\M&A' Teams → only specific approved devices can access. Combining Container Labels with Document Labels achieves dual protection at both the container and file levels.

What is the Microsoft Purview Information Protection Scanner?

MIP Scanner is an agent that automatically applies Sensitivity Labels to documents on on-premises file servers (Windows file servers, NAS). Install MIP Scanner Service on Windows Server → configure target paths and SQL Server (metadata DB) → run periodic scans. Detection criteria are the same as Auto-labeling Policy (SIT, Trainable Classifier). Typical use cases: 1) retroactively labeling existing documents on on-prem file servers, 2) data classification before Azure migration, 3) continuous scanning to automatically label new files, 4) generating Discovery reports for compliance audits. Standard two-stage operation: Discovery mode (detect only, no labels applied) and Enforce mode (actually apply labels). It's often used in cloud migration projects as a Pre-migration analysis tool, and is an important feature for organizational data visibility.

What are the operational best practices for labels?

Key practices: 1) 5-tier standard labels + departmental Sub Labels for organizational customization, 2) set Default Label to Internal (so users get labels applied without thinking), 3) automatically detect sensitive data with Auto-labeling Policy, 4) enforce Mandatory Labeling (no save without a label), 5) require Justification when Downgrading (Confidential → Internal), 6) configure label UI colors that are easy to see in Microsoft 365 apps, 7) user education content (Microsoft Viva Learning integration), 8) dual protection by combining Container Labels and Document Labels, 9) send Sensitivity Label events to Microsoft Sentinel, 10) quarterly review of label usage statistics (which labels are unused, where they're being bypassed). Labeling is 'organizational culture change' — success hinges on both wheels: technical configuration + ongoing Change Management.

What are the related certification exams?

SC-400 (Information Protection and Compliance Administrator Associate) is the flagship certification, with Sensitivity Labels heavily tested in Domain 1 (Information Protection, 30-35%). SC-100 (Cybersecurity Architect Expert) covers the Data pillar of zero-trust strategy, MS-102 (Microsoft 365 Administrator Expert) Domain 4 (Purview, 20-25%) covers enterprise-wide deployment, SC-200 (Security Operations Analyst) covers label-based DLP event operations, and AI-103 (GA 2026-06) covers label application to AI-generated data. As the core feature of Microsoft Purview Information Protection, it's an essential skill for data governance professionals.

Related Articles & Deep Dives

MS-102 完全ガイド|Microsoft 365 Administrator Expert 出題範囲・学習リソース・合格戦略【2026 年版】

Microsoft Certified: Microsoft 365 Administrator Expert (MS-102) の完全ガイド。4 ドメインの出題範囲、テナント / Entra ID / Defender XDR / Purview を横断的にカバー、SC-300 / SC-200 との重複と差異、Microsoft 365 Developer Program 活用法、3-4 ヶ月の合格ロードマップ、SC-100 / MD-102 への展開ルートを日本語で網羅。

SC-400 完全ガイド|Microsoft Information Protection and Compliance Administrator Associate 出題範囲・学習リソース・合格戦略【2026 年版】

Microsoft Certified: Information Protection and Compliance Administrator Associate (SC-400) の完全ガイド。4 ドメインの出題範囲、Microsoft Purview の Sensitivity Label / DLP / Insider Risk / Communication Compliance / eDiscovery / Retention の実装、3-4 ヶ月の合格ロードマップ、SC-100 / MS-102 への展開ルートを日本語で網羅。

Microsoft 365 / Modern Workplace エンジニア キャリアロードマップ|MS-900 → MS-102 → アーキテクトへの道【2026 年版】

Microsoft 365 / Modern Workplace エンジニアになるための認定取得ロードマップ完全版。MS-900 → MS-102 (Expert) の王道ルート、MD-102 / SC-300 / SC-400 / MS-700 / PL シリーズとの組み合わせ、Microsoft 365 Developer Program 活用法、8-12 ヶ月の学習プラン、年収レンジまで日本語で網羅。

Microsoft Purview DLP 完全設計|Sensitive Info Types・Endpoint DLP・Adaptive Protection・EDM【2026 年版】

Microsoft Purview Data Loss Prevention (DLP) の完全設計ガイド。DLP Policy 構成 (Locations / Conditions / Actions)、Sensitive Information Types (SIT) 200+ 活用、Endpoint DLP、Adaptive Protection でリスクベース動的制御、Exact Data Match (EDM)、段階導入ベストプラクティス、関連認定試験 (SC-400 / SC-100 / MS-102) を日本語で網羅。

Technical information in this article is based on the Microsoft Purview Sensitivity Labels Documentation. This article is not an official product of Microsoft Corporation and has no affiliation or sponsorship relationship with it. Microsoft, Azure, and Microsoft Purview are trademarks of the Microsoft group of companies. Information is based on official public materials as of May 24, 2026. Always check official pages for the latest information.

Check what you learned with practice questions

Practice with certification-focused question sets

View Azure Exam Prep
Author

NicheeLab Editorial Team

NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.


Related articles
Azure

AZ-900 Azure Fundamentals: Complete Exam Guide (2026)

Pass AZ-900 — cloud concepts, Azure architecture, management...

Azure

Azure Certification Roadmap: Which Cert to Take Next (2026)

Choose your Azure certification path — Fundamentals, Associa...

Azure

AI-901 Azure AI Fundamentals (Beta): Complete Guide (2026)

Pass AI-901 — Microsoft Foundry, generative AI, responsible ...

Azure

Microsoft Entra ID Fundamentals for Azure Certs (2026)

Entra ID basics every cert candidate needs — tenants, identi...

Azure

DP-900 Azure Data Fundamentals: Complete Guide (2026)

Pass DP-900 — relational, non-relational, analytics, Power B...

Browse all Azure articles (104)
© 2026 NicheeLab All rights reserved.