Sensitive data? – Label it!

What and Why?

Sensitivity labels is part of Microsoft Purview and can be used to label a email, meeting invite, or document – and when the item is labeld any configured protection settings for that label are enforced on the content.

Protection settings you can add to thes items are

  • Encrypt
  • Mark the content

Encryption that’s applied by sensitivity labels to documents, emails, and meeting invites all use the Azure Rights Management service (Azure RMS) from Azure Information Protection. This protection solution uses encryption, identity, and authorization policies.

When we now see more extent use of home office, remote work the importans of safeguarding your data is key to keep a good data hygien. Lately we have seen Microsoft 365 Copilot surface in demos and we now need to prepare our data before adopting this service as well!

With sensitivity labels we are marking our data with data labeling matching the content and with that labels we also can protect sensitive data for beeing opened by unauthorized users with the encryption setting. but not only that we can also make sure that authorized personell is knowing that the data their are looking at is sensitive or not by marking it with a watermark and ofcourse the label itself is visible on several services and surfaces.

Sensitivity labels can be appled automatically or we can recommend applying them. You can decide how to identify sensitive information and either apply a label automatically.


Microsoft Purview Sensitivity Labels can be setup quite easily and making it available for users are easy with Sensitivity label policies pin-pointing the right label with the right protection setting deploying them by both users and services.

First thing we need to do is to create the labels that we want to show to our users and Microsoft has a great tutorial on how to create Sensitivity labels – have a look on it here on

Second is to deploy the labels to our users. also on this task Microsoft has an awesome tutorial on

Wrap up

So to wrap things up on this one, when you assign a sensitivity label to content, it’s like a stamp that’s applied and is:

  • Customizable. Specific to your organization and business needs, you can create categories for different levels of sensitive content in your organization. For example, Personal, Public, General, Confidential, and Highly Confidential.
  • Clear text. Because a label is stored in clear text in the metadata for files and emails, third-party apps and services can read it and then apply their own protective actions, if required.
  • Persistent. Because the label is stored in metadata for files and emails, the label stays with the content, no matter where it’s saved or stored. The unique label identification becomes the basis for applying and enforcing policies that you configure.

One Comment

Comments are closed.