Get started with sensitivity labels

Microsoft 365 licensing guidance for security & compliance.

For information about what sensitivity labels are and how they can help you protect your organization's data, see Learn about sensitivity labels.

If you have Azure Information Protection, determine whether you need to migrate labels to the unified labeling platform, and which labeling client to use:

When you're ready to start protecting your organization's data by using sensitivity labels:

  1. Create the labels. Create and name your sensitivity labels according to your organization's classification taxonomy for different sensitivity levels of content. Use common names or terms that make sense to your users. If you don't already have an established taxonomy, consider starting with label names such as Personal, Public, General, Confidential, and Highly Confidential. You can then use sublabels to group similar labels by category. When you create a label, use the tooltip text to help users select the appropriate label.

    For more extensive guidance for defining a classification taxonomy, download the white paper, "Data Classification & Sensitivity Label Taxonomy" from the Service Trust Portal.

  2. Define what each label can do. Configure the protection settings you want associated with each label. For example, you might want lower sensitivity content (such as a "General" label) to have just a header or footer applied, while higher sensitivity content (such as a "Confidential" label) should have a watermark and encryption.

  3. Publish the labels. After your sensitivity labels are configured, publish them by using a label policy. Decide which users and groups should have the labels and what policy settings to use. A single label is reusable—you define it once, and then you can include it in several label policies assigned to different users. So for example, you could pilot your sensitivity labels by assigning a label policy to just a few users. Then when you're ready to roll out the labels across your organization, you can create a new label policy for your labels and this time, specify all users.

The basic flow for deploying and applying sensitivity labels:

Diagram showing workflow for sensitivity labels

Subscription and licensing requirements for sensitivity labels

A number of different subscriptions support sensitivity labels and the licensing requirements for users depend on the features you use.

To see the options for licensing your users to benefit from Microsoft 365 compliance features as of April 1, 2020, see the Microsoft 365 licensing guidance for security & compliance. For sensitivity labels, see the Information Protection section and related PDF or Excel download.

Permissions required to create and manage sensitivity labels

Members of your compliance team who will create sensitivity labels need permissions to the Microsoft 365 compliance center, Microsoft 365 security center, or the Security & Compliance Center.

By default, global administrators for your tenant have access to these admin centers and can give compliance officers and other people access, without giving them all of the permissions of a tenant admin. For this delegated limited admin access, add users to the Compliance Data Administrator, Compliance Administrator, or Security Administrator role group.

Alternatively to using the default roles, you can create a new role group and add either Sensitivity Label Administrator or Organization Configuration roles to this group. For a read-only role, use Sensitivity Label Reader.

For instructions to add users to the default roles or create your own role groups, see Give users access to the Office 365 Security & Compliance Center.

These permissions are required only to create and configure sensitivity labels and their label policies. They are not required to apply the labels in apps or services. If additional permissions are needed for specific configurations that relate to sensitivity labels, those permissions will be listed in their respective documentation instructions.

Deployment strategy for sensitivity labels

A successful strategy to deploy sensitivity labels for an organization is to create a working virtual team that identifies and manages the business and technical requirements, proof of concept testing, internal checkpoints and approvals, and final deployment for the production environment.

Using the table in the next section, we recommend identifying your top one or two scenarios that map to your most impactful business requirements. After these scenarios are deployed, return to the list to identify the next one or two priorities for deployment.

You'll find additional general deployment guidance in the downloadable Microsoft 365 Information Protection & Compliance deployment acceleration guide. For more information, see the blog post, Microsoft Information Protection and Compliance Deployment Acceleration Guide.

Common scenarios for sensitivity labels

All scenarios require you to Create and configure sensitivity labels and their policies.

I want to ... Documentation
Manage sensitivity labels for Office apps so that content is labeled as it's created—includes support for manual labeling on all platforms Use sensitivity labels in Office apps
Enable users to label and protect files from Windows computers using Office apps, File Explorer, and PowerShell Azure Information Protection unified labeling client for Windows
Encrypt documents and emails with sensitivity labels and restrict who can access that content and how it can be used Restrict access to content by using sensitivity labels to apply encryption
Enable sensitivity labels for Office on the web, with support for coauthoring, eDiscovery, data loss prevention, search—even when documents are encrypted Enable sensitivity labels for Office files in SharePoint and OneDrive
Automatically apply sensitivity labels to documents and emails Apply a sensitivity label to content automatically
Use sensitivity labels to protect content in Teams and SharePoint Use sensitivity labels with Microsoft Teams, Microsoft 365 groups, and SharePoint sites)
Discover, label, and protect files stored in data stores that are on premises Deploying the Azure Information Protection scanner to automatically classify and protect files
Discover, label, and protect files stored in data stores that are in the cloud Discover, classify, label, and protect regulated and sensitive data stored in the cloud
Apply and view sensitivity labels in Power BI, and protect data when it is exported Data protection in Power BI
Monitor and understand how sensitivity labels are being used in my organization Know your data - data classification overview

View label usage with label analytics
Extend sensitivity labels to third-party apps and services Microsoft Information Protection SDK

End-user documentation for sensitivity labels

The most effective end-user documentation will be customized guidance and instructions you provide for the label names and configurations you choose. However, you can use the following resources for basic instructions:

If your sensitivity labels apply encryption for PDF documents, these documents can be opened with Microsoft Edge on Windows or Mac. For more information, and alternative readers, see Which PDF readers are supported for protected PDFs?