Plan your deployment strategy for sensitivity labels


To successfully deploy sensitivity labels, an organization should create a project team that identifies and manages the:

  • business and technical requirements.
  • proof of concept testing.
  • internal checkpoints and approvals.
  • final deployment for the production environment.

Organizations should use the table in the next section to identify the top one or two scenarios that map to their most impactful business requirements. After an organization deploys these scenarios, it should return to the list to identify the next one or two priorities for deployment.

Common scenarios for sensitivity labels

All scenarios require organizations to create and configure sensitivity labels and their policies.

| I want to ... | Documentation |
| --- | --- |
| Manage sensitivity labels for Office apps. Ensure that content is labeled as it's created and manual labeling is supported on all platforms. | Manage sensitivity labels in Office apps. |
| Extend labeling to File Explorer and PowerShell, with more features for Office apps on Windows (if needed). | Azure Information Protection unified labeling client for Windows. |
| Encrypt documents and emails with sensitivity labels. Restrict who can access that content and how it can be used. | Restrict access to content by using sensitivity labels to apply encryption. |
| Enable sensitivity labels for Office on the web. Also include support for coauthoring, eDiscovery, data loss prevention, and search, even when documents are encrypted. | Enable sensitivity labels for Office files in SharePoint and OneDrive. |
| Use co-authoring and AutoSave in Office desktop apps when documents are encrypted. | Enable co-authoring for files encrypted with sensitivity labels. |
| Automatically apply sensitivity labels to documents and emails. | Apply a sensitivity label to content automatically. |
| Use sensitivity labels to protect content in Teams and SharePoint. | Use sensitivity labels with Microsoft Teams, Microsoft 365 groups, and SharePoint sites. |
| Use sensitivity labels to configure the default sharing link type for sites and individual documents in SharePoint and OneDrive. | Use sensitivity labels to set the default sharing link for sites and documents in SharePoint and OneDrive. |
| Apply a sensitivity label to a document understanding model. By doing so, ensure that identified documents in a SharePoint library are automatically classified and protected. | Apply a sensitivity label to a model in Microsoft SharePoint Syntex. |
| Prevent or warn users about sharing files or emails with a specific sensitivity label. | Use sensitivity labels as conditions in DLP policies. |
| Apply a sensitivity label to a file when you receive an alert that content containing personal data is being shared and needs protection. | Investigate and remediate alerts in Privacy Risk Management. |
| Apply a retention label to retain or delete files or emails that have a specific sensitivity label. | Automatically apply a retention label to retain or delete content. |
| Discover, label, and protect files stored in data stores that are on premises. | Deploying the Azure Information Protection scanner to automatically classify and protect files. |
| Discover, label, and protect files stored in data stores that are in the cloud. | Discover, classify, label, and protect regulated and sensitive data stored in the cloud. |
| Label SQL database columns by using the same sensitivity labels as those labels used for files and emails. By doing so, the organization will have a unified labeling solution that can continue to protect this structured data when it's exported. | Data Discovery & Classification for Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics; SQL Data Discovery and Classification for SQL Server on-premises. |
| Apply and view labels in Power BI, and protect data when it's saved outside the service. | Sensitivity labels in Power BI. |
| Monitor and understand how sensitivity labels are being used in my organization. | Learn about data classification. |
| Extend sensitivity labels to third-party apps and services. | Microsoft Purview Information Protection SDK. |
| Extend sensitivity labels across content in Microsoft Purview Data Map assets. Asset examples include Azure Blob Storage, Azure Files, Azure Data Lake Storage, and multi-cloud data sources. | Labeling in Microsoft Purview Data Map. |

End-user documentation for sensitivity labels

The most effective end-user documentation that an organization can provide is customized guidance and instructions for the label names and configurations it chooses. Organizations can use the label policy setting "Provide users with a link to a custom help page" to specify an internal link for this documentation. Users can then easily access it from the Sensitivity button:

  • For built-in labeling: See the Learn More menu option.
  • For the Azure Information Protection unified labeling client: Go to the Help and Feedback menu option > Tell Me More link in the Microsoft Azure Information Protection dialog box.

To help organizations provide customized documentation, the following page includes downloads they can use to train their users: End User Training for Sensitivity Labels.

You can also use the following resources for basic instructions:

If your sensitivity labels apply encryption for PDF documents, these documents can be opened with Microsoft Edge on Windows or Mac. For more information, and alternative readers, see Which PDF readers are supported for protected PDFs?