10.3 Sensitivity Labels and Label Policies

Key Takeaways

  • A sensitivity label both CLASSIFIES content (Public, General, Confidential, Highly Confidential) and can PROTECT it with encryption, content marking, and access restrictions.
  • A sensitivity label is persistent and metadata-based: it travels with the file wherever it goes, so protection stays attached even outside Microsoft 365.
  • Labels are made available to users through a label policy, which publishes them to specific users/groups and can set a default, mandatory labeling, or a justification for downgrades.
  • Labels can be applied manually by users, automatically by policy, or recommended; only one sensitivity label applies at a time, chosen by priority order.

Last updated: June 2026

What a Sensitivity Label Does

Sensitivity labels are the heart of Microsoft Purview Information Protection (the capability formerly called Microsoft Information Protection, and before that Azure Information Protection). A sensitivity label does two jobs at once: it classifies content with a sensitivity level, and it can protect that content by applying real enforcement. Most organizations build a small hierarchy of labels such as Public → General → Confidential → Highly Confidential, sometimes with sub-labels (for example Confidential\Finance, Confidential\Legal).

The protection a label can enforce includes:

  • Encryption — the label can apply rights-management encryption that controls who can open the content and what they can do (read, edit, print, forward, copy). Encryption is enforced by usage rights, so even a leaked file stays unreadable to unauthorized people.
  • Content marking — automatic headers, footers, and watermarks (for example a "Confidential" watermark on every page).
  • Protection for containers — labels can also be applied to Teams, Microsoft 365 Groups, and SharePoint sites to control external sharing, guest access, and privacy.
  • Auto-labeling — a label can be applied automatically when a classifier (a sensitive information type, or SIT, or a trainable classifier) matches the content, so users do not have to remember.

The most-tested property is persistence. A sensitivity label is written into the file as metadata that travels with the content. If a labeled and encrypted document is emailed outside the company, copied to a USB drive, or uploaded to a non-Microsoft service, the label and its protection stay attached. This is why labels — not DLP — are the answer when a scenario asks for protection that follows the data everywhere.

| Label capability | What it does | Example exam clue |
|---|---|---|
| Classification | Tags content with a sensitivity level | "Mark documents as Confidential" |
| Encryption | Restricts who can open/edit/print via usage rights | "Only the finance team can open the file" |
| Content marking | Adds header, footer, or watermark | "Add a Confidential watermark" |
| Container labeling | Controls sharing on Teams/Groups/SharePoint | "Block guest access on a site" |
| Persistence | Label and protection travel with the file | "Protection must follow the file outside the org" |
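
To make the persistence point concrete, the following added example (not part of the original guide) reads the label metadata that Office writes into a file as `MSIP_Label_<GUID>_*` custom document properties. It assumes an unencrypted OOXML file that stores the label in `docProps/custom.xml`; the label GUID and the sample package are constructed for the demonstration, and encrypted files, which use a different container, are not handled.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files, prefer defusedxml

NS = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
VT = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
PROP = re.compile(r"^MSIP_Label_([0-9a-fA-F-]{36})_(\w+)$")
CONTENT_BITS = {1: "header", 2: "footer", 4: "watermark", 8: "encryption"}

def read_labels(package_bytes):
    """Return {label_guid: {field: value}} from an unencrypted OOXML package."""
    labels = {}
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as z:
        if "docProps/custom.xml" not in z.namelist():
            return labels  # no custom properties part, so no label stored here
        root = ET.fromstring(z.read("docProps/custom.xml"))
    for prop in root.iter(f"{{{NS}}}property"):
        m = PROP.match(prop.get("name", ""))
        if m and len(prop):  # the value sits in the first child (vt:lpwstr)
            labels.setdefault(m.group(1).lower(), {})[m.group(2)] = prop[0].text or ""
    return labels

def summarize(fields):
    bits = int(fields.get("ContentBits", "0"))
    return {
        "name": fields.get("Name"),
        "enabled": fields.get("Enabled", "").lower() == "true",
        # Method: Privileged = chosen by a user, Standard = default or automatic
        "applied": "manual" if fields.get("Method") == "Privileged" else "default/automatic",
        "protection": [name for bit, name in CONTENT_BITS.items() if bits & bit],
    }

def build_sample():
    """Constructed minimal package: only custom.xml, with a made-up label GUID."""
    guid = "11111111-2222-3333-4444-555555555555"
    vals = {"Enabled": "true", "Name": "Confidential", "Method": "Privileged", "ContentBits": "5"}
    props = "".join(
        f'<property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="{pid}" '
        f'name="MSIP_Label_{guid}_{key}"><vt:lpwstr>{val}</vt:lpwstr></property>'
        for pid, (key, val) in enumerate(vals.items(), start=2))
    xml = f'<Properties xmlns="{NS}" xmlns:vt="{VT}">{props}</Properties>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/custom.xml", xml)
    return buf.getvalue()

if __name__ == "__main__":
    print({g: summarize(f) for g, f in read_labels(build_sample()).items()})
```

Because the properties live inside the file itself, the same check works on a copy recovered from a USB drive or a third-party cloud share, which is what "the label travels with the file" means in practice.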

Label Policies and How Labels Are Applied

Creating a label is only half the work — users cannot see a label until it is published through a sensitivity label policy (also called a label policy). The policy controls who gets which labels and how they behave:

  • Scope — which users and groups the labels are published to (you can give different labels to different departments).
  • Default label — a label automatically pre-selected on new documents and emails.
  • Mandatory labeling — require users to apply a label before they can save a document or send mail ("no label, no save").
  • Justification for downgrade — require a reason when a user lowers a label (Confidential → General) or removes one. These events show up in Activity explorer.
  • A link to the help page that explains the labels to users.

Labels can reach content in three ways: manual (the user picks it from the Sensitivity button in Office, Outlook, or the web), automatic (an auto-labeling policy applies it when classification matches), and recommended (Office prompts the user to apply a suggested label and lets them accept or dismiss it). A crucial rule: only one sensitivity label can be applied to an item at a time, and when multiple auto-labeling conditions match, the label with the higher priority (its order in the list) wins.

Sensitivity vs Retention — the key trap

SC-900 deliberately tests the difference between the two Purview label families because both use the word "label":

| | Sensitivity label | Retention label |
|---|---|---|
| Purpose | Protect data (classify, encrypt, mark) | Govern lifecycle (retain / delete) |
| Question it answers | How sensitive is this and who may use it? | How long must we keep this and then what? |
| Enforcement | Encryption, watermark, access rights | Retain, delete, or mark as a record |
| Travels with file outside M365? | Yes (persistent protection) | No (lifecycle is governed in M365) |
| How many per item | One sensitivity label | One retention label |

Remember the one-line distinction: sensitivity labels protect data; retention labels govern its lifecycle. If a scenario mentions confidentiality, encryption, watermarks, or controlling who can open a file, choose a sensitivity label. If it mentions keeping records for seven years, deleting after a period, or declaring a record, choose a retention label (next two sections). Mixing these up is one of the most common SC-900 mistakes.

A Worked Label Hierarchy and Common Distinctions

A typical organization publishes a short, ordered label set. Order matters because it sets priority — a label lower in the list is more restrictive and wins when auto-labeling conditions overlap:

| Label (low → high) | Classification meaning | Protection it might apply |
|---|---|---|
| Public | Approved for public release | None |
| General | Internal business data, not for outside release | Footer "Internal use only" |
| Confidential | Sensitive business data | Header/watermark + encryption for staff |
| Confidential\Finance (sub-label) | Sensitive, finance-only | Encryption limited to the finance group |
| Highly Confidential | Most sensitive (e.g., legal, M&A) | Strong encryption, no forwarding, watermark |

Sub-labels (like Confidential\Finance) let you offer departmental variants under one parent without cluttering the top-level list.

Several distinctions appear repeatedly on the exam:

  • Label vs label policy. The label defines what protection is applied (encryption, marking). The label policy defines who can use the label and how it behaves (default, mandatory, justification). A question that says "users can't see the labels" is a policy problem; a question about what encryption is applied is a label problem.
  • Manual vs automatic vs recommended. Users can choose a label themselves, the service can apply one automatically when classification matches, or Office can recommend one and let the user accept or dismiss it.
  • Persistent protection. Because the label is metadata embedded in the file and the encryption is enforced by usage rights, the protection works even outside Microsoft 365 — on a USB stick or a competitor's cloud. This is the property DLP does not have; DLP acts at the service boundary, while the label travels with the file.
  • One label at a time. An item has at most one sensitivity label. If you need both protection and lifecycle governance, you pair one sensitivity label with one retention label.

For SC-900 you will not configure encryption keys or rights — you will choose sensitivity labels whenever the requirement is to classify, mark, or protect content, and you will separate that cleanly from DLP (prevent sharing) and retention (govern lifecycle).

Test Your Knowledge

A company wants a label that not only marks documents as Confidential but also encrypts them so only the finance team can open them — and the protection must remain even if the file leaves the organization. Which capability fits?

Test Your Knowledge

An administrator created several sensitivity labels but users cannot see them in Office. What is most likely missing?

Test Your Knowledge

Which statement correctly distinguishes a sensitivity label from a retention label?

Test Your Knowledge

A label policy is configured with mandatory labeling and a justification requirement for downgrades. What does this enforce?