3.1.1. Information Protection and Sensitivity Labels
💡 First Principle: Sensitivity labels are persistent metadata tags attached to content that travel with the file or email wherever it goes, and they can enforce protection actions (encryption, access restrictions, content marking) automatically based on the label. The label is the control; the policy defines what the label does.
Think of a sensitivity label like a classification stamp on a physical document: "Confidential" stamped in red on a folder. But unlike a physical stamp, a digital sensitivity label can also lock the folder: encrypt it so only specific people can open it, prevent printing or forwarding, and watermark every page. The label travels with the content even if it's downloaded, emailed, or shared externally.
Label hierarchy example:
- Personal
- Public
- General
- Confidential
  - Confidential \ All Employees
  - Confidential \ Specific People
- Highly Confidential
  - Highly Confidential \ All Employees
  - Highly Confidential \ Legal
What a sensitivity label can do:
- Apply encryption (restrict who can open or edit the file)
- Add content marking (headers, footers, watermarks)
- Apply to SharePoint sites and Teams (restrict external sharing, prevent guest access)
- Control meeting protections in Teams (prevent recording, prevent transcription)
- Trigger auto-labeling based on content inspection (if a file contains credit card numbers, auto-apply "Confidential")
Label policies control which labels are available to which users, and whether labeling is mandatory (users must label before saving).
⚠️ Exam Trap: Creating a sensitivity label and creating a label policy are two separate steps. A label that hasn't been published via a label policy won't appear to users. The label exists in Purview; the policy makes it available.
Reflection Question: An organization creates 10 sensitivity labels but users report they don't see any labels in Word or Outlook. What's the most likely cause?
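The label/policy split described in the Exam Trap can be checked directly. The following is an added example, not part of the original guide or Microsoft's own code: it lists labels that no label policy publishes. The function name `Get-UnpublishedLabel`, the sample objects, and the assumption that a policy's `Labels` property references labels by name or GUID are all assumptions made for illustration.

```powershell
# Returns the labels that no label policy publishes (users will not see these).
# $Labels   : objects with Name and Guid (shape assumed from Get-Label output)
# $Policies : objects with Name and Labels (shape assumed from Get-LabelPolicy output)
function Get-UnpublishedLabel {
    param(
        [Parameter(Mandatory)] [object[]] $Labels,
        [AllowEmptyCollection()] [object[]] $Policies = @()
    )
    # Collect every label reference that any policy publishes.
    $published = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($policy in $Policies) {
        foreach ($ref in @($policy.Labels)) {
            if ($ref) { [void]$published.Add([string]$ref) }
        }
    }
    # Assumption: a policy may reference a label by name or by GUID, so accept either.
    foreach ($label in $Labels) {
        $ids = @([string]$label.Name, [string]$label.Guid) | Where-Object { $_ }
        if (-not ($ids | Where-Object { $published.Contains($_) })) {
            $label   # emitted: exists in Purview but is not published
        }
    }
}

# Constructed sample data (not real tenant output).
$labels = @(
    [pscustomobject]@{ DisplayName = 'General'
                       Name = 'General'
                       Guid = '00000000-0000-0000-0000-000000000001' }
    [pscustomobject]@{ DisplayName = 'Confidential'
                       Name = 'Confidential'
                       Guid = '00000000-0000-0000-0000-000000000002' }
    [pscustomobject]@{ DisplayName = 'Highly Confidential \ Legal'
                       Name = 'HighlyConfidential-Legal'
                       Guid = '00000000-0000-0000-0000-000000000003' }
)
$policies = @(
    [pscustomobject]@{ Name   = 'Global label policy'
                       Labels = @('General', '00000000-0000-0000-0000-000000000002') }
)

Get-UnpublishedLabel -Labels $labels -Policies $policies |
    Select-Object DisplayName, Name, Guid

# Against a tenant (after Connect-IPPSSession), pass the live objects instead:
# Get-UnpublishedLabel -Labels (Get-Label) -Policies (Get-LabelPolicy)
```

With an empty `-Policies` list every label is returned, which is the situation in the reflection question: the labels exist, but nothing publishes them.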