By Åsne Holtklimpen
So you’ve sorted out access (Entra ID, roles, goodies) and you’re ready to take the next step: labeling your data so Copilot (and your brain) knows what’s sensitive, what’s shareable, and what’s “definitely locked down.” In this post, I’ll walk you through how to set up sensitivity labels today — plus tell you what’s new, what to watch out for, and how to keep the lawyers and security team (mostly) happy.
Heads-up: this is geared for folks who already have some clue what data you’re dealing with. If you’re still asking “what are we even storing?”, pause and figure that first.
Roles, licenses & admin prep (because yes, Microsoft still loves prerequisites)
Before you can mess with labels, you need the right permissions (duh). Here’s what I recommend as of mid-2025:
| Role / License | Use / Why | Pro tip |
|---|---|---|
| Compliance Administrator (or equivalent) | Enough to create, edit, publish sensitivity labels | Use PIM (Privileged Identity Management) to activate just-in-time. Don’t live in permanent admin land. |
| Global Administrator | Only if absolutely necessary | If someone says “just make me global for labels,” hand them coffee and say no. |
| License | E5 / A5 / E5 Compliance / or license that includes Information Protection + auto-labeling | Double-check new licensing docs — auto-labeling, Data Map stuff, meeting labels may require higher SKUs. |
Once you have roles and licenses sorted, you’re ready to dive in.
Step 1. Create your sensitivity labels (the foundation)
Here’s how to lay the groundwork in the modern Microsoft Purview Information Protection world (not the old AIP stuff). The UI, naming, and behavior may look a bit different than what you saw in 2024.
- Go to the Compliance / Purview portal → Information Protection → Sensitivity Labels.
(Sometimes the path is “Solutions > Information Protection > Sensitivity labels” depending on your tenant’s navigation.) - At this point you may see a “Classic label scheme” or “Modern label scheme” tab — confirm which scheme your tenant is using (or migrate).
- If you’re on classic, many newer features (meeting labels, Data Map labeling) might be locked or in preview.
- If you’re on modern (recommended), you’ll see the newer labeling UI, templated labels, and more flexibility.
- Create or edit your labels (e.g. Personal / Public / General / Confidential / Highly Confidential, or names that suit your org).
- Set the scope: files & emails, groups & sites, meetings (if available).
- Under labels settings / items, decide what actions to take (encrypt, restrict access, mark content).
- Content markings (headers, footers, watermarks) — be cautious. These look nice, but overdo them and your files get ugly. Also note: if a label is auto-applied (via policy), content markings might not be applied in all cases (especially server-side).
- In groups & sites scope, you can use labels to control sharing policies / external access boundaries.
Tip: Don’t overload every label with every setting. Start simple. E.g. only Highly Confidential gets encryption + restricted access + watermark; lower levels stay lightweight.
Step 2. Publish, test, refine (don’t go full “label crusade” on day one)
Even after creating labels, they’re invisible to users until you publish them via a label policy. Here’s how:
- In the Sensitivity Labels UI, click Publish labels (or “create label policy”).
- Pick which labels to include in this policy.
- Choose target audiences (users, security groups, departments).
- Configuration options to consider carefully:
- “User must provide justification to remove or lower classification” — good for visibility and accountability.
- “Require users to apply a label to their emails and documents” — use carefully. If you’re too harsh out of the gate, people will rebel (or turn off auto-save).
- Default label: some tenants allow you to enforce a default label (e.g. “General”) — don’t do this lightly. Users should see the choices. If everything gets auto-labeled to “Confidential” by default, they’ll stop caring.
- Name your policy well. Give it a real description. Don’t let your test pilot be called “TestPolicy0943.”
- Pilot! Pick a small group (IT, security team, “cool early adopters”) and let them test for weeks. Gather feedback. Tweak.
Once you’re confident, roll out to broader audiences. Monitor adoption, user complaints, and labeling gaps (more on that soon).
So, when this is all done and you really want the magic to happen – have a look at these next steps!
Step 3. Auto-labeling/automatic classification (so you don’t rely on user discipline)
Labels are great, but users forget or get distracted. That’s where auto-labelling comes in. In 2025, this is much improved — but with caveats.
What’s possible now
- Client-side auto-labeling (in Office apps): labels get suggested / applied when users author or edit content.
- Service-side / policy-based auto-labeling: the backend (Exchange, SharePoint, etc.) can scan and label items based on defined rules.
- Trainable classifiers / sensitive info types: you can use built-in sensitive info types (credit cards, PII, etc.) or train your own classifiers.
- Data Map / external data labeling (preview): in some tenants, labels can apply to data outside the typical M365 surface (Azure data lakes, databases) via Purview Data Map. This is still in preview and has limitations (supported sources, performance, cost).
How to configure auto-labeling
- In the Sensitivity Labels area, find the Auto-labeling (files & emails) section (or “Auto-apply decision rules”).
- Create a new rule. Choose conditions (e.g., “if document contains > 5 credit card numbers / social security numbers / company secrets”)
- Decide the scope (which sites, libraries, Exchange mailboxes).
- Choose which label to apply (or suggest).
- Configure what happens if a document is already labeled (e.g. don’t override stronger labels).
- Save and monitor results.
Key considerations:
- There can be delay/sync latency between the rule evaluation and actual label application.
- Auto-label policies typically apply only to new or changed items. They don’t always retroactively label your entire archive without re-scanning/reindexing.
- Some settings (like watermarks/headers) may not be applied when the label is auto-applied via service-side policy.
- Auto-labeling at scale may incur extra cost (especially in large orgs), check your license documentation.
Step 4. Labeling for Meetings, Teams, Loop, etc. (new frontiers)
Labeling is no longer just for files and emails. Microsoft is pushing labeling into collaboration spaces:
- Meetings / Calendar items: in modern tenants, you may see Meeting scope in your label configuration. Use it to control how meeting topics, chat logs, and meeting transcripts are treated.
- Loop / component labeling in Teams messages: roadmap items suggest labels will follow pieces of collaborative content (in preview) — meaning your scribbles in Loop might someday carry sensitivity tags.
- External files / data surfaces via Data Map (preview): if supported in your tenant, you can define labels on data sources (like Azure storage, databases). Use it where appropriate, but beware limitations.
If your tenant doesn’t show these yet, keep an eye on the “What’s new in Purview/Microsoft 365 Info Protection” pages for rollout announcements.
Step 5. Audit, monitor & tweak (you’re not done after publishing)
Labels are not “set and forget.” You need visibility and feedback loops.
- Enable audit logging for sensitivity label events (label applied, changed, removed, failed, etc.).
- Use reports / dashboards in Purview / Compliance to see adoption rates, overrides, labeling gaps.
- Watch for conflicts or overrides (e.g. a stricter policy somewhere else).
- Collect user feedback / trouble tickets — labeling mistakes > labeling too strict.
- Periodically revisit your label taxonomy: maybe you need a “Moderately Confidential” or rethink “Highly Confidential.”
- Before major data or process changes (e.g. merging document libraries, new app), validate how labels will behave.
Why your (non-technical) leaders should care
- Governance & risk: Without labels, Copilot might ingest / surface sensitive data you didn’t want shared. Labels help define guardrails.
- User trust: If users see that documents are handled respectfully (e.g. encryption, restricted sharing), they’ll have more confidence in AI tools.
- Audit & compliance: Many regulatory regimes require that you classify, protect, and log handling of data. Labels are your weapon.
- Scalability: You can’t manually police every document. Automating, guiding, and enforcing with labels lets Copilot scale responsibly.
Quick start checklist (in your pocket)
| Step | Action |
|---|---|
| 1 | Ensure you have the right admin roles + license |
| 2 | Confirm whether you’re on Modern label scheme |
| 3 | Create a few base labels (Public / Confidential / Highly Confidential) with sensible settings |
| 4 | Publish them to a pilot group; include justification / remove settings |
| 5 | Configure one auto-labeling rule (e.g. detect credit card / PII) |
| 6 | Observe results for a few weeks, adjust thresholds / scope |
| 7 | Expand labeling to Teams / meeting / external data surfaces if available |
| 8 | Keep auditing & refining — labels evolve, so should your policies |
Final thoughts (and a tiny rant)
Labels are not magical pixie dust. You’ll get pushback (users who say “why must I label every doc?”), weird edge cases, and some mislabeled files. But once the system’s humming, Copilot becomes exponentially safer, smarter, and less likely to leak your secrets into someone else’s breakfast cereal.
This isn’t “set once and done”, it’s “build, pilot, learn, repeat.”
Author
Discover more from Agder in the cloud
Subscribe to get the latest posts sent to your email.
Per-Torben Sørensen