We’ve come a long way since the “label everything manually” days
Back in June 2024, I wrote about how to automate sensitivity labeling in Microsoft 365, using custom Sensitive Information Types (SITs), a bit of RegEx magic, and a lot of patience.
Fast-forward a year, and Microsoft Purview has levelled up.
We now have smarter auto-labeling, cross-platform protection, and visibility deep into non-Microsoft data sources. Plus, Copilot and AI are no longer running wild — they now respect your sensitivity labels (mostly).
So here’s what’s new, what actually works, and what to watch out for.
What’s new in sensitivity labeling
Auto-apply sensitivity labels (finally works properly)
You can now define rules that automatically apply a label when content matches your chosen criteria — for example, if a file or mail contains a credit-card number or national ID.
No more hoping users remember to label things. Purview does the heavy lifting for you.
(Admin centre → Purview → Information Protection → Auto-labeling policies)

Sensitivity labels in the Microsoft Purview Data Map
The big step forward: you can now label non-Microsoft data assets, such as Azure Storage, SQL, or third-party repositories, straight from the Purview Data Map.
That means your unified data catalogue can actually reflect the same classification structure as your M365 environment.
This is how you get one governance framework instead of seventeen spreadsheets pretending to be one.
Better auditing and failure visibility
New audit events tell you exactly when labeling fails:
- Failed to apply file sensitivity label
- Failed to change file sensitivity label
- Failed to remove file sensitivity label
Perfect for spotting misconfigurations before compliance officers start emailing you screenshots.

AI and Copilot integration
Copilot now respects sensitivity labels. If content is marked Highly Confidential, the AI won’t happily summarise it for the wrong person.
Purview enforces access boundaries for Copilot Chat and Microsoft 365 Chat. Unfortunately, the error message doesn’t specify what prevents it from processing data with a strict label…
In short: your data governance settings now extend into the AI layer, which is exactly where they belong.

Default labels and policy templates
Microsoft has introduced built-in default labels and auto-label policies. These templates give you a solid baseline for rolling out Information Protection, and are handy when you just want to get started fast (and fix later).
Not everyone wants to spend their Friday afternoon arguing about what counts as Confidential vs Internal Only. Microsoft clearly noticed, so they’ve now rolled out default labels and policy templates in Purview.
These are pre-configured, ready-to-go sensitivity labels that give you a baseline to start with, including:
- Public – content safe for external sharing
- General – everyday internal content
- Confidential – limited to internal use
- Highly Confidential – restricted to specific users or groups, typically encrypted
Each of these labels comes with a matching auto-labeling policy template that already includes common conditions, such as:
- detection of credit card or national ID numbers (may cause a lot of false positives; always tweak your own SITs).
- detection of sensitive keywords (e.g. “salary”, “passport”, “medical”).
- optional encryption for Highly Confidential
To get these preconfigured labels and policies, open DSPM (Data Security Posture Management) for AI and, from Recommendations, select Protect your data with sensitivity labels.
After the labels and policies are created, you’ll need to enable sensitivity labels for SharePoint and OneDrive. This one-time, manual step is a prerequisite to use sensitivity labels in Office for the web, and auto-labeling policies for SharePoint and OneDrive.
To do this step, use the banner at the top of the Information Protection > Overview page, and select Turn on now. If you don’t see this banner, sensitivity labels for SharePoint and OneDrive have already been enabled for your tenant.
Most organizations struggle to define their label hierarchy because the initial workshop often devolves into a philosophical debate about color coding and overthinking label names.
These defaults cut through the noise and give you a functional, secure-by-default baseline that you can later customise.

Legacy content coverage
Auto-labeling still applies only to new or changed content by default.
For old files, you’ll need to trigger a rescan or use the Graph API to bulk-apply labels.
(Yes, it’s tedious. No, it hasn’t magically changed, but you can use PowerShell magic…)
A small example
If a Teams chat or Outlook email includes a national ID number, your Highly Confidential label can now apply automatically, complete with encryption, visual markings, and the correct policy tips.
In scanned external sources (via Purview Data Map), the same detection can tag documents without anyone ever opening them.
Consistency finally feels achievable.
Common pitfalls (aka “lessons learned the hard way”)
- Auto-labeling still skips files at rest unless rescanned.
- Visual markings (headers, footers) won’t show up for auto-labeled content unless handled client-side.
- Graph API-based labeling has licensing and cost implications.
- Some old file types or exotic storage systems are still unsupported.
- Always test in simulation or on a dev site, unless you enjoy mass-encrypting sales party pictures.
In short
Microsoft Purview labeling has grown up.
You can now:
- auto-label across Microsoft 365 and beyond
- protect AI-accessible content
- audit and fix failures automatically
But don’t skip the governance basics: define, test, and monitor.
Automation without strategy is just a faster way to make a mess.

