Beginner ⏱ 75 min 📋 10 Steps

Deploy Sensitivity Labels with Auto-Labeling

Create and publish sensitivity labels in Microsoft Purview Information Protection, configure encryption and content marking, deploy auto-labeling policies for documents and emails, monitor label usage analytics, and establish a data classification governance framework.

📋 Overview

About This Lab

Microsoft Purview Information Protection is a cloud-based solution that helps organizations discover, classify, and protect sensitive data wherever it lives or travels across Microsoft 365, on-premises, and third-party SaaS applications. Sensitivity labels are metadata tags applied to documents and emails that define the classification level and trigger protection actions such as encryption, content marking, and access restrictions.

Auto-labeling policies use sensitive information types (SITs), trainable classifiers, and exact data match (EDM) to automatically detect and classify content without relying on end-user action. This lab walks you through a complete, enterprise-grade deployment: from designing your label taxonomy through creating labels, configuring encryption, publishing to users, deploying auto-labeling, and establishing ongoing governance.

🏢 Enterprise Use Case

Woodgrove Bank, a financial services company with 3,000 employees, must classify and protect customer PII, financial records, and internal strategy documents across Microsoft 365 to comply with GDPR, CCPA, and SOX regulations. The compliance team has identified over 15,000 documents containing unclassified sensitive data across SharePoint Online, OneDrive, and Exchange.

Regulatory auditors require evidence that all sensitive data is labeled, encrypted when appropriate, and access-controlled within 90 days. The organization needs both manual labeling (user-driven) and automatic labeling (policy-driven) to achieve full coverage without disrupting productivity. Success criteria: 100% label coverage for new content, 95%+ auto-labeling accuracy, encryption on Highly Confidential data, and quarterly compliance reporting.

🎯 What You Will Learn

  1. Navigate to Information Protection in the Microsoft Purview compliance portal
  2. Design a hierarchical label taxonomy aligned to enterprise data classification policies
  3. Create sensitivity labels with parent-child relationships and appropriate scopes
  4. Configure encryption settings with rights management templates and user permissions
  5. Configure content marking including headers, footers, and watermarks
  6. Publish labels to users via label policies with default labels and mandatory labeling
  7. Configure auto-labeling policies using sensitive information types and simulation mode
  8. Test label application across Office apps, SharePoint, and Exchange
  9. Establish user training and change management for label adoption
  10. Monitor label usage with analytics dashboards and audit log queries

🔑 Why This Matters

According to the IBM Cost of a Data Breach Report, the average cost of a data breach reached $4.45 million in 2023, with breaches involving unclassified or improperly protected data costing 28% more. GDPR fines have exceeded €4 billion since enforcement began, with many penalties stemming from inadequate data classification and protection controls.

Insider threats account for 25% of data breaches, and sensitivity labels with encryption prevent unauthorized access even when files are exfiltrated or shared improperly. Organizations with mature data classification programs reduce incident response time by 33% because responders can immediately assess the sensitivity of compromised data. Automated labeling eliminates the human inconsistency factor: studies show manual-only labeling programs achieve less than 60% coverage, while auto-labeling pushes coverage above 95%.

⚙️ Prerequisites

  • Licensing: Microsoft 365 E5, E5 Compliance, or E5 Information Protection & Governance add-on (required for auto-labeling and analytics)
  • Admin Roles: Global Administrator or Compliance Administrator role in the Microsoft 365 admin center
  • Portal Access: Access to the Microsoft Purview compliance portal at compliance.microsoft.com
  • Unified Labeling: Azure Information Protection unified labeling must be activated in your tenant (default for new tenants since 2019)
  • Test Mailboxes: At least two test user mailboxes with Exchange Online licenses for testing email auto-labeling
  • SharePoint Sites: A test SharePoint Online site collection with document libraries for testing document auto-labeling
  • Sample Data: Test documents containing sample PII data (credit card numbers, Social Security numbers, passport numbers) for auto-labeling validation
  • PowerShell: Exchange Online Management module and Security & Compliance PowerShell (Install-Module ExchangeOnlineManagement) for scripted configuration
  • Office Apps: Microsoft 365 Apps for Enterprise (Word, Excel, PowerPoint, Outlook) version 2211 or later for built-in labeling support
  • Network: Outbound HTTPS (443) connectivity to Microsoft 365 service endpoints from client workstations

⚠️ Important: Auto-labeling policies require an E5-level license. If you only have E3, you can still create and publish labels for manual application, but automatic classification will not be available. Verify your licensing before starting Step 7.

Step 1 · Navigate to Information Protection

The first step is to access the Information Protection blade in the Microsoft Purview compliance portal. This is the central management hub where you create labels, define policies, monitor analytics, and configure auto-labeling. You will also verify that unified labeling is active and review any existing labels in your tenant.

Portal Instructions

  1. Open your browser and navigate to compliance.microsoft.com
  2. Sign in with an account that holds the Compliance Administrator or Global Administrator role
  3. In the left navigation pane, expand Information protection
  4. Click Labels to view the current label inventory
  5. Review any existing default labels (Public, General, Confidential, Highly Confidential) that Microsoft may have pre-created
  6. Click Label policies to check if any policies are already publishing labels to users
  7. Navigate to Auto-labeling to verify that the feature is available in your tenant (requires E5)
  8. Note the Data classification section in the left nav; you will use this later for analytics

PowerShell Alternative

Connect to Security & Compliance PowerShell and verify that Information Protection labels are accessible:

# Connect to Security & Compliance PowerShell
# WHY: Establishes a remote session to the Microsoft Purview compliance centre
# using modern authentication (supports MFA). Required before running any
# sensitivity label, DLP, or compliance cmdlets.
Connect-IPPSSession -UserPrincipalName admin@contoso.com

# Verify Information Protection is available
# WHAT: Lists all sensitivity labels defined in the tenant
# OUTPUT: DisplayName (user-facing name), Guid (unique identifier used in policies),
#         Priority (lower number = lower sensitivity; higher = more restrictive)
# EXPECT: If no labels appear, unified labeling may not be activated in your tenant
Get-Label | Format-Table DisplayName, Guid, Priority

💡 Pro Tip: If Get-Label returns no results, your tenant may still be using the legacy Azure Information Protection classic client. Navigate to Settings > Integrated apps in the Microsoft 365 admin center and verify that unified labeling is activated. Migration from classic labels to unified labels is a one-time, irreversible operation.

Step 2 · Design Your Label Taxonomy

Before creating labels in the portal, you need a well-designed taxonomy that aligns with your organization's data classification policy. A good taxonomy is simple enough for users to understand but granular enough to apply appropriate protections. This step focuses on planning; there is no technical configuration yet.

Recommended Taxonomy Structure

Design a four-tier hierarchy with sub-labels for the two highest sensitivity levels:

  • Public: Information intentionally made available to external audiences (press releases, marketing materials)
  • General: Internal business data that does not require protection (meeting notes, internal announcements)
  • Confidential: Business-sensitive data that could cause harm if shared externally
    • Confidential \ All Employees: Accessible to all internal staff
    • Confidential \ Finance: Restricted to finance department
    • Confidential \ HR: Restricted to human resources
    • Confidential \ Legal: Restricted to legal department
  • Highly Confidential: Data whose unauthorized disclosure could cause severe financial, legal, or reputational damage
    • Highly Confidential \ Executive: Board and C-suite strategy documents
    • Highly Confidential \ Project: Code-named strategic projects
    • Highly Confidential \ Regulated: PII, PHI, PCI data subject to regulatory requirements

Label Scope Decisions

For each label, decide which Microsoft 365 workloads it applies to. Scope options include:

  • Items (Files & Emails): Applies to Office documents, PDFs, and Outlook messages (the most common scope)
  • Groups & Sites: Controls privacy settings, external sharing, and guest access for Teams, SharePoint sites, and Microsoft 365 Groups
  • Schematized data assets: Extends classification to Azure Purview Data Map for databases, data lakes, and other structured data sources
  • Meetings: Applies labels to Teams meetings to control recording, transcription, and who can present

Design Principles

  1. Keep the top-level hierarchy to 4–5 labels maximum; users should be able to choose in under 5 seconds
  2. Use sub-labels only when different protection actions are needed (e.g., different encryption recipients)
  3. Align label names with your existing data classification policy to avoid user confusion
  4. Define clear tooltip text for each label so users understand when to apply it
  5. Document the taxonomy in a data classification guide and share it with stakeholders before implementation
  6. Establish a label naming convention that supports sorting by priority (e.g., prefix with numbers internally)
  7. Consider regulatory requirements: some industries (healthcare, finance) require specific classification levels mandated by law

💡 Pro Tip: Start with fewer labels and expand over time. Organizations that launch with more than 10 top-level labels typically see lower adoption rates because users are overwhelmed by choice. You can always add sub-labels later as business requirements evolve.

Step 3 · Create Sensitivity Labels

Now that your taxonomy is designed, create the labels in the Microsoft Purview compliance portal. Each label needs a display name, tooltip, description, scope, and priority order. You will create parent labels first, then add sub-labels underneath them.

Portal Instructions

  1. Navigate to Information protection > Labels and click + Create a label
  2. Enter the Name: Confidential
  3. Enter the Display name: Confidential
  4. Set the Description for users (tooltip): Business data that could cause harm if shared externally. Apply to internal business-sensitive documents.
  5. Set the Description for admins: Parent label for business-sensitive content. Sub-labels define specific audience restrictions.
  6. Under Scope, select: Items (Files, Emails) and Groups & sites
  7. Click Next through the protection settings; do not configure encryption or content marking on the parent label (these are set on sub-labels)
  8. Set the Priority order: Public (0), General (1), Confidential (2), Highly Confidential (3)
  9. Click Create label to save
  10. Repeat for each parent label: Public, General, Highly Confidential
  11. To create a sub-label, select the parent label, click the ... menu, and choose Create sub-label
  12. Create sub-labels: Confidential \ All Employees, Confidential \ Finance, Confidential \ HR, Confidential \ Legal

PowerShell Alternative

Use PowerShell to create labels programmatically, which is especially useful for bulk creation or infrastructure-as-code deployments:

# Create a Confidential label
# WHAT: Creates a top-level parent sensitivity label in the tenant
# WHY: Parent labels organise the taxonomy; protection actions are
#      configured on sub-labels, not the parent itself
# -Tooltip: Text shown to users when hovering over the label in Office apps
# -Comment: Admin-only description visible in the compliance portal
New-Label -DisplayName "Confidential" -Name "Confidential" -Tooltip "Business data that could cause harm if shared externally" -Comment "Apply to internal business-sensitive documents"

# Create a sub-label for Confidential \ All Employees
# WHAT: Creates a child label nested under the Confidential parent
# -ParentId: Links this sub-label to its parent using the parent's GUID
# WHY: Sub-labels carry the actual protection settings (encryption,
#      content marking) while the parent provides the hierarchy
# OUTPUT: A new label appears under Confidential in the portal and Office apps
New-Label -DisplayName "All Employees" -Name "Confidential-AllEmployees" -ParentId (Get-Label -Identity "Confidential").Guid -Tooltip "Confidential data accessible to all employees"

⚠️ Important: Label names must be unique across your entire tenant and cannot contain special characters. Once a label is created, its internal Name cannot be changed (the DisplayName can be updated). Plan your naming convention carefully before creating labels in production.

Step 4 · Configure Encryption Settings

Encryption is the most powerful protection action a label can apply. When a labeled document is encrypted, the protection travels with the file regardless of where it is stored, copied, or forwarded. Only authorized users can open encrypted content, even if it leaves your organization's boundaries.

Portal Instructions

  1. Navigate to Information protection > Labels
  2. Select the Confidential \ All Employees sub-label and click Edit label
  3. On the Encryption page, select Configure encryption settings
  4. Choose Assign permissions now (admin-defined permissions)
  5. Set User access to content expires to Never
  6. Set Allow offline access to Always
  7. Click Assign permissions > Add all users and groups in your organization
  8. Set the permission level to Co-Author (allows editing, saving, but not removing encryption)
  9. Optionally, add specific external domains with Viewer permissions for controlled sharing
  10. Click Save and proceed to the next configuration page

PowerShell Alternative

# Configure encryption on a label
# WHAT: Enables Azure Rights Management encryption on the Confidential\All Employees label
# WHY: Encryption travels with the file - even if exfiltrated, only authorised
#      users can open it. This is the strongest protection a label can apply.
# -EncryptionProtectionType "Template": Uses admin-defined permissions (not user-chosen)
# -EncryptionRightsDefinitions: Grants specific rights to the contoso.com domain:
#   VIEW = open/read, DOCEDIT/EDIT = modify content, PRINT = print,
#   EXTRACT = copy text, OBJMODEL = programmatic access (macros)
# OUTPUT: All future documents labeled Confidential\All Employees will be encrypted
Set-Label -Identity "Confidential-AllEmployees" `
  -EncryptionEnabled $true `
  -EncryptionProtectionType "Template" `
  -EncryptionRightsDefinitions "domain:contoso.com:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,OBJMODEL"

Understanding Permission Levels

  • Viewer: Read-only access; users can open and view but cannot edit, copy, or print
  • Reviewer: View and edit, but cannot copy content or change permissions
  • Co-Author: Full editing rights including save, but cannot remove encryption
  • Co-Owner: Full control including the ability to remove encryption and change permissions

Encryption Behavior by Application

  • Office Desktop Apps: Encryption is applied at save time and enforced on every open. Users see a yellow “Restricted Access” bar at the top of the document
  • Office for the Web: Encrypted documents open in read-only mode in the browser unless the user has edit permissions. Co-authoring is supported for encrypted files
  • Outlook: Encrypted emails display a lock icon. Recipients outside the authorized list see a message explaining they cannot open the content
  • SharePoint / OneDrive: Encrypted files can be previewed in the browser if the user has appropriate rights. Search indexing works on encrypted content in SharePoint
  • Mobile Apps: Office mobile apps support encrypted files. Users authenticate via Azure AD to verify permissions before opening

💡 Pro Tip: Start with content marking only and add encryption after users are comfortable with the labeling workflow. Deploying encryption too early often creates support tickets when users cannot open files. Consider a phased approach: Week 1–4 (content marking only), Week 5–8 (encryption on Highly Confidential only), Week 9+ (encryption on Confidential sub-labels).

Step 5 · Configure Content Marking

Content marking adds visual indicators to labeled documents: headers, footers, and watermarks. These markings serve as a constant reminder of the document's classification and help prevent accidental sharing. Unlike encryption, content marking is visible: it acts as a deterrent and provides context to anyone viewing the document.

Portal Instructions

  1. Edit the Confidential \ All Employees sub-label
  2. Navigate to the Content marking page
  3. Enable Add a header:
    • Text: CONFIDENTIAL. Contoso Internal
    • Font size: 10
    • Font color: #b35a5a (red)
    • Alignment: Center
  4. Enable Add a footer:
    • Text: This document is classified as Confidential
    • Font size: 8
    • Font color: #808080 (gray)
    • Alignment: Center
  5. Enable Add a watermark:
    • Text: CONFIDENTIAL
    • Font size: 48
    • Font color: #b35a5a (red)
    • Layout: Diagonal
  6. Click Save to apply the content marking configuration

PowerShell Alternative

# Add header, footer, and watermark to the label
# WHAT: Configures visual content marking on the Confidential\All Employees label
# WHY: Visual indicators remind users of the document's classification and deter
#      accidental sharing. Markings are applied by Office apps at label-apply time.
# HEADER: Red centered text at the top of every page - immediately visible
# FOOTER: Gray centered text at the bottom - provides classification context
# WATERMARK: Diagonal text overlay - only applies to Word documents
# NOTE: Existing documents won't update until the user re-opens and saves them
Set-Label -Identity "Confidential-AllEmployees" `
  -ApplyContentMarkingHeaderEnabled $true `
  -ApplyContentMarkingHeaderText "CONFIDENTIAL. Contoso Internal" `
  -ApplyContentMarkingHeaderFontSize 10 `
  -ApplyContentMarkingHeaderFontColor "#b35a5a" `
  -ApplyContentMarkingHeaderAlignment "Center" `
  -ApplyContentMarkingFooterEnabled $true `
  -ApplyContentMarkingFooterText "This document is classified as Confidential" `
  -ApplyWaterMarkingEnabled $true `
  -ApplyWaterMarkingText "CONFIDENTIAL"

💡 Pro Tip: Watermarks are only applied to Word documents and do not appear in Excel or PowerPoint. Headers and footers work across all Office apps. For best visibility, use a contrasting color for the header text and keep watermark text short (one or two words). Consider using DRAFT watermarks for documents under review, then removing watermarks when finalized.

⚠️ Important: Content marking is applied by Office apps at the time the label is applied. If you change the marking configuration later, existing documents will not be updated until the user opens and saves them again (or the label is re-applied).

Step 6 · Publish Labels to Users

Labels are not visible to users until they are published via a label policy. A label policy defines which labels users see, which users and groups the labels apply to, and what default behaviors are enforced (default labels, mandatory labeling, justification for downgrading). You can create multiple policies for different groups of users.

Portal Instructions

  1. Navigate to Information protection > Label policies
  2. Click Publish labels
  3. Select the labels to publish: Public, General, Confidential (and all sub-labels), Highly Confidential (and all sub-labels)
  4. Under Users and groups, select All users and groups (or target a pilot group first)
  5. Configure policy settings:
    • Set a Default label for documents: General
    • Set a Default label for emails: General
    • Enable Require users to apply a label to their email and documents
    • Enable Require users to provide justification when removing or downgrading a label
  6. Under Apply to, select: Exchange, SharePoint sites, OneDrive accounts, Microsoft 365 Groups
  7. Name the policy: Global Label Policy
  8. Click Submit to create and publish the policy

PowerShell Alternative

# Create a label policy to publish labels to all users
# WHAT: Publishes the selected sensitivity labels so they appear in Office apps
# WHY: Labels are invisible to users until published via a policy - this is the
#      step that makes labeling available across the organisation
# -Labels: List of label names to include (parent + sub-labels)
# -ExchangeLocation/SharePointLocation/OneDriveLocation "All": Publish to all M365 workloads
# -Settings:
#   DefaultLabelId: Auto-applies "General" to new documents/emails (reduces unlabeled content)
#   MandatoryLabelEnabled: Users MUST select a label before saving/sending
#   JustificationEnabled: Users must explain why when downgrading a label
# OUTPUT: Labels appear in the Sensitivity button in Office apps within 4-24 hours
New-LabelPolicy -Name "Global Label Policy" `
  -Labels "Public","General","Confidential","Confidential-AllEmployees","Highly Confidential" `
  -ExchangeLocation "All" `
  -SharePointLocation "All" `
  -OneDriveLocation "All" `
  -Settings @{
    "DefaultLabelId" = (Get-Label -Identity "General").Guid;
    "MandatoryLabelEnabled" = "true";
    "JustificationEnabled" = "true"
  }

⚠️ Important: Label policies can take up to 24 hours to propagate to all users and applications. In practice, most users see labels within 4–6 hours. Do not assume the policy has failed if labels are not immediately visible; wait at least 24 hours before troubleshooting.

💡 Pro Tip: For initial rollouts, consider publishing to a pilot group (e.g., the compliance team and IT department) first. Monitor their experience for 1–2 weeks, address any issues, and then expand to the full organization. This phased approach reduces support burden and allows you to refine tooltips and default labels based on real user feedback.

Step 7 · Configure Auto-Labeling Policies

Auto-labeling policies automatically detect and classify content based on sensitive information types (SITs), trainable classifiers, or exact data match (EDM). Unlike manual labeling which depends on user action, auto-labeling ensures consistent classification at scale. Always deploy in simulation mode first to validate accuracy before turning on automatic application.

Portal Instructions

  1. Navigate to Information protection > Auto-labeling
  2. Click + Create auto-labeling policy
  3. Select the sensitive information types to detect:
    • Credit Card Number: minimum count 1, confidence 85%
    • U.S. Social Security Number (SSN): minimum count 1, confidence 85%
    • U.S. Bank Account Number: minimum count 1, confidence 75%
  4. Select the label to apply: Confidential \ All Employees
  5. Set locations: SharePoint sites (All), OneDrive accounts (All), Exchange email (All)
  6. Name the policy: Auto-Label PII Financial
  7. Set the mode to Run policy in simulation mode
  8. Click Create policy
  9. Wait 24–48 hours for the simulation to scan existing content
  10. Review simulation results: check matched items, false positives, and confidence scores
  11. If accuracy is satisfactory (95%+), edit the policy and change the mode to Turn on policy

PowerShell Alternative

# Create an auto-labeling policy for credit card numbers
# WHAT: Deploys a service-side auto-labeling policy that scans content across
#       SharePoint, OneDrive, and Exchange for sensitive information types
# WHY: Ensures consistent classification without relying on user action;
#      auto-labeling typically achieves 95%+ coverage vs 60% for manual-only
# -Mode "TestWithNotifications": Runs in SIMULATION mode first - shows what
#   would be labeled without actually applying labels. Always start here.
# -ApplySensitivityLabel: The label to apply when a match is found
New-AutoSensitivityLabelPolicy -Name "Auto-Label PII Financial" `
  -SharePointLocation "All" `
  -ExchangeLocation "All" `
  -OneDriveLocation "All" `
  -ApplySensitivityLabel (Get-Label -Identity "Confidential-AllEmployees").ImmutableId `
  -Mode "TestWithNotifications"

# Add a rule for credit card detection
# WHAT: Defines the sensitive information type (SIT) that triggers the auto-label
# -MinCount 1: Even a single credit card number triggers the policy
# -MinConfidence 85: High confidence threshold reduces false positives
#   (85% means the pattern strongly matches a real credit card, not just any 16 digits)
# OUTPUT: After 24-48 hours, check simulation results to review matched items
New-AutoSensitivityLabelRule -Policy "Auto-Label PII Financial" `
  -Name "Credit Card Detection" `
  -ContentContainsSensitiveInformation @{
    Name = "Credit Card Number";
    MinCount = 1;
    MinConfidence = 85
  }

💡 Pro Tip: Always run auto-labeling in simulation mode for at least one full business cycle (typically 2–4 weeks) before enabling automatic application. This lets you assess false positive rates across different departments and content types. Aim for at least 95% accuracy before turning on the policy; false positives erode user trust in the labeling system.

⚠️ Important: Auto-labeling policies for Exchange scan new emails only; they do not retroactively scan existing mailbox items. For SharePoint and OneDrive, the policy scans both new and existing files. Plan your rollout accordingly and consider using Content Explorer to identify existing unclassified content.

Step 8 · Test Label Application

Before rolling out to the full organization, thoroughly test label application across all workloads: manual labeling in Office desktop apps, default label application for new documents, auto-labeling on SharePoint and OneDrive files, and email labeling in Outlook. Verify that encryption, content marking, and access restrictions work as expected.

Portal Instructions: Manual Testing

  1. Open Microsoft Word and create a new document
  2. Verify that the Sensitivity button appears in the ribbon (Home tab)
  3. Click Sensitivity and verify all published labels are visible
  4. Verify that the default label (General) is automatically applied to new documents
  5. Apply the Confidential \ All Employees label and verify:
    • Header appears: CONFIDENTIAL. Contoso Internal
    • Footer appears: This document is classified as Confidential
    • Watermark appears: CONFIDENTIAL
  6. Try to downgrade the label to General and verify that the justification prompt appears
  7. Save the document to a SharePoint library and verify the label persists
  8. Open the document from SharePoint in the browser and verify content markings display

Auto-Labeling Validation

  1. Create a test document containing sample credit card numbers (use test numbers: 4111-1111-1111-1111)
  2. Upload the document to the SharePoint site included in the auto-labeling policy scope
  3. Wait for the auto-labeling policy to process (can take 1–24 hours in simulation mode)
  4. Check the auto-labeling simulation results in Information protection > Auto-labeling
  5. Verify the test document appears in the matched items list with the correct label recommendation
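
A pre-flight check for the test documents used in the validation steps above, as an added example that is not part of the original lab. It assumes the Credit Card Number SIT only matches Luhn-valid numbers and that an 85% confidence rule also needs supporting evidence (such as a keyword) near the number; the keyword list, the 300-character window, and the sample texts are illustrative and constructed, not Microsoft's full definition.

```powershell
# Added example (not from the lab): predict whether a test document is likely
# to trigger the credit card rule before uploading it to the pilot site.
# ASSUMPTIONS: the SIT requires a Luhn-valid number; an 85% confidence rule
# also needs supporting evidence nearby. $Keywords and $Window are illustrative.

function Test-Luhn {
    param([Parameter(Mandatory)][string]$Number)
    $digits = $Number -replace '[^0-9]', ''
    if ($digits.Length -lt 13 -or $digits.Length -gt 19) { return $false }
    $sum = 0
    $double = $false
    # Walk right to left, doubling every second digit
    for ($i = $digits.Length - 1; $i -ge 0; $i--) {
        $d = [int]::Parse($digits.Substring($i, 1))
        if ($double) {
            $d *= 2
            if ($d -gt 9) { $d -= 9 }
        }
        $sum += $d
        $double = -not $double
    }
    return (($sum % 10) -eq 0)
}

function Get-CardMatchPreview {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Text,
        [string[]]$Keywords = @('credit card', 'card number', 'visa', 'mastercard', 'expiration', 'cvv'),
        [int]$Window = 300
    )
    # 16 digits, optionally separated by single spaces or dashes
    $pattern = '(?<!\d)(?:\d[ -]?){15}\d(?!\d)'
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        # Look for supporting keywords within $Window characters of the number
        $start   = [Math]::Max(0, $m.Index - $Window)
        $end     = [Math]::Min($Text.Length, $m.Index + $m.Length + $Window)
        $context = $Text.Substring($start, $end - $start).ToLowerInvariant()
        $hits    = @($Keywords | Where-Object { $context.Contains($_) })
        $luhnOk  = Test-Luhn -Number $m.Value

        if (-not $luhnOk) {
            $verdict = 'Checksum fails: no match expected'
        }
        elseif ($hits.Count -eq 0) {
            $verdict = 'Number only: may fall below an 85% rule'
        }
        else {
            $verdict = 'Number plus evidence: should satisfy an 85% rule'
        }

        [pscustomobject]@{
            Document  = $Name
            Candidate = $m.Value
            LuhnValid = $luhnOk
            Keywords  = $hits -join ', '
            Verdict   = $verdict
        }
    }
}

# Constructed sample documents (text only); 4111-1111-1111-1111 is the test
# number named in the lab, the other contents are made up for this example.
$samples = [ordered]@{
    'with-keyword.txt'  = 'Customer payment record. Visa credit card number: 4111-1111-1111-1111, expiration 12/2030.'
    'number-only.txt'   = 'Reference 4111 1111 1111 1111 attached.'
    'random-digits.txt' = 'Card number 1234 5678 9012 3456 on file.'
}

$results = foreach ($doc in $samples.GetEnumerator()) {
    Get-CardMatchPreview -Name $doc.Key -Text $doc.Value
}
$results | Format-Table -AutoSize -Wrap
```

Documents flagged as number-only or checksum-failing are the ones most likely to be missing from the simulation's matched items list, which is a test-data problem rather than a policy fault.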

PowerShell Verification

# Check label status on a specific document
# WHAT: Reads the sensitivity label metadata from a file on a network share
# OUTPUT: Shows the applied label name, label ID, and whether it was applied
#         manually or automatically. Useful for spot-checking test documents.
Get-FileSensitivityLabelInfo -Path "\\server\share\TestDocument.docx"

# View auto-labeling simulation results
# WHAT: Retrieves the current mode and processing status of the auto-label policy
# OUTPUT: Mode (TestWithNotifications = simulation, Enable = enforcing),
#         Status (InProgress, Completed, or Failed)
# EXPECT: Wait 24-48 hours after creation before checking simulation results
Get-AutoSensitivityLabelPolicy -Identity "Auto-Label PII Financial" | Format-List Mode, Status

💡 Pro Tip: Create a dedicated test SharePoint site with sample documents covering all your sensitive information types. Use this site as a regression testing environment whenever you modify auto-labeling policies or add new SIT definitions. Document your test cases and expected results for repeatability.

Step 9 · Train Users and Manage Change

Technical deployment is only half the battle; user adoption determines the success of your labeling program. Create clear training materials, communicate the “why” behind labeling, and establish support channels for questions. Frame sensitivity labeling as data stewardship, not bureaucratic overhead.

Training Content to Develop

  1. Create a data classification quick reference card (one page) with label names, descriptions, and examples of data that belongs in each category
  2. Develop a short video walkthrough (3–5 minutes) showing how to apply labels in Word, Excel, PowerPoint, and Outlook
  3. Write an FAQ document covering common questions: “What if I’m not sure which label to use?”, “Can I change a label after applying it?”, “What happens if I email a Confidential document externally?”
  4. Create department-specific guidance for teams that handle regulated data (Finance, HR, Legal) with examples relevant to their workflows
  5. Establish a support channel (Teams channel or ticketing queue) where users can ask labeling questions

Communication Plan

  • Week -2: Send an executive-sponsored announcement explaining the data classification initiative and its importance
  • Week -1: Distribute the quick reference card and FAQ to all employees
  • Week 0 (Go-Live): Send a “labels are now active” email with links to the training video and support channel
  • Week +1: Send a follow-up with tips and address common questions from the first week
  • Week +4: Share adoption metrics (e.g., “85% of new documents are now classified”) and recognize top-performing departments

💡 Pro Tip: Identify “data classification champions” in each department: employees who can provide peer support and answer labeling questions locally. Champions reduce the load on the compliance team and improve adoption rates because users are more likely to ask a colleague than submit a support ticket.

Step 10 · Monitor with Label Analytics

Once labels are deployed, continuous monitoring is essential to measure adoption, detect compliance gaps, and tune auto-labeling accuracy. Microsoft Purview provides several analytics tools: the Data Classification dashboard, Activity Explorer, Content Explorer, and the unified audit log.

Portal Instructions: Data Classification Dashboard

  1. Navigate to Data classification > Overview in the compliance portal
  2. Review the Top sensitivity labels applied to content chart, which shows label distribution
  3. Check the Top sensitive information types found across your content
  4. Click Content explorer to browse labeled content by label, SIT, or location
  5. Click Activity explorer to review labeling activity:
    • Filter by Activity type: Label applied, Label changed, Label removed
    • Filter by User to identify employees who are not labeling content
    • Filter by Label to see which labels are most and least used
  6. Review Auto-labeling policy results: matched items, applied items, and simulation accuracy

Governance Metrics to Track

  • Label coverage rate: Percentage of documents and emails with a label applied (target: 95%+)
  • Auto-labeling accuracy: Ratio of true positives to total auto-labeled items (target: 95%+)
  • Label downgrade rate: Frequency of label downgrades with justification (investigate spikes)
  • Unlabeled content volume: Number of documents without any label (should decrease over time)
  • User adoption by department: Label usage broken down by organizational unit

PowerShell: Export Label Activity

# Export label activity for reporting
# WHAT: Searches the unified audit log for all sensitivity label events in the last 30 days
# WHY: Generates data for compliance dashboards and quarterly governance reviews
# -RecordType "MIPLabel": Filters to Microsoft Information Protection label events only
# -ResultSize 5000: Maximum records per call (use paging for larger datasets)
# OUTPUT: CSV file with columns: CreationDate, UserIds (who applied/changed the label),
#         Operations (LabelApplied, LabelChanged, LabelRemoved), AuditData (full JSON details)
# USE: Import into Power BI or Excel to visualise label adoption trends over time
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
  -RecordType "MIPLabel" -ResultSize 5000 | 
  Select-Object CreationDate, UserIds, Operations, AuditData |
  Export-Csv -Path "LabelActivity.csv" -NoTypeInformation

Additional Audit Log Queries

# Find candidate label downgrades in the last 7 days
# WHAT: Returns events where a user changed an item from one label to another
# WHY: Label downgrades may indicate policy circumvention or misunderstanding;
#      frequent downgrades should trigger additional user training
# -Operations "SensitivityLabelUpdated": Catches label changes (not initial applications)
# WHERE-OBJECT filter: Only includes events where an old label existed. This also matches
#      upgrades, so compare old and new label priority to confirm a true downgrade
# OUTPUT: Date, user, and full audit details for each label change
# CONCERN: Investigate spikes - a single user downgrading many labels may be exfiltrating data
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
  -Operations "SensitivityLabelUpdated" -ResultSize 1000 |
  Where-Object { $null -ne ($_.AuditData | ConvertFrom-Json).SensitivityLabelEventData.OldSensitivityLabelId } |
  Select-Object CreationDate, UserIds, AuditData

# Identify users with no label activity in the last 90 days
# WHAT: Compares all mailbox users against label audit data to find non-adopters
# WHY: Users who never label content represent a compliance gap - target them
#      for additional training or investigate whether they handle any sensitive data
# Step 1: Get all users who HAVE applied labels in the last 90 days
# NOTE: -ResultSize 5000 caps this result; with more events, page through the log
#       or active users will be missed and wrongly listed as non-adopters
$labelUsers = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) `
  -EndDate (Get-Date) -RecordType "MIPLabel" -ResultSize 5000 |
  Select-Object -ExpandProperty UserIds -Unique

# Step 2: Get ALL mailbox users in the organisation
$allUsers = Get-Mailbox -ResultSize Unlimited | Select-Object -ExpandProperty UserPrincipalName

# Step 3: Find the difference - users with no label activity at all
$noLabelUsers = $allUsers | Where-Object { $_ -notin $labelUsers }

# Step 4: Export the non-adopter list for follow-up training
# Each UPN is wrapped in an object so Export-Csv writes the address, not the string's Length
# OUTPUT: CSV of users who may need labeling training or workflow integration
$noLabelUsers | Select-Object @{ Name = 'UserPrincipalName'; Expression = { $_ } } |
  Export-Csv -Path "UsersWithoutLabels.csv" -NoTypeInformation
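
A label-change query filtered only on the presence of an old label returns upgrades as well as downgrades; telling them apart requires ranking the old and new labels by priority. The following added example (not part of the original lab) does that ranking and counts downgrades per user over constructed audit records. The `SensitivityLabelId` field name for the new label, the GUIDs, the user names and the threshold of 3 are assumptions.

```powershell
# Added example: rank old vs. new label priority to isolate true downgrades.
# All GUIDs, users and records below are constructed sample data.
$pub, $gen, $conf, $hc = 1..4 | ForEach-Object { '00000000-0000-0000-0000-{0:d12}' -f $_ }

# Higher number = more sensitive. In a tenant, build this map from Get-Label
# (Guid and Priority properties) instead of typing it in.
$priority = @{ $pub = 0; $gen = 1; $conf = 2; $hc = 3 }

function New-SampleRecord($User, $Old, $New) {
    # Mimics the UserIds and AuditData properties of a Search-UnifiedAuditLog result
    $data = @{ SensitivityLabelEventData = @{ OldSensitivityLabelId = $Old; SensitivityLabelId = $New } }
    [pscustomobject]@{ UserIds = $User; AuditData = ($data | ConvertTo-Json -Depth 3) }
}
$records = @(
    New-SampleRecord 'alice@woodgrove.example' $hc   $gen    # downgrade
    New-SampleRecord 'alice@woodgrove.example' $hc   $pub    # downgrade
    New-SampleRecord 'alice@woodgrove.example' $conf $gen    # downgrade
    New-SampleRecord 'bob@woodgrove.example'   $conf $gen    # downgrade
    New-SampleRecord 'carol@woodgrove.example' $gen  $conf   # upgrade, ignored
    New-SampleRecord 'dave@woodgrove.example'  $null $gen    # first label, ignored
)

function Get-LabelDowngradeSummary {
    param([object[]]$Records, [hashtable]$Priority, [int]$Threshold = 3)
    $users = foreach ($r in $Records) {
        $e = ($r.AuditData | ConvertFrom-Json).SensitivityLabelEventData
        $old = $e.OldSensitivityLabelId; $new = $e.SensitivityLabelId
        if (-not $old -or -not $new) { continue }   # first-time label or removal
        # IDs missing from the map (for example a deleted label) cannot be ranked
        if (-not ($Priority.ContainsKey($old) -and $Priority.ContainsKey($new))) { continue }
        if ($Priority[$new] -lt $Priority[$old]) { $r.UserIds }
    }
    # One row per user; Flagged marks users at or above the assumed threshold
    $users | Group-Object |
        Select-Object @{ n = 'User'; e = { $_.Name } },
                      @{ n = 'Downgrades'; e = { $_.Count } },
                      @{ n = 'Flagged'; e = { $_.Count -ge $Threshold } } |
        Sort-Object Downgrades -Descending
}

Get-LabelDowngradeSummary -Records $records -Priority $priority | Format-Table -AutoSize
```

Against live data, pass the output of the `Search-UnifiedAuditLog` label-change query in place of `$records`.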

Quarterly Governance Review Process

  1. Review label usage analytics and identify underperforming departments or locations
  2. Audit auto-labeling policy accuracy and tune SIT confidence thresholds based on false positive data
  3. Evaluate the need for new labels or sub-labels based on changing business requirements
  4. Review and retire unused or redundant labels (archive, do not delete, to preserve audit history)
  5. Update training materials and communicate any taxonomy changes to all employees
  6. Generate a compliance report for regulatory auditors showing label coverage, encryption adoption, and DLP policy alignment
  7. Benchmark your organization’s labeling maturity against Microsoft’s Information Protection maturity model
  8. Review label justification logs to identify patterns that may indicate labels are misunderstood or misapplied
💡 Pro Tip: Create a Power BI dashboard connected to the unified audit log data to visualize label adoption trends over time. Share this dashboard with leadership to demonstrate ROI and justify continued investment in data classification. Executive visibility drives organizational commitment to the labeling program.

Summary

What You Accomplished

  • Connected to the Microsoft Purview compliance portal and verified Information Protection availability
  • Designed a four-tier hierarchical label taxonomy aligned to enterprise data classification policies
  • Created sensitivity labels with parent-child relationships, appropriate scopes, and clear tooltips
  • Configured encryption settings with rights management to protect Confidential content
  • Added content marking (headers, footers, watermarks) for visual classification indicators
  • Published labels to all users via a global label policy with default labels and mandatory labeling
  • Deployed auto-labeling policies in simulation mode for PII and financial data detection
  • Tested label application across Office apps, SharePoint, OneDrive, and Exchange
  • Developed user training materials and a phased communication plan for organizational rollout
  • Established ongoing monitoring with analytics dashboards and quarterly governance reviews

Cost Considerations

  • Manual labeling: Included in Microsoft 365 E3, E5, Business Premium, and standalone Azure Information Protection P1
  • Auto-labeling: Requires Microsoft 365 E5, E5 Compliance, or E5 Information Protection & Governance add-on
  • Data classification analytics: Content Explorer and Activity Explorer require E5-level licensing
  • Azure Information Protection P2: Required for client-side auto-labeling (recommended conditions in Office apps)
  • No additional infrastructure costs: Purview Information Protection is fully cloud-delivered
  • Consider data ingestion costs if forwarding label activity logs to Microsoft Sentinel for SIEM integration

Cleanup (Lab Environment Only)

If you are working in a lab or test tenant and need to remove the labels and policies created in this lab:

# LAB CLEANUP ONLY - Do NOT run in production environments
# WHAT: Removes all labels and policies created during this lab
# ORDER MATTERS: Delete in reverse dependency order to avoid orphaned references

# Step 1: Remove auto-labeling policies first (they reference labels)
Remove-AutoSensitivityLabelPolicy -Identity "Auto-Label PII Financial" -Confirm:$false

# Step 2: Remove label policies (unpublishes labels from users' Office apps)
Remove-LabelPolicy -Identity "Global Label Policy" -Confirm:$false

# Step 3: Remove sub-labels BEFORE parent labels (children must go first)
Remove-Label -Identity "Confidential-AllEmployees" -Confirm:$false
Remove-Label -Identity "Confidential-Finance" -Confirm:$false
Remove-Label -Identity "Confidential-HR" -Confirm:$false
Remove-Label -Identity "Confidential-Legal" -Confirm:$false

# Step 4: Remove parent labels last
# WARNING: Encrypted content using deleted labels may become permanently inaccessible
Remove-Label -Identity "Confidential" -Confirm:$false
Remove-Label -Identity "Highly Confidential" -Confirm:$false
Remove-Label -Identity "General" -Confirm:$false
Remove-Label -Identity "Public" -Confirm:$false
โš ๏ธ Important: Removing labels from production is not recommended. Deleted labels cannot be recovered, and any content encrypted with a deleted label may become permanently inaccessible. In production, disable or archive labels instead of deleting them.

Next Steps

📚 Documentation Resources

  • Learn about sensitivity labels: Overview of sensitivity label capabilities
  • Create and configure sensitivity labels: Step-by-step label creation guide
  • Sensitivity labels in Office apps: End-user experience in Word, Excel, PowerPoint, Outlook
  • Apply a sensitivity label automatically: Auto-labeling policy configuration
  • Restrict access with encryption: Configure encryption and rights management with labels
  • Enable sensitivity labels for files in SharePoint and OneDrive: Enable label support for collaboration