
How to create a sensitivity label?

Microsoft Purview Information Protection configuration

The workflow presented below is an example of how to set up Microsoft Purview Information Protection (formerly Microsoft Information Protection) Sensitivity Labels. The configurations listed here are only example configurations and must be set up on a company-specific basis.

tip

You can skip this chapter if you are already familiar with creating Sensitivity labels or your organization has created Label policies.

To create a new Sensitivity label, you must have the required permissions in Microsoft Purview, as described in the Prerequisites.

New Label

New Sensitivity Label

Begin by providing the basic details of your label:

Label Details

  1. Name: An internal name for your label, visible only in Purview.
  2. Display Name: The name of the label that your users will see.
  3. Description for users: This description is what your users will see when choosing the label to be applied.

Define Scope of Label

Next, we want to define the scope of the Sensitivity label. In general, admins can choose between 4 groups: Files and other data assets, Emails, Meetings and Groups & Sites. For our use case, we only want to select Files and Emails.

Label Scope

Protection Settings for Items

The protection settings you configure will be enforced when the label is applied to items in Microsoft 365.

Label Items

Choose only Control Access from the list and select Next.

Access Control

In this section, you define who in your organization has what control over the Sensitivity label.

Label Access

  1. Configure access control settings: Select Configure access control settings to configure them now.
  2. Assign permissions now or let user decide: Select Assign permissions now
  3. User access to content expires: Select Never
  4. Allow offline access: Select Never
  5. Assign permission: Choose who in your organization can use the Sensitivity label and who owns it
  6. Users and groups: For example, you can make the label available to all users in your organization, but make only an admin group the owner
  7. Use Double Key Encryption: Select Use DKE
  8. DKE Endpoint URL: Provide the DKE endpoint URL that you generated on the Access URL page.

note

It is recommended to set Allow offline access to 'Never'.

  • Never: Use for highly sensitive content (e.g., employee or customer data, passwords, source code, financial reports). This ensures maximum security—revoked users can’t reopen the document. Ideal when access must be fully revoked immediately.
  • Always: Use for less sensitive content where it's acceptable for users to retain access for up to 30 days (or your tenant's configured license period) after access is removed.

How it works: When a user opens encrypted content, they receive a use license from Azure Rights Management. This includes their usage rights (certificate), the document's encryption key, and an expiration date (if set, default 30 days). During this time, users can access the content, even offline, without reauthentication. After expiration, they must reconnect to reauthenticate, and any changes to permissions or group membership will take effect.

Further reading: Microsoft Purview - Assign permissions now
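
The label settings from the steps above, expressed in Security & Compliance PowerShell. This is an added example, not part of the original guide; the label name, display name, group address, domain and DKE URL are placeholders, and it assumes the ExchangeOnlineManagement module is installed and your account holds the permissions listed in the Prerequisites.

```powershell
# Added example: scripted equivalent of the portal steps above.
# Every name, address and URL below is a placeholder to replace.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession          # interactive sign-in to Security & Compliance PowerShell

$labelName = 'dke-highly-confidential'                  # internal name (placeholder)
$dkeUrl    = 'https://dke.example.com/<your-key-name>'  # value from the Access URL page (placeholder)

# "Assign permission": an admin group owns the label, everyone in the
# domain can use it. Format is Identity:Right,Right;Identity:Right
$rights = 'label-owners@example.com:OWNER;' +
          'example.com:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT'

$params = @{
    Name                             = $labelName
    DisplayName                      = 'Highly Confidential (DKE)'
    Tooltip                          = 'Content protected with Double Key Encryption.'
    ContentType                      = 'File, Email'   # scope: Files and Emails only
    EncryptionEnabled                = $true           # "Control Access"
    EncryptionProtectionType         = 'Template'      # "Assign permissions now"
    EncryptionContentExpiredOnDateInDaysOrNever = 'Never'
    # Zero days of offline access, i.e. "Never" in the portal.
    # Assumption: confirm the value in the label summary after creation.
    EncryptionOfflineAccessDays      = 0
    EncryptionRightsDefinitions      = $rights
    EncryptionDoubleKeyEncryptionUrl = $dkeUrl
}
New-Label @params

# Read the label back and check that the DKE URL and offline-access
# setting stored in LabelActions match what was intended.
Get-Label -Identity $labelName |
    Format-List Name, DisplayName, ContentType, LabelActions
```

The label still has to be published through a label policy, as described in the following sections, before users can see it.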

Finalize Label

The next 2 sections are highly dependent on your company's policies, so they are skipped here. However, we recommend not enabling Auto-labeling for files and emails and leaving all Group & Sites Protection Settings unchecked. These are the default values of the options.

The last page is a summary of the Sensitivity label. Once you have verified that all details are correct, select Create Label.

Label Done

Afterwards, the page will reload and the new Sensitivity label will be created. Purview will ask you if you would like to publish it now or at a later point. Selecting Publish label will begin publishing it. The process usually takes a few minutes, depending on the size of your company.

Publishing Label

If you choose to publish the label at a later point, you can go to the Sensitivity Labels page, select your newly created label and Publish it. This will begin creating a new policy.

Label Publish

tip

You can publish multiple labels at the same time.

Admin Units

Do not specify admin units. This way the policy will apply to all users and groups. Select Next.

Users and Groups

The labels you selected will be available for the users, distribution groups, mail-enabled security groups, and Microsoft 365 Groups you choose here. By default, this is all Users and Groups.

Policy Users

Policy Settings

Configure settings for the labels included in this policy.

We recommend enabling Users must provide a justification to remove a label or lower its classification.

Policy Settings

The rest of the settings can all be left as default. Again, publishing the policy can take a few minutes, depending on the size of your company.

Begin Using Sensitivity Labels

The user must then log out and restart all of their Microsoft-related applications (Word, Outlook, Excel, etc.) to see the Sensitivity label in the list. In some cases, a full workstation restart is required.

Labels

tip

In the above image, there are 5 additional sensitivity labels. These 5 labels are provided by Microsoft. You can read more about them in this article.

While their creation is not explicitly covered in this document, the process of creation is the same.

info

You are now ready to begin using our Sensitivity labels. For examples, see the Using DKE page.
