When you collaborate in Copilot Pages, you create live, editable documents that team members can view and edit. Without proper controls, a page containing sensitive financial forecasts or legal drafts can be shared with the entire organization or external guests. Microsoft Purview sensitivity labels let you enforce access restrictions directly on the page, blocking unauthorized sharing and preventing data leaks. This article explains how to configure and apply sensitivity labels to Copilot Pages so that only approved users can read or edit the content.
Key Takeaways: Restricting Copilot Pages Sharing with Sensitivity Labels
- Microsoft Purview compliance portal > Information protection > Label policies: Create and publish sensitivity labels that restrict sharing to specific users or groups.
- Copilot Pages > Sensitivity label picker: Apply a label to a page from the top-right menu to enforce sharing restrictions immediately.
- Label policy settings > Protection settings > Access control: Configure the label to block external sharing or limit editing to label members only.
How Sensitivity Labels Control Sharing in Copilot Pages
Sensitivity labels in Microsoft Purview classify and protect content at the file or page level. When you apply a label to a Copilot Page, the label attaches metadata that tells Microsoft 365 how to handle the page. For sharing restrictions, the label can enforce encryption, set permissions, and block actions such as forwarding, printing, or copying. The label also prevents the page from being shared with people outside your organization unless you explicitly allow it.
The protection works through Azure Rights Management, part of Azure Information Protection. When a user tries to share a labeled page, SharePoint or OneDrive for Business checks the label’s permissions. If the label says “Do not share externally,” the share dialog blocks external email addresses. If the label says “Only these users can edit,” the page becomes read-only for anyone not on the allowed list.
You need two prerequisites before you can use labels on Copilot Pages. First, your organization must have Microsoft Purview Information Protection licenses, which are included in Microsoft 365 E5, E5 Compliance, or as an add-on. Second, you must publish a label policy that makes the label available to users in your tenant. Without a published policy, the label will not appear in the Copilot Pages sensitivity picker.
Steps to Create and Publish a Sensitivity Label for Copilot Pages
The following steps assume you have Global Administrator or Compliance Administrator permissions in the Microsoft Purview portal. If you already have a label that you want to use for Copilot Pages, skip to Step 5 to publish it.
Create a New Sensitivity Label
- Open the Microsoft Purview compliance portal
Go to https://compliance.microsoft.com and sign in with your admin account. In the left navigation, select Information protection. - Create a new label
On the Labels tab, click Create a label. Enter a display name, such as “Confidential – No External Sharing,” and a description that explains the restriction. Click Next. - Define protection settings
On the Define protection settings page, select Control access and then click Next. - Configure access control
On the Access control page, select Configure access control settings. Under Assign permissions now, click Assign permissions. Add users or groups who can view and edit the page. Under Other settings, check Block external sharing and optionally check Block printing or Block copying. Click OK, then Next through the remaining screens, and finally Create.
Publish the Label to Users
- Start a label policy
In the Information protection page, select Label policies from the left menu. Click Publish label. - Choose the label to publish
Click Choose sensitivity labels to publish, select the label you just created, and click Add. Click Next. - Assign the policy to users
Under Publish to users and groups, click Choose users and groups. Select the users or security groups who should see this label in Copilot Pages. Click Add, then Next. - Configure policy settings
On the Policy settings page, leave the default options unless you need a specific behavior. For Copilot Pages, ensure Users must provide justification to remove a label is enabled if you want to prevent accidental downgrades. Click Next, then Submit.
Applying the Sensitivity Label to a Copilot Page
After the label is published, users can apply it to any Copilot Page they own or have edit permissions on. The label takes effect immediately after the user saves the page.
- Open a Copilot Page
In the Copilot app or Microsoft 365, navigate to the page you want to protect. Click the page title to open it in editing mode. - Locate the sensitivity label picker
In the top-right corner of the page, next to the Share button, click the sensitivity label icon. It looks like a shield or a tag, depending on your version. If you do not see the icon, the label policy has not propagated yet, or you do not have a label assigned. - Select the label
From the dropdown list, choose the label you created, such as “Confidential – No External Sharing.” The page will briefly show a confirmation message. The label now applies to the page and all its content. - Test the restriction
Click Share and try to add an external email address. The share dialog should block the action and display an error message saying the label prevents sharing with people outside the organization.
If the Label Does Not Block Sharing as Expected
The sensitivity label does not appear in the picker
The label may not have been published to the user’s group, or the label policy has not synced. Wait up to 24 hours for propagation. Alternatively, the user may be in a different tenant or using a guest account that does not have the label policy applied.
The share dialog still allows external users
This usually happens when the label’s access control settings were not configured to block external sharing. Open the label in the Purview portal, go to Protection settings, and verify that Block external sharing is checked. If you changed the label, you must republish the label policy for the change to take effect.
A user can remove the label and share the page
If the label policy does not require justification for removal, any user with edit permissions can downgrade or remove the label. To prevent this, edit the label policy and enable Users must provide justification to remove a label. This setting logs the removal and can be audited.
Sensitivity Label vs Manual Sharing Permissions: Key Differences
| Item | Sensitivity Label | Manual Sharing Permissions |
|---|---|---|
| Description | Applies metadata-based protection that travels with the page | Sets ad-hoc permissions in the share dialog |
| Persistence | Protection stays even if the page is copied or downloaded | Protection is lost if the page is copied or moved |
| Management | Centralized through Purview label policies | Decentralized, managed per user |
| External sharing | Can be blocked or allowed based on label settings | User decides per share action |
| Audit trail | Label changes logged in Purview audit log | Only share activity logged |
Sensitivity labels provide persistent, policy-driven protection that manual permissions cannot match. For Copilot Pages containing confidential data, always use a sensitivity label instead of relying on the default share dialog.
You can now restrict sharing on any Copilot Page by creating and applying a sensitivity label. Start by publishing a label that blocks external access and limits editing to a specific group. For advanced protection, combine the label with a conditional access policy that requires a compliant device before the page can be opened.