SharePoint site sensitivity labels let you apply Microsoft 365 sensitivity labels to SharePoint sites to enforce data governance. These labels control site access, sharing policies, and conditional access settings directly from the label. This guide explains how to enable sensitivity labels for SharePoint sites, configure them in the Microsoft Purview compliance portal, and apply them to sites through the SharePoint admin center. You will learn the exact steps to set up labels, assign them to existing sites, and manage label policies across your tenant.
Key Takeaways: Applying Sensitivity Labels to SharePoint Sites
- Microsoft Purview compliance portal > Sensitivity labels: Create and publish labels with site-level settings for privacy, external sharing, and access control.
- SharePoint admin center > Active sites > Policies: Assign a sensitivity label to one or multiple sites at once.
- PowerShell cmdlet Set-SPOSite -SensitivityLabel: Apply labels programmatically to bulk sites or automate label assignment.
What Are Sensitivity Labels for SharePoint Sites?
Sensitivity labels in Microsoft 365 are tags that classify and protect data. When extended to SharePoint sites, a label controls site-level settings such as privacy (public or private), external sharing permissions, and conditional access policies. For example, a label named “Confidential” can restrict external sharing and block access from unmanaged devices. The label applies to the entire site, not individual documents. Before you can use sensitivity labels on SharePoint sites, you must enable the feature in the SharePoint admin center and publish the labels from the Microsoft Purview compliance portal.
Prerequisites for using sensitivity labels on SharePoint sites:
- Microsoft 365 E3 or E5 license (or equivalent standalone plan)
- Global admin or SharePoint admin role
- Azure Information Protection (AIP) unified labeling client or built-in labeling in Office apps
- Sites must be group-connected (Microsoft 365 group) or communication sites
How to Enable Sensitivity Labels for SharePoint Sites
- Turn on the feature in SharePoint admin center
Sign in to the SharePoint admin center with your admin account. In the left navigation, select Policies and then Sharing. Under Sensitivity labels for SharePoint sites, check the box labeled Let users apply sensitivity labels in SharePoint and OneDrive. Click Save. This setting enables the label picker on site settings pages. - Create a sensitivity label in the Microsoft Purview compliance portal
Go to the Microsoft Purview compliance portal. Navigate to Information protection > Labels. Click Create a label. Give the label a name, tooltip, and description. In the Define the scope step, select Items and Groups and sites. Under Groups and sites, check SharePoint sites. Complete the remaining steps to configure privacy, external sharing, and device access settings. - Publish the label to users
In the Purview portal, go to Label policies and click Publish labels. Select the label you created and choose which users or groups can use it. For SharePoint sites, you typically target all site owners or all users. Complete the policy settings and publish. - Apply the label to a SharePoint site
In the SharePoint admin center, select Active sites. Click the site name to open its properties. On the Policies tab, find Sensitivity label. Click Edit, choose the label from the dropdown, and save. The site now enforces the label settings.
How to Apply Sensitivity Labels to Multiple Sites at Once
- Use the SharePoint admin center bulk edit
In Active sites, check the boxes next to the sites you want to update. Click Bulk edit in the toolbar. Under Sensitivity label, select the label and click Save. All selected sites receive the label. - Use PowerShell
Install the SharePoint Online Management Shell. Connect usingConnect-SPOService -Url https://yourtenant-admin.sharepoint.com. RunSet-SPOSite -Identity https://yourtenant.sharepoint.com/sites/sitename -SensitivityLabel "LabelGUID". To find the label GUID, useGet-SPOSite -Identity "https://yourtenant.sharepoint.com/sites/sitename" | Select SensitivityLabel. Loop through a CSV file to apply labels to many sites.
Common Mistakes When Using Sensitivity Labels on SharePoint Sites
Sensitivity label does not appear in the site settings
If the label picker is missing on a site, the feature is not enabled in the SharePoint admin center. Go to Policies > Sharing and verify that Let users apply sensitivity labels in SharePoint and OneDrive is checked. Also confirm that the label is published to the user who owns the site. Labels not published to the site owner will not show in the picker.
Label changes do not take effect immediately
After applying a label, it can take up to 24 hours for the settings to apply to the site. To speed up the process, you can use PowerShell to force a sync. Run Set-SPOSite -Identity <SiteURL> -SensitivityLabel <LabelGUID> again. The label GUID must match exactly. Check the label GUID in the Purview portal under the label properties.
External sharing settings conflict with the label
If the label restricts external sharing but the site has a more permissive sharing policy, the label overrides the site-level setting. However, if the label does not specify a sharing policy, the site-level sharing setting remains. Always configure the external sharing option in the label to avoid unexpected behavior. For example, set the label to Only people in your organization to block external sharing entirely.
Conditional access policies do not apply
Conditional access policies on labels require Azure AD Premium P1. If the label includes conditional access settings but they do not apply, verify that the site has the label assigned and that the user accessing the site is in scope. Also check that the label policy is published to the user. Conditional access policies for SharePoint sites work only when the label is applied at the site level, not at the document level.
Sensitivity Label Site Settings vs Document Settings
| Setting | Site-Level Label | Document-Level Label |
|---|---|---|
| Scope | Entire SharePoint site | Individual files |
| Privacy control | Sets site to public or private | No effect on site privacy |
| External sharing | Restricts sharing for the whole site | Only affects the file |
| Conditional access | Applies to all site visitors | Applies to users opening the file |
| Label inheritance | Does not apply to documents | Does not affect the site |
Use site-level labels to enforce governance at the container level. Use document-level labels for granular protection on sensitive files. Both label types can exist on the same site without conflict.
Conclusion
You can now enable sensitivity labels for SharePoint sites and apply them through the admin center or PowerShell. Start by creating a label in the Microsoft Purview compliance portal with the appropriate site scope. Publish the label to your users and assign it to any group-connected or communication site. For large deployments, use PowerShell to apply labels to multiple sites in one operation. Remember that conditional access policies require Azure AD Premium P1 and that label changes can take up to 24 hours to propagate.