As a SharePoint site owner, you need to protect sensitive business data stored in your site. Sensitivity labels let you classify and protect content based on its confidentiality level. This article explains what sensitivity labels are, what you need to set them up, and provides a practical checklist to apply and manage labels on your SharePoint sites. By following this guide, you will be able to restrict access, apply encryption, and prevent data leaks from your site.
Key Takeaways: Sensitivity Labels for SharePoint Site Owners
- Microsoft Purview compliance portal > Sensitivity labels: Create and publish labels with encryption and marking settings before applying to a site.
- SharePoint admin center > Active sites > Policies > Sensitivity: Assign a label to a site to enforce access control and content protection.
- Site Settings > Sensitivity label: Site owners can change the label from the site itself if permissions allow.
What Sensitivity Labels Do for SharePoint Sites
Sensitivity labels are tags that apply protection settings to content. In SharePoint, a label can enforce encryption, restrict who can access the site, add headers or footers, and prevent copying or forwarding of documents. Labels are created and managed in the Microsoft Purview compliance portal by a compliance administrator. Once labels are published, SharePoint site owners and administrators can assign them to sites.
Before you can use labels, your organization must have Microsoft 365 E3 or E5 licenses. Azure Information Protection (AIP) must be enabled, and the unified labeling client must be configured. Labels must be published to a label policy that includes the groups or users who will apply them. Site owners do not need special permissions to apply a label, only the ability to manage the site.
Prerequisites for Applying Sensitivity Labels
Ensure these conditions are met before you start:
- Your tenant has Microsoft 365 E3 or E5 licenses or equivalent standalone plans.
- Sensitivity labels are created and published in the Microsoft Purview compliance portal.
- The label policy includes the site owners and members who will apply the label.
- SharePoint sites are modern team sites or communication sites (classic sites do not support labels).
- You have at least site owner permissions on the target SharePoint site.
Checklist: Apply and Manage Sensitivity Labels on a SharePoint Site
Use this checklist to apply a sensitivity label to your SharePoint site. Each step is mandatory for the label to work correctly.
- Confirm label availability in your tenant
Go to the Microsoft Purview compliance portal at compliance.microsoft.com. Navigate to Information protection > Sensitivity labels. Verify that the label you want to use exists and is published to your organization. If no labels appear, contact your compliance administrator. - Check that the label supports container actions
In the label properties, under Define the scope for this label, ensure that Items and containers is selected. Then under Choose protection settings for containers, select Container types and choose SharePoint sites. This setting allows the label to be applied to a site. - Open your SharePoint site in a browser
Navigate to the site you want to label. You must be a site owner or have full control permissions. - Access site settings
Click the gear icon (Settings) in the top right corner, then click Site information. The site information panel opens on the right side of the screen. - Locate the sensitivity label setting
In the site information panel, scroll down to the Sensitivity label section. If no label is applied, it shows No sensitivity label assigned. Click the drop-down arrow to see available labels. - Select the appropriate label
Choose the label that matches the classification of your site content, for example Confidential or Highly Confidential. The list shows only labels that are published and scoped for SharePoint sites. - Save the label assignment
After selecting the label, click Save. The site information panel updates to show the assigned label. The label now applies to the site and all content within it. - Verify label enforcement
Open a document in the site library. Check for any header, footer, or watermark that the label applies. If the label includes encryption, attempt to share the document with an external user to confirm that access is blocked. - Communicate the label to site members
Send an email or post an announcement on the site explaining the label and its restrictions. Members must know that documents inherit the label and that they cannot remove it individually.
Things to Avoid When Using Sensitivity Labels
Common mistakes can break label enforcement or confuse users. Avoid these pitfalls.
Applying a label that does not include SharePoint scope
If a label is not scoped for SharePoint sites, it will not appear in the site settings drop-down. Always verify the label scope in the Purview portal before attempting to apply it.
Changing labels frequently
Switching labels on a site can cause delays in protection enforcement. It can also confuse users who rely on the label to understand content sensitivity. Plan your labeling strategy before assigning labels.
Assuming labels apply to existing documents immediately
When you apply a label to a site, new documents inherit the label. Existing documents may not be automatically labeled unless the label is set to auto-labeling. Use a PowerShell script or a manual bulk update to apply labels to existing files if needed.
Forgetting to check external sharing settings
A sensitivity label can restrict external sharing, but the site-level sharing settings still apply. If both are configured, the more restrictive setting takes effect. Review both settings to avoid unexpected access.
Sensitivity Label vs SharePoint Site Sharing: Key Differences
| Item | Sensitivity Label | Site Sharing Settings |
|---|---|---|
| Purpose | Classify and protect content with encryption, marking, and access control | Control who can share the site and with whom |
| Scope | Applies to the entire site and all content | Applies to the site only, not to individual documents |
| Administration | Managed in Microsoft Purview compliance portal | Managed in SharePoint admin center or site settings |
| User visibility | Visible in site information panel and document headers/footers | Visible in site permissions and sharing dialogs |
| Enforcement | Can block external access, restrict editing, and apply watermarks | Can allow or block sharing with people outside the organization |
Use sensitivity labels when you need to enforce data classification and document-level protection. Use site sharing settings when you only need to control who can access the site and how they can share links.
Now you can apply sensitivity labels to your SharePoint sites using the checklist above. Start by verifying that the label you need is published and scoped for container use. Then assign the label from the site information panel. For advanced protection, combine labels with conditional access policies in Microsoft Entra ID. This approach ensures that even if a user is outside your network, they cannot access sensitive content.