You want to protect sensitive business data stored in SharePoint sites without slowing down your team. Sensitivity labels let you classify content and enforce protection rules at the site level. This article explains how to set up and apply sensitivity labels to SharePoint sites. You will learn the prerequisite steps, the labeling workflow, and common pitfalls to avoid.
Key Takeaways: Sensitivity Labels for SharePoint Sites
- Microsoft 365 compliance center > Information protection > Labels: Create labels that include site-level settings for external sharing and private access.
- SharePoint admin center > Active sites > Settings > Sensitivity: Apply a published label to an existing site or a site template.
- Azure AD conditional access: Enforce additional protections like device compliance or multi-factor authentication when a labeled site is accessed.
How Sensitivity Labels Work for SharePoint Sites
Sensitivity labels in Microsoft 365 are classification tools that apply protection policies to content. When you enable labels for containers, they can be assigned to SharePoint sites, Microsoft 365 groups, and Teams. A label on a site can control external sharing, private or public membership, and access from unmanaged devices.
The feature extends Azure Information Protection and Microsoft Purview compliance capabilities. Labels are created in the Microsoft Purview compliance portal and published through label policies. Once published, site owners or administrators can assign the label to a site from the SharePoint admin center or through PowerShell.
Prerequisites
Before you start, confirm these requirements:
- You have a Microsoft 365 subscription that includes Azure Information Protection (Plan 1 or Plan 2) or Microsoft 365 E5 compliance features.
- You are assigned the Compliance Administrator or Security Administrator role.
- You have enabled sensitivity labels for containers. This setting is found in the Microsoft Purview compliance portal under Labels > Label policies.
- All users who will apply or view labels need a license that includes sensitivity labeling.
Steps to Create and Apply Sensitivity Labels for SharePoint Sites
Follow these steps to create a sensitivity label that includes site-level settings and then apply it to a SharePoint site.
Method 1: Create a New Sensitivity Label with Site Settings
- Sign in to the Microsoft Purview compliance portal
Go to https://compliance.microsoft.com and select Information protection from the left navigation. Then choose Labels. - Create a new label
Click Create a label. On the Name your label page, enter a display name like “Confidential – Finance” and a description. Click Next. - Define the label scope
On the Define the scope for this label page, select Items and Containers. The Containers option enables site and group settings. Click Next. - Configure container settings
On the Choose protection settings for containers page, select Configure site and group settings. Click Next. - Set site and group options
On the Configure site and group settings page, choose Privacy to set the site as Public or Private. Under External sharing, pick a level such as “Only people in your organization” or “Specific people.” Under Access from unmanaged devices, select Block access or Allow limited access. Click Next. - Publish the label
After the wizard completes, go to Label policies and click Publish labels. Select the label you created, choose the users or groups who will see it, and publish. Wait up to 24 hours for the label to appear in SharePoint.
Method 2: Apply the Label to an Existing SharePoint Site
- Open the SharePoint admin center
Go to https://admin.microsoft.com/SharePoint and sign in with an administrator account. - Select the target site
Under Active sites, find the site you want to label. Click the site name to open its details panel. - Assign the sensitivity label
In the details panel, select the Settings tab. Scroll to the Sensitivity section. Click the pencil icon to edit. From the dropdown, choose the label you published (for example, “Confidential – Finance”). Click Save. - Verify the label is applied
Return to the Active sites list. The site row now shows the label name in the Sensitivity column. Users with access to the site will see the label in the site header area.
Common Mistakes and Limitations with Sensitivity Labels on Sites
Even with the correct setup, you may run into issues. Here are frequent problems and how to avoid them.
Label Does Not Appear in the SharePoint Admin Center
If your label is not listed in the Sensitivity dropdown in SharePoint admin center, check these items:
- The label must have the Containers scope enabled. Without it, the label will not show for sites.
- The label must be published to at least one user or group. Even if you publish to “All users,” it takes up to 24 hours to propagate.
- The site must be a group-connected team site or a communication site. Classic SharePoint sites do not support sensitivity labels.
Label Cannot Be Changed After Assignment
Once a label is applied to a site, you can change it to another label only if both labels have the same container settings. For example, if the current label sets privacy to Private, the new label must also set privacy to Private. To change incompatible settings, remove the label first, then apply a new one.
External Sharing Settings Overridden by the Label
When a sensitivity label is applied to a site, the label’s external sharing setting takes precedence over the site’s individual sharing setting. If the label blocks external sharing, users cannot share the site externally even if the site’s setting allows it. Plan your label hierarchy carefully to match your organization’s sharing policies.
Sensitivity Label vs SharePoint Permission Level: Key Differences
| Item | Sensitivity Label | SharePoint Permission Level |
|---|---|---|
| Scope | Site-level classification and policy enforcement | Item-level or library-level access control |
| Controls | External sharing, privacy, unmanaged device access | Read, contribute, edit, full control |
| Management | Microsoft Purview compliance portal | SharePoint site settings or PowerShell |
| User visibility | Shown in site header and compliance reports | Not visible; determined by assigned permissions |
| Dependency | Azure Information Protection license | Standard SharePoint Online license |
Now you can create, publish, and apply sensitivity labels to SharePoint sites. Start by defining your label hierarchy in the Microsoft Purview compliance portal. Then apply the label to a test site and verify that external sharing and privacy settings match your requirements. To go further, combine sensitivity labels with conditional access policies for device compliance checks.