Hi@JSlei : You are correct: The onboarding controls are there for just such a case. Making sure you are onboarding only the specified users. And I understand why you ask, since the article isn't really clear on this (just says that other users won't be able to protect). I haven't tried this for a while but last time I did this the users who were not in the onboarding policy would still see the protection templates, but would not be able to apply. If they selected a template, they would see the following message: Azure Information Protection cannot apply this label. If this problem persists, contact your administrator. And it didn't matter if it was a scoped policy or not. The labels however should be hidden. And if you want to be sure, you could publish only to the pilot group.