General Availability: Microsoft Information Protection sensitivity labels in Teams/SharePoint sites

Published Jun 30 2020 08:40 AM 26.8K Views

Ensure secure collaboration in scalable way with Microsoft Information Protection


Microsoft Information Protection is a built-in, intelligent, unified, and extensible solution to protect sensitive data across your enterprise – in Microsoft 365 cloud services, on-premises, third-party SaaS applications, and more. Microsoft Information Protection provides a unified set of capabilities to know your data, protect your data, and prevent data loss across Microsoft 365 apps (e.g. Word, PowerPoint, Excel, Outlook) and services (e.g. Teams, SharePoint, and Exchange).


Microsoft Information Protection’s sensitivity labels are central to how your business-critical data is protected, in a persistent way, throughout its lifecycle. Labels can be applied to protect documents (e.g. to encrypt an Excel file) and to containers (e.g. to restrict access to a confidential team or site from unmanaged devices).


We recently announced the general availability of both manual labeling in Office apps across all platforms and of automatic labeling for documents stored in SharePoint and Teams.


Today, we are excited to announce the general availability of sensitivity labels for Teams, SharePoint sites, and Microsoft 365 Groups. You can now associate a sensitivity label with policies related to privacy, external user membership, and unmanaged device access.


With users constantly creating and sharing sensitive data in Teams and on SharePoint sites, this capability allows for holistically securing sensitive content whether it is in a file or in a chat by managing access to these containers. This powerful capability, along with manual and auto-labeling of documents on SharePoint and Teams, helps you scale your data protection program to meet the proliferation of data and the challenge of secure collaboration while working remotely.


The first step to securing sensitive content in teams, sites and groups is to create sensitivity labels with policies. For example, you can create a sensitivity label called “Confidential” and specify that any team, site, or group created with this label will be private, that even a team or site owner cannot add users external to the organization and that unmanaged devices will be allowed web access only.


Figure 1: Admin specifying access policies during label creationFigure 1: Admin specifying access policies during label creation


Now a user creating a team, or a site can choose from your published labels, and all the underlying policies will apply automatically to that team or site. For example, if a user selects the “Confidential” label during a team creation, this new team will automatically restrict access to approved members in the organization and prevent addition of people external to the organization.


Figure 2: When team owner applies “Confidential” label, team and associated site are automatically set as privateFigure 2: When team owner applies “Confidential” label, team and associated site are automatically set as private


After a user creates the team, this “Confidential” label will appear in the upper-right corner of all channels within this team. Now, if users visit the SharePoint site associated with this team, they will also see the “Confidential” label, and all applied policies.


This capability enables you to protect sensitive content in a team or SharePoint site by managing people and device access to these containers. If you want to apply label-based encryption to protect individual documents stored in a team or SharePoint site, you can use auto-labeling or manual labeling. Together these powerful Microsoft Information Protection capabilities enable organizations to scale their data protection programs across a vast amount of data.


We are continuously expanding the capabilities of Microsoft Information Protection. You can see in this recent blog a summary of some of the investments we’ve made in the last two months. To learn more about the capability covered in this blog:

  • Read our online documentation with instructions to opt-in, configuration details, and links to a webinar with demos.
    • If you are using AAD classification, read this documentation for next steps
    • To see which apps and services support this capability, read this documentation page. To apply these labels on OneDrive, start here
  • This capability is included with Microsoft 365 E3 and Office 365 E3 plus AAD Premium P1 and above. Learn more about required licensing. If you are new to Microsoft 365, learn how to try or buy a subscription.
  • Please note that auto-labeling individual documents stored in team or SharePoint site requires either Microsoft 365 E5 or Compliance E5 or Information Protection & Governance E5 add-on SKU.

As you navigate this challenging time, we have additional resources to help. For more information about securing your organization in this time of crisis, visit our Remote Work site.


We’re here to help in any way we can.


Thank you!


Sesha Mani, Principal Group Program Manager, Microsoft 365 services


Tony Themelis, Principal PM Manager, Microsoft Information Protection


Occasional Contributor

Thank you. 


"To see which apps and services support this capability, read this documentation page". - The link is broken and receiving "forbidden"


@Mohan Seenippandian  - the link is updated now, it is here, thank you for pointing that out.


@Sesha  I m in the middle of implementation au-labeling for SharePoint and Onedrive in our organization.  The following are the requirements. 

  1. Documents must be classified automatically when a user uploads a document to the SharePoint site- Can do with Auto-labeling , already test 
  2. Content marking - any document classified must stamp with watermarks, as my understanding, we cannot do with auto-labeling. Any way to achieve this?  or even why when a user downloads the auto-classified document to the computer the user cannot see watermarks that we have defined under labels? is this because auto labeling not opening the document when its stamp with the label? 
  3. To overcome the 2nd issue I have tried with word templates, but then auto-labeling doesn't work with .doctx, will you be able to share a reference for all document types that support by the auto-labeling. Seems to be pdf also not supporting.


Occasional Visitor

Thanks for the great description, this will be very useful for sites / teams handling confidential data. 

For restricting access to unmanaged devices using sensitivity label, does this require this feature to be enabled at the SPO access control level? Or it can be controlled at individual site, group or team level now?

Senior Member

Do you need a corresponding Session Control Conditional Access policy (Application enforced restrictions) for the unmanaged device settings to work?  


@Amit_Dobhal and @Chris_Clark_Netrix - Thank you for your compliment. For unmanaged device access policy, yes, this needs to be enabled at the SPO Access Control level to be permissive i.e. Full Access, which will automatically create a conditional access policy in AAD. Then, you can control at the individual site level by using this Sensitivity Label.


Refer to this documentation for the further instructions on enabling unmanaged device policy in SharePoint:


@Nip17 - thank you for your questions. On content marking, yes it is the current behavior that auto classified documents won't have content marking. We will take this feedback into consideration for future versions of the auto classification feature. For file types supported in auto labeling and additional details about this auto classification with sensitivity labels feature, please refer to this article:



Can you please tell me the license requirement for Auto- labeling.  On the last Microsoft session, I have attend mentioned only a couple of M/O E5 license and all other users required only M/O E3. 

What Microsoft has mentioned is this auto-classification is an engine within admin control, would not necessarily end-user license

Can please help me urgently.




We have a customer (lawyer office) concerned about employee downloading files from TEAMS and OneDrive and uploading it to their personal email address (@Yahoo, @gmail and etc).


Is there a way to restrict that labeled files to be used only on corporate computers??? Like and encryption where even the user copying to home he cannot be handle it.


Any help is appreciated.

Not applicable

@Sesha @Tony Themelis  Thanks for the information. I have come across a problem when testing out the new container labels to Teams and SharePoint sites.


The issue arises as there is a common process to manage container and content labels. Any MIP labels you set up to specifically manage Teams sites to control guest access are visible when you apply labels to content e.g. on Work or Outlook.


For example for a client I was testing out two MIP labels to manage their content Public and Private. Public was a just a label with a footer and Private had encryption with a footer. These were added to a label policy where the default label was Private.


I then created two new labels to manage the guest access in Teams Internal and External. Internal would block guest access and External would allow guest access. I did not want to provide any controls to manage content. These two labels were created was under a separate label policy so I could set the default label to Internal.


When I created a new Team all was well as the Internal MIP label was set as default and I could only see the two options Internal and External.


However when I went to apply an MIP label in a Office Doc or Outlook when I selected the sensitivity icon I was presented with 4 labels, Public, Private , Internal & External. Internal & Externa had nor controls and were set up just to manage Teams guest access yet the users could inadvertently select the label Internal and think that the system would provide relevant controls on the content which it would not do,


It is possible to combine the labels sets and reduce to three :

  1. Public - add footer to content plus block external access in Teams
  2. Private/Internal - add footer and encrypt content plus block external access in Teams
  3. Private/External- add footer and encrypt content plus allow external guest access in Teams

This still increases the choices for an end user from 2 to 3 when labeling content and if the client already have existing labelling in place then this an additional change the client will need to make.  


I have heard that Microsoft are looking to split content and container MIP labeling to mitigate this issue. Any ideas on timelines or any other advice we can use in the short term






I have heard that Microsoft are looking to split content and container MIP labeling to mitigate this issue. Any ideas on timelines or any other advice we can use in the short term

Yes you will be able to select the scope when you are creating the label as shown below. Can expect to see this  before end of this year I guess. As always @Sanjoyan Mustafi  has done a brilliant session yesterday about this , sorry I can't find the link to the session. 




It is possible to combine the labels sets and reduce to three :

  1. Public - add footer to content plus block external access in Teams.  Why do you want to stop external access on Public label?  Normally Public label will allow external access. I hope you mean public - all internal staff except guest, if so you can as below


2. Private/Internal - add footer and encrypt content plus block external access in Teams - yes you can as below 


3. Private/External- add footer and encrypt content plus allow external guest access in Teams - yes you can as below 



If I create these label I will create as follow

1. Public - allow all staff + guest ( Public - anoyone in the organisation + Let O365 group owner to add gues in to the group)

2. Internal - allow all staff  ( Public - anoyone in the organisation )

3. Confidential - Allow  only dedicated staff ( Private- only members can access the site )

If you really want something like dedicated staff + dedicated guest , I would recomend to go with a sub label.


Hope didnt misunderstand your question 





@Renato Pereira 

Could you please explain a bit your business requirement, not the solution?

If your requirement is to stop unauthorised access your data

  1. Use unified labelling (AIP) to make sure only authorised person can use the data
  2. Use DLP to prevent users from sharing confidential data with unapproved stakeholders or third-party
  3. If you want to stop accessing data from untrusted locations, then use conditional access policy.


If you really want to stop staff uploading documents into yahoo or google and then they download into their personal computer later date to use the data, then assuming the user is not allowed to access O365 org data beyond the org n/w- if yes

solution – use AIP this will prompt to authenticate when the user opens the document and use conditional access policy to stop accessing data beyond your org n/w


Please check AIP +DLP + conditional aces policy for unmanaged devices and untrusted locations. If possible MCASB will give you a greater monitoring and control capability.




Hi @Nip17,


the customer concern is:

* Some employees uses laptop and some a PC;

* for both cases users should be able to handle .DOCX files on their daily basis routine.


If we use Exchange MAILFLOW RULES, we can detect some 'strange behavior' like users sending files as attachment to their personal e-mail address (,, and etc) and then quarentine or just block and etc. Sometimes users just create a new e-mail on the MS Outlook windows app and then add those files as attachment but do not send - just 'save and hold'; during the night at home they can access his accounts via and then download the files.

I know that we can access and create a new policy/rule for some file share, but the problem is if they upload/attach that files to their personal e-mail address using the web browser (gmail website for example). Since their credentials is still valid, they can save locally at their home computer, open the file for edit and etc. But and about the copy saved on the local 'downloads' folder??? How to ensure that thoses files will be deleted after work??? Is there a way to limit user 'logon/authentication' for non business hours?


How to limit upload using webbrower? As I know the only way is to use antivirus with DLP rules or even PROXY/FW with DLP.

If these employes has access to 'datastore' like pendrive or even his mobile phone with USB cable, how to prevent they to copy files? As I know we must block USB datastore using Antivirus.


Is there a way to limit on what 'device' they can manage those files? If we use encrypt solution, only allowed devices (with install key/certificate) can be able to open/handle those files.


Few months ago I created a support ticket with MS O365 team about how to limit OneDrive app to be unable to sync personal accounts because we found some guys copying from OneDrive CORP account disk folder to OneDrive PERSONAL account disk folder - they sent instructions about GPO and .ADMX files for that, but since that customer doesn´t have local AD, we asked for more options and they send REG KEYS to be used for that situation.


>>> As you can see, 'begginers' employees can copy data based on senior employee effort!!!


* We also have a similar situation about protect corporate data, where a customer has CAD project files to protect (Autodesk Powermill and Machine Strategist files).



If someone reading this needs, about OneDrive app blocking sync personal account, I´ll share information:



  1. Download the OneDrive Deployment Package (
  2. Win > Run "%systemroot%\policyDefinitions" , drag & drop OneDrive.admx to this location.

Go to "%systemroot%\policyDefinitions\en-us" and put OneDrive.adml

  1. Press Win & R key,  Run GPEDIT.MSC
  2. Click User Configuration > Administrative Templates > OneDrive > Prevent Users from synchronizing personal OneDrive account.
  3. Set it to Enabled.


Once it is completed, users can't sync personal OneDrive. For those users who have synced personal OneDrive previously, unlink personal OneDrive, they will not see the OneDrive-personal icon on File Explorer either.


Hi @Nip17 ,


I don't know why my reply was lost.


With 'conditional' access, can we limit user accounts to be used only on corp devices? The main concern is users using account on non protected devices and also sync corp data.


How to protect and avoid users to be able to upload documents to gmail/hotmail websites?


@Renato Pereira 


Yes you can use conditional access policy to check IP address as well as the device is managed or not. 


How to protect and avoid users to be able to upload documents to Gmail/Hotmail websites? 

as I have mentioned previously I dont think you need to worry that much on this if your documents are protected with AIP. When they email in to them self and try to open the document form unmanaged device the CAP will kicked in and blocking the access. Furthermore if you are using Intune you can use MAM and MDM to protect your applications such as Teams, SharePoint etc. You can define stop copy content from Teams to unmanaged applications such as note pad, etc.





Hi @Nip17, tks for quick reply.

The concern is also with files not from Office where users can upload online to MegaUpload, Dropbox and etc.

Can Intune handle this DLP on upload process or should we use AV solution for that?



.3DM for Rhino;

.IGS for Rhino exported to Machine Strategist; 
.MCO ou .MSA for Machine Strategist or .PRG exported to CNC format).


Version history
Last update:
‎May 11 2021 02:03 PM
Updated by: