General availability of automatic classification with sensitivity labels in Microsoft 365 services

Published 05-28-2020 08:52 AM 17.2K Views


Microsoft runs on trust. With digital data growing exponentially, online threats becoming very sophisticated, and remote work necessary, it is more important than ever to safeguard your corporate data.


At Microsoft, our goal is to provide a built-in, intelligent, unified, and extensible solution to protect sensitive data across your enterprise – in Microsoft 365 cloud services, on-premises, third-party SaaS applications, and more. With Microsoft Information Protection, we are building a unified set of capabilities for classification, labeling, and protection across Microsoft 365 apps (Word, PowerPoint, Excel, Outlook) and productivity services like OneDrive, SharePoint, Teams, and Exchange.


Sensitivity labels are central to how your business-critical data can be protected using Microsoft Information Protection. You can create a sensitivity label and associate it with protection like encryption and visual marking. Label-applied protection will persist with the file wherever it goes.


You can start by empowering your users to manually label documents and emails in Office apps across a wide range of platforms (e.g. Windows, Mac, iOS, Android and online). Learn more here on how to enable this manual classification. However, users may forget to label manually or label sensitive data inaccurately. Relying on users alone to manually classify corporate data using labels is not sufficient. The scalable approach is to automatically discover, label, and protect sensitive data. To help you achieve that, we are excited to announce the general availability of automatic classification with sensitivity labels in SharePoint, OneDrive, and Exchange.


You can create an auto-labeling policy with rules tailored for your organization’s sensitive data, targeting specific locations in your enterprise. A policy can either be in simulation or active mode. You can run the policy first in simulation mode and if the results satisfy your organization’s needs then you can proceed and publish the policy.


Figure 1. Auto label policy across two modes: simulation and active modesFigure 1. Auto label policy across two modes: simulation and active modes


With our 100+ out-of-the-box sensitive information types and ability to create custom ones, you have the flexibility to tailor the auto-labelling policy to specific sensitive information types. You can also scope the policy to a specific SharePoint site or OneDrive account or Exchange mailbox.


Policy Simulator provides insight into policy effectiveness and enables you to simulate in your production environment with real data with no impact on end users until the policy is published.


Figure 2. Auto labelling policy simulation mode resultsFigure 2. Auto labelling policy simulation mode results


Auto classification with sensitivity labels, along with Policy Simulator, is a powerful capability that enable organizations to automatically designate eligible Excel, PowerPoint, Word files, and emails as sensitive in a scalable way.


Your users can search for content within these protected documents, coauthor using Office web apps and be assured that the protection will persist even after the documents are downloaded. This way your security needs are in harmony with your user’s productivity needs.


Figure 3. Document library experience in SharePoint showing files automatically labelledFigure 3. Document library experience in SharePoint showing files automatically labelled


Getting Started


As a Microsoft 365 customer, you can turn on this feature in Microsoft 365 compliance center. To learn more about this feature, please read our online documentation. This advanced capability is included with Microsoft 365 SKUs (E5, E5 Compliance and E5 Information Protection & Governance) and Office 365 E5 SKU. You can learn more about our licensing here.


If you are new to Microsoft 365, learn how to try or buy a Microsoft 365 subscription.


As you navigate this challenging time, we have additional resources to help. For more information about securing your organization in this time of crisis, visit our Remote Work site. We’re here to help in any way we can.


Thank you!


Sesha Mani, Principal Group Product Manager, Microsoft


Tony Themelis, Principal PM Manager, Microsoft

Established Member

How will this work when users have different M365/O365 licenses with/without AIP add-ons; some with just AIP-P1 and other's with AIP-P2 ?

Senior Member

Aside from the Policy Simulator (which is pretty cool) this sounds like exactly what AIP Plan 2 was before it was discontinued as a standalone sku in April. Or am I missing something?

Senior Member

Ou, AIP P2 was discontinued? I missed that, @jeffcer do you by any means have link?

Occasional Contributor

Congratulations, was waiting for this over a year. Good job.

Senior Member

We are looking forward to have this feature included in E3

Valued Contributor

Really helpful, are we able to setup regular expression or our own custom policy?

Sometimes tricks like pressing space , underline , etc. would bypass this policy.

I remember, there have been many test and improvements. 

Occasional Contributor

@bthestorageguy Office 365 version 1910 or later contains per default an AIP integration with no addon installation necessary and AIP label consumption can be done without AIP P1 licence. As well having AIP P2 users with automatic labeling options can be integrated in such scenario. Would be an advanced configuration but possible from my viewpoint.

New Contributor

Great feature that might be valuable to a lot of customers but it will be limited by the E5/add-on licensing requirement. Hard to justify a jump from E3 to E5 or even the E5 Compliance SKUs for just this one feature.

Occasional Contributor

I checked and found that when creating an "Auto-Label" rule we need to select the content-type i.e. Sensitivity Info Type. What to do if I want to label all the documents in a Sharepoint Site or OneDrive account irrespective of content. 

Senior Member

@dipendas1979  Use the IRM for it (Information rights management).
Check the docs article linked below:

SharePoint in Microsoft 365 and OneDrive: IRM Configuration

Occasional Contributor

Ist es möglich nur die Dokumente mit "Auto-labelling" zu versehen und die Emails nicht?

Occasional Contributor

Hi @Sophie_Bruehl Du kannst das Auto Labeling einschränken auf nur bestimmte Sharepoint Sites. Am besten testet du dies in der Simulation.

Occasional Contributor

Hi @pheeeling , danke für den Tipp! Allerdings braucht mein Kunde die Vertraulichkeitsbezeichnungen immer. Besonders im Hinblick auf neue Teams, die zur Projektarbeit mit Externen erstellt werden. Hier wäre es zu aufwändig, wenn jemand den Prozess verfolgen würde und dann jedes Mal die Vertraulichkeitsbezeichnung darauf anwenden müsste. Ich habe auch eine Lösung gefunden Azure-RMSDocs/ at master · MicrosoftDocs/Azure-RMSDocs (github... - die funktioniert und in Outlook wird kein Label mehr per default angewendet. Aber jetzt lassen sich die Client Apps von Word, excel und PPT nicht mehr öffnen.... :\ Hast du hierzu auch eine Idee? :flushed:

Occasional Contributor

Hi @Sophie_Bruehl 
Super mit der "Excempt Outlook Messages" Lösung. Ich glaube aber nicht, dass diese Einstellung irgendwie Probleme mit der Native App von Word, Excel, PPT etwas macht. Hast du AIP Client installiert oder versucht du dies via Standard Plugin zu lösen? Im Standard Plugin wird mandatory labeling nicht unterstützt. Du brauchst den AIP Client Azure Information Protection_UL wenn du keine Preview Funktionen verwenden willst.
Vielleicht liegt es ja am Plugin, probiere es mal aus.



Occasional Contributor

Hi @pheeeling, vielen Dank für Deine Hilfe! :flushed:


Ich habe alles nochmal rückgängig gemacht und die Richtlinie von Neuem eingerichtet. Auch Office neu installiert^^ Seitdem funktionieren die Apps wieder.

Ich hatte den Client auch beim letzten Mal installiert und dieses Mal damit einen Tag gewartet. Die Richtlinie hat tatsächlich überall auch ohne Client gegriffen, aber das Power Shell Script nicht. 

Jetzt habe ich den Client installiert und ich konnte Outlook von dem Label befreien. Die Apps öffnen sich auch wieder. 


Vielen Dank nochmal für deine Unterstützung! 

Occasional Contributor

Hi Zusammen, muss das leider wieder zurücknehmen. Nachdem ein Tag vergangen ist, werden die Apps wieder blockiert. Hat irgendjemand dasselbe Szenario bei sich angewendet und Erfahrung damit?


LG, Sophie

Version history
Last update:
‎May 11 2021 02:00 PM
Updated by: