Microsoft Purview - Paint By Numbers Series (Part 2c) – Default Labels
Published Mar 08 2022 04:51 PM 1,403 Views



Before we start, please not that if you want to see a table of contents for all the sections of this blog and their various Purview topics, you can locate the in the following link:

Microsoft Purview- Paint By Numbers Series (Part 0) - Overview - Microsoft Tech Community



This document is not meant to replace any official documentation, including those found at  Those documents are continually updated and maintained by Microsoft Corporation.  If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in, you should always defer to that official documentation and contact your Microsoft Account team as needed.  Links to the data will be referenced both in the document steps as well as in the appendix.

All of the following steps should be done with test data, and where possible, testing should be performed in a test environment.  Testing should never be performed against production data.


Target Audience

The Information Protection section of this blog series is aimed at Security and Compliance officers who need to properly label data, encrypt it where needed.


Document Scope

This document is meant to guide an administrator who is “net new” to Microsoft E5 Compliance through the following:

  • Create a Default label
  • Publish a Default label

It is presumed that you already have a Sensitive Information Type that you want to use in your Information Protection policy.  For the purposes of this document, I will use a copy of the U.S. Social Security Number (SSN) called “U.S. SSN – Numbers Only” that I created in Part 1 of this blog series. 



This document does not cover any other aspect of Microsoft E5 Compliance, including:

  • Sensitive Information Types
  • Exact Data Matching
  • Information Protection (creating a basic label)
  • Data Protection Loss (DLP) for Exchange, OneDrive, Devices
  • Microsoft Cloud App Security (MCAS)
  • Records Management (retention and disposal)
  • Overview of Advanced eDiscovery (AeD)
  • Reports and Analytics available in Advanced eDiscovery (AeD)
  • Insider Risk Management
  • Privacy Management

It is presumed that you have a pre-existing of understanding of what Microsoft E5 Compliance does and how to navigate the User Interface (UI).

It is also presumed you are using an existing Information Types (SIT) or a Exact Data Match (EDM) you have created for your testing.


If you wish to set up and test any of the other aspects of Microsoft E5 Compliance, please refer to Part 1 of this blog series (listed in the link below) for the latest entries to this blog.  That webpage will be updated with any new walk throughs or Compliance relevant information, as time allows.

Microsoft Compliance - Paint By Numbers Series (Part 1) - Sensitive Information Types - Microsoft Te...

Overview of Document

  1. Create a Default label
  2. Publish a Default label


Use Case

  • You wish to apply a “default” label to all newly created files/emails in you tenant.  This is done without the user needed to perform any action.



  • Sensitivity Label – a metadata tag
  • Publish Label – making the metadata tag available to your tenant.  This is also how a Sensitive label policy is created.
  • Default Label – a Sensitivity label that is applied to a file/email automatically.



  • Default labels are not the same things as Required labels.  Default labels, simply put, place a baseline Sensitivity label on all new files/emails.  Default labels take the initial labeling if files/emails out of the hands of the end user and automate them.  On the other hand, required labels “force” users to apply a label to any a file/email before it can be saved or sent.


  • After a Sensitivity label is created and published, it should be visible within a few minutes, but can take up to 24 hours depending on what else is going on inside your test tenant.


  • Tip – It is recommended that you should never have more than 1 “default” Sensitivity label and it should always be set at an “Order” of 0 in your policy list (meaning a baseline or lowest possible labeling policy for files/emails).  These two things are recommended to avoid possible labeling conflicts of this particular type of label



  • You have create a Sensitive Information Type (SIT) in Part 1 OR an Exact Data Match (EDM) in Part 1a of this blog series.



Create Default Label

We now will create our Default Label.


  1. Go to your Compliance console


  1. Navigate to your Information Protection -> Labels and click Create a Label.






  1. Name & Description - Give the Label a name (ex. “Default Label”) and click Next.







  1. Scope - Select only Files & emails and click Next.





  1. Files & Emails - File related settings will be disabled.  Click Next.


  1. Under Choose Protection for settings for Files and Emails, check the box to Mark the content of files.  Click Next.






  1. On the next Content Marking, turn on Content marking and under a Watermark, select Add a header.





  1. For the custom text, enter the name “Default Label”.







  1. Click Save and then Next.


  1. You will now come to the section labeled Auto-labeling for files and emails.  Accept the default of disabled and click Next.




  1. The next step in the wizard is Define protection settings for groups and sites.  Since we are not working with groups of sites, this page will be disabled.  Click Next.






  1. Azure Purview (preview).  This feature is not in General Availability yet.  Leave this disabled.  Click Next.





  1. Now you will review your label settings. 





  1. When you are satisfied, click Create Label.


  1. You are not ready to publish your label.



Publish Default Label

We will now publish our Default Label.


Publishing a Default label. 


  1. Click Publish Labels





  1. Select Choose Sensitive labels to publish and select your labels from above.





  1. Select your Default label and click Add.  Then click Next.





  1. Select which users and groups this will apply to.  We will accept the default of All for this test.  Click Next.





  1. For Policy Settings select User must provide a justification to remove a label or lower its classification.  As this option says, this will force the user to justify their change to the default label.  This will also be logged as part of the activity.  Click Next.





  1. Now you will arrive at Apply default label to documents.  From the drop down, select the Default label you just created.  Click Next.






  1. Now you will arrive at Apply default label to emails.  From the drop down, select the None or Same as Document.  We will select None as we are not testing email at this time.  
    1. Note – We will not be requiring users to apply a label to their emails at this time.
    2. Click Next.







  1. Now you will arrive at Apply default label to Power BI Content.  Accept the default of None and click Next.





  1. Name and describe your policy.







  1. Now review the settings and when you are ready, click Submit.





  1. You have now published your Default label of use.


  1. Before proceeding to Testing this Default label, please wait up to 24 hours for the Label to be published into your test tenant.  Note however, this could be as quick as an hour.






After waiting for the Default Label to be published, we can now test that it is applied to a new file.  For our test here, we will use Microsoft Word.


  1. Open a Word document on your Windows test Tenant





  1. Create a new Blank Document





  1. In the top right of the ribbon, you should see the Sensitivity dropdown.





  1. In the drop-down you should see the Default Label selected.





  1. You should see a Header in the file similar to the one below. 






  1. If you want, you can now enter some text if you want and Save.


  1. You are now done with testing your Default Label.



Appendix and Links




Version history
Last update:
‎Nov 03 2022 10:00 AM
Updated by: