Automatically apply Sensitivity Labels to files and libraries – Microsoft Pureview

There are a couple of ways to enable an automatic classification of files in SharePoint. The first one, more complete from a customization point of view, is to use a File Policy in Defender for Cloud Apps. The second one (the newer and less recommended one, to be fully released Q3/Q4 2022) is to use a Default Sensitivity Label in SharePoint Online.

If you are looking at how to enable file monitoring and file policies, follow this guide:

File Policy in Defender for Cloud Apps

To create a policy that automatically matches and labels files in the root folder and the subfolders, follow the steps below:

  • Open the MDCA portal.
  • Create a new file policy.
  • Create a broad filter. I’ve set it as “App equals SharePoint Online” for this example.
  • Under “Apply to”, specify the root folder where the policy should start to apply.
  • Apply the governance action “Apply sensitivity label”, and select your label. Check the box below if you wish MDCA to override all user-defined labels. This will override older labels set on docs in the site and new ones defined at document creation.
  • Save the policy

Suppose you would like a policy to automatically apply labels to all the files and subfolders recursively from a root folder onward in SharePoint or OneDrive. In that case, you might think you can use the “Files matching all of the following” filter. Unfortunately, this won’t work, as it will not match recursively on the files contained in the subfolders.

Default Sensitivity labels in Sharepoint Online

Once you enable SharePoint to process labels, you can configure a default label for document libraries. This will ensure that any new or newly modified files get the specified label.

The feature will not apply to documents not opened since setting the default label or if the file has a higher priority label applied. Therefore, I would recommend, for the moment, using PowerShell or MDCA (as shown above) before setting the default label.

The feature will also not work if you have “User access to content expires” set anything other than Never or if you use Double Key Encryption.

Also, please note that PDFs are not currently getting labelled using this method, but I expect this to change before Q4 2022. Please refer to the docs for further updates, depending on when you are reading this:

Configure a default sensitivity label for a SharePoint document library | MS Docs

Here you can find a cool summarization table, taken from the official Docs:

Existing labelOverride with library default label
Manually applied, any priorityNo
Automatically applied, lower priorityYes
Automatically applied, higher priorityNo
Default label from policy, lower priorityYes
Default label from policy, higher priorityNo

If you wish to enable this feature:

  • Go to Information Protection | Pureview
  • Click on Labels, then “Turn on now” under “Your organization has not turned on the ability to process content in Office online files that have encrypted sensitivity labels applied and are stored in OneDrive and SharePoint. You can turn on here, but note that additional configuration is required for Multi-Geo environments.”
  • Open your SP document library, then on the top right corner click settings (the “gear” icon), then “Library settings“.
  • Select your default label, then click “Save“.

Allow some time between enabling the feature and looking for the library setting, as you probably won’t find the feature right away; you’ll have to wait up to 24 hours.