How to create a sensitivity label in Microsoft Purview
Sensitivity labels in Microsoft Purview let you classify and protect documents and emails according to how sensitive they are, forming the foundation of any data governance strategy. Instead of relying on each person to decide what is safe, you define clear rules that travel with the file itself. This guide shows, step by step, how to create a sensitivity label in Microsoft Purview and publish it to your users, with a simple and repeatable example you can adapt to your organization.
Prerequisites
- An account with the Compliance Administrator or Information Protection Administrator role.
- A subscription that includes sensitivity labels (for example, Microsoft 365 E3 or E5).
- Access to the Microsoft Purview portal at
purview.microsoft.com. - Optional: the
ExchangeOnlineManagementmodule installed, for the PowerShell method.
Step 1: Open sensitivity labels
Sign in to the Microsoft Purview portal and open the Information Protection solution. In the side menu, select Sensitivity labels. This is the area where you create, edit and publish every label in the organization. If this is the first time, the list appears empty, which is perfectly normal.
Step 2: Create a new label
Click Create a label and give it a clear name, for example Confidential. The text that users see is the Display name, so choose something simple and recognizable. Add a short description that explains when to use the label, such as "For internal data that should not leave the company". A good description reduces doubt and prevents wrong classifications later, and it also makes future audits easier because anyone can see why a file was labeled.
Step 3: Set the scope and protection
For the label scope, choose Items to apply it to files and emails. Next, you can configure protection. For a first example, turn on content marking and add a footer with the text "Confidential". Avoid starting with strong encryption right away: begin with the essentials and add more advanced protection once the team is comfortable using labels every day.
Step 4: Publish the label with a policy
A label only becomes visible to users after it is published. Open Label policies and click Publish label. Select the Confidential label, choose the users or groups it applies to (you can start with a test group) and finish the wizard. Within a few minutes, the label starts to appear in the Office apps of the affected users. There is no need to reinstall anything, because the labels arrive through the existing Office sign-in.
Step 5 (optional): Create the label with PowerShell
If you prefer to automate, you can create the same label with Security & Compliance PowerShell. This method is handy for repeating the configuration across several environments without clicking through the portal.
Connect-IPPSSession -UserPrincipalName admin@aempresa.com
New-Label -Name "Confidencial" -DisplayName "Confidencial" -Tooltip "Dados internos sensiveis"
New-LabelPolicy -Name "Politica-Confidencialidade" -Labels "Confidencial"The New-Label command creates the label and New-LabelPolicy publishes it. You can then adjust the policy scope directly in the portal.
Verify the result
Open Word or Outlook with the account of a user included in the policy. On the Home tab, the Sensitivity button should appear, with the Confidential label available. Apply it to a test document and confirm that the "Confidential" footer shows up on the page. If the label does not appear right away, wait a few minutes and restart the app, because publishing can take time to propagate.
Conclusion
With a label created and published, you already have the foundation of data governance in Microsoft Purview. The next step is to define more levels, for example Public, Internal and Confidential, and later enable automatic labeling to classify files without relying on the user. Which sensitivity level would make the most sense as the default in your organization?