Enhancing Information Security in SharePoint with Sensitivity Labels

Discover how sensitivity labels in Microsoft SharePoint enhance security, control sharing, and protect sensitive content. Learn how Data Access Governance helps identify unlabeled files and how DeliverPoint empowers Site Owners and Administrators to manage permissions effectively. Stay compliant and secure your data with Microsoft Purview Information Protection.

Managing SharePoint permissions effectively is a complex challenge for both Site Owners and SharePoint Administrators. One critical yet often overlooked aspect is sensitivity labels, which play a key role in controlling external sharing, copying, printing, and downloading based on the sensitivity of the content.

As part of Microsoft Purview Information Protection, sensitivity labels in SharePoint help organizations classify and secure information based on its confidentiality level. When applied to documents and emails, these labels ensure that sensitive data remains protected, whether it’s stored internally or shared outside the organization.

For the latest details on licensing requirements for sensitivity labels, refer to Microsoft’s official documentation.

Benefits of Using Sensitivity Labels in SharePoint

Implementing sensitivity labels in SharePoint offers several advantages that enhance data security, compliance, and governance. Below are the key benefits:

  • Protects Sensitive Information
    Labels encrypt documents to prevent unauthorized access, even when shared externally.
    They restrict copying, printing, and downloading based on the label’s policy.
  • Enforces Access Control
    Sensitivity labels define who can access or edit documents in SharePoint.
    They restrict external sharing based on predefined security settings.
  • Improves Compliance with Regulations
    Labels help organizations comply with data protection regulations and standards such as GDPR, HIPAA, and ISO 27001.
    They ensure that sensitive data is classified and protected consistently across SharePoint.
  • Enhances Security for Sharing Links
    Labels control the default settings for sharing links, such as “view-only” access.
    They can block sharing with external users or allow sharing with specific domains only.
  • Provides Persistent Protection
    Labels follow the document even when it’s downloaded, copied, or moved to a different location.
    This ensures that sensitive content remains protected across Microsoft 365 services.
  • Enables Automatic Labeling
    Microsoft Purview can automatically apply sensitivity labels based on content detection (e.g., credit card numbers, confidential terms).
    This reduces reliance on manual classification, improving consistency and minimizing errors.
  • Helps Prevent Data Leakage in Microsoft 365 Apps
    Sensitivity labels apply protection across SharePoint, Teams, Outlook, and OneDrive.
    Labels work seamlessly with Microsoft Copilot, ensuring AI does not expose restricted content.
  • Increases Visibility and Governance
    Microsoft Purview Content Explorer helps identify unlabeled sensitive documents in SharePoint.
    Organizations can run reports on label usage and compliance adherence.
  • Seamlessly Integrates with Microsoft Security Features
    Labels integrate with Microsoft Defender for Cloud Apps and Data Loss Prevention (DLP) policies.
    They enhance threat detection and risk mitigation within SharePoint environments.
  • Reduces Security Risks Without Disrupting Productivity
    Users can work securely without needing to change their workflows.
    Organizations can implement granular controls while allowing necessary collaboration.

Data Access Governance (DAG) & Sensitivity Labels

Data Access Governance (DAG) in SharePoint provides administrators with the ability to monitor and manage sites where sensitivity labels have been applied, ensuring that sensitive information is appropriately protected and access is controlled.

Reporting on Sites with Applied Sensitivity Labels

Administrators can generate reports to review sites with sensitivity labels applied to files, helping to monitor sensitive content across SharePoint.

Frequency and Duration of Reports

  • Scheduling: Reports can be generated as needed; however, each report can be run only once in 24 hours.
  • Processing Time: After initiating a report, it may take several hours for the report to be completed and available for review.
Creating sensitivity label reports using Data Access Governance.

Limitations

  • Site Inclusion: The downloadable CSV file from the report includes up to 10,000 sites. While this may cover many environments, larger organizations with extensive site collections may find this limiting.
  • Content Depth: These reports provide details at the site level but do not delve into specific items or files that might be overshared. Administrators may need to conduct further investigations to identify particular documents requiring attention.
Sample Data Access Governance Report showing sites with labelled files.

Running Reports

To generate a Data Access Governance report:

  1. Access the SharePoint Admin Center: Navigate to the SharePoint admin center within your Microsoft 365 environment.
  2. Initiate the Report: Select the option to add a sensitivity label report, choose the desired sensitivity label, and run the report.
  3. Processing: The system will process the report, which may take several hours.
  4. Review Results: Once completed, download the report in CSV format to analyze the sites with applied sensitivity labels.

Setting a Default Sensitivity Label for Document Libraries

SharePoint allows administrators to configure a default sensitivity label for document libraries, ensuring that all new files inherit the designated label automatically.

Screenshot: Data Access Governance in SharePoint, showing the options to run Data Access Governance reports and set default sensitivity labels for document libraries.

Configuration Steps

  1. Navigate to the Document Library: Access the specific document library within your SharePoint site.
  2. Library Settings: Click on the settings gear icon and select “Library settings.”
  3. Default Sensitivity Label: In the library settings pane, choose the desired sensitivity label to set as the default.

Considerations

  • Scope: The default sensitivity label applies only to new files uploaded or created in the library. Existing files remain unaffected unless manually labeled.
  • Propagation: The default label is applied after the document is closed or, in the case of uploads, within a few minutes.
  • Limitations: Certain label configurations, such as those requiring user-defined permissions or specific encryption settings, may not be suitable for default application in SharePoint document libraries.
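
A scripted equivalent of the library-settings steps above, added here as an example and not taken from Microsoft or DeliverPoint: it audits every document library in one site for a default sensitivity label and, when `$Apply` is set, assigns one. It assumes the PnP.PowerShell module; the site URL, client ID and label name are placeholders.

```powershell
# Added example. Assumes the PnP.PowerShell module is installed.
# All values below are placeholders, not values from the article.
$SiteUrl   = "https://contoso.sharepoint.com/sites/finance"  # placeholder site
$ClientId  = "<entra-app-client-id>"                          # placeholder app registration
$LabelName = "Confidential"                                   # placeholder label name
$Apply     = $false   # $false = audit only; $true = set the default where missing

Connect-PnPOnline -Url $SiteUrl -Interactive -ClientId $ClientId

# BaseTemplate 101 = document library; hidden system libraries are skipped.
# The two extra properties are requested explicitly so they are loaded.
$libraries = Get-PnPList -Includes DefaultSensitivityLabelForLibrary, ItemCount |
    Where-Object { $_.BaseTemplate -eq 101 -and -not $_.Hidden }

$report = foreach ($lib in $libraries) {
    $current = $lib.DefaultSensitivityLabelForLibrary   # label GUID, empty when unset
    $action  = "none"
    if ([string]::IsNullOrEmpty($current)) {
        $action = "would set"
        if ($Apply) {
            # The label is resolved by name here; a label GUID can be passed instead.
            Set-PnPList -Identity $lib.Id -DefaultSensitivityLabelForLibrary $LabelName |
                Out-Null
            $action = "set"
        }
    }
    [pscustomobject]@{
        Library       = $lib.Title
        ExistingItems = $lib.ItemCount   # these files are not relabeled by the default
        DefaultLabel  = if ($current) { $current } else { "(none)" }
        Action        = $action
    }
}

$report | Sort-Object Action, Library | Format-Table -AutoSize
```

The `ExistingItems` column shows how many files in each library predate the default and still need labeling by other means, per the Scope consideration above.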

By leveraging Data Access Governance reports and configuring default sensitivity labels, organizations can enhance their data protection strategies, ensuring that sensitive information within SharePoint is consistently and appropriately secured.

Restrictions and Considerations for Data Access Governance

  • Scope Limitations – Some tools may not support all file types, requiring tailored approaches for different data sources.
  • Labeling Constraints – While automatic labeling applies to Microsoft 365 services like SharePoint and Exchange, it may not extend to all third-party integrations.

How DeliverPoint Helps Administrators & Site Owners Report on Sensitivity Labels

DeliverPoint Reports for Sensitivity Label Management in SharePoint

DeliverPoint provides two powerful reporting options that enable Site Owners and Administrators to manage sensitivity labels effectively within SharePoint. These reports help identify unlabeled content, monitor labeled files, and take corrective actions to ensure data security and compliance.

1. Unlabeled Files Report

  • This report can be run contextually within a SharePoint site by a Site Owner to identify files that lack sensitivity labels.
  • Each file in the report allows for further investigation, such as:
    • Running additional reports to see who has access to the file.
    • Viewing what sharing links have been created for the document.
  • Actions can be taken directly within the report, such as removing permissions from certain users to restrict access to unlabeled sensitive content.
DeliverPoint showing Unlabelled files within a site on-demand

2. Include Sensitive Content in Discover Permissions Reports

  • This option allows users to see all files within a site that have a sensitivity label applied.
  • Site Owners and Administrators can review permissions for labeled content and take necessary actions to protect sensitive data.
  • Filter on the sensitivity labels within the report.
  • Permissions can be adjusted within the report, including:
    • Revoking access for unauthorized users.
    • Removing sharing links to prevent external exposure.
The Discover Permissions Report offers the option to include all files with sensitivity labels which can then be actioned or filtered.

Report Scope

  • Site Owners can run these reports on individual sites, providing real-time insights into permissions and labeling gaps.
  • Administrators can execute these reports across multiple sites or multiple site collections allowing for ongoing governance and compliance enforcement.
Running the "Unlabelled Files" report across multiple site collections and then selecting files in order to run other access reports.

With these reports, DeliverPoint empowers organizations to maintain a secure and well-governed SharePoint environment, ensuring that sensitivity labels are correctly applied and permissions are managed effectively.

Final Thoughts

Sensitivity labels in SharePoint are a vital part of an organization’s security strategy. By using Microsoft Purview for Data Access Governance and DeliverPoint for permissions management, organizations can ensure their information remains protected, properly classified, and accessible only to authorized users.
