AD4.2 Designing Your Sensitivity Label Taxonomy
Figure AD4.2 — The four-label taxonomy. Public (no protection), Internal (visual marking, default label), Confidential (encryption + marking, internal users only), Highly Confidential (encryption + marking, named users only). Four labels. Two seconds to choose. Clear examples for every label. This is the taxonomy that gets adopted.
Why four labels, not more
The label dropdown appears every time a user saves a document or sends an email (if mandatory labeling is enabled). Every additional label increases decision time and decision error. Research on classification systems consistently shows that accuracy drops sharply beyond 4-5 categories for non-expert classifiers — and your users are not classification experts.
Four labels cover the entire sensitivity spectrum: content that can be shared publicly (Public), content that's for internal use only (Internal), content that's sensitive and needs protection (Confidential), and content that's extremely sensitive and needs maximum protection (Highly Confidential). There's no content that doesn't fit into one of these four categories.
If you're tempted to add sub-labels like "Confidential — External Allowed" or "Internal — Management Only," resist. Microsoft Purview's modern label architecture (rolled out to all tenants by March 2026) supports label groupings — but groupings should organize labels for display, not multiply the choices. The cognitive load of choosing between "Confidential" and "Confidential — External Allowed" is exactly the kind of decision that causes users to stop labeling. Instead, handle external sharing through DLP policies and sharing controls — the label defines the sensitivity, the policy enforces the sharing restriction.
Defining each label precisely
Each label needs three things: a name that's immediately understandable, a description that tells users "this is for content like X," and protection settings that enforce the classification.
Public. Content that has been reviewed and approved for external distribution. Not "anything that isn't confidential" — deliberately approved for public consumption. Users should choose this label only when they've confirmed the content is safe for anyone to see. This is the least-used label because most documents are internal, not public.
Internal (DEFAULT). Content for employees, contractors, and authorized internal users. This is the "normal" label — meeting notes, project plans, process documents, internal emails. Making it the default label means every new document starts here, and 80%+ of documents will correctly stay here without the user changing anything. The protection is visual marking only (header and footer saying "Internal") — no encryption, because internal documents need to be freely shareable within the organization.
Confidential. Content that would cause harm if shared outside the organization — financial data, client information, HR records, intellectual property, vendor contracts. The protection is encryption (only users within the organization can open the document) plus visual marking (watermark, header, footer). Users choose this label when they're working with content that's sensitive enough that external exposure would be a problem.
Highly Confidential. Content that would cause serious harm if shared beyond a small group — board papers, M&A discussions, security incident reports, employee salary data, legal matters. The protection is encryption with named-user access (only specific people can open the document) plus visual marking. This is the most restrictive label — used rarely, for genuinely sensitive content.
The 2-second test
Show a user a document and ask: "Which label?" If they can answer in 2 seconds, your taxonomy is good. If they hesitate, the labels are too similar or the descriptions aren't clear enough. Run this test with 5 users across different departments before publishing the labels — it catches taxonomy problems before they become adoption problems.
Test with these documents: a marketing brochure (Public — obviously for external distribution), a team meeting agenda (Internal — standard internal document), a client contract (Confidential — contains client-specific commercial terms), a board report with financial projections (Highly Confidential — restricted audience). If every user classifies all four correctly without hesitation, the taxonomy works.
Communicating the taxonomy to users
The taxonomy is only effective if users understand it. Create a one-page reference card that lives on the company intranet and is included in the rollout communication:
"How to classify your documents and emails"
| Label | Use when... | Examples | What it does |
|---|---|---|---|
| Public | Content is approved for anyone to see | Brochures, datasheets, job listings | Adds "Public" footer |
| Internal | Content is for NE employees only | Meeting notes, project plans, procedures | Adds "Internal" header/footer (DEFAULT) |
| Confidential | Content would cause harm if shared externally | Client contracts, financial reports, vendor pricing | Encrypts + watermark — external users CAN'T open |
| Highly Confidential | Content restricted to specific people | Board papers, salary data, security incidents | Encrypts to named users + Do Not Forward on email |
"When in doubt, leave it as Internal (the default). If you're working with client data, financial figures, or HR records, change it to Confidential. You'll rarely use Public or Highly Confidential."
This reference card is the core of your user training. Don't build a 30-minute training deck — the reference card communicates everything a user needs to know in 30 seconds. Email it to all staff on the day labels are published. Pin it on the intranet. Include it in new employee onboarding.
Label colors and visual hierarchy
Label colors reinforce the sensitivity hierarchy visually. When users see the label dropdown, colors help them navigate faster than text alone. The recommended mapping: green for Public (safe/open), blue for Internal (standard/neutral), orange for Confidential (caution/sensitive), red for Highly Confidential (stop/restricted). This traffic-light-style color scheme is instantly intuitive — green means go, red means stop. Configure label colors during label creation in the Purview portal (AD4.3).
Label priority and what it controls
Labels have a priority order (0 = lowest, 3 = highest). Priority determines two things: the order labels appear in the dropdown (lowest at top, highest at bottom), and what happens when labels are changed.
A user can upgrade a label freely (Internal → Confidential) — this increases protection, so no justification is needed. A user can downgrade a label (Confidential → Internal) only with a justification — this decreases protection, and the justification is logged in the audit trail.
The priority also affects auto-labeling (if you upgrade to E5 later): when auto-labeling detects sensitive content in a document that already has a label, it only upgrades — never downgrades. A document labeled "Internal" that contains credit card numbers can be auto-upgraded to "Confidential." A document labeled "Confidential" that happens to contain no sensitive patterns won't be auto-downgraded to "Internal." This prevents auto-labeling from removing protection that a user deliberately applied.
Set your priorities during label creation: Public = 0, Internal = 1, Confidential = 2, Highly Confidential = 3. This ordering is permanent — changing priorities after deployment requires recreating the labels.
Writing effective tooltip text
The tooltip appears when users hover over a label in the dropdown. It's the micro-training that helps users choose the right label. Keep tooltips under 200 characters and make them action-oriented:
Public tooltip: "Approved for anyone — marketing materials, published specs, public communications."
Internal tooltip: "For NE employees only — most documents use this label. It's the default."
Confidential tooltip: "Sensitive data — client contracts, financial data, IP. Encrypts automatically."
Highly Confidential tooltip: "Most sensitive — board papers, salaries, security incidents. You choose who can access."
Notice how each tooltip starts with what the label means and ends with what makes it different from the others. Users scanning the dropdown can distinguish between labels in under 2 seconds by reading just the first few words of each tooltip.
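The label definitions, priorities, colors and tooltips from the sections above, scripted with Security & Compliance PowerShell (ExchangeOnlineManagement module). This is an added example, not code from the course: the tenant domain `ne.example` and the hex color values are placeholders, and the label policy that makes Internal the default, enables mandatory labeling and requires downgrade justification is created separately with New-LabelPolicy and is not shown here.

```powershell
# Added example, not from the course. Creates the four-label taxonomy with
# Security & Compliance PowerShell; needs a compliance admin role.
# 'ne.example' is a placeholder for your tenant's verified domain.
Connect-IPPSSession

$tenantDomain = 'ne.example'   # placeholder: replace with your tenant domain
# Co-author rights granted to every user in the tenant (used by Confidential)
$orgRights = "${tenantDomain}:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL"

# Public: no encryption, footer marking only
New-Label -Name 'Public' -DisplayName 'Public' `
  -Tooltip 'Approved for anyone - marketing materials, published specs, public communications.' `
  -ApplyContentMarkingFooterEnabled $true -ApplyContentMarkingFooterText 'Public'

# Internal (the default label): header and footer marking, no encryption
New-Label -Name 'Internal' -DisplayName 'Internal' `
  -Tooltip "For NE employees only - most documents use this label. It's the default." `
  -ApplyContentMarkingHeaderEnabled $true -ApplyContentMarkingHeaderText 'Internal' `
  -ApplyContentMarkingFooterEnabled $true -ApplyContentMarkingFooterText 'Internal'

# Confidential: encrypted so only tenant users can open it, plus watermark/header/footer
New-Label -Name 'Confidential' -DisplayName 'Confidential' `
  -Tooltip 'Sensitive data - client contracts, financial data, IP. Encrypts automatically.' `
  -EncryptionEnabled $true -EncryptionProtectionType Template `
  -EncryptionRightsDefinitions $orgRights `
  -ApplyWaterMarkingEnabled $true -ApplyWaterMarkingText 'Confidential' `
  -ApplyContentMarkingHeaderEnabled $true -ApplyContentMarkingHeaderText 'Confidential' `
  -ApplyContentMarkingFooterEnabled $true -ApplyContentMarkingFooterText 'Confidential'

# Highly Confidential: author picks named users in Office apps, Do Not Forward in Outlook
New-Label -Name 'Highly Confidential' -DisplayName 'Highly Confidential' `
  -Tooltip 'Most sensitive - board papers, salaries, security incidents. You choose who can access.' `
  -EncryptionEnabled $true -EncryptionProtectionType UserDefined `
  -EncryptionPromptUser $true -EncryptionDoNotForward $true `
  -ApplyWaterMarkingEnabled $true -ApplyWaterMarkingText 'Highly Confidential' `
  -ApplyContentMarkingHeaderEnabled $true -ApplyContentMarkingHeaderText 'Highly Confidential'

# Priority order (0 = lowest) and traffic-light colors (sample hex values) via the 'color' advanced setting
$order = @(
  @{ Name = 'Public';              Priority = 0; Color = '#2E7D32' },  # green
  @{ Name = 'Internal';            Priority = 1; Color = '#1565C0' },  # blue
  @{ Name = 'Confidential';        Priority = 2; Color = '#EF6C00' },  # orange
  @{ Name = 'Highly Confidential'; Priority = 3; Color = '#C62828' }   # red
)
foreach ($l in $order) {
  Set-Label -Identity $l.Name -Priority $l.Priority -AdvancedSettings @{ color = $l.Color }
}
# Verify the dropdown order and tooltips before publishing the labels
Get-Label | Sort-Object Priority | Format-Table Priority, DisplayName, Tooltip -AutoSize
```

Run the final Get-Label check before publishing: it confirms the dropdown order (Public at the top, Highly Confidential at the bottom) and that every tooltip stays under the 200-character guideline.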
The legal team requests a "Legal Privilege" sensitivity label for documents covered by solicitor-client privilege. They argue that privileged documents need a distinct label for eDiscovery purposes and to prevent accidental disclosure during litigation. Do you create a fifth label?
Option A: Yes — legal privilege is a genuine legal requirement that justifies a separate label.
Option B: No — use "Highly Confidential" for privileged documents and add a content marking that says "Subject to Legal Privilege" in the header. Use SharePoint permissions to restrict access to the legal team's site. If eDiscovery needs to identify privileged documents, use a retention label or a metadata property, not a sensitivity label.
The correct answer is Option B. Legal privilege is a genuine requirement, but it doesn't need a separate sensitivity label — it needs a separate access control (SharePoint permissions) and a separate discovery mechanism (retention label or metadata). The sensitivity classification is "Highly Confidential" — because that's what privileged documents are. Adding "Legal Privilege" as a fifth sensitivity label means every non-legal user now sees 5 labels instead of 4 and has to understand a legal concept that doesn't apply to them. Solve the legal requirement through permissions and metadata, not through the sensitivity dropdown that every user sees.
Try it: Design and validate your label taxonomy
Write out your four labels: name, one-sentence description, three example documents, and protection level (none, marking only, encryption + marking, encryption + named access). Use the NE taxonomy as a starting point and adapt it for your organization.
Then run the 2-second test: pick 5 documents from your organization (one per sensitivity level plus one ambiguous one) and ask a colleague to classify each using your four labels. Time their responses. If every classification takes under 3 seconds and matches your expectation, the taxonomy works. If they hesitate on one, the description for that label needs clarification.
Document the taxonomy in a simple table — you'll reference it when creating labels in the Purview portal (AD4.3) and when communicating the labels to users during rollout.
You're reading the free modules of M365 Security: From Admin to Defender