AD4.3 Creating and Publishing Sensitivity Labels
Figure AD4.3 — Label creation and publishing workflow. Create 4 labels in Purview (15 minutes), publish with a policy assigned to all users (5 minutes), wait 24 hours for propagation, verify labels appear in Office apps. Protection settings are configured during label creation.
Creating labels in the Purview portal — step by step
Navigate to purview.microsoft.com → Solutions → Information Protection → Labels. If your tenant has been migrated to the modern label scheme (March 2026), you'll see a green banner confirming the migration. The modern scheme uses labels and label groupings instead of the old parent-child model — this doesn't change how you create labels, but it does give you more flexibility to reorganize them later.
Click "+ Create a label" to create the first label.
Label 1: Public
- Name: Public
- Display name: Public (this is what users see in the dropdown)
- Description for users: "Content approved for external sharing. Use for marketing materials, published documents, press releases, and other content intentionally made available outside the organization."
- Description for admins: "Lowest sensitivity. No protection applied. Visual footer only."
- Label color: Green (helps users quickly identify the sensitivity level)
- Label priority: 0 (lowest — a document can be upgraded from Public to Internal but not downgraded from Internal to Public without justification)
Scope: Select "Files & other data assets" and "Emails."
Protection settings: None. Public content doesn't need encryption or restrictions. Configure a content marking footer only: "Classification: Public" — this serves as a visual reminder, not a protection control.
Click "Create."
Label 2: Internal
- Name: Internal
- Display name: Internal
- Description for users: "For employees and authorized internal users only. Use for meeting notes, project plans, procedures, and general internal documents. This is the default label — most documents should use this classification."
- Description for admins: "Default label. Visual marking only (header + footer). No encryption. Applied automatically to all new documents."
- Label color: Blue
- Label priority: 1
Scope: Files & other data assets, Emails.
Protection settings — Content marking:
- Header: "Internal" (font size 10, color grey, positioned top-centre)
- Footer: "Northgate Engineering — Internal Use Only" (font size 8, color grey, positioned bottom-centre)
- No watermark (watermarks on every internal document create user fatigue)
- No encryption (internal documents need to be freely shareable within the organization)
Click "Create."
Label 3: Confidential
- Name: Confidential
- Display name: Confidential
- Description for users: "Sensitive content that must not be shared externally. Use for client contracts, financial reports, vendor pricing, intellectual property, and any content that would cause harm if disclosed outside the organization."
- Description for admins: "Encryption enabled — internal users only. Visual marking: watermark + header + footer."
- Label color: Orange
- Label priority: 2
Scope: Files & other data assets, Emails.
Protection settings — Encryption: Enable encryption. Under "Assign permissions now or let users decide," select "Assign permissions now." Under "User access to content expires," select "Never." Under "Allow offline access," select "Always." Under "Assign permissions," click "Add permissions" → Add "All members" (this means all authenticated users within your tenant can access the content, but nobody external).
Protection settings — Content marking:
- Header: "CONFIDENTIAL" (font size 12, color orange, bold)
- Footer: "Northgate Engineering — Confidential" (font size 8, color orange)
- Watermark: "CONFIDENTIAL" (font size 48, color light grey, diagonal — visible when printed but doesn't obscure content)
Click "Create."
Label 4: Highly Confidential
- Name: Highly Confidential
- Display name: Highly Confidential
- Description for users: "Extremely sensitive content restricted to specific individuals. Use for board papers, M&A documents, security incident reports, employee salary data, and legal matters. Only named users can access this content."
- Description for admins: "Maximum protection. Encryption with user-specified permissions. Watermark + header + footer."
- Label color: Red
- Label priority: 3 (highest)
Scope: Files & other data assets, Emails.
Protection settings — Encryption: Enable encryption. Select "Let users assign permissions when they apply the label." This prompts the user to specify who can access the document when they apply the label — only those named users can open it. Under "In Outlook, enforce restrictions equivalent to the Do Not Forward option" — enable this for email (prevents forwarding, printing, and copying of the email content).
Protection settings — Content marking:
- Header: "HIGHLY CONFIDENTIAL" (font size 12, color red, bold)
- Footer: "Northgate Engineering — Highly Confidential — Restricted Distribution"
- Watermark: "HIGHLY CONFIDENTIAL" (font size 48, color light red, diagonal)
Click "Create."
Creating the publishing policy
Labels exist but users can't see them until you publish them. Navigate to purview.microsoft.com → Information Protection → Label policies → "Publish labels."
Name: "NE Sensitivity Labels — All Users"
Labels to publish: Select all four labels (Public, Internal, Confidential, Highly Confidential).
Users and groups: All users and groups (publish to the entire organization).
Policy settings:
- Default label for documents: Internal (every new Word, Excel, and PowerPoint document starts with the "Internal" label)
- Default label for emails: Internal (every new Outlook email starts with "Internal")
- Require users to apply a label to their email and documents: Enable (mandatory labeling — users must choose a label before saving or sending. Since the default is "Internal," they only need to change it when the content warrants a different classification)
- Require users to provide justification for removing a label or lowering its classification level: Enable (if a user changes a "Confidential" document to "Internal," they must provide a reason — this prevents accidental downgrade and creates an audit trail)
Click "Submit" to publish the policy.
Verifying labels appear in Office apps
Labels take up to 24 hours to propagate after publishing. To force a faster refresh, sign out of all Office apps and sign back in — this triggers a policy check. In Office 365 apps (Word, Excel, PowerPoint), look for the sensitivity bar below the ribbon — it shows the current label and lets the user change it.
In Outlook, the sensitivity button appears in the compose window — users select the label before sending. In Outlook on the web, the sensitivity label appears as a dropdown in the compose toolbar.
To verify via PowerShell that your labels are created and the policy is published:
Connect-IPPSSession
Get-Label | Select-Object Name, DisplayName, Priority, Disabled | Format-Table
Get-LabelPolicy | Select-Object Name, Labels, Mode | Format-Table

The Get-Label output should show your four labels with correct priorities. The Get-LabelPolicy output should show your publishing policy with all four labels listed and Mode set to "Enforce."
If labels don't appear in a user's Office app after 24 hours, check: is the publishing policy assigned to their account (user or group membership)? Is their Office version current enough to support sensitivity labels (Microsoft 365 Apps for Enterprise, version 16.0.11231 or later)? Is the Microsoft Purview Information Protection client installed (for older Office versions)?
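The manual check of the Get-Label and Get-LabelPolicy output can be scripted. The following is an added example, not part of the original course material: a hypothetical function, Test-LabelBaseline, that reports deviations from the four-label baseline using only the properties shown above, run here on constructed sample objects. It assumes the policy's Labels property lists label names and that each label's Name equals its DisplayName, as in the labels created in this section.

```powershell
# Added example: compares Get-Label / Get-LabelPolicy shaped objects with this section's baseline.
function Test-LabelBaseline {
    param(
        [Parameter(Mandatory)] [object[]] $Labels,     # objects shaped like Get-Label output
        [Parameter(Mandatory)] [object[]] $Policies,   # objects shaped like Get-LabelPolicy output
        # Least to most sensitive, as defined in this section
        [string[]] $Expected = @('Public', 'Internal', 'Confidential', 'Highly Confidential')
    )
    $findings = @()
    foreach ($name in $Expected) {
        $label = $Labels | Where-Object { $_.DisplayName -eq $name }
        if (-not $label) { $findings += "Missing label: $name" }
        elseif ($label.Disabled) { $findings += "Label is disabled: $name" }
    }
    # Compare relative order, not absolute numbers, so other labels in the tenant do not matter.
    $actual = @($Labels | Where-Object { $_.DisplayName -in $Expected } |
        Sort-Object Priority | ForEach-Object { $_.DisplayName })
    $wanted = @($Expected | Where-Object { $_ -in $actual })
    if (($actual -join ' < ') -ne ($wanted -join ' < ')) {
        $findings += "Priority order is $($actual -join ' < '), expected $($wanted -join ' < ')"
    }
    # Assumption: Labels on the policy holds label names, and Name equals DisplayName
    # (true for the four labels as specified in this section).
    $complete = @($Policies | Where-Object {
        $published = @($_.Labels)
        "$($_.Mode)" -eq 'Enforce' -and -not ($Expected | Where-Object { $_ -notin $published })
    })
    if ($complete.Count -eq 0) {
        $findings += 'No policy in Enforce mode publishes all four labels'
    }
    return $findings
}

# Constructed sample input: Internal and Confidential priorities swapped, one label unpublished.
$sampleLabels = @(
    [pscustomobject]@{ DisplayName = 'Public';              Priority = 0; Disabled = $false }
    [pscustomobject]@{ DisplayName = 'Internal';            Priority = 2; Disabled = $false }
    [pscustomobject]@{ DisplayName = 'Confidential';        Priority = 1; Disabled = $false }
    [pscustomobject]@{ DisplayName = 'Highly Confidential'; Priority = 3; Disabled = $false }
)
$samplePolicies = @(
    [pscustomobject]@{ Mode = 'Enforce'; Labels = @('Public', 'Internal', 'Confidential') }
)
# Against a tenant: Test-LabelBaseline -Labels (Get-Label) -Policies (Get-LabelPolicy)
Test-LabelBaseline -Labels $sampleLabels -Policies $samplePolicies
```

An empty result means the labels and policy match the baseline.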
After publishing labels, you notice that new documents created in Word automatically get the "Internal" label (as expected), but documents created in the SharePoint web interface don't show any label. A user creates a document in SharePoint → New → Word document and it has no label. What's happening?
Option A: SharePoint doesn't support sensitivity labels — labels only work in desktop Office apps.
Option B: SharePoint Online supports sensitivity labels, but the label may not apply to documents created through the web interface immediately. Check whether the label policy has fully propagated to SharePoint (can take up to 24-48 hours separately from Office app propagation). Also verify that the SharePoint site doesn't have its own default label that overrides the policy default.
The correct answer is Option B. SharePoint Online fully supports sensitivity labels in the web interface. The propagation delay can be different from the desktop app propagation — sometimes labels appear in desktop Word before they appear in SharePoint web editing. Additionally, SharePoint document libraries can have their own default sensitivity label (configured per-library), which may override or not yet be configured. Wait 48 hours from policy publication, then verify. If labels still don't appear in SharePoint, check the label policy scope and the SharePoint admin settings for information protection.
Try it: Create your four labels and publish them
Navigate to purview.microsoft.com → Information Protection → Labels. Create each label following the specifications in this subsection. Take your time with the encryption settings for Confidential and Highly Confidential — these are the settings that enforce data protection.
After creating all four labels, create the publishing policy: publish all four labels to all users, set default to "Internal," enable mandatory labeling, enable justification for label downgrade.
After publishing, wait 1-2 hours (or sign out of Office and back in). Open Word and check the sensitivity bar. You should see four labels: Public, Internal (currently applied as default), Confidential, and Highly Confidential. Click each one and verify the tooltip shows your description.
Create a test document, apply the "Confidential" label, save it to OneDrive, and verify: does the watermark appear? Is the header showing? Can you share it externally? (The answer should be no — encryption restricts access to internal users only.)
Run the PowerShell verification:
Connect-IPPSSession
Get-Label | Select-Object Name, Priority, ContentType | Format-Table
Get-LabelPolicy | Select-Object Name, @{N="Labels";E={$_.Labels -join ", "}} | Format-Table
When users see the labels in Office apps, the order matches the order you defined in the publishing policy. Put "Public" first and "Highly Confidential" last — this creates a natural escalation from least to most sensitive that matches how users think about document sensitivity. If the order is wrong, edit the publishing policy and reorder the labels. The change propagates within 24 hours.
You're reading the free modules of M365 Security: From Admin to Defender