AD4.5 Default Labels and Mandatory Labelling
Figure AD4.5 — Default labeling applies "Internal" automatically to every new document and email. Mandatory labeling prevents saving or sending without a label. Together, they ensure every document in your organization has a sensitivity classification — most without any user action required.
How default labeling works
When a user opens Word, Excel, or PowerPoint and creates a new document, the "Internal" label is applied automatically. The sensitivity bar shows "Internal" immediately — the user didn't click anything, didn't choose from a dropdown, didn't even notice. The document is classified from the moment of creation.
The user works on the document. If the content is a meeting agenda (internal), they save and close — the label is correct, no action needed. If the content is a client contract (confidential), they click the sensitivity bar, select "Confidential," and the protection settings (encryption + watermark) are applied. If the content is a marketing brochure (public), they change the label to "Public."
The key insight: most documents are internal. Meeting notes, project plans, procedures, task lists, presentation drafts — these are all "Internal" content. By making "Internal" the default, you eliminate the labeling decision for the majority of documents. Users only need to actively label the minority of documents that are more sensitive (Confidential, Highly Confidential) or less sensitive (Public) than the default.
For email, the same principle applies. Every new email in Outlook starts with "Internal." The user types the email, attaches files, and sends — the label is already applied. If they're sending a confidential document to internal colleagues, they change the label to "Confidential" (which applies encryption). If they're sending a marketing email externally, they change to "Public."
Handling legacy unlabeled documents
When a user opens an existing document that was created before labels were deployed, it has no label. With mandatory labeling enabled, the user is prompted to apply a label before they can save any changes. This is the "legacy catch-up" mechanism — over time, as users open and modify existing documents, each one gets labeled.
This creates a short-term friction point: users opening old documents see a prompt they haven't seen before. Communicate this during your label rollout: "When you open older documents, you may be asked to apply a sensitivity label. In most cases, 'Internal' is correct. If the document contains sensitive data (client contracts, financial data), select 'Confidential.' This is a one-time action per document."
You can also set the default label to apply to existing documents that don't have one. In the publishing policy, enable "Apply a default label to existing content" — this retroactively labels existing content in SharePoint and OneDrive with the default label ("Internal") without requiring the user to open the document. This is an E3 feature that provides bulk retroactive labeling without the E5 auto-labeling engine.
Configuring in the publishing policy
These settings are configured in the label publishing policy you created in AD4.3. Navigate to purview.microsoft.com → Information Protection → Label policies → select your policy → Edit.
Verify these settings:
- Default label for documents and emails: Internal
- Apply default label to existing content: Consider enabling (this retroactively labels unlabeled SharePoint/OneDrive content)
- Require users to apply a label: Enabled
- Require justification for label downgrade: Enabled
Save the policy. Changes propagate within 24 hours.
Setting default labels on SharePoint document libraries
Beyond the tenant-wide default label (which applies to new documents created in Office apps), you can set a default label per SharePoint document library. This catches documents uploaded to SharePoint from any source — including third-party applications, email attachments saved to SharePoint, and files uploaded via the web interface.
Navigate to the SharePoint site → select the document library → Settings (gear icon) → Library settings → Default sensitivity label → select "Internal."
Now every file uploaded to this library — regardless of how it was created — receives the "Internal" label if it doesn't already have one. This is particularly useful for document libraries that receive content from automated workflows, scanning devices, or LOB applications that don't support native labeling.
For sensitive libraries (HR documents, financial reports), set the default label to "Confidential" instead of "Internal." Every document saved to the HR document library gets encryption automatically — even if the user who uploaded it forgot to change the label from "Internal." This is a powerful safety net: the library enforces the minimum classification for its content.
Configure this via PowerShell for multiple libraries:
Connect-PnPOnline -Url "https://northgateeng.sharepoint.com/sites/HR" -Interactive
# Resolve the "Confidential" label to its GUID, then set it as the default for the HR Documents library
$label = Get-PnPLabel | Where-Object { $_.Name -eq "Confidential" }
Set-PnPList -Identity "Documents" -DefaultSensitivityLabelForLibrary $label.Id
Monitoring label justification in the audit log
When a user downgrades a label (e.g., changes from "Confidential" to "Internal"), they must provide a justification — this is the setting you enabled in the publishing policy. These justifications are logged in the unified audit log and provide visibility into label changes.
Search the audit log for downgrade events:
Connect-ExchangeOnline
# SensitivityLabelUpdated is the audit operation for label changes made in Office apps;
# the justification entered by the user is carried in SensitivityLabelEventData.JustificationText
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations "SensitivityLabelUpdated" -ResultSize 100 |
    ForEach-Object {
        $data = $_.AuditData | ConvertFrom-Json
        [PSCustomObject]@{
            Date          = $_.CreationDate
            User          = $_.UserIds
            File          = $data.ObjectId
            OldLabel      = $data.SensitivityLabelEventData.OldSensitivityLabelId
            NewLabel      = $data.SensitivityLabelEventData.SensitivityLabelId
            Justification = $data.SensitivityLabelEventData.JustificationText
        }
    } |
    Where-Object { $_.Justification } |   # only downgrades carry a justification, so this keeps downgrade events
    Format-Table -AutoSize
A user who frequently downgrades Confidential to Internal without compelling justification may be circumventing data protection — investigate. A user who downgrades with consistent, reasonable justifications ("Reclassified after removing client data from the document") is using the system correctly. The audit log distinguishes between the two.
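As an added example that is not part of the module, the following PowerShell turns parsed audit records into a per-user downgrade report that flags repeated downgrades with empty or token justifications, which is the triage the paragraph above describes. It runs offline on constructed sample records: the label GUIDs, user names and file paths are placeholders, the label hierarchy is the module's own (Public, Internal, Confidential, Highly Confidential), and the SensitivityLabelEventData field names follow the audit log's sensitivity label schema.

```powershell
# Added example: triage label downgrades from audit records. All IDs, users and
# records below are constructed placeholders, not values from a real tenant.
$labelRank = @{ 'Public' = 0; 'Internal' = 1; 'Confidential' = 2; 'Highly Confidential' = 3 }
$labelIds  = @{ 'Public' = '11111111-0000-0000-0000-000000000000'
                'Internal' = '22222222-0000-0000-0000-000000000000'
                'Confidential' = '33333333-0000-0000-0000-000000000000'
                'Highly Confidential' = '44444444-0000-0000-0000-000000000000' }
$labelNames = @{}; $labelIds.GetEnumerator() | ForEach-Object { $labelNames[$_.Value] = $_.Key }

function New-SampleRecord($User, $File, $OldLabel, $NewLabel, $Justification) {
    # One AuditData JSON string in the shape the audit log returns (constructed sample)
    @{ UserId = $User; ObjectId = $File
       SensitivityLabelEventData = @{ OldSensitivityLabelId = $labelIds[$OldLabel]
                                      SensitivityLabelId    = $labelIds[$NewLabel]
                                      JustificationText     = $Justification } } | ConvertTo-Json -Compress -Depth 3
}

$sampleAuditData = @(
    (New-SampleRecord 'alice@example.com' '/sites/HR/contract.docx' 'Confidential' 'Internal' 'Reclassified after removing client data from the document'),
    (New-SampleRecord 'bob@example.com'   '/sites/HR/salaries.xlsx' 'Confidential' 'Internal' 'n/a'),
    (New-SampleRecord 'bob@example.com'   '/sites/HR/reviews.docx'  'Highly Confidential' 'Public' ''),
    (New-SampleRecord 'bob@example.com'   '/sites/HR/offer.docx'    'Confidential' 'Internal' 'x'),
    (New-SampleRecord 'carol@example.com' '/sites/HR/agenda.docx'   'Internal' 'Confidential' '')   # upgrade, ignored
)

function Get-DowngradeReport([string[]] $AuditDataJson, [int] $MinJustificationLength = 15, [int] $Threshold = 2) {
    $downgrades = foreach ($json in $AuditDataJson) {
        $d  = $json | ConvertFrom-Json
        $ev = $d.SensitivityLabelEventData
        $old = $labelNames[$ev.OldSensitivityLabelId]; $new = $labelNames[$ev.SensitivityLabelId]
        if (-not $old -or -not $new) { continue }                  # unknown label id: skip
        if ($labelRank[$new] -ge $labelRank[$old]) { continue }    # upgrade or same rank: not a downgrade
        $just = [string]$ev.JustificationText
        [PSCustomObject]@{ User = $d.UserId; File = $d.ObjectId; OldLabel = $old; NewLabel = $new
                           Justification = $just; Weak = ($just.Trim().Length -lt $MinJustificationLength) }
    }
    # One row per user; Flag marks users with repeated downgrades whose justification is empty or a token
    $downgrades | Group-Object User | ForEach-Object {
        $weak = @($_.Group | Where-Object { $_.Weak }).Count
        [PSCustomObject]@{ User = $_.Name; Downgrades = $_.Count; WeakJustifications = $weak
                           Flag = ($weak -ge $Threshold) }
    }
}

Get-DowngradeReport -AuditDataJson $sampleAuditData | Format-Table -AutoSize
```

In a tenant, replace $sampleAuditData with the AuditData strings from the Search-UnifiedAuditLog pipeline above and build $labelIds from your own label GUIDs; bob is flagged in the sample while alice's single well-justified downgrade is not.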
Measuring label adoption
After one week of deployment, check adoption. Navigate to purview.microsoft.com → Data classification → Overview. The dashboard shows: total labeled documents by label, labeling trends over time, and most-used labels. You should see "Internal" as the dominant label (70-80%+ of all labeled content), with "Confidential" in second place and "Public" and "Highly Confidential" as smaller segments.
What mandatory labeling looks like for users
Understanding the user experience helps you anticipate questions and prepare your helpdesk.
In Word, Excel, PowerPoint (desktop): When the user creates a new document, the sensitivity bar shows "Internal" immediately — no prompt, no popup. If they try to save a document that somehow doesn't have a label (e.g., they opened a file created before labels existed), they see a dialog: "You need to select a sensitivity label before saving." They choose a label and save normally. This happens once per unlabeled legacy document — after the label is applied, subsequent saves don't prompt.
In Outlook (desktop and web): New emails show "Internal" in the sensitivity dropdown. If the user removes the label and tries to send, Outlook blocks the send with: "A sensitivity label is required before sending this email." The user selects a label and sends. In practice, users never remove the default label — they either leave it as "Internal" or change it to "Confidential" for sensitive emails.
In Outlook mobile: The sensitivity label appears in the compose view. Behaviour is the same as desktop — default "Internal" applied, can be changed, can't be removed.
Edge case: replying to labeled email. When a user replies to an email labeled "Confidential," the reply inherits the "Confidential" label automatically. The user doesn't need to relabel the reply — the label carries forward through the conversation. If the user tries to downgrade the reply label to "Internal," they must provide a justification. This inheritance ensures that sensitive email threads maintain their classification throughout the conversation.
For a more specific adoption check, use PowerShell:
Connect-IPPSSession
# Check label usage statistics
Get-LabelActivityMetrics -Summary |
Select-Object LabelName, DocumentCount, EmailCount |
Format-Table -AutoSize
Track adoption weekly for the first month, then monthly. The target: 95%+ of documents and emails labeled within 30 days of deployment. With default labeling and mandatory labeling, this target is achievable without any user training — the labels apply automatically for most content.
If adoption is below 95% after 30 days, investigate: are some users on Office versions that don't support sensitivity labels? Are some users accessing documents only through SharePoint web (where label propagation may have different timing)? Are there specific departments not covered by the publishing policy?
Your label adoption dashboard shows that 92% of new documents have labels after 2 weeks. Investigation reveals the remaining 8% are documents created in third-party applications (a project management tool that generates reports as Word files and saves them to SharePoint). These documents bypass the Office labeling pipeline because they're created programmatically, not through Word. What do you do?
Option A: Accept the 8% gap — third-party applications can't apply labels.
Option B: Configure a default sensitivity label on the SharePoint document libraries where these reports are saved. When a document is uploaded to the library without a label, the library's default label is applied automatically. This catches documents created by any application that saves to SharePoint without labeling.
The correct answer is Option B. SharePoint document libraries support a default sensitivity label that applies to all new and unlabeled documents uploaded to the library. Navigate to the library settings → Library settings → Default sensitivity label → select "Internal." Now every document saved to this library — whether created in Word, generated by a project management tool, or uploaded from any source — gets the default label. This closes the third-party application gap without modifying the applications themselves.
Try it: Verify default and mandatory labeling
Open Word and create a new blank document. Check the sensitivity bar — it should show "Internal" without any user action. Try to save the document to OneDrive without changing the label. It should save successfully (the default label satisfies the mandatory requirement).
Now open an older document that was created before labels were deployed (if you have one). Try to save it. You should be prompted to apply a label — select "Internal" and save.
Create a new email in Outlook. The sensitivity label should show "Internal" in the compose window. Try to send the email without changing it. It should send normally with the "Internal" label.
Finally, open a document labeled "Confidential" and try to change the label to "Internal" (a downgrade). You should be prompted for a justification reason before the downgrade is allowed. Enter a reason and confirm. The justification is logged in the audit trail.
When mandatory labeling is active, users see a yellow information bar in Word, Excel, and PowerPoint prompting them to apply a label before saving. The bar appears once — if the user dismisses it, the default label applies automatically. In Outlook, the prompt appears when sending an email without a label. The user experience is minimally disruptive: one prompt per document, dismissed in one click. Monitor the first week after enabling mandatory labeling through the label analytics in Purview — a spike in "default label applied" events is expected and indicates the feature is working correctly.
You're reading the free modules of M365 Security: From Admin to Defender