BLOG

Protect your data in Microsoft Teams with sensitivity labels

4 min read

In a previous article we discussed the advantage of using sensitivity labels to classify teams in Microsoft Teams. By using sensitivity labels, you enforce your governance policies. For this article, we are going to show you how you can classify and protect the data stored in your teams. Although people need to be added as a member to a team, to access the content, after that they basically can download the content and share with unauthorized people. We are going to show you how this can be prevented by working with sensitivity labels.

For this article, we are going to use a fictional company and business case. A company called Contoso is working on the development of their new console, codename Project Raven, and wants to protect the data related to the project.

Information classification policy

Before we dive deeper into the business case and the technology side of things, it is crucial that Contoso starts with defining their information classification policy. We use the following example with our customers:


These classifications are going to be the sensitivity labels. Once Contoso agreed upon the classification policy that works for their organization, it is time to create an information protection policy.

Information protection policy

This policy is aimed at deciding the appropriate configuration, such applying an encryption or watermark, for the content connected to the sensitivity labels. We added an example below:



The labels confidential and secret are going to use an encryption. This ensures only authorized people have access to the content. The encryption stays with the content, no matter the location where the content is stored.

Project Raven

Megan works as project manager for Contoso and is responsible for the project management of Project Raven. She wants to classify and protect (manually and automatically) all the data related to Project Raven. To support Megan, we are creating a new sensitivity label specifically for this important project.


The next step is defining the scope, we only want to apply the label to items:


After we defined the scope, we select our protection settings. We want to encrypt and mark the items:


After selecting the required protection settings, we need to configure the encryption settings. We are assigning all the members of Project Raven (this is a Microsoft 365 Group with Microsoft Teams) the co-owner permissions. This allows them to have complete control over the items:



For the content marking we only need a footer:


We want to detect Project Raven content in Microsoft 365 and automatically assign the label. The solution for this requirement? The auto label feature! We assign it to a sensitive information type (more about this later):


We are now done and publish the label to all the members of Project Raven.

Sensitive information type

The auto label feature detects content by connecting to a sensitive information type (SIT). What is this exactly? According to the official Microsoft documentation, a sensitive information type is a pattern-based classifier for sensitive content. For example:

  • Social Security Number
  • Passport Number
  • International Banking Number

We created a custom SIT for Project Raven. The SIT looks for keywords in items:


Is a keyword detected? The label is automatically applied. For example:


Megan, and her fellow project members, manually assign the label by using the Sensitivity button in the ribbon:


Megan is happy with this solution and feels safer collaborating with her colleagues.

Wrap it up!

We hope you seen the advantage and power of applying sensitivity labels in your teams. You offer an additional layer of protection for the sensitive files in your team. Before you start implementing sensitivity labels in your own organization, we advise to start with a pilot before an organization wide implementation. Find a department with a business case around data classification. Make sure the employees become familiar with sensitivity labels, do a lot of testing and when successful, move to the next department.
The following resources contain relevant and importing information about working with sensitivity labels:

If you want to learn more about keeping your data safe while managing Microsoft Teams and your other M365 services I highly recommend the following whitepaper: Data Access and Sharing Best Practices: Collaborate better across Microsoft 365. The whitepaper helps understanding the security challenges of sharing data in M365 and offers a guide on how to stay in control of the whole M365 environment while collaborating across M365 services.

Free Download

Jasper Oosterveld

Jasper Oosterveld is a Microsoft MVP and Modern Workplace Consultant from InSpark within the Netherlands. On a daily basis, he works with customers to implement the Modern Workplace with Microsoft 365. Jasper focuses on collaboration, governance and compliance. Jasper loves to share his expertise and love for Microsoft products with everyone who is willing to listen.