Your corporate and personal data in Microsoft 365 is exploding, and oversharing sensitive data happens on a daily basis. Your colleagues are using public generative A.I. apps in combination with your sensitive and stale data.
Microsoft 365 Copilot processes and shares this type of data with unauthorized people, posing not only a data security risk but also negatively impacting overall Microsoft 365 Copilot adoption within your organization. These challenges seem difficult to overcome, but there is hope on the horizon! Microsoft Purview is here to help. In the first part of this series, we focus on managing and monitoring your sensitive data with the help of sensitivity labels.
One of the challenges in implementing sensitivity labels is making a compelling business case for the stakeholders responsible for funding these types of projects. We have been in this situation before. That’s why we provide two business scenarios you can use to persuade your stakeholders.
Your employees must authenticate and be authorized to work with data stored in Microsoft 365. This also applies to your external partners. Once successfully authenticated, employees or external partners can download and share sensitive data with unauthorized people. Sensitivity labels add an additional layer of security (with encryption) that restricts the available actions to specific groups of people. This option is available in the settings menu of your sensitivity label:
Figure 1: Select the appropriate permissions
Click here to learn more about the specific actions and the impact on your labelled data. After you select the required permissions, it is time to connect these with users or groups:
Figure 2: Select the specific audience
The permissions you select for your sensitivity label always stay with the data, no matter the location. This is not bound to Microsoft 365. This system guarantees that only authorized people have access to your sensitive data, whether it’s in email, PDF, or Office documents, until the owner removes the label.
Sensitivity labels are integrated with Microsoft 365 Copilot. This integration helps guide your employees to be aware of the sensitivity level of the results generated by their prompts. For example, when they ask a question that involves sensitive data:
Figure 3: Sensitivity labels per source
Your employees can see the sensitivity level of their results, ideally preventing them from sharing this information with unauthorized people. In the following articles, we dive into Data Loss Prevention and outline additional steps to detect and block unauthorized sharing. Another benefit of sensitivity labels is the auto labeling feature, which works in combination with Microsoft 365 Copilot in Microsoft Office. For example,
Figure 4: Labels and the output of Microsoft 365 Copilot
Both business scenarios show the power of sensitivity labels in reducing unauthorized access to sensitive content and preventing potential data leaks. This should provide you with enough ammunition to secure funding for your project.
We aren’t going to delve into the detailed configuration of sensitivity labels here. However, we need to discuss the foundation of your sensitivity labels: your data classification and protection policies. Each organization, regardless of its type or size, should have an overall data security policy covering these aspects. We provide our recommendations in the following paragraphs. Just don’t get too hung up on the names and descriptions. The policies should work for your organization and your data.
Name | Description |
Contoso |
|
External |
|
The public option was excluded because it is not frequently used and is already covered in the Contoso classification. The classification provided has now been converted into a protection policy.
Name | Description |
Contoso |
|
External |
|
Maybe you are a bit confused about whether the data is or isn’t protected under the protection policy. Don’t worry! The next paragraph clears it up. This is the translation of both policies into the sensitivity labels.
The table below shows the parent and child labels, based on our data classification and protection policies.
Parent | Child |
Contoso |
|
External |
|
We are now moving towards the overall management and monitoring once sensitivity labels are deployed in your Microsoft 365 tenant.
The following topics are essential for the effective management of your sensitivity labels:
A brief overview of these areas will be provided below.
Yes, you can manually assign labels to your data. The true power, and convenience for your employees, lies in the automation of assigning the correct label with its corresponding security controls. This fantastic feature stands or falls with the definition of your sensitive data. For example,
After defining the properties that will help you recognize your sensitive information, you can configure the auto label feature of the sensitivity label:
Figure 5: Connect your sensitive information
The following five tips can assist in identifying sensitive information:
Consult with stakeholders from each department or team.
Assess the impact of a potential data leak for each type of (sensitive) data.
Review your classification and lifecycle policy for details regarding sensitive information.
Reference Microsoft Purview examples.
One of the challenges around adopting and educating your employees is understanding the relationship between Microsoft 365 permission structure and sensitivity labels. Some organizations may want to use sensitivity labels as a permission mechanism in SharePoint and Microsoft Teams. This isn’t the intended business case or proper use. Below is a summary of the distinction between permissions and labels:
For effective education, we recommend organizing training sessions, either online or on-site. Unfortunately, Microsoft does not offer a wealth of training materials on this topic.
After you have deployed your sensitivity labels to protect your sensitive data, it is crucial to monitor the usage of your labels. You need to know if you are successful and where current gaps reside. Microsoft Purview provides the following monitoring features.
One of the challenges with Microsoft features and services is the absence of centralized reporting and dashboards. It isn’t perfect, but there is a reports section available. This displays the following information:
These reports are helpful in monitoring the adoption rate, and overall success, of your sensitivity labels.
Figure 6: Use the Activity Explorer to monitor your labels
Activity explorer enables you to monitor what's being done with your labeled data by providing a historical view of activities on your labeled data. The information is gathered from the Microsoft 365 unified audit logs, transformed, and displayed in the user interface. Unfortunately, the data only goes back up to 30 days. To preserve a longer timeframe, you have to export audit logs and use these in a dedicated analytics tool.
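One way to analyze an exported audit log once it is outside the 30-day window, as an added example (not code from Microsoft or Rencore): it counts sensitivity label events and lists removals and downgrades for review. The `AuditData` CSV column, the JSON field names, the operation names and the downgrade value are assumptions about the export format that you should verify against your own tenant's export; the sample rows are constructed.

```python
import csv
import io
import json
from collections import Counter

# Assumed operation names of sensitivity label events in the unified audit log.
REMOVAL_OPS = {"SensitivityLabelRemoved", "FileSensitivityLabelRemoved"}
LABEL_OPS = REMOVAL_OPS | {"SensitivityLabelApplied", "SensitivityLabelUpdated",
                           "FileSensitivityLabelApplied", "FileSensitivityLabelChanged"}
LABEL_DOWNGRADED = 2  # assumed LabelEventType value for a downgrade

def summarize_label_activity(csv_file):
    """Count label events and list removals/downgrades for review."""
    per_operation, review = Counter(), []
    for row in csv.DictReader(csv_file):
        try:
            event = json.loads(row.get("AuditData") or "")
        except json.JSONDecodeError:
            continue  # skip truncated rows instead of aborting the run
        op = event.get("Operation") if isinstance(event, dict) else None
        if op not in LABEL_OPS:
            continue  # unrelated activity such as plain file access
        per_operation[op] += 1
        detail = event.get("SensitivityLabelEventData") or {}
        if op in REMOVAL_OPS or detail.get("LabelEventType") == LABEL_DOWNGRADED:
            review.append((event.get("CreationTime") or "", event.get("UserId"),
                           op, event.get("ObjectId")))
    review.sort(key=lambda r: r[0])  # oldest first
    return per_operation, review

def build_sample_export():  # constructed sample: one CSV row per event
    rows = [
        ("2025-01-06T09:12:00", "FileSensitivityLabelApplied", "ana@contoso.example", None),
        ("2025-02-20T14:03:00", "SensitivityLabelUpdated", "ben@contoso.example", 2),
        ("2025-03-02T08:41:00", "FileSensitivityLabelRemoved", "ben@contoso.example", None),
        ("2025-03-02T08:45:00", "FileAccessed", "ana@contoso.example", None),
    ]
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["CreationDate", "AuditData"])
    for when, op, user, event_type in rows:
        event = {"CreationTime": when, "Operation": op, "UserId": user,
                 "ObjectId": "https://contoso.example/sites/hr/plan.docx"}
        if event_type is not None:
            event["SensitivityLabelEventData"] = {"LabelEventType": event_type}
        writer.writerow([when, json.dumps(event)])
    writer.writerow(["2025-03-03T00:00:00", "{truncated"])  # malformed on purpose
    return io.StringIO(buf.getvalue())
```

Call `summarize_label_activity(open("export.csv", newline="", encoding="utf-8-sig"))` on a real export, where `export.csv` is a placeholder file name.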
Figure 7: Find labels with the Data Explorer
Data Explorer allows you to find and, depending on your permissions, to view data with a specific sensitivity label.
For example,
Figure 8: View the content of data with the Data Explorer
Be aware: The ability to use the Data Explorer must be approached with care and responsibility. Once permissions are granted, you can access all content, which may include highly sensitive information. Privacy must be respected at all times. The Data Explorer should be used only for specific purposes, such as investigating potential data leaks. The following roles are crucial:
Unfortunately, even with the correct permissions, the source tab (to view the data) doesn’t always work. If the Data Explorer isn’t working for you, there is also the Content explorer. It provides similar features.
The active sites menu provides a filter for your sensitivity labels used for SharePoint Sites. For example,
Figure 9: View SharePoint Sites with specific labels
This allows you to quickly find sites with a specific label, or without a label. By selecting none, you see which sites are missing a label. Time to take action!
Last, but not least, the Microsoft Teams Admin Center contains an overview similar to the one in SharePoint. For example,
Figure 10: View Teams with specific labels
How can Rencore monitor the usage of sensitivity labels in Microsoft 365 and beyond?
While Microsoft Purview excels at data security by protecting and managing the content inside documents, messages, and records, it doesn’t address the broader context in which that data lives. This is where Rencore Governance steps in, offering a crucial layer of service governance that Purview doesn’t cover.
Rencore monitors and manages the environment surrounding your data: how it's stored, shared, accessed, and used across Microsoft 365. A clean compliance posture in Purview doesn’t necessarily mean your Microsoft 365 environment is healthy. In fact, large enterprises often face three recurring challenges:
Thousands of Teams, SharePoint sites, and Power Platform assets accumulate over time, often with unclear ownership, outdated content, or unused resources.
Resources are gradually overshared with guests and external users, typically without regular review or revocation.
New Copilot Studio and SharePoint agents emerge without visibility or lifecycle controls, introducing risk and complexity.
These issues fall outside Purview’s scope but directly impact security, cost efficiency, user experience, and AI readiness.
Rencore Governance provides deep visibility into how sensitivity labels are used across services, not just within documents, but across environments such as Teams, SharePoint, Copilot and Power Platform. It helps IT teams identify where sensitive data is exposed due to misconfigured services, excessive permissions, or orphaned resources.
By bridging the gap between data governance and service governance, Rencore ensures that your Microsoft 365 environment is not only compliant but also clean, secure, and optimized for future innovation.