Indrajit (Freddie) Bulsara - 08.11.2021

Sensitivity Labels (Auto-Labelling)

Once published users can apply them to content created in SharePoint Online, OneDrive and Exchange Online. The focus of this blog is to highlight some of the features and benefits of Auto-Labelling in M365.

Depending on the configuration of the Sensitivity Labels, there is an element of reliance upon end users to classify the content appropriately. Alternative options would be to either have a default label configured or use the Auto-Labelling feature. Since the default label will not always match the content being generated, it is a good idea to let M365 label the content based on the content created.

Auto-Labelling allows a user to focus on content creation. No end user training is required, and your organisation can be confident content is classified appropriately. Appropriate classification also helps to improve the security and compliance policies which can be implemented based on the label applied. Auto-Labelling will not override a user applied label unless it is of a lower priority than the one identified by M365.


There are couple of ways in which Auto-Labelling can be implemented. Notably Client-side and Service-side labelling. With client-side, a label can be recommended or automatically applied, however the user may choose to reject the recommended label and apply their own, providing flexibility.

The unified labelling client in Office applications like Word, Excel, PowerPoint, Outlook and Azure Information Protection, support the client-side Auto-Labelling feature. With emails, Auto-Labelling also comes in to play when a user replies to or forwards an email. The client side Auto-Labelling has no delays as the content is labelled even before it is saved or sent. It is worth noting not all the client-side applications support the Auto-Labelling feature.


Unlike client-side, the service-side labelling is applied by services rather than an application, so the user is unaware of the classification/ labelling process. It is configured by the IT Administrator and is applied organisation wide. Hence it does not matter which application or version of an application is in use by the end user.

There is no label recommendation feature with service-side Auto-Labelling as there is no client interaction. The service-side Auto-Labelling feature is applied to documents and emails in transit, i.e., as the documents are created and saved in SharePoint Online or OneDrive and in emails sent through Exchange Online. Service-side Auto-Labelling can be implemented retrospectively on documents stored in SharePoint Online and OneDrive only; however, they cannot be applied to existing emails in a user’s mailbox which haven’t previously been classified or labelled. The following table from Microsoft outlines the differences between client-side or service-side implementation of the Auto-Labelling feature in M365.

Feature or behaviourLabel setting: Auto-labelling for files and emailsPolicy: Auto-labelling
Application dependencyYes (minimum versions)No
Restrict by locationNoYes
Conditions: Exact Data Match for custom sensitive info typesYesNo
Conditions: Trainable classifiersYesNo
Conditions: Sharing options and additional options for emailNoYes
Conditions: ExceptionsNoYes (email only)
Recommendations, policy tooltip and user overridesYesNo
Simulation modeNoYes
Exchange attachments checked for conditionsNoYes
Apply visual markingsYesYes (email only)
Override IRM encryption applied without a labelYes, if the user has the minimum usage right of ExportYes (email only)
Label incoming emailNoYes

Limitations to keep in mind when using the auto-labelling feature:

  • 25,000 Auto-Labelled files per day in the tenancy
  • 1,000,000 matched files per Auto-Labelling policy
  • 100 Auto-Labelling policies per tenant

This information will hopefully make it easy to decide how the Auto-Labelling feature could be incorporated into your organisation.

Curious how the CIA Triad framework could be used to augment your security posture, check out this blog by my colleague Rahul Singh.

Join the Insentra Community with the Insentragram Newsletter

Hungry for more?

Secure Jump Box in Azure

The announcement, Login to Windows virtual machine in Azure using Azure Active Directory authentication, has opened up some very interesting use cases for secure management

Read More »