
Microsoft 365 Sensitivity Labels

Drago Petrovic
Microsoft MVP
Microsoft 365 Sensitivity Labels: A Complete, Step-by-Step Implementation for Internal, External, Confidential, High Confidential and Finance
This guide shows you exactly how to design, build, and roll out the five labels—including default labeling, content markings, encryption, DLP blocking for externals, Conditional Access for compliant devices, and auto-labeling for financial data. It also includes a reusable concept/template for customer projects. [1]
What Sensitivity Labels Do (in one paragraph)
Sensitivity labels in Microsoft Purview classify and protect documents, emails, and even containers (Teams/Groups/Sites). They can apply encryption, headers/footers/watermarks, restrict actions (e.g., forwarding), and integrate with SharePoint/OneDrive, Exchange, DLP, and Conditional Access to enforce your data protection model across apps and devices. [1]
Prerequisites & Design Decisions
- Licensing & apps: Ensure users have supported Microsoft 365 subscriptions; sensitivity labeling is built into Office apps and supported across desktop, web, and mobile (Exchange mailboxes must be in Exchange Online). [2]
- Who can create/manage labels: Use the Microsoft Purview portal to create labels and publish them via label policies to selected users/groups. [3]
- Default label support: Purview provides default labeling options via label policies, which can pre-apply a default label to new docs/emails. [4]
- Content marking behavior: Labels can add headers, footers, and watermarks; header/footer placement can be adjusted (e.g., right-aligned header for “top-right” visual marking). [5]
- Auto-labeling & SITs: You can auto-label content in Exchange/SPO/OneDrive based on sensitive information types (e.g., Credit Card Number). [6]
- DLP & labels together: DLP rules can use “Content contains sensitivity label” conditions for Exchange, SharePoint, OneDrive, and devices—ideal to block external sends when an “Internal” label is present on mail or attachments. [8]
- Require compliant devices: Enforce compliant (Intune-managed) devices with Microsoft Entra Conditional Access. Rather than targeting all of SharePoint, bind an authentication context to the label's site and group settings and target that context in the CA policy, so the requirement applies only to sites that carry the label. [10]
- Endpoint DLP (optional): Block copying labeled files to USB, personal cloud, or network shares on endpoints. [12]
Label Objectives (what each must do)
- Internal: Default for new docs/emails; block external sending; orange “Internal” marking top-right.
- External: Blue “Public” marking top-right; allowed to send externally.
- Confidential: Red “Confidential” top-right; only a specific Entra ID group may set/open; enforce via encryption scoped to that group.
- High Confidential: Red “High Confidential” top-right and bottom-left; only a specific Entra ID group may set/open; content not available offline; access only from compliant, managed devices; emails must be encrypted.
- Finance: Gray “Finance” top-right; only Finance group may set/open; emails must be encrypted; auto-label when account/credit card info is detected.
Step-by-Step Implementation
Create the Entra ID groups
Create mail-enabled security groups (or Microsoft 365 groups) named Label-Confidential-Users, Label-HighConfidential-Users, and Label-Finance-Users. You will use them to (a) scope the label publishing policies so only members can apply the restricted labels, and (b) grant encryption permissions, so only members can open the protected content. If you also want to label containers (Teams, Microsoft 365 Groups, SharePoint sites), first enable sensitivity label support for groups in Entra ID (the EnableMIPLabels setting in the Group.Unified directory settings), then run Execute-AzureAdLabelSync from Security & Compliance PowerShell so the labels become available to groups. [15]
Create the labels in Microsoft Purview
Go to the Purview portal → Solutions → Information Protection → Sensitivity labels → + Create a label. Repeat this for all five labels.
Configure each label
1) Internal
- Scope: Items (files and emails). No encryption.
- Content marking: header, aligned right, orange, text "Internal".
- Block external sends: this is not a label setting. Create the Exchange DLP policy described under "Create the DLP Policy" below, with the condition Content contains sensitivity label → Internal AND Recipient is outside the organization, and the action Block with a policy tip.
2) External
- Scope: Items. No encryption.
- Content marking: header, aligned right, blue, text "Public".
- Sending externally: allowed (no DLP rule targets this label).
3) Confidential
- Encryption: Control access → Assign permissions now; grant the Label-Confidential-Users group the Co-Author preset (edit and reply, no permission changes). Users outside the group cannot open the content even if it reaches them.
- Content marking: header, aligned right, red, text "Confidential".
4) High Confidential
- Encryption: Assign permissions now to Label-HighConfidential-Users; set Allow offline access to Never so no use license is cached on the device.
- Content marking: header (right) AND footer (left), red, text "High Confidential".
- Device compliance: enforced by Conditional Access, not by the label. Create a CA policy that requires a compliant device (see "Conditional Access for Compliant Devices" below). To limit it to labeled sites, give this label the Groups & sites scope as well and select an authentication context in its site and group settings.
- Email encryption: because the label's scope includes emails and encryption is on, every email labeled High Confidential is encrypted automatically.
5) Finance
- Encryption: Assign permissions now to Label-Finance-Users; emails carrying this label are therefore encrypted.
- Content marking: header, aligned right, gray, text "Finance".
- Auto-labeling: in the label's "Auto-labeling for files and emails" setting, add the Credit Card Number sensitive information type (client-side: applied or recommended in Office apps while the user works). To label data already stored in SharePoint/OneDrive or mail in transit, also create a service-side auto-labeling policy under Information Protection → Auto-labeling. Because Finance encrypts, auto-applying it removes access from collaborators who are not in Label-Finance-Users, so run the service-side policy in simulation mode first.
Publish the labels
Create the label publishing policies. Publish Internal and External to all users and set the default label to Internal for documents and emails, so every new item starts with baseline protection. Publish Confidential, High Confidential and Finance through separate policies scoped to Label-Confidential-Users, Label-HighConfidential-Users and Label-Finance-Users respectively, so only those members see and can apply them. Policy settings such as the default label are taken from only one of a user's policies (the one with the highest priority in the policy list), so either set Default label = Internal on every policy or verify the policy order so that members of the restricted groups still receive the default.
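The whole procedure above (groups, labels, publishing policies) as one scripted example with Exchange Online and Security & Compliance PowerShell (ExchangeOnlineManagement module). This is an added example, not code from the original article. Assumptions: contoso.com stands for your tenant domain, the hex colors approximate the article's colors, the rights string is the portal's Co-Author preset, and EncryptionOfflineAccessDays 0 is taken to be the portal's "Never".

```powershell
# Added example, not from the original article. Assumptions: contoso.com is a
# placeholder for the tenant domain; colors are approximations; 0 offline days
# is assumed to equal the portal setting "Allow offline access: Never".
Connect-ExchangeOnline
Connect-IPPSSession

$Domain = 'contoso.com'
$Groups = 'Label-Confidential-Users', 'Label-HighConfidential-Users', 'Label-Finance-Users'

# 1. Mail-enabled security groups: scope the publishing policies and act as encryption principals.
foreach ($g in $Groups) {
    if (-not (Get-DistributionGroup -Identity $g -ErrorAction SilentlyContinue)) {
        New-DistributionGroup -Name $g -Alias $g -Type Security -PrimarySmtpAddress "$g@$Domain" | Out-Null
    }
}

# Portal preset "Co-Author": edit and reply, but no changes to permissions.
$CoAuthor = 'VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL'

# Header marking shared by all five labels (top-right, 10 pt).
$Header = @{
    ApplyContentMarkingHeaderEnabled   = $true
    ApplyContentMarkingHeaderAlignment = 'Right'
    ApplyContentMarkingHeaderFontSize  = 10
}

# 2. Internal and External: markings only. The external-send block for Internal is a DLP policy.
New-Label -Name 'Internal' -DisplayName 'Internal' -ContentType 'File, Email' @Header `
    -ApplyContentMarkingHeaderText 'Internal' -ApplyContentMarkingHeaderFontColor '#FFA500' `
    -Tooltip 'Default label. Not for recipients outside the organization.'
New-Label -Name 'External' -DisplayName 'External' -ContentType 'File, Email' @Header `
    -ApplyContentMarkingHeaderText 'Public' -ApplyContentMarkingHeaderFontColor '#0078D4' `
    -Tooltip 'May be shared outside the organization.'

# 3. Confidential: encrypted to its group, offline access left at the default.
New-Label -Name 'Confidential' -DisplayName 'Confidential' -ContentType 'File, Email' @Header `
    -ApplyContentMarkingHeaderText 'Confidential' -ApplyContentMarkingHeaderFontColor '#FF0000' `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "Label-Confidential-Users@${Domain}:${CoAuthor}" `
    -EncryptionContentExpiredOnDateInDaysOrNever Never `
    -Tooltip 'Only members of Label-Confidential-Users can open this content.'

# 4. High Confidential: header and footer, encrypted, no offline access. The scope
#    includes sites and groups so the label can carry a Conditional Access
#    authentication context (EnableMIPLabels must be on in Entra ID for that).
New-Label -Name 'High Confidential' -DisplayName 'High Confidential' `
    -ContentType 'File, Email, Site, UnifiedGroup' @Header `
    -ApplyContentMarkingHeaderText 'High Confidential' -ApplyContentMarkingHeaderFontColor '#FF0000' `
    -ApplyContentMarkingFooterEnabled $true -ApplyContentMarkingFooterText 'High Confidential' `
    -ApplyContentMarkingFooterAlignment 'Left' -ApplyContentMarkingFooterFontColor '#FF0000' `
    -ApplyContentMarkingFooterFontSize 10 `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "Label-HighConfidential-Users@${Domain}:${CoAuthor}" `
    -EncryptionContentExpiredOnDateInDaysOrNever Never -EncryptionOfflineAccessDays 0 `
    -Tooltip 'Compliant devices only; no offline access.'

# 5. Finance: encrypted to its group. The client-side Credit Card Number auto-labeling
#    is set in the portal; the service-side auto-labeling policy is a separate step.
New-Label -Name 'Finance' -DisplayName 'Finance' -ContentType 'File, Email' @Header `
    -ApplyContentMarkingHeaderText 'Finance' -ApplyContentMarkingHeaderFontColor '#808080' `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "Label-Finance-Users@${Domain}:${CoAuthor}" `
    -EncryptionContentExpiredOnDateInDaysOrNever Never `
    -Tooltip 'Only members of Label-Finance-Users can open this content.'

# 6. Publishing. Internal/External go to everyone; each restricted label only to its group.
#    DefaultLabelId is set on every policy because a user in several policies gets the
#    policy settings of only one of them. (Document default; set the matching email
#    default in the policy's portal settings.)
$Default = @{ DefaultLabelId = (Get-Label -Identity 'Internal').Guid.ToString() }
New-LabelPolicy -Name 'All users - Internal and External' -Labels 'Internal', 'External' `
    -ExchangeLocation All -AdvancedSettings $Default
New-LabelPolicy -Name 'Confidential users' -Labels 'Confidential' `
    -ExchangeLocation "Label-Confidential-Users@$Domain" -AdvancedSettings $Default
New-LabelPolicy -Name 'High Confidential users' -Labels 'High Confidential' `
    -ExchangeLocation "Label-HighConfidential-Users@$Domain" -AdvancedSettings $Default
New-LabelPolicy -Name 'Finance users' -Labels 'Finance' `
    -ExchangeLocation "Label-Finance-Users@$Domain" -AdvancedSettings $Default
```

Labels are created in order, so Internal ends up with the lowest priority and Finance the highest; reorder with Set-Label -Priority if your taxonomy needs a different ranking. Run Get-Label and Get-LabelPolicy afterwards and check the Guid, ContentType and ExchangeLocation values before telling users the labels are live.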
Create the DLP Policy
In Data loss prevention → Policies, create a policy for Exchange email:
- Conditions: Content contains sensitivity label "Internal" AND Recipient is outside the organization.
- Actions: Block (reject) and Show policy tip.
- Mode: start in Test with notifications, review the matches in Activity Explorer, then switch to On.
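The DLP policy above, together with the service-side auto-labeling policy that applies Finance when a credit card number is found, as an added PowerShell example (Security & Compliance PowerShell; not part of the article). It assumes the five labels already exist, and both policies start in test/simulation mode.

```powershell
# Added example, not from the original article. Assumes the labels Internal and
# Finance already exist. Both policies are created in test mode on purpose.
Connect-IPPSSession

# --- DLP: content labeled Internal must not leave the organization ---
New-DlpCompliancePolicy -Name 'Block Internal label to external recipients' `
    -ExchangeLocation All -Mode TestWithNotifications `
    -Comment 'Blocks mail, or mail with attachments, labeled Internal when a recipient is outside the tenant.'

# The label condition matches the message itself and any labeled Office attachment.
$InternalLabel = @{
    operator = 'And'
    groups   = @(@{
        operator = 'Or'
        name     = 'Internal label present'
        labels   = @(@{ name = 'Internal'; type = 'Sensitivity' })
    })
}

New-DlpComplianceRule -Name 'Internal to external - block' `
    -Policy 'Block Internal label to external recipients' `
    -ContentContainsSensitiveInformation $InternalLabel `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText 'This item is labeled Internal and cannot be sent outside the organization. Relabel it External if it may be shared.' `
    -GenerateIncidentReport SiteAdmin -IncidentReportContent All

# --- Service-side auto-labeling: Credit Card Number -> Finance ---
# Simulation first: Finance encrypts, so applying it removes access from anyone
# who is not in Label-Finance-Users. Review the simulation results before enabling.
New-AutoSensitivityLabelPolicy -Name 'Finance - credit card data' -ApplySensitivityLabel 'Finance' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithoutNotifications

New-AutoSensitivityLabelRule -Name 'Credit card number present' -Policy 'Finance - credit card data' `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1'; confidencelevel = 'High' } `
    -Workload Exchange, SharePoint, OneDriveForBusiness

# After the pilot, enforce both:
#   Set-DlpCompliancePolicy -Identity 'Block Internal label to external recipients' -Mode Enable
#   Set-AutoSensitivityLabelPolicy -Identity 'Finance - credit card data' -Mode Enable
```

Because Internal is also the default label, every new email is blocked from external recipients until the sender relabels it External; the policy tip text is what tells them how. Keep the DLP policy in test mode until Activity Explorer shows that the only matches are ones you intend to block.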
Validate and Pilot
Test the markings in Word and Outlook for each label. Send an "Internal" email to a Gmail address (DLP should block it and the sender should see the policy tip), then send an "External" email with an Internal-labeled attachment (also blocked, because the attachment carries the label). Open a "High Confidential" file with the network disconnected (it should fail, since no use license is cached). Have a user who is not in Label-Confidential-Users try to open a "Confidential" file (access denied).
Key Configuration Snippets
Encryption (High Confidential)
When editing the label → Control access → Assign permissions now, set Allow offline access to Never. The use license is then not cached on the client, so every open re-contacts Azure Rights Management and re-evaluates the user's rights. Removing a user from Label-HighConfidential-Users or disabling the account therefore takes effect at the next open; with Always or a number of days, an already cached license keeps working until it expires.
Conditional Access for Compliant Devices
Create a CA policy: Users = All users (exclude your emergency-access accounts), Grant = Require device to be marked compliant. Rather than targeting the SharePoint/OneDrive app, target an authentication context and select that same context in the High Confidential label's site and group settings; the requirement then applies only when a site labeled High Confidential is accessed. Start the policy in report-only mode and check the sign-in logs before enforcing it.
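The authentication context and the Conditional Access policy described above, as an added example with the Microsoft Graph PowerShell SDK (not part of the article). Assumptions: context id c1 is unused in your tenant, the break-glass list is yours to fill in, and the binding of c1 to the High Confidential label is done afterwards in the label's "Site and group settings" in the Purview portal.

```powershell
# Added example, not from the original article. Assumes authentication context
# c1 is free; fill in your emergency-access account object IDs before enforcing.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

# Authentication contexts are c1..c99. Publishing one makes it selectable in labels.
New-MgIdentityConditionalAccessAuthenticationContextClassReference -Id 'c1' `
    -DisplayName 'High Confidential content' `
    -Description 'Requested by SharePoint sites labeled High Confidential' `
    -IsAvailable

$BreakGlass = @()   # object IDs of emergency-access accounts; never leave these in scope

$policy = @{
    displayName = 'High Confidential sites - require compliant device'
    # Report-only first: review sign-in logs for unexpected hits, then set to 'enabled'.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = $BreakGlass }
        # Target the context, not the SharePoint app, so only labeled sites are affected.
        applications   = @{ includeAuthenticationContextClassReferences = @('c1') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice')
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Once the label's site settings reference c1, any SharePoint site labeled High Confidential asks Entra ID for that context on access, and the policy fires only there; the rest of SharePoint and OneDrive is unaffected. The label itself still gates who can open the files; Conditional Access only adds the device requirement for the container.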
Reusable Customer Template
1) Taxonomy & Visuals
- Internal: Header “Internal” (orange). Default.
- External: Header “Public” (blue).
- Confidential: Header “Confidential” (red). Encrypted.
- High Confidential: Header/Footer “High Confidential”. Encrypted. No offline.
- Finance: Header “Finance” (gray). Encrypted. Auto-label.
2) Enforcement Matrix
- DLP: Block "Internal" from going external.
- Auto-label: Credit Card Number → Finance.
- Conditional Access: Require Compliant Device for High Confidential sites.
- Endpoint DLP: Block USB copy for High Confidential.
3) Rollout Strategy
- Publish Internal and External to all users; publish Confidential, High Confidential and Finance only to their respective groups.
- Set Internal as Default.
- Educate users on the "Sensitivity" button in the Ribbon.
- Monitor "Activity Explorer" in Purview for 2 weeks before strictly enforcing blocks.
FAQ & Field Notes
Q: Why use DLP instead of a mail flow rule for “Internal not external”?
A: DLP is label-aware: the condition "Content contains sensitivity label" matches the label on the message and on any labeled Office attachment, because the label is metadata the service can read even when the file content is encrypted. Mail flow rules have no label condition; at best they can match the label header on the message itself, which says nothing about what is attached, and they cannot inspect the content of encrypted attachments.
Q: Can we really block offline access for High Confidential documents?
A: Yes. By setting the encryption option Allow offline access to Never, the user must have an active internet connection and valid token to open the file.
Q: What detects credit card data for the Finance auto-label?
A: The built-in Sensitive Information Type (SIT) Credit Card Number requires the digits to pass the Luhn checksum, which discards most random 13 to 19 digit strings and so reduces false positives; its higher confidence levels also look for supporting evidence (card-related keywords or an expiration date) near the number.
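The checksum mentioned above, as an added PowerShell example (not part of the article) that you can use to build test documents for the Finance auto-label pilot: only Luhn-valid numbers will trigger the SIT, so a random 16-digit string in a test file proves nothing. The sample numbers are constructed test values, not real cards.

```powershell
# Added example, not from the original article. Sample numbers are constructed test data.
function Test-LuhnChecksum {
    param([Parameter(Mandatory)][string]$Number)
    $digits = $Number -replace '[\s-]', ''           # the SIT tolerates spaces and dashes
    if ($digits -notmatch '^\d{13,19}$') { return $false }
    $sum = 0
    $double = $false
    for ($i = $digits.Length - 1; $i -ge 0; $i--) {  # walk right to left
        $d = [int][string]$digits[$i]
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d
        $double = -not $double                       # double every second digit
    }
    return ($sum % 10) -eq 0
}

# Turn any 15-digit prefix into a Luhn-valid 16-digit test number by choosing the check digit.
function New-LuhnTestNumber {
    param([Parameter(Mandatory)][ValidatePattern('^\d{15}$')][string]$Prefix15)
    foreach ($check in 0..9) {
        $candidate = "$Prefix15$check"
        if (Test-LuhnChecksum $candidate) { return $candidate }
    }
}

$samples = [ordered]@{
    '4111 1111 1111 1111' = 'classic test number, valid checksum'
    '4111-1111-1111-1112' = 'last digit changed, invalid'
    '1234567890123456'    = 'sequential digits, invalid'
}
foreach ($s in $samples.Keys) {
    '{0,-22} {1,-6} ({2})' -f $s, (Test-LuhnChecksum $s), $samples[$s]
}
New-LuhnTestNumber '400000000000000'   # Luhn-valid number you can paste into a pilot file
```

Put a generated number into a Word document together with a card keyword or an expiration date if your auto-labeling rule uses the High confidence level, save it to a pilot SharePoint site, and confirm in Activity Explorer or the policy's simulation results that Finance is applied.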