SharePoint Online to Apply Default Sensitivity Labels to Modified Documents

Fills Gap in Current Implementation

Message center notification MC393822 (18 June – Microsoft 365 roadmap item 93209) informs tenants about an important change to the way sensitivity label policies apply default sensitivity labels. Up to now, if you define a default label in a policy to apply to documents (Figure 1), SharePoint Online and OneDrive for Business assign the label to new documents created in sites that come within the scope of the policy.

Selecting a default sensitivity label for a policy
Figure 1: Selecting a default sensitivity label for a policy

Change Applies to Modified Files

The change Microsoft is rolling out in public preview from mid-June is to make sure that when people edit unlabeled (existing) Word, PowerPoint, or Excel files, SharePoint and OneDrive stamp the default label on the file. The functionality already works for the Office web applications and is now extending to Office on Windows and macOS.

Obviously, this is a good change for organizations that want to ensure that all documents have at least a default sensitivity label. Until now, the default label guaranteed that new documents received sensitivity labels, but this left a huge gap in terms of all the files created prior to the implementation of sensitivity labels.

Auto-label policies help close the gap because background processes can scan sites for documents and apply labels to the files if they don’t already have a label. The problem is that auto-label policies are a premium feature. However, if you have the necessary licenses, auto-label policies are a good way to achieve coverage of a large number of preexisting files.

Another change that’s coming soon is the ability to configure a default sensitivity label for a document library, much like you can do with retention labels. Again, this is a premium feature and it’s likely to require Office 365 E5 or Microsoft 365 Compliance E5 licenses.

API to Bulk Apply Sensitivity Labels

One missing piece in the puzzle is the lack of an API to allow organizations and ISVs to create applications to apply sensitivity labels in bulk. Microsoft’s AIP Scanner is an example of such an application. The scanner can apply sensitivity labels to protect information found on file shares or SharePoint on-premises sites. Other use cases include tenant-to-tenant migrations where the need might exist to apply sensitivity labels to a set of documents inherited from a tenant belonging to a company being acquired. There’s nothing off-the-shelf that can handle such a scenario today, and the prospect of having to apply labels manually is unattractive.

Apparently, an API is coming, but it will be a paid-for consumption-based API like that available for Teams Export. In other words, you’ll be able to build an application to apply sensitivity labels to a bunch of files (probably throttled at a certain level to reduce strain on the service), providing you have an Azure subscription to pay the bills.

Making Sensitivity Labels Mainstream

Sensitivity labels are still relatively uncommon inside Office 365 tenants. Microsoft is the only source that can definitively say what percentage of tenants use sensitivity labels or how much of their content have labels. Changes to allow tenants apply sensitivity labels more effectively by default, or to spread sensitivity label support more widely (like the work done to make it easier to protect PDFs) help to encourage more organizations to consider sensitivity labels to be a mainstream part of their overall information protection strategy. However, it’s still going to take time before sensitivity labels become the norm inside Microsoft 365.


Stay updated with developments across the Microsoft 365 ecosystem by subscribing to the Office 365 for IT Pros eBook. We do the research to make sure that our readers understand the technology.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.