Microsoft Purview sensitivity labels are the highest-leverage control in the Microsoft 365 security stack. They're the bridge between data classification, data loss prevention, encryption, and Copilot readiness. They're also the control most often deployed as a half-configured tenant-wide broadcast that nobody uses.
This is the playbook we use on Purview engagements. It's designed to land a labels program that survives contact with reality — real users, real data, and a real-world change-management window.
A four-label taxonomy. No more.
The classic mistake is a ten-label taxonomy designed by a working group. Users don't pick the right label from ten options — they pick the default, every time. Start with four labels. We recommend:
- Public — intended for public release. No encryption, no restriction.
- Internal — the default for day-to-day work. Not for external sharing without review.
- Confidential — sensitive business, commercial or HR content. Encryption on, external sharing restricted.
- Highly Confidential — regulated, legally privileged, or board-level content. Encryption enforced, recipient list controlled.
Four labels is the most users will reliably distinguish. You can add sub-labels later once the program has adoption momentum — never on day one.
Publish to a pilot group first
Label policy scope decides who sees the labels in Office, Outlook and the web apps. Scope your first policy to a pilot group of 30–50 users, not the tenant. Include the execs who sponsored the program. Exclude service accounts.
Watch the sign-in logs for label application rate and the unified audit log for DLP rule matches. Two weeks of telemetry will tell you whether the labels are being applied, where, and to what kinds of documents.
Turn on auto-labelling in simulation mode
Auto-labelling is where Purview earns its keep — but switched on blindly, it's also where Purview causes the first major user-trust incident. Use simulation mode for at least 30 days.
The default sensitive info types (Australian TFN, credit card, driver's licence, passport) are good enough to start. Add custom types for your own data (project codenames, client identifiers, internal account numbers). In simulation you get the full match report without changing a single file.
Read the simulation report like a threat hunter. It'll show you where sensitive data lives that you didn't expect, which business units are most exposed, and which document libraries need the most remediation before labels go live.
Encryption policies on the 'Confidential' labels
Labels without encryption are just metadata. Labels with encryption are a control. Apply usage rights to your Confidential and Highly Confidential labels — VIEW, EDIT, PRINT, FORWARD controls per group. Restrict external sharing.
Test the encrypted labels thoroughly before publishing. Encrypted files behave subtly differently in Outlook, Teams, OneDrive and third-party apps. The one that bites most often: encrypted files sent to external recipients who use Gmail on mobile. Document the user journey for that scenario before your first exec sends a 'confidential' quote externally.
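The taxonomy, pilot-scoped policy, auto-labelling simulation and encryption steps above, as one added example in Security & Compliance PowerShell (not the original post's or Microsoft's own script). The contoso.com addresses, group names and policy names are placeholders, and cmdlet parameters should be confirmed against Get-Help for the installed ExchangeOnlineManagement module version.

```powershell
# Added example: the first three playbook steps in Security & Compliance PowerShell.
# Assumes the ExchangeOnlineManagement module and a Compliance Administrator role.
Connect-IPPSSession

# 1. Four labels, no more. Tooltips carry the "when to use" guidance users see in Office.
$labels = @(
    @{ Name = "Public";              Tooltip = "Intended for public release. No restriction." }
    @{ Name = "Internal";            Tooltip = "Default for day-to-day work. Not for external sharing without review." }
    @{ Name = "Confidential";        Tooltip = "Sensitive business, commercial or HR content." }
    @{ Name = "Highly Confidential"; Tooltip = "Regulated, legally privileged or board-level content." }
)
foreach ($l in $labels) {
    New-Label -Name $l.Name -DisplayName $l.Name -Tooltip $l.Tooltip | Out-Null
}

# 2. Encryption on the two Confidential labels: labels without encryption are just metadata.
#    Rights are granted per group ("group:RIGHT,RIGHT;group:RIGHT"); anyone not listed,
#    including external recipients, gets no access. Group addresses are placeholders.
Set-Label -Identity "Confidential" -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "all-staff@contoso.com:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,REPLY,REPLYALL,FORWARD,OBJMODEL"
Set-Label -Identity "Highly Confidential" -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "board@contoso.com:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,REPLY,REPLYALL;legal@contoso.com:VIEW,VIEWRIGHTSDATA,REPLY"

# 3. Publish to the pilot distribution group only (30-50 users), never the whole tenant.
#    Set "Internal" as the policy's default label in the compliance portal policy settings.
New-LabelPolicy -Name "Labels-Pilot" -Labels $labels.Name `
    -ExchangeLocation "labels-pilot@contoso.com" | Out-Null

# 4. Auto-labelling in simulation mode: a full match report, no file changed.
#    Leave it in TestWithoutNotifications for at least 30 days before switching to Enable.
New-AutoSensitivityLabelPolicy -Name "AutoLabel-Confidential-Sim" -ApplySensitivityLabel "Confidential" `
    -Mode TestWithoutNotifications -SharePointLocation All -OneDriveLocation All -ExchangeLocation All | Out-Null
New-AutoSensitivityLabelRule -Name "Default-SITs" -Policy "AutoLabel-Confidential-Sim" `
    -Workload Exchange,SharePoint,OneDriveForBusiness `
    -ContentContainsSensitiveInformation @(
        @{ Name = "Australia Tax File Number"; minCount = "1" },
        @{ Name = "Credit Card Number";        minCount = "1" }
    ) | Out-Null
```

Review the simulation results in the auto-labelling policy's overview before changing `-Mode` to `Enable`; the rule above can later be extended with custom sensitive info types for project codenames or client identifiers.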
Tenant-wide rollout with a training burst
Only once the pilot is stable do you scope the policy to the full tenant. Pair the rollout with a focused comms burst: a two-minute video from the exec sponsor, a one-pager with the four labels and when to use each, a lunch-and-learn per business unit.
The change-management single point of failure is the manager cohort. If mid-level managers don't understand the taxonomy, staff will copy whatever their manager uses — and that's usually wrong in the first 30 days. Brief managers first. Not alongside. Before.
Metrics and quarterly review
- Label application rate by business unit (target >80% of new documents labelled within 30 days).
- Auto-label accuracy (target <5% user override of auto-applied labels).
- DLP policy matches trending down over 90 days (as users learn).
- External sharing of 'Confidential' labels trending to zero.
- Quarterly review of taxonomy, auto-label rules, and sensitive info types.
Sensitivity labels aren't a one-off deployment. They're a governance program with a tool attached. But if you sequence the first 90 days the way we've laid out above, you'll get adoption, coverage and audit evidence — the three things that actually move the Essential Eight and Copilot readiness needles.