Frontrow Technology

Free tool · 5 minutes · Information protection

INFORMATION PROTECTION: STACK MATURITY CHECK

Sensitivity labels alone don’t protect data. The stack is file labels + container labels + DLP + auto-labelling + the SharePoint / Copilot data boundary. Score where you sit across all five — and where Privacy Act 2026 expects you to be.

10 questions · 5 domains

Pick the option closest to your tenant today.

Domain 1

Sensitivity labels (file-level)

Whether sensitivity labels are deployed, used by humans, and enforced where required.

  • Do you have a published sensitivity label taxonomy in use?

    Source: Microsoft Learn: Get started with sensitivity labels.

  • What percentage of new documents are labelled (per Purview Activity Explorer)?

    Source: Microsoft Learn: Activity explorer in Microsoft Purview.

Domain 2

Container labels (Sites, Teams, Groups)

Whether SharePoint sites, Microsoft 365 Groups and Teams have sensitivity labels applied at the container level — controlling membership, sharing and unmanaged-device access.

  • What proportion of SharePoint sites have a container sensitivity label applied?

    Source: Microsoft Learn: Use sensitivity labels with Microsoft Teams, Microsoft 365 Groups and SharePoint sites.

  • Do your container labels actually constrain external sharing and unmanaged-device access?

    Source: Microsoft Learn: Configure sensitivity labels for SharePoint sites; Block download from SharePoint sites for unmanaged devices.

Domain 3

Data Loss Prevention

Whether DLP policies cover Exchange, SharePoint, OneDrive, Teams and endpoint, are out of audit-only mode, and are tied to label conditions where appropriate.

  • Which workloads do your DLP policies cover?

    Source: Microsoft Learn: Microsoft Purview Data Loss Prevention; Get started with Endpoint DLP.

  • What mode are your DLP policies in?

    Source: Microsoft Learn: Plan a Data Loss Prevention deployment.

Domain 4

Auto-labelling

Whether sensitive content is auto-labelled at rest in SharePoint and OneDrive, and at send-time in Exchange, using built-in or trainable classifiers.

  • Is auto-labelling enabled for content at rest in SharePoint and OneDrive?

    Source: Microsoft Learn: Apply a sensitivity label to content automatically.

  • Is auto-labelling enabled for outbound email in Exchange Online?

    Source: Microsoft Learn: Apply a sensitivity label to content automatically; Exchange Online client-side and service-side labelling.

Domain 5

SharePoint search and Copilot data boundary

Whether Restricted SharePoint Search is configured, oversharing is detected, and the Copilot data boundary respects sensitivity labels.

  • Have you assessed SharePoint oversharing in the context of Microsoft 365 Copilot?

    Source: Microsoft Learn: Restricted SharePoint search; Microsoft 365 Copilot data security and compliance.

  • Does the Copilot data boundary in your tenant respect sensitivity labels for grounding and citations?

    Source: Microsoft Learn: Microsoft 365 Copilot data security and compliance; Sensitivity labels and Microsoft 365 Copilot.

This is an indicative self-assessment. It is not a substitute for a tenant-level Information Protection review. For verified results Frontrow Technology offers an in-tenant IP stack assessment with Purview audit data.

The five layers

Five layers. One Information Protection stack.

Layer 1

Sensitivity labels (file-level)

Sensitivity labels apply to individual files and emails. Deployment is one thing — adoption is another. Frontrow finds tenants with a label taxonomy published 18 months ago and a 4% application rate. The stack matures when labels are mandatory on the highest-sensitivity templates, encryption is enforced on those labels, and label usage is reported.

Layer 2

Container labels (Sites, Teams, Groups)

Container labels are the second leg of the stack. A container label on a SharePoint site can block external sharing, restrict access to managed devices only, and force the privacy setting on the underlying Group. Most tenants apply file labels but not container labels — leaving a sensitive site fully shareable even when its files are correctly labelled.

Layer 3

Data Loss Prevention

DLP is the enforcement layer. Most tenants leave DLP policies in audit-only mode for years, so policies surface incidents nobody triages. Mature DLP runs on label conditions ("contains content labelled Confidential and shared externally") with user notifications and override paths, plus a small set of strict block-without-override rules for the highest-sensitivity content.

Layer 4

Auto-labelling

Manual labelling tops out at 30-40% adoption. Auto-labelling (E5 / E5 Compliance) closes the gap — it labels content at rest based on built-in sensitive information types (TFN, ABN, credit card, healthcare identifier) and trainable classifiers (custom document categories). Most AU tenants either don't have the licence (Business Premium hits a ceiling here) or have the licence and haven't turned it on.

Layer 5

SharePoint search and Copilot data boundary

M365 Copilot inherits SharePoint permissions and respects sensitivity labels. If your tenant has oversharing problems, Copilot will surface them at scale. Restricted SharePoint Search is the Microsoft mitigation: it constrains Copilot to a curated allowlist of sites until oversharing is remediated. Mature tenants run Restricted SharePoint Search as a transitional control while remediating, with a documented exit plan.

Frequently asked questions

What Australian IT, security and privacy teams ask.

Why score the stack rather than just sensitivity labels?

Sensitivity labels alone don't protect data. A label is just metadata. The stack is what makes the metadata enforceable: container labels (which constrain whole sites and Teams), DLP (which enforces policy when content moves), auto-labelling (which closes the manual-adoption gap), and the SharePoint search / Copilot data boundary (which constrains AI grounding). Frontrow finds tenants who deployed labels two years ago and have a 4% application rate. The label program is fine. The stack around it isn't.

What's the difference between a file sensitivity label and a container label?

A file label applies to a single file or email. A container label applies to a SharePoint site, Microsoft 365 Group or Teams team. Container labels control the membership policy, sharing settings, default privacy and (with the right configuration) whether unmanaged devices can access the content. Most tenants apply file labels and never apply container labels — leaving a sensitive site fully shareable even when its files are correctly classified. The fix is enabling container labels via PowerShell and assigning them at site creation.
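
One way to carry out the PowerShell step mentioned above, as an added example that is not Frontrow's or Microsoft's own script: it turns on `EnableMIPLabels` in the tenant's `Group.Unified` directory setting, syncs labels to Entra ID, and applies a container label to an existing site rather than at creation. The tenant URLs and the label name `Confidential` are placeholders, and it assumes the Microsoft.Graph.Beta, ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules are installed.

```powershell
# Placeholders (assumptions, not values from the page): replace with your tenant's.
$AdminUrl  = 'https://contoso-admin.sharepoint.com'
$SiteUrl   = 'https://contoso.sharepoint.com/sites/finance-confidential'
$LabelName = 'Confidential'   # assumed label, published with the Groups & sites scope

# 1. Enable sensitivity labels for containers in the Group.Unified directory setting.
Connect-MgGraph -Scopes 'Directory.ReadWrite.All'
$setting = Get-MgBetaDirectorySetting | Where-Object DisplayName -eq 'Group.Unified'
if ($setting) {
    # A tenant-level setting already exists: start from its current values.
    $current = $setting.Values | ForEach-Object { @{ Name = $_.Name; Value = $_.Value } }
} else {
    # No tenant-level setting yet: start from the template defaults.
    $template = Get-MgBetaDirectorySettingTemplate | Where-Object DisplayName -eq 'Group.Unified'
    $current  = $template.Values | ForEach-Object { @{ Name = $_.Name; Value = $_.DefaultValue } }
}

# Change only EnableMIPLabels and send the full value set back,
# so existing group settings (naming policy, guest access, ...) are preserved.
foreach ($v in $current) {
    if ($v.Name -eq 'EnableMIPLabels') { $v.Value = 'True' }
}
if ($setting) {
    Update-MgBetaDirectorySetting -DirectorySettingId $setting.Id `
        -BodyParameter @{ values = @($current) }
} else {
    New-MgBetaDirectorySetting `
        -BodyParameter @{ templateId = $template.Id; values = @($current) } | Out-Null
}

# 2. Synchronise published labels to Entra ID so they can be used on containers.
Connect-IPPSSession
Execute-AzureAdLabelSync

# 3. Resolve the label and confirm it is scoped to sites before applying it.
$label = Get-Label | Where-Object DisplayName -eq $LabelName
if (@($label).Count -ne 1) { throw "Expected exactly one label named '$LabelName'." }
if ($label.ContentType -notmatch 'Site') {
    throw "Label '$LabelName' is not scoped to Groups & sites."
}

# 4. Apply the container label to the site and read it back to verify.
Connect-SPOService -Url $AdminUrl
Set-SPOSite -Identity $SiteUrl -SensitivityLabel $label.Guid.ToString()
(Get-SPOSite -Identity $SiteUrl).SensitivityLabel
```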

Why does Privacy Act 2026 matter for this?

Privacy Act amendments require organisations to take 'reasonable steps' to protect personal information. The interpretation has hardened — tribunals now point at sensitivity labelling, DLP and access controls as baseline expectations for any organisation handling personal data. The OAIC's NDB report shows breaches involving personal information are rising. An organisation that processes personal information without a working IP stack is exposed both to the breach and to the post-breach regulatory finding that the controls weren't reasonable. This tool's scoring includes a Privacy Act 2026 alignment indicator on the result.

What's auto-labelling and do I need it?

Auto-labelling applies sensitivity labels automatically — at rest in SharePoint and OneDrive, at send-time in Exchange — based on built-in sensitive information types (TFN, ABN, Australia Driver's Licence, Medicare, credit card) and trainable classifiers. It requires E5 / E5 Compliance licensing. You need it if you are above 50 seats handling personal information at scale, because manual labelling tops out at 30-40% adoption regardless of training. Auto-labelling is what gets you to the 80%+ coverage that the Privacy Act standard implies.

What is Restricted SharePoint Search and when should I use it?

Restricted SharePoint Search is a Microsoft mitigation for tenants with oversharing problems who have or are deploying Microsoft 365 Copilot. It constrains Copilot grounding to a curated allowlist of SharePoint sites — preventing Copilot from surfacing oversharing patterns at scale while remediation is in flight. Mature deployments use it as a transitional control with a documented exit plan, not a permanent state. Permanent restriction defeats the value of Copilot.

Does Microsoft 365 Copilot respect sensitivity labels?

Yes — Copilot respects label-based access control (a user can't ground on encrypted content they don't have rights to) and label inheritance (Copilot output inherits the highest sensitivity label of any source it grounded on). The caveat is that label inheritance only works if labels are widely applied, and label-based access only bites if encryption is configured on the label. The IP stack tool scores both sides of this.

How is this self-assessment validated?

Every scoring threshold cites a primary source: Microsoft Learn for Purview Information Protection, sensitivity labels, DLP, auto-labelling, restricted SharePoint search and Copilot data security; Privacy Act 1988 (as amended through 2026 reforms); OAIC guidance. Methodology authored by Daniel Brown (5x Microsoft MVP), Graeme Lodge (Managing Director), and Sam Williams (Investor & Executive Consultant).

What does Frontrow's Managed Identity & Information Protection service include?

Quarterly review of label taxonomy, label adoption rates and DLP outcomes. Auto-labelling policy tuning. Container label rollout to net-new sites. Restricted SharePoint Search management with exit-plan tracking. Copilot data boundary verification. Privacy Act 2026 alignment evidence pack for the board. Monthly delta report for the IT lead.