Frontrow Technology

Free tool · 5 minutes · Microsoft Purview

SENSITIVITY LABELS MATURITY SCORER

Microsoft Purview sensitivity labels are the foundation of information protection — and the prerequisite for safe Copilot rollouts. Score your tenant across five domains: taxonomy, scope, automation, container labels and Copilot enablement.

10 questions · 5 domains

Sensitivity Label Maturity Scorer

Score your Microsoft Purview sensitivity label posture across five domains. Designed for AU tenants either running Copilot or planning to. Pick the option closest to your current state.

Domain 1

Label taxonomy

A clear, business-aligned set of labels that staff actually understand and use — not the default Microsoft template.

  • Does the organisation have a documented sensitivity label taxonomy?

    Source: Microsoft Learn — Sensitivity Label Strategy: 'design a sensitivity label taxonomy aligned to business needs'.

  • How is the taxonomy communicated to staff?

    Source: Microsoft Learn — change management for sensitivity labels.

Domain 2

Policy scope & coverage

Labels deployed to all knowledge workers across all relevant Microsoft 365 services — not just the security team's pilot.

  • What scope are sensitivity labels deployed to?

    Source: Microsoft Learn — sensitivity label policy scope.

  • Which Microsoft 365 services are covered by labels?

    Source: Microsoft Learn — supported services for sensitivity labels.

Domain 3

Auto-labelling & client-side classification

Auto-labelling rules in Purview that classify content based on sensitive information types, plus client-side prompting where automation is uncertain.

  • Is auto-labelling configured for sensitive information types?

    Source: Microsoft Learn — automatic labelling for files and emails.

  • Does the client prompt or recommend labels at save time?

    Source: Microsoft Learn — recommended labels.

Domain 4

Container labels (sites, teams, groups)

Sensitivity labels applied at the container level — SharePoint sites, Teams workspaces, Microsoft 365 Groups — controlling external sharing and access.

  • Are container labels (SharePoint sites, Teams, Groups) deployed?

    Source: Microsoft Learn — sensitivity labels for containers.

  • Do container labels drive default file-level labels for content created inside?

    Source: Microsoft Learn — default labels and container inheritance.

Domain 5

Copilot enablement & monitoring

Labels integrated into the Copilot rollout — DLP exclusions, label-scoped access, Defender for Cloud Apps monitoring of Copilot interactions with sensitive content.

  • Are DLP rules configured to exclude high-sensitivity content from Copilot grounding?

    Source: Microsoft Learn — Microsoft Purview Data Loss Prevention for Copilot.

  • Is Copilot interaction with sensitive content monitored?

    Source: Microsoft Learn — Defender for Cloud Apps Copilot governance; Purview Insider Risk Management.

This is an indicative self-assessment, not a tenant-level Purview audit. For verified results Frontrow can review your label taxonomy, policy scope and auto-labelling rules directly against your tenant.

What the scorer covers

Five domains. One Copilot-safety picture.

Domain 1

Label taxonomy

The single biggest reason label rollouts fail is taxonomy: too many labels, labels named in legal language, or labels that staff cannot tell apart at a glance. A working taxonomy has 4–6 labels, plain-English names, clear examples, and is grounded in the organisation's actual data classes (HR, finance, legal, customer, regulatory).

Domain 2

Policy scope & coverage

Labels that are only deployed to a subset of users mean unlabelled content keeps being created. The control needs scope across all knowledge workers, all relevant services (Word, Excel, PowerPoint, Outlook, Teams, SharePoint, OneDrive), and consistent default labels per scope.

Domain 3

Auto-labelling & client-side classification

Manual labelling alone fails for the ~80 percent of content that was already in the tenant before labels were rolled out. Auto-labelling against sensitive information types (TFNs, Medicare numbers, credit card numbers, BSB/account numbers, AU passport numbers) catches the back catalogue. Client-side recommended labels prompt staff at the point of save without forcing them.

Domain 4

Container labels (sites, teams, groups)

Container labels enforce the privacy and external-sharing boundary at the workspace level, not just the file. They are a critical control because file-level labels fail when files are bulk-copied between containers. Container labels also drive default file-level labels on content created inside them.

Domain 5

Copilot enablement & monitoring

For Copilot-safe tenants, labels need to drive Copilot behaviour: DLP rules that exclude Highly Confidential content from Copilot grounding, monitoring of which Copilot prompts touch labelled content, and a feedback loop that surfaces oversharing risk discovered through Copilot use.

Frequently asked questions

What Australian IT teams ask about sensitivity labels.

Why are sensitivity labels a Copilot prerequisite?

Microsoft 365 Copilot grounds responses in the asking user's accessible content. If sensitive content is unlabelled and over-shared in SharePoint, Copilot will surface it to the user — completely legitimately, because the permissions said yes. Sensitivity labels are how you mark which content is high-stakes, drive DLP rules that limit what Copilot can ground on, and drive container privacy that limits what gets accidentally shared in the first place.

How many labels should an Australian organisation have?

Four to six. The most common Australian taxonomy is Public, General (Internal Use), Confidential, Highly Confidential, and optionally a Personal/Customer Data label. More than six labels is the single most reliable predictor of failed adoption — staff cannot tell them apart and stop using them. Plain-English names beat policy-language names every time.

Do auto-labelling rules need a special licence?

Yes — automatic labelling for files and emails requires Microsoft 365 E5, the Microsoft 365 E5 Compliance add-on, or Office 365 E5 in some configurations. Manual labelling and recommended client-side labels are available in lower SKUs. For Australian midmarket organisations pursuing Copilot at scale, the E5 Compliance add-on is usually the right call.

What's a container label?

A container label is a sensitivity label applied to a SharePoint site, Microsoft 365 Group, or Microsoft Team — not just to a file. Container labels enforce privacy and external-sharing settings for the entire workspace, drive default file-level labels for content created inside, and survive bulk file moves between containers. They are a critical control for Copilot-safe tenants because file-level labels alone do not stop oversharing at the workspace level.

How long does a label rollout typically take?

Frontrow's standard pattern is six to eight weeks: week 1–2 taxonomy workshop and policy design, week 3 pilot deployment to a champions group, week 4–5 organisation-wide deployment with comms, week 6–7 auto-labelling and container labels enabled, week 8 monitoring and tuning. Rushing the taxonomy phase is the most common cause of having to redo the rollout.