Enterprise Mobility Information Protection

Creating New Sensitivity Labels with a PowerShell

Read Time: 3 minutes

Sensitivity Labels can be used to apply the information security classification for your organization to files & emails (and other areas) within Microsoft 365. Specifically to files inside of SharePoint Online, Microsoft Teams, OneDrive and all of your emails in Exchange.

Sensitivity Labels are created and managed within the Compliance Center in M365 and are available to both M365 E3 and M365 E5 licensed organizations.

One of the key advantages to using Sensitivity Labels over legacy methods to apply a classification is the label is not merely metadata, but we can automate and enforce classification standards on our files & emails.

We can use the user friendly user-interface in the Compliance Center, or we can build our own PowerShell script which will allow us to add configuration items otherwise not available to us. In additional to gaining access to additional features (e.g., providing a multilingual experience), PowerShell scripts allow us to build and test our Sensitivity Labels deployment in a structured and repeatable method. This reduces risk as it removes opportunity for human error and ensures the staging environment deployment will be identically deployed in our production environment.

1. PowerShell Pre-requisites

In order to create and configure our Sensitivity Labels, we need to install the Exchange Online Management Shell if we don’t have it using PowerShell ISE (Run as Admin).

Import-Module ExchangeOnlineManagement

2. Connect to the Security & Compliance PowerShell

Using Exchange Online Management module, we must connect to the Security & Compliance PowerShell.


3. Create the Label

In order to create the Label at its most basic level, we will run the New-Label command, and identify three (3) fields for the label

  1. DisplayName: The display name is what is seen by end users and can be updated based on business needs (in the event it must)
  2. Name: The name cannot be changed and is generally considered to be a unique value in your tenant. The name is what will be displayed in the Audit Log and various administrative consoles.
  3. ToolTip: The tool tip field should include language which communicates the sensitivity of the file which has the applied label.

In this case, we will create a label called “public” with an identical display name and a description of whom the file can be distributed to.

New-Label -DisplayName "Public" -Name "Public" -ToolTip "This content can be freely shared with the public."

With that simple line we created a Sensitivity Label which can be furthered configured from the Compliance Centre or with the Set-Label command.

Now that we have created the label, we will use PowerShell to apply the following (in future posts):

  • Multilingual Support
  • File & Email settings
    • Header, footer, and watermark markings
    • Encryption Settings
    • Default Share and Permissions Scope
  • Groups & Sites settings
    • Public and Private options for MS Teams membership
    • external access

Following completion of configuring our labels, we will create a Sensitivity Label Policy (or two).

Enterprise Mobility Information Protection

Co-authoring with MIP Encrypted Document

Read Time: 2 minutes

Co-authoring on Word, Excel, and PowerPoint document which are encrypted using Microsoft Information Protection (MIP) is now generally available.

This enhancement allows organizations various improvements, like the end-user productivity of collaboration on sensitive documents, or adding to their security posture overall, by encrypting a larger portion of their sensitive documents without restricting co-authoring.

Specifically, the change allows for MIP Protected files to be encrypted to specific end-users, while allowing them to edit the documents with their applications, as they would any other file.

Organizational Change Management

Co-authoring MIP encrypted files provides a benefit to the end-users, as such it should be communicated with them to understand how it is for their benefit, for the organization to realize the value of the feature.

For example, end-users can now share “need-to-know” files with specific individuals in an appropriate information repository, and collaborate on the document as they would any other document. They can rest assured their file is appropriately protected, while storing the file where it should reside, as opposed to using unauthorized or transitory workspaces such as OneDrive.

Technical Preparation

  1. Ensure Office has the latest updates deployed (either Current Channel or Monthly Enterprise Channel)
  2. Update any Azure Information Protection (AIP) unified labeling clients (version
  3. Enable the feature within the Compliance Center (Compliance Center)

Additional Reading

    Enterprise Mobility Information Protection

    Getting Started with Sensitivity Labels for Files and Emails

    Read Time: 3 minutes

    All information is not equal.

    Some documents or emails have private financial or health information and others have plans for lunch.

    Sensitivity Labels within Microsoft 365 provides end-users the ability to classify their documents and emails to ensure a certain level of information protection to both their and the organization’s content.

    Sensitivity Labels for files and emails allow staff to identify specific documents as more or less sensitive than others.

    For example, a briefing note to senior leadership could be tagged as ‘confidential’, which would then add a “confidential” watermark added to the document and restrict it from being shared externally. Compliance officers would also be able to filter reports on documents marked as confidential.

    Applying labels is easy.

    Once Sensitivity Labels are created and published, individuals can choose to tag content directly within the application, providing them a seamless and low friction experience.

    Emails can be tagged with their “sensitivity” when being drafted, and documents anytime they are opened. These features are available in both the installed applications and online browser based versions.

    Sensitivity Labels allow individuals to mark files and emails with both different controls (e.g. allow internal access only) or using an existing information classification adopted or published by the organization (e.g. Protected A).

    Options for controls are:

    • restrict/provide access to appropriate roles (and individuals)
    • create a watermarks, header, and/or footer on the document to communicate the document’s sensitivity.

    Planning Sensitivity Labels

    When planning Sensitivity Labels, it is important to consider certain key factors to ensure successful implementation and adoption.

    • Align to existing information security classification schemas where available
    • Leverage a cross-functional team to build the label business and technical requirements
    • A clear and concise set of details will ensure labels are used correctly, rather than providing too many options with language requiring a reference guide or training course
    • Ensure alignment, approval from all key stakeholders (not just IT or Cybersecurity), Sensitivity Labels can mark documents (potentially impacting existing templates) and more importantly can effect the ability to collaborate (restricting documents to internal only or subsets of internal users).


    • Pilot the labels with a small group and collect feedback prior to implementation
    • If introduced into an active environment, consider a phased approach – avoid restricting access in bulk to focus on training and adoption, to build a cultural practice within the organization without impacting day-to-day activities


    Learn about Sensitivity labels (Microsoft Docs)

    Thank you for Reading

    Questions? Comments? Feel free to reach out.