Sensitivity Labels for Microsoft Copilot: Setup Guide


Deploy Microsoft Purview sensitivity labels to control what Microsoft 365 Copilot can access. Complete setup guide with label taxonomy, auto-labeling, and Copilot-specific restrictions.

Copilot Consulting

April 7, 2026


Updated April 2026

Sensitivity Labels for Microsoft Copilot: The Complete Setup Guide

Microsoft 365 Copilot retrieves content based on user permissions, but permissions alone do not indicate content sensitivity. A document shared with the entire marketing department might contain routine campaign materials or confidential customer acquisition costs. Without sensitivity labels, Copilot treats both documents identically—and happily includes confidential pricing data in a response to any marketing team member who asks the right question.

Sensitivity labels are the bridge between permissions (who can access content) and classification (how sensitive that content actually is). In every Microsoft 365 Copilot deployment I have led—across healthcare systems, financial institutions, and government agencies—sensitivity labels are the single most impactful security control. Organizations with 80%+ label coverage before Copilot deployment experience 74% fewer data exposure incidents compared to those that deploy without labeling.

This guide covers the complete sensitivity label setup for Copilot, from taxonomy design through auto-labeling and ongoing governance.

Why Sensitivity Labels Are Non-Negotiable for Copilot

Microsoft 365 permissions answer one question: "Can this user see this content?" Sensitivity labels answer a different question: "Should this content be included in an AI-generated response?"

These are fundamentally different questions. A senior VP of sales might have permission to access the entire Sales SharePoint site, including quota attainment reports, compensation plans, and pipeline forecasts. When that VP asks Copilot to "prepare talking points for the all-hands meeting," Copilot will pull from every document the VP can access. Without sensitivity labels, the generated talking points might include compensation data that should not be shared in an all-hands context.

The Label Coverage Gap

In our assessments of 500+ Microsoft 365 tenants preparing for Copilot:

  • Average label coverage: 12% — 88% of documents have no sensitivity label
  • SharePoint sites with zero labels: 67% — Two-thirds of sites have never had labels applied
  • Confidential content without labels: 40% — Based on content scanning, 4 in 10 sensitive documents are unlabeled
  • Auto-labeling configured: 8% — Less than 1 in 10 organizations use auto-labeling policies

These numbers represent a massive exposure gap for Copilot. Every unlabeled document is treated as unrestricted content that Copilot can freely retrieve and include in responses.

Designing Your Label Taxonomy for Copilot

A well-designed label taxonomy balances security with usability. Too few labels and you cannot differentiate between sensitivity levels. Too many labels and users are overwhelmed, leading to mislabeling or no labeling at all.

Tier 1: Public

  • Content approved for external distribution
  • Copilot can freely include in any response
  • No encryption or access restrictions
  • Examples: published blog posts, marketing materials, public-facing documentation

Tier 2: Internal

  • Content for internal use only
  • Copilot can include in responses to any internal user
  • DLP prevents external sharing of Copilot responses containing Internal content
  • Examples: internal announcements, standard operating procedures, training materials

Tier 3: Confidential (with sub-labels)

  • Content restricted to specific groups
  • Copilot includes only in responses to users in authorized groups
  • Encryption enforced, access restricted to defined users/groups
  • Sub-labels:
    • Confidential - HR: Employee records, performance reviews, compensation data
    • Confidential - Finance: Budget data, financial forecasts, audit reports
    • Confidential - Legal: Contracts, legal opinions, litigation materials
    • Confidential - Strategy: M&A documents, competitive analysis, board materials

Tier 4: Highly Confidential (with sub-labels)

  • Most sensitive organizational content
  • Excluded from Copilot retrieval entirely (or restricted to named individuals)
  • Encryption with do-not-forward and no-copy restrictions
  • Sub-labels:
    • Highly Confidential - Executive: C-suite communications, board packages
    • Highly Confidential - Regulated: HIPAA PHI, PCI data, ITAR content
    • Highly Confidential - M&A: Active deal documents, due diligence materials

Label Priority and Inheritance

Configure label priority so that higher-sensitivity labels cannot be downgraded without justification:

  1. Users can upgrade labels freely (Internal to Confidential)
  2. Downgrading requires business justification (Confidential to Internal)
  3. Removing labels requires admin approval
  4. Child documents inherit parent label by default in SharePoint libraries
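
The rules above can also be checked after the fact against a record of label changes. The following is an added example, not part of the original guide: it ranks labels by the tiers in this taxonomy (sub-labels rank with their parent tier) and flags downgrades without a justification and removals without admin approval. The records and their field names are constructed for illustration and are not the Purview audit log schema.

```powershell
# Added example. Tier order follows the taxonomy above; higher = more sensitive.
$tiers = @{ 'Public' = 0; 'Internal' = 1; 'Confidential' = 2; 'Highly Confidential' = 3 }

function Get-LabelTier([string]$Label) {
    if ([string]::IsNullOrWhiteSpace($Label)) { return -1 }   # no label applied
    $parent = ($Label -split ' - ', 2)[0]                     # 'Confidential - HR' -> 'Confidential'
    if ($tiers.ContainsKey($parent)) { return $tiers[$parent] }
    throw "Unknown label: $Label"
}

function Test-LabelChange($Change) {
    $old = Get-LabelTier $Change.OldLabel
    $new = Get-LabelTier $Change.NewLabel
    $kind = if ($new -eq -1 -and $old -ge 0) { 'Removal' } `
        elseif ($new -lt $old) { 'Downgrade' } `
        elseif ($new -gt $old) { 'Upgrade' } `
        else { 'Lateral' }
    # Rule 2: a downgrade needs a justification. Rule 3: a removal needs admin approval.
    $violation = switch ($kind) {
        'Downgrade' { [string]::IsNullOrWhiteSpace($Change.Justification) }
        'Removal'   { -not $Change.AdminApproved }
        default     { $false }
    }
    [pscustomobject]@{ File = $Change.File; User = $Change.User; Kind = $kind; Violation = $violation }
}

# Constructed sample records (hypothetical field names).
$changes = @(
    [pscustomobject]@{ User = 'ana';  File = 'q3-forecast.xlsx'; OldLabel = 'Internal';
                       NewLabel = 'Confidential - Finance'; Justification = ''; AdminApproved = $false }
    [pscustomobject]@{ User = 'ben';  File = 'offer-letter.docx'; OldLabel = 'Confidential - HR';
                       NewLabel = 'Internal'; Justification = ''; AdminApproved = $false }
    [pscustomobject]@{ User = 'cara'; File = 'press-release.docx'; OldLabel = 'Internal';
                       NewLabel = 'Public'; Justification = 'Approved for publication'; AdminApproved = $false }
    [pscustomobject]@{ User = 'dev';  File = 'board-deck.pptx'; OldLabel = 'Highly Confidential - Executive';
                       NewLabel = ''; Justification = 'Cleanup'; AdminApproved = $false }
)

$results = $changes | ForEach-Object { Test-LabelChange $_ }
$results | Where-Object { $_.Violation } | Format-Table File, User, Kind

# Downgrade rate across all label changes in the sample.
$downgrades = @($results | Where-Object { $_.Kind -eq 'Downgrade' }).Count
'Downgrade rate: {0:P0}' -f ($downgrades / $results.Count)
```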

Step-by-Step Label Configuration in Microsoft Purview

Step 1: Create the Label Taxonomy

Navigate to Microsoft Purview > Information Protection > Labels.

Create each label with these settings:

| Label | Scope | Encryption | Content Marking | Copilot Restriction |
|---|---|---|---|---|
| Public | Files, emails | None | Footer: "Public" | None |
| Internal | Files, emails | None | Footer: "Internal Use Only" | Block external sharing of responses |
| Confidential | Files, emails, groups | AES-256 | Header + Footer | Restrict to authorized groups |
| Highly Confidential | Files, emails, groups | AES-256 + DRM | Header + Footer + Watermark | Exclude from Copilot retrieval |

Step 2: Configure Label Policies

Label policies determine which users see which labels and set default labeling behavior.

Policy configuration:

  1. Navigate to Microsoft Purview > Information Protection > Label Policies
  2. Create a new policy for each department/business unit
  3. Assign the full label taxonomy to all users
  4. Set default label for new documents: "Internal" (prevents unlabeled document creation)
  5. Require justification for label removal or downgrade
  6. Enable mandatory labeling for all new documents and emails

Step 3: Deploy Auto-Labeling Policies

Auto-labeling is essential for retroactive coverage of existing content.

Service-side auto-labeling (content at rest):

  1. Navigate to Microsoft Purview > Information Protection > Auto-labeling
  2. Create policies for each sensitive information type:
    • Documents containing SSNs → "Confidential - HR"
    • Documents containing credit card numbers → "Confidential - Finance"
    • Documents containing medical record numbers → "Highly Confidential - Regulated"
  3. Run in simulation mode for 2 weeks
  4. Review simulation results and adjust confidence thresholds
  5. Enable automatic labeling after validation
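
The same service-side steps can be scripted in Security & Compliance PowerShell. The following is an added example, not part of the original guide: it creates one SharePoint auto-labeling policy per mapping in simulation mode and leaves enforcement as an explicit later step. The site URL is a placeholder, the label names are assumed to match this guide's taxonomy and to exist in the tenant already, and only the two mappings that use built-in sensitive information types are shown.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and a role that
# can manage auto-labeling policies.
Connect-IPPSSession

# ASSUMPTIONS: placeholder site URL; label names taken from this guide's taxonomy.
$site = 'https://contoso.sharepoint.com/sites/placeholder'
$mappings = @(
    @{ Sit = 'U.S. Social Security Number (SSN)'; Label = 'Confidential - HR' }
    @{ Sit = 'Credit Card Number';                Label = 'Confidential - Finance' }
)

foreach ($m in $mappings) {
    $name = "Sim - $($m.Label)"

    # TestWithoutNotifications is simulation mode: matches are reported,
    # but no label is written to any file.
    New-AutoSensitivityLabelPolicy -Name $name `
        -SharePointLocation $site `
        -ApplySensitivityLabel $m.Label `
        -Mode TestWithoutNotifications

    # One rule per policy: match content containing at least one instance
    # of the sensitive information type.
    New-AutoSensitivityLabelRule -Policy $name -Name "$name - rule" `
        -Workload SharePoint `
        -ContentContainsSensitiveInformation @{ Name = $m.Sit; minCount = '1' }
}

# Confirm that every policy is still in simulation before the review period starts.
Get-AutoSensitivityLabelPolicy | Select-Object Name, Mode

# After the simulation results have been reviewed, enable a validated policy:
# Set-AutoSensitivityLabelPolicy -Identity 'Sim - Confidential - HR' -Mode Enable
```

Keeping the `Set-AutoSensitivityLabelPolicy` call commented out makes the switch from simulation to enforcement a deliberate, per-policy decision.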

Client-side auto-labeling (content during creation):

  1. Configure auto-labeling within each sensitivity label
  2. Set conditions based on sensitive information types
  3. Configure as "recommend" (user approves) rather than "automatic" for client-side
  4. Users see a recommendation bar in Word, Excel, and PowerPoint

Step 4: Configure Copilot-Specific Label Restrictions

This is the step most organizations miss. Labels alone are not enough—you need DLP policies that enforce label restrictions during Copilot interactions.

For each label tier, create a corresponding DLP policy:

  • Confidential content: DLP policy restricts Copilot from including Confidential-labeled content in responses to users outside the authorized group
  • Highly Confidential content: DLP policy blocks Copilot from retrieving or including Highly Confidential content in any response
  • Encrypted content: Copilot respects encryption boundaries—users without decryption rights cannot receive Copilot responses containing encrypted content

Auto-Labeling Strategy for Copilot Readiness

Achieving 80% label coverage before Copilot deployment requires a multi-pronged approach:

Phase 1: Service-Side Auto-Labeling (Weeks 1-4)

Deploy Purview auto-labeling policies to scan existing SharePoint and OneDrive content:

  • Configure 15-20 auto-labeling policies based on sensitive information types
  • Target high-volume content first: SharePoint document libraries, shared drives, project sites
  • Expected coverage: 40-50% of total documents labeled automatically
  • Review and approve auto-labeling results before applying

Phase 2: Default Labeling for New Content (Week 2)

Set default labels so all new content is automatically labeled:

  • Default label for new documents: Internal
  • Default label for new emails: Internal
  • Mandatory labeling: Users must select a label before saving or sending
  • This prevents the label coverage gap from growing while you address existing content

Phase 3: User-Driven Labeling Campaign (Weeks 3-6)

Drive manual labeling of content that auto-labeling cannot classify:

  • Identify the top 100 SharePoint sites by content volume
  • Assign site owners to review and label content in their sites
  • Provide a labeling guide with examples for each label tier
  • Track progress through Purview data classification dashboard
  • Expected additional coverage: 20-30%

Phase 4: Gap Closure (Weeks 6-10)

Address remaining unlabeled content:

  • Run content explorer reports to identify unlabeled sensitive content
  • Apply bulk labeling to document libraries with consistent content types
  • Escalate sites with low label coverage to department leadership
  • Target: 80%+ overall label coverage before Copilot enablement

Measuring Label Effectiveness for Copilot

Track these metrics to ensure sensitivity labels are protecting Copilot interactions:

| Metric | Target | Measurement Tool |
|---|---|---|
| Overall label coverage | 80%+ | Purview Data Classification |
| Auto-labeling accuracy | 95%+ | Simulation mode results |
| User labeling compliance | 90%+ of new docs | Purview Activity Explorer |
| Label downgrade rate | Below 5% | Purview Audit Logs |
| Copilot DLP incidents | Declining trend | Purview DLP Dashboard |

Our readiness assessment includes a complete label coverage analysis with gap identification and a prioritized labeling roadmap.

Common Sensitivity Label Mistakes with Copilot

Mistake 1: Over-Labeling Everything as Confidential

If 80% of your content is labeled Confidential or Highly Confidential, Copilot becomes nearly useless because it cannot retrieve most content. Accurate classification matters more than maximum restriction.

Mistake 2: Not Configuring Default Labels

Without default labels, every new document created after your labeling campaign adds to the unlabeled gap. Set "Internal" as the default for all new content from day one.

Mistake 3: Skipping Auto-Labeling Simulation

Auto-labeling in production without simulation results in mislabeled content, user complaints, and loss of trust in the labeling system. Always run simulation for at least 2 weeks.

Mistake 4: Ignoring Label Inheritance in SharePoint

When a document library has a default label, new documents inherit that label. Configure library-level defaults for SharePoint sites with consistent content types to accelerate coverage.

Start Your Sensitivity Label Deployment

Sensitivity labels are the foundation of secure Microsoft 365 Copilot deployment. Without them, Copilot treats all accessible content as equally available, creating data exposure risks that increase with every user who receives a Copilot license.

Our Copilot deployment service includes complete sensitivity label taxonomy design, Purview configuration, auto-labeling deployment, and ongoing label governance. We have achieved 80%+ label coverage for organizations with 500,000+ documents in under 8 weeks.

Schedule a sensitivity label assessment to measure your current coverage and build a Copilot-ready labeling strategy.


Errin O'Connor

Founder & Chief AI Architect

EPC Group / Copilot Consulting

Microsoft Gold Partner
Author
25+ Years

With 25+ years of enterprise IT consulting experience and 4 Microsoft Press bestselling books, Errin specializes in AI governance, Microsoft 365 Copilot risk mitigation, and large-scale cloud deployments for compliance-heavy industries.
