How to apply confidentiality labels to Microsoft 365 documents

Last update: 28/01/2026
Author Isaac
  • Confidentiality labels classify and protect documents, emails, meetings, and containers in Microsoft 365 with encryption and persistent content tagging.
  • They are created and managed from the Microsoft Purview portal, grouped into tag policies, and published to users and groups with defined priorities and scopes.
  • Users can apply labels manually, or receive automatic recommendations and applications based on detected sensitive content and configured policies.
  • The labels integrate with Teams, SharePointPower BI, eDiscovery and Copilot, extending data protection and access control beyond Office documents.

How to use the Microsoft 365 health dashboard

Protecting sensitive information in Microsoft 365 It's no longer an option; it's an absolute necessity for any organization that shares documents and emails daily. Data travels between devices, clouds, applications, and internal and external users, and it's crucial that this information does so with a "seal" indicating its sensitivity level and, if necessary, applying automatic protection.

Microsoft Purview Information Protection confidentiality labels They are the key to achieving this: they allow you to classify, visually mark, and encrypt content, as well as extend protection to Teams, SharePoint, Power BI, Copilot, and many other services. Throughout this article, you will see, in great detail and using clear language, what these tags are, what they can do, how to configure them in the Microsoft Purview portal, and, above all, how to apply them to Microsoft 365 documents and emails.

What exactly are confidentiality labels in Microsoft 365?

A confidentiality label is, in practice, a digital “seal”. which applies to documents, emails, meetings and other types of content to indicate their sensitivity level (e.g., Public, Internal, Confidential or Highly Confidential) and, optionally, activate protection measures such as encryption, watermarks or usage restrictions.

These labels are fully customizable For each organization: names, descriptions, colors, and levels (e.g., Personal, Public, General, Confidential, Highly Confidential) are defined based on internal security and compliance policies. These are then managed and published through the Microsoft Purview portal, within Information Protection.

The great strength of labels This is because they are stored as metadata in unencrypted text within the file or email itself. This allows third-party applications and services to read the tag and apply additional actions (for example, controls in a DLP or on a proxy). At the same time, if the label applies encryption, that encryption is linked to the configuration defined in the label itself.

Another key characteristic is its persistenceBecause they are embedded in the metadata, the tags travel with the content wherever it is copied, downloaded, or forwarded, both inside and outside the organization. This persistence is what allows protection policies to be maintained even when the file leaves the Microsoft 365 "territory."

For the end user, the labels are highly visible. In Office applications: these tags are displayed in the title bar, the Confidentiality/Sensitivity bar or button, and are integrated into the normal workflow. Users from other organizations can see the name of the tag applied to content they receive, but they will not see the complete catalog of tags configured by the sending organization.

What happens when you apply a confidentiality label?

When you apply a confidentiality label to a file or emailThis classification information is saved to the item and is retained when moving it between devices, Office applications, SharePoint, OneDrive, Teams, and even certain third-party services. From that point on, depending on how the label was configured, automatic changes to the content may occur.

A label can apply encryption through Information Rights Management. (IRM or Microsoft Purview Information Protection, see Azure Information ProtectionThis means that only authorized people or groups will be able to open the content and perform certain actions (read, modify, print, forward, copy text, etc.). These permissions are defined within the label itself, either fixed by the administrator or by allowing the user to choose who can access it.

It is also possible that content tags will be inserted such as headers, footers, or watermarks visible in WordExcel, PowerPoint, and, in some cases, Loop components. The text of these content tags is defined by the administrator (for example, “Confidential – Internal Use Only”). You can see examples in Word forms with controlled content.

In addition, dynamic watermarks can be used These tags incorporate information about the user or the document itself (such as the recipient's name, email address, or file name). These dynamic tags enhance traceability and prevent information leaks, because it's clear who is viewing the document at any given time.

Depending on the application and platform, the exact behavior may vary slightly.Not all versions of Office (desktop, web, mobile) support exactly the same markup and encryption capabilities. However, the tag itself always accompanies the content, and protection measures are applied as consistently as possible across all environments.

Where and how do labels appear in Office applications?

In the desktop versions of Word, Excel, and PowerPoint for WindowsThe current confidentiality label is usually displayed in the title bar, next to the file name. Hovering your mouse over the label icon will show you the name and, often, a brief description with instructions for using that classification.

The Privacy bar or button is also available in Office for Windows. (on the Home tab, usually under the name “Confidentiality” or “Sensitivity”). From there, the list of labels published for that user is displayed, and you can select or change the label applied to the file.

  What is stalkerware or spouseware and how to protect yourself

In Office for the web (Word, Excel, PowerPoint online)The label is also displayed at the top of the window as an icon or text. Although the detailed permissions view is not yet available in the web version, the encryption and marking settings applied from the desktop or cloud are respected.

In Outlook, labels are applied to emails and meeting invitations. From the Confidentiality/Sensitivity button on the ribbon. The user selects the appropriate label and, if it applies encryption, the message is sent protected with the defined restrictions (for example, do not forward, do not print, read only, etc.). If the label applies encryption or usage restrictions, the message is automatically protected upon sending (see How Defender for Office 365 protects email and files).

En mobile devices (Android, iOS, iPadOS)The interface changes, but the concept is the same: in Word, Excel, and PowerPoint, tabs are accessed from the Home tab (or from the More options menu represented by the three dots). The active tab is displayed at the top and can be changed from those menus.

Ways to apply confidentiality labels to Microsoft 365 documents

Confidentiality labels can be applied manually, by recommendation, or automatically.This depends on how the administrator has configured it. For users to apply these changes, they must sign in to Microsoft 365 with their corporate or educational account and have the appropriate licenses assigned.

Manual application from within the application itself

The most common way to label a document In Word, Excel, or PowerPoint (desktop), use the title bar or the Privacy button:

  • From the title barClick in the label area next to the file name and select the appropriate label from the list (e.g., General, Confidential, etc.).
  • From the Confidentiality/Sensitivity button: go to tab Home and click on ConfidentialityA dropdown menu will open with all the tags available for your user, and you can choose the most appropriate one for that content.

When you save a new file, in some environments A Save dialog box may appear, offering the option to choose the label before saving. This ensures the document is correctly classified from the start.

If your organization has established mandatory labelingYou'll see messages like "Select a tag" or indicators that a tag is missing in the title bar. In that case, you won't be able to save or continue working without applying at least one tag to the file (although you can open the document in read-only mode if you don't want to tag it).

Application from Outlook to emails and meetings

In Outlook for desktop and for the webThe procedure is very similar: when composing a new message or a meeting invitation, use the Confidentiality/Sensitivity button on the ribbon. Clicking it displays the list of available labels, and you simply choose one.

If the label applies encryption or usage restrictionsThe message is automatically protected upon sending. For example, a "Confidential" or "Highly Confidential" label can prevent forwarding, copying, printing, or even replying to the email; in addition, an expiration date can be applied so that the content becomes inaccessible after a certain time.

Mobile application

On Android phones and tabletsLabeling is usually done from the tab Home, selecting the option Confidentiality and then the desired label. In some cases, on phones with smaller screens, you'll first need to tap an additional three-dot menu to access the option.

En iPhone y iPadThe tagging application works similarly: you can access Confidentiality From the Home tab or the More options menu (the three dots at the top). Clicking it will show you the labels and allow you to change the one already applied.

Automatic, recommended, and default labeling

In addition to manual labeling, the administrator can configure rules. so that Microsoft 365 can automatically detect sensitive information (such as credit card numbers, social security numbers, or other regulated data) and apply or recommend a specific label.

  • Automatic labelingIf the content meets certain conditions, a specific tag is applied automatically without user intervention. The user will see a notification below the ribbon indicating that the file has been automatically tagged.
  • Recommended tagsIn this case, the system suggests a label when it detects sensitive information, but leaves the final decision to accept or reject the recommendation to the user. The suggestion also appears as a notification below the ribbon.
  • Default tagsYou can define a default label for new documents, emails, meetings, or even SharePoint document libraries. When you create a new file without a label, it will be assigned the default label the first time you save it (or as soon as you open it after implementing the policy).

It is important to understand that automatic labeling does not override user decisions.Microsoft 365 will not apply an automatic label if the file already has a manually set label or if the existing label has a higher level of confidentiality than the one you intend to apply automatically.

Change and justification of label changes

Many organizations require justification for changes to less restrictive labels.If you try to lower the confidentiality level (for example, from "Highly Confidential" to "General"), a dialog box may appear where you must select a reason or enter an explanation. This justification is recorded in the activity logs for audit purposes.

It is also possible to prevent the label from being completely removed. When mandatory tagging is enabled, you can switch to another tag, but you can never leave the file unclassified.

  How to Use Files with Copilot: Complete Step-by-Step Guide

What can confidentiality labels do besides classify?

Labels are not just for "sticking a sticker" to the documentbut they are the core of many other security and compliance capabilities within Microsoft 365 and Microsoft Purview.

Access control and encryption

A label can include very detailed encryption rules that specify who can open a file or email and what actions they can perform: view, modify, copy, print, forward, save as, etc. You can define permissions for users and groups inside or outside the organization, set expiration dates, or prevent access from unmanaged devices.

In some cases, the tag allows user-defined permissionsWhen this type of tag is applied, the user tagging the file chooses which specific people are granted access, and with what level of permissions. It is especially useful for highly sensitive documents that should only be seen by a small group of people.

Content marks: headers, footers, and watermarks

Labels can insert visual content markers such as headers, footers, and watermarks. It's a simple way for anyone opening the file to quickly understand that they are dealing with sensitive information (for example, a large diagonal "CONFIDENTIAL" message).

These content tags support dynamic variables such as the tag name, document name, or user. This allows you to create templates that automatically adapt to the file's context without having to edit the text each time.

Container protection: SharePoint Teams, Groups, and Sites

Confidentiality labels can also be applied to containers as teams of Microsoft TeamsMicrosoft 365 groups, SharePoint sites, and Loop workspaces. In this case, the label doesn't categorize each individual file, but rather controls how that container can be accessed and shared.

For example, a label for a highly confidential project team It can block access from external guests, prevent use from unmanaged devices, and restrict how channels are shared with other teams. This way, everything within that container benefits from stricter security rules.

Extension to Power BI, Purview, and third-party services

Confidentiality labels are also integrated with Power BIso that reports and datasets can be tagged and remain protected even when exported or consumed outside the main service.

In the Microsoft Purview Data MapLabels can be extended to structured data resources such as SQL, Azure Synapse, Azure Cosmos DB, or AWS RDS. This provides consistent classification between Office files and more technical data assets.

Thanks to the Microsoft Information Protection SDK, third-party applications and services (e.g., solutions from storage such as Box or Dropbox, or specialized SaaS applications) can read and apply tags, as well as respect associated encryption settings.

Integration with eDiscovery, DLP and Copilot

Confidentiality labels are used as a condition in eDiscovery searchesIn a litigation case, a search can be limited to items labeled "Highly Confidential" or exclude those labeled "Public." This greatly simplifies the legal filtering of information.

In the field of Artificial Intelligence with Microsoft 365 Copilot In Microsoft 365 Copilot Chat, labels are respected by agents: when combining data from different sources, the highest priority (most restrictive) label is used as a reference and it is checked whether the user has permission to extract content (EXTRACT right) before returning information in the responses.

Tag categories and real-world usage examples

Each organization designs its own catalog of labelsHowever, there is usually a fairly consistent pattern of levels, ranging from public information to highly sensitive data. A typical example might be:

  • Staff: user's personal content, without corporate data.
  • PublicInformation that can be shared without restrictions outside the organization.
  • Internal: documents for internal employee use, not for external distribution.
  • Confidential: sensitive information with restrictions on printing, forwarding or copying.
  • Highly confidential: maximum level of protection, with strong encryption, expiration, mandatory watermarks, etc.

A very illustrative example is the diagram of an institution with labels such as “CFE Public”, “CFE Internal”, “CFE Confidential” and “CFE High Confidentiality”. Each one has specific associated restrictions: preventing printing, copying, forwarding emails, setting a document expiration date, or adding permanent watermarks and footers that cannot be removed.

These policies allow you to adjust protection according to the actual risk of the content.A commercial brochure may be labelled as Public, while a strategic contract is classified as Confidential or High Confidential, with much stricter controls on who can see it and what they can do with it.

How to create, configure, and publish tags in Microsoft Purview

From an administrative point of viewThe entire lifecycle of the tags (creation, configuration, publication and modification) is managed from the Microsoft Purview portal, in the section of Information Protection.

Prerequisites and permits

To create and manage confidentiality labels You need specific permissions in Purview or the Security and Compliance Center (depending on the environment). Typically, roles related to information protection or compliance management have access.

Creating and configuring a label

The process of creating a tag on the Purview portal It usually follows these steps:

  1. Log in to the Microsoft Purview portal and access Solutions > Information Protection > Confidentiality Labels.
  2. Select “Create > Label” to launch the setup wizard for a new tag.
  3. Define the scope of the labelFiles & other data resources, Emails, Meetings and/or Groups & sites. The combination of scopes determines which settings can be applied and on which types of items the label will appear.
  4. Configure protection options: encryption, content tags, automatic or recommended tagging, container settings (Teams privacy, external sharing, access from unmanaged devices, etc.).
  5. Repeat the process for as many labels as needed., maintaining a logical and clear structure for the user.
  How to insert screenshots in Word without leaving the document

To improve management, tags can be grouped into tag groups. (formerly known as primary tags and sub-tags). These groups organize tags into two levels: a general group (e.g., Confidential) and sub-tags with specific settings (e.g., “Confidential – All Employees”, “Confidential – Trusted Persons”).

The order of the labels mattersIn the Purview list, labels are ordered from lowest to highest priority. Typically, the least restrictive label (Public) is at the top and the most restrictive (Highly Confidential) at the bottom. This priority is taken into account, for example, when justification is required for lowering the sensitivity level or when a conflict arises in automatic labeling.

Publishing labels using directives

Once created, tags do not automatically appear in applicationsIt is necessary to publish them through one or more labeling guidelinesEach directive defines:

  • Which tags are published in that directive.
  • To which users and groups does it apply? (security groups, Microsoft 365 groups, distribution groups, etc.).
  • What policy configuration prevails?: default label for documents, emails, meetings, groups and sites, mandatory labeling, require justification for changes, custom help link, etc.

The priority of the directives also mattersIf a user belongs to several groups and therefore receives several policies, any configuration conflicts are resolved by applying the policy with the highest priority (the one lowest in the Purview list).

After creating or modifying a policyChanges can take up to 24 hours (and in some cases 48) to fully propagate. It's advisable to wait that long before troubleshooting label visibility issues.

Advanced use with PowerShell

For advanced scenarios or large environmentsIt is very common to use cmdlets for PowerShell Security and compliance, such as Set-Label y Set-LabelPolicy, to automate the creation and maintenance of labels and directives.

For example, you can configure the localization of names and descriptions. for different languages ​​using the parameter LocaleSettingsso that users see the tag names in their Office interface language (French, Italian, German, etc.). Advanced built-in tagging options that are not directly visible in the graphical interface can also be adjusted.

Removing or deleting labels and their impact

During testing phases it is common to have to remove labels from a directive or even remove labels from the environment, but it is important to fully understand the consequences of each action.

If you remove a tag from a publishing directiveThat label will no longer be available to users when the policy is updated, but documents and containers that already have it applied will retain the label in their metadata. In other words, the content is not automatically declassified; it simply means that the label can no longer be selected for new items.

If you remove a label completely From Purview, the effect is more profound:

  • If the label encrypted contentThe protection template is archived so that users can still open historical documents, but you will not be able to create another new tag with the same name that simply reuses the template.
  • In SharePoint and OneDrive documents with tags enabledWhen opening them in Office for the web, the label name may no longer be displayed, and encryption may even be removed if the service is able to process that content. The same behavior applies to many actions (download, copy, move, open in desktop client).
  • In documents and emails outside of SharePoint/OneDriveThe tag information remains in the metadata, but applications can no longer translate the tag identifier to a display name, so the user will see the content as if it had no tag (or will see internal GUID-type references in auditing tools).
  • In containers such as Teams and SharePoint sitesRemoving the label causes the settings that the label imposed (privacy, sharing, access from unmanaged devices, etc.) to stop being applied, although this process can take between 48 and 72 hours to complete.

Therefore, in production environments it is recommended to adjust or remove directive labels.before removing labels unless the impact is very clear and a plan has been made for how to handle historical content.

Taken together, the confidentiality labels in Microsoft 365 They offer a powerful framework for identifying, protecting, and controlling the use of corporate information across documents, emails, meetings, websites, devices, and data resources, both within and outside the Microsoft cloud. A well-designed tag catalog, effective internal communication, and intelligent use of manual, automatic, and mandatory tagging options allow for a balance of security and productivity without overwhelming the user, enabling the organization to meet its legal and regulatory obligations without sacrificing daily agility.

purview
Related articles:
How to Use Microsoft Purview: A Comprehensive Guide to Protecting and Governing Your Data