Default sensitivity label in SharePoint document libraries, now also at rest

Microsoft has for several years had a very useful feature in SharePoint where you can set a default sensitivity label on a document library so that new files automatically get the correct label. Until now, this has been a semi automation, because existing files were only labeled when they were edited.

Now a change is coming (soon...!) that closes one of the biggest gaps in practice. Microsoft is rolling out a feature that can automatically label existing files in SharePoint, meaning data that is at rest, so that they match the default label that is set on the library. Roadmap ID 559105 describes this as auto labeling of existing SharePoint files that match the library’s default label.

In this guide, I walk through the entire chain from zero to finished. I include the most common pitfalls, and how you can verify that everything is enabled in the correct order.

Before you begin

You'll need:

• Access as a SharePoint admin, global admin, or compliance admin, depending on which steps you're taking.

• Microsoft Purview Information Protection with labels published to users

• Updated version of the SharePoint Online Management Shell

Step 1: Sync labels to Entra for groups and sites

This step applies to container labels, i.e. labels that can be used on Microsoft 365 Groups, Teams and SharePoint sites. Many tenants have not activated this, and then you often see symptoms such as missing labels in site settings or that labels do not appear where you expect them. I include it here because many want a comprehensive classification on both containers and files.

In short, the tenant must have activated MIP labels for groups. Many do this via Entra and directory settings. Once this is in place, labels with scope Groups and Sites can be used on teams and sites.

Connect-IPPSSession 
Execute-AzureAdLabelSync 

If you don't use container labels at all, you can skip ahead. The default library label for files is primarily about labels with scope Files & other data assets.

Step 2: Enable sensitivity labels for SharePoint and OneDrive

This is a crucial step. Without this, SharePoint will not be able to process labeled content and you will miss UI features, including default labeling on libraries. Microsoft describes this as an opt-in at the tenant level. [learn.microsoft.com]

Option A: Enable in the Purview portal

In Purview, you can enable this from Information Protection, and Microsoft claims this takes up to 15 minutes, in reality it takes up to 24 hours..🥸

Option B: Enable with PowerShell

Often faster!

Connect-SPOService -Url https://<tenant>-admin.sharepoint.com

Set-SPOTenant -EnableAIPIntegration $true

(Get-SPOTenant).EnableAIPIntegration

Step 3: Turn on PDF labeling

Connect-SPOService -Url https://<tenant>-admin.sharepoint.com
Set-SPOTenant -EnableSensitivityLabelforPDF $true
(Get-SPOTenant).EnableSensitivityLabelforPDF

Step 4: Create sensitivity label in Purview

Now you can actually create labels.

For the default label on a document library, the label must:

• Include scope Files & other data assets

• Be published to the users who will be able to select it in the library

Step 6: Set the default sensitivity label on a document library

Now the icing on the cake, here's where the magic happens ⭐

Go to the document library:

• Open the library in SharePoint

• Click the gear, then library settings

• Select Default sensitivity labels

• Select the label from the list and save

Default labeling on document libraries is one of the most practical governance moves you can make in SharePoint. You get classification built in from the start, without relying on users to always remember to label.

With the change in Roadmap 559105, this becomes even more useful. Now you can finally close the gap for data that is already at rest, and have a library that actually delivers consistent labeling over time.

Bjørnar&AI