Introduction

In this blog post, we will understand how to configure a default sensitivity label for document libraries in SharePoint and OneDrive, and in this post via the UI. We will also discuss limitations, prerequisites, and how to extend permissions to downloaded documents.

Why configure a default Sensitivity Label?

Configuring a default sensitivity label for a document library means that all files uploaded or edited in the library automatically receive this label, unless they already have a higher-priority label. This is particularly useful in scenarios where all documents in a library are sensitive, preventing users from forgetting to manually label files. When a library is configured with a default label, SharePoint ensures that all new Office files saved or uploaded to the library and that do not have a label or have a low-priority label, are automatically labeled with the configured library label.

How does it work?

When a default sensitivity label is configured for a document library in SharePoint, the label is automatically applied to new and edited files. This happens without inspecting the content of the files, meaning all files in the library receive the same level of protection. It’s important to note that if an uploaded file is manually labeled, it will not be changed. Additionally, existing documents in the library will not be affected unless a user edits the file. The label is applied asynchronously after the document is uploaded, which means there may be a delay of a few minutes before the label is visible.

Configuring default Sensitivity Labels in SharePoint

Steps to configure a default sensitivity label in SharePoint:

1. Navigate to the document library in SharePoint.
2. Go to Settings > Library settings.
3. In the library settings flyout menu, select Default sensitivity labels and choose a label from the dropdown menu.

Configuring default Sensitivity Labels in OneDrive

For OneDrive, there is no user interface to set a default sensitivity label. This limitation exists because Microsoft has not prioritized building this functionality in the UI. Feedback has been shared suggesting that admins should have the option to configure a default label for the entirety of OneDrive. For now, labels must be set programmatically. Read more here on how to do this.

Real-World Example: Finance Sector

Finance Sector:
One of our customers created a dedicated Microsoft 365 team, which automatically generates an M365 group. The customer configured a sensitivity label for files in the document library, ensuring that only team members could open files using encryption. The default sensitivity label was set in the document library to ensure all files automatically inherit the label, maintaining strict security protocols for sensitive financial data.

Limitations and Prerequisites

Limitations:

• Sensitivity labels cannot be applied to PDF files unless the administrator has enabled PDF support. Read more.
• Up to 25,000 documents can be labeled using this feature. If the limit is exceeded, consult Microsoft support or documentation for guidance.

Prerequisites:

• You must have created and published sensitivity labels that include label scope for files and other data.
• Sensitivity labels must be enabled for Office files in SharePoint and OneDrive.

Extending Permissions to Downloaded Documents

When SharePoint is configured with a sensitivity label, you can extend existing permissions to documents when they are downloaded from the library. This means that previously unlabeled files from the library continue to be protected with the current SharePoint permissions for the user, even if the files have left the original SharePoint boundary.

Conclusion

Configuring a default sensitivity label in SharePoint document libraries is an effective way to ensure that all documents in the library have a basic level of protection. By understanding the limitations and prerequisites, you can better manage and protect sensitive information in your organization.

Thank you for reading!
/Simon