Create an Microsoft Information Protection label

Have you ever received an email and noticed that it was protected or marked sensitive? To do that, a user selects a sensitivity label – which are created by an administrator using Microsoft Information Protection . In this post, we’ll provide step by step instructions on how to configure a Information Protection label.

First, it’s worth mentioning that it seems that Azure Information Protection (AIP) and M365 labels are being somewhat merged to become unified labeling, although AIP labels can still co-exist. The proper product to use is unified labeling (through the Microsoft 365 security center). In the Azure Information Protection docs, it is even self-referenced as the “classic” client. And yet you can use the Azure Information Protection pane to create unified labels, although they’ll have less features than the M365 security center created labels. Microsoft couldn’t make it more confusing if they tried!

So in short summary – Azure Information Protection was previously the go-to method for information protection labeling, but now they’re actively being replaced with unified labeling, which you should access through Microsoft 365 security center. Let’s begin!

Start by heading to

Microsoft 365 security center

On the left hand side, select Classification > Sensitivity labels and click + Create a label:

Sensitivity labels

In the fly out menu, type in a Name and Description:

Name & Description

Then, you can select the scope of the label (where it CAN be applied to). Here I selected Files & emails.


Then under the Files & emails section, you can select what the label will do. Once you select these options, new sub options will let you define further. I selected both encryption and content marking.

Files & emails

First under encryption, select the encryption settings desired:

Encryption settings

Then define the content marking:

For the last option, we can define WHEN this label will apply automatically. Leave auto-labeling off. This setting works as expected – you can have Office 365 automatically label emails & files (label them with your label) based on a condition that you specify (like credit card information, SSN, or other sensitive info). You can also use this to suggest labels automatically rather than apply them.


For Groups & Sites, leave both options unchecked and click next. If you’re wondering why they’re greyed out, it’s because I haven’t configured/enabled labeling for OneDrive and SharePoint (click here for more info)

Groups & Sites

And click create!

Finish screen

Now you’ll see a confirmation that the label was created:

Label confirmation

Like it says in next steps, now we need to publish this label to users so they can see it. Click Publish labels:

Publish label button

Select the label we just created:

Select label for publishing

In the flyout, first we’ll select which users will see the label:

Users & Groups

Then we can select if this label is applied by default, if it can be removed, etc. If you leave this screen blank, users will be able to select the label as an option (it will not be applied by default).

Policy Settings

Then we provide a name & description for the label publishing policy:

Publishing policy name

And click submit!

Review settings

Great! Now users will see the label we just created in their Office apps (although this can be a bit complicated with coexistance with the Azure Information Protection clients, for more information refer to this docs article). For example, when I create a new email in Outlook, I now see a Sensitivity dropdown and the name of the label I just created:

Sensitivity label in Outlook

Selecting this label also shows it applied to the email:

Outlook email labeled

When I receive an email, it will show as encrypted and with the label I applied:

Protected email

And that’s it! Now you are able to apply sensitivity labels and information protection policies onto your files and stay secure. Happy protecting! 🚀

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *