Practical Microsoft 365 governance guidance from IT Master Services.
Most SharePoint data leaks do not come from a hacker. They come from oversharing — a site set to "anyone with the link," a guest who was never removed, or a document library open to the whole company that should have been limited to a single team. Over years of "just share it so we can get work done," permissions quietly sprawl, and no one has a clear picture of who can see what.
Microsoft Purview sensitivity labels give you a way to bring that sprawl back under control — and to enforce consistent rules automatically instead of relying on every site owner to remember them.
Why this matters more than ever: Microsoft 365 Copilot can surface anything a user already has access to. If your sites are overshared today, Copilot doesn't create a new problem — it makes the existing one instantly searchable. Fixing oversharing is a prerequisite for a safe Copilot rollout.
Two Kinds of Sensitivity Labels
Before you start, it is important to understand that "sensitivity label" refers to two related but different things. For controlling oversharing at the site level, you want container labels.
| Label Type | Applies To | What It Controls |
|---|---|---|
| Container label | SharePoint sites, Microsoft 365 Groups, and Teams | External sharing level, guest access, unmanaged-device access, and site privacy (public or private). |
| File / content label | Individual documents and emails | Classification, visual markings, and optional encryption that travels with the file wherever it goes. |
This article focuses on container labels to stop site-level oversharing, with a note on default file labels at the end. The two work best together: container labels set the boundary of the site, and file labels protect the documents inside it.
What You'll Need
- A Microsoft 365 plan that includes Purview Information Protection — Microsoft 365 Business Premium, or E3 / E5.
- Microsoft Entra ID P1 (included in Business Premium and E3/E5) for the unmanaged-device access condition, which relies on Conditional Access.
- Admin roles: Compliance Administrator (or Global Admin) to create and publish labels in Purview, and SharePoint Administrator to apply labels across sites.
Step 1: Turn On Sensitivity Labels for Containers
By default, sensitivity labels only apply to files and emails. You must enable them for containers (sites, Groups, and Teams) once at the directory level before a label can control a SharePoint site.
This is a one-time tenant configuration that sets the directory property EnableMIPLabels to True and then synchronizes your published labels so they become available to containers. Microsoft's current step-by-step commands are linked in the References section below, because the exact PowerShell module for this has changed over time. Once enabled, the label scope option "Groups & sites" becomes available in Purview.
Step 2: Create a Container Label in Microsoft Purview
In the Microsoft Purview portal, go to Information Protection → Sensitivity labels → Create a label. Give it a clear, business-friendly name such as Confidential – Internal Only or Restricted – Named Members.
When you reach the scope screen, select Groups & sites. This is what turns the label into a container label. On the following screens, configure the controls that actually stop oversharing:
| Setting | Recommended for a "Confidential" site |
|---|---|
| Privacy | Private — only approved members can access the site's content. |
| External user (guest) access | Prevent Microsoft 365 Group owners from adding guests. |
| External sharing from the SharePoint site | Only people in your organization — no anonymous or guest links. |
| Access from unmanaged devices | Allow limited, web-only access (or Block) — no downloading to personal devices. |
You will typically create two or three container labels — for example a permissive General label, a Confidential label, and a locked-down Highly Confidential label — so site owners can choose the right level without guessing at individual settings.
Step 3: Publish the Label
A label does nothing until it is published to users through a label policy. In Purview, go to Information Protection → Label policies → Publish labels, add your new container labels, and target the site owners and admins who will apply them. Optionally, set a default label for new sites so nothing is created without a classification.
Step 4: Apply the Label to a SharePoint Site
Once published, a label can be applied in three ways:
- Site owners can set it from Settings → Site information → Sensitivity on the site itself.
- SharePoint Admins can set it in the SharePoint admin center under Active sites.
- At scale, use PowerShell — ideal when you need to label dozens or hundreds of existing sites.
Applying a label to a single site with the PnP PowerShell module:
# Connect to the target site, then set its container label (the label must already be published).
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/Finance" -Interactive
Set-PnPSite -SensitivityLabel "Confidential - Internal Only"
To find which sites have no label yet — the ones most likely to be oversharing — run a quick governance report against the tenant:
# Connect to the tenant admin site and list every site that has no sensitivity label.
Connect-PnPOnline -Url "https://contoso-admin.sharepoint.com" -Interactive
Get-PnPTenantSite |
    Where-Object { -not $_.SensitivityLabel } |
    Select-Object Url, Title |
    Sort-Object Url
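The "at scale" option combined with the unlabeled-site check above, as an added example that is not part of the original article: it labels only sites that currently have no label, from a reviewed CSV plan, and defaults to a dry run. The `label-plan.csv` file (columns `Url,Label`), the results file name, the approved-label list, and the contoso URLs are assumptions.

```powershell
# Added example, not from the original article. Placeholders: label-plan.csv
# (columns Url,Label), label-results.csv, and the contoso admin URL.
param(
    [string]$AdminUrl = "https://contoso-admin.sharepoint.com",
    [string]$PlanPath = ".\label-plan.csv",
    [switch]$Apply    # without -Apply the script only reports what it would do
)

# Assumed label names; they must match the labels you actually published in Step 3.
$knownLabels = @("General", "Confidential - Internal Only", "Restricted - Named Members")

# Collect the URLs that currently carry no container label.
Connect-PnPOnline -Url $AdminUrl -Interactive -ErrorAction Stop
$unlabeled = @{}
Get-PnPTenantSite -Detailed |
    Where-Object { -not $_.SensitivityLabel } |
    ForEach-Object { $unlabeled[$_.Url.TrimEnd('/').ToLowerInvariant()] = $true }

$results = foreach ($row in Import-Csv -Path $PlanPath) {
    $url    = $row.Url.Trim().TrimEnd('/')
    $status = "WouldApply"
    if ($knownLabels -notcontains $row.Label) {
        # A typo in the plan must not reach the tenant.
        $status = "Skipped: label not in approved list"
    }
    elseif (-not $unlabeled.ContainsKey($url.ToLowerInvariant())) {
        # Never overwrite an existing label or touch a URL the tenant does not list.
        $status = "Skipped: already labeled or not found"
    }
    elseif ($Apply) {
        try {
            Connect-PnPOnline -Url $url -Interactive -ErrorAction Stop
            Set-PnPSite -SensitivityLabel $row.Label -ErrorAction Stop
            $status = "Applied"
        }
        catch { $status = "Failed: $($_.Exception.Message)" }
    }
    [pscustomobject]@{ Url = $url; Label = $row.Label; Status = $status }
}

# Keep a record of every decision for the change ticket, then print a summary.
$results | Export-Csv -Path ".\label-results.csv" -NoTypeInformation
$results | Group-Object Status | Select-Object Count, Name
```

Run it once without `-Apply`, review `label-results.csv`, then rerun with `-Apply`.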
Step 5: Add a Default Label on Document Libraries
Container labels secure the site; a default file label protects the documents inside it. In a document library's Library settings → Default sensitivity labels, choose a file label to apply automatically to new and edited documents. This ensures sensitive files carry their classification (and optional encryption) even if they are later downloaded or shared out of the site.
How This Supports a Safe Copilot Rollout
Microsoft 365 Copilot respects both the site boundaries and the file labels you configure. Container labels shrink the pool of content that can be externally exposed, while encrypting file labels prevent Copilot from summarizing or reusing content a user only has restricted rights to. Together they are a core part of Copilot readiness — you are shrinking the blast radius before you switch AI on.
Sensitivity labels are one layer. For a complete picture of who can access what, they pair with SharePoint Advanced Management's data access governance reports and access reviews. If you are preparing for Copilot, see our Microsoft Copilot Services page for how we assess and remediate oversharing before deployment.
Best Practices
- Keep the number of labels small — two or three tiers people can actually understand.
- Pilot new labels with one department before publishing tenant-wide.
- Set a default label for new sites so nothing is created unclassified.
- Remember that changing a container label's settings does not retroactively re-secure existing external shares — audit and clean up existing sharing links separately.
- Review unlabeled and externally shared sites at least quarterly.
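One way to produce the quarterly review list from the last bullet, as an added example that is not part of the original article: it extends the unlabeled-site report from Step 4 with each site's external sharing setting and sorts the widest exposure first. The `Risk` score, the output file name, and the contoso URL are assumptions made for this sketch.

```powershell
# Added example, not from the original article. The contoso URL and CSV file name
# are placeholders; the Risk column is a triage convention made up for this sketch.
Connect-PnPOnline -Url "https://contoso-admin.sharepoint.com" -Interactive

# Higher number = wider external exposure allowed by the site's sharing setting.
$exposure = @{
    "Disabled"                        = 0   # only people in your organization
    "ExistingExternalUserSharingOnly" = 1   # guests already in the directory
    "ExternalUserSharingOnly"         = 2   # new and existing guests
    "ExternalUserAndGuestSharing"     = 3   # "anyone with the link"
}

$review = Get-PnPTenantSite -Detailed | ForEach-Object {
    $sharing   = [string]$_.SharingCapability
    $unlabeled = -not $_.SensitivityLabel
    # An unrecognized sharing value is treated as the widest exposure.
    $level     = if ($exposure.ContainsKey($sharing)) { $exposure[$sharing] } else { 3 }
    [pscustomobject]@{
        Url     = $_.Url
        Title   = $_.Title
        Labeled = -not $unlabeled
        Sharing = $sharing
        # Unlabeled sites that allow external sharing go to the top of the queue.
        Risk    = $level + $(if ($unlabeled -and $level -gt 0) { 2 } else { 0 })
    }
} | Where-Object { $_.Risk -gt 0 -or -not $_.Labeled } |
    Sort-Object @{ Expression = "Risk"; Descending = $true }, Url

$review | Export-Csv -Path ".\quarterly-site-review.csv" -NoTypeInformation
$review | Select-Object -First 20 | Format-Table -AutoSize
```

The report shows what each site's setting allows, not which links already exist, so existing sharing links still need the separate audit described above.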
Final Thoughts
Oversharing is rarely malicious — it is the natural result of years of convenience over caution. Sensitivity labels let you replace that ad-hoc sharing with consistent, enforced rules, applied once and inherited by every site that carries the label.
The goal is not to make collaboration harder. It is to make the safe choice the default one.
This work also strengthens your overall Microsoft 365 posture — it fits alongside identity controls like Conditional Access and the broader structure of the NIST Cybersecurity Framework 2.0.
Need help designing a label taxonomy or cleaning up existing oversharing? Our Microsoft 365 Services team can plan, deploy, and manage it for you.
Microsoft Learn References