Skip to content
MSP Security

Purview Sensitivity Labels for MSP Clients: The Label Project Is Not a Checkbox

Scopable Team12 min read
Purview Sensitivity Labels for MSP Clients: The Label Project Is Not a Checkbox

Purview sensitivity labels look like a small Microsoft 365 setup task. Create a few labels, publish a policy, tell users to pick the right one, done.

That is how MSPs end up with a labeled mess.

A label can classify data. It can apply encryption. It can follow a file. It can support DLP, eDiscovery, and Copilot controls. It cannot decide whether the client's SharePoint permissions are sane. It cannot teach the accounting team when a vendor spreadsheet is confidential. It cannot fix a stale link that exposes last year's payroll folder to the whole organization.

Quick answer: a Purview sensitivity labels MSP project should start with scope, not labels. The work is taxonomy design, Microsoft 365 permission cleanup, licensing review, pilot publishing, DLP tuning, user guidance, exception handling, and recurring review. If the client only buys "turn on labels," they are buying the easiest part and leaving the risky parts unowned.

What Purview sensitivity labels actually do

Microsoft describes sensitivity labels as a way to classify and protect content across Microsoft 365. Labels can apply visual markings, encryption, container settings for Teams and SharePoint, and metadata that stays with supported files and emails. Microsoft also notes that labels can be used for eDiscovery, DLP, Power BI, Copilot protection, and third-party integrations when the right features are configured.

That is useful. It is also easy to oversell.

For an MSP, the honest client explanation is simpler:

A sensitivity label tells Microsoft 365 how sensitive an item is and what protection rules should apply. It does not replace access control, data cleanup, or user judgment.

That distinction matters because most label projects fail before the first label is published. The client wants "Confidential" because it sounds safe. The tenant still has broad SharePoint sharing, ownerless Teams, stale guests, unlabeled legacy documents, and no agreement on which data types need protection.

The label is not the strategy. The label is the instruction Microsoft 365 follows after the strategy exists.

The MSP mistake: treating labels like a feature enablement

The bad scope sounds like this:

  • Create Public, Internal, Confidential, and Highly Confidential labels
  • Publish labels to all users
  • Enable a default label
  • Add a short training note
  • Close the project

That scope can be finished quickly. It also creates four problems.

First, users apply labels inconsistently because nobody tested the taxonomy against real client documents. If "Internal" and "Confidential" feel interchangeable, people guess.

Second, labels become a false signal. A labeled file in an overexposed SharePoint site is still overexposed to anyone who already has access.

Third, licensing gets discovered late. Microsoft says licensing requirements for sensitivity labels depend on the features used, and feature-level licensing lives in the Microsoft Purview service description. Manual labels, auto-labeling, encryption, DLP, endpoint coverage, and advanced governance do not all carry the same requirements.

Fourth, nobody owns exceptions. A client asks for external sharing, a vendor cannot open an encrypted file, a legacy workflow breaks, and the MSP has no decision path.

That is not a technical failure. It is a scoping failure.

The right order for MSPs

A clean sensitivity labels project has six phases. Do them in this order.

1. Define the data and business scope

Start with the data the client actually needs to protect.

For most SMB and mid-market clients, the first pass is not exotic:

Data areaTypical locationsBusiness owner to involve
HR and payrollSharePoint, Teams, OneDrive, email attachmentsHR or operations lead
FinanceAccounting folders, board packs, bank data, AP inboxFinance lead
Legal and contractsClient contracts, vendor agreements, MSA templatesOwner, legal, or operations
Regulated client dataHealthcare, financial, defense, education, or insurance recordsCompliance owner
Executive workLeadership Team, board files, acquisition notesExecutive sponsor

The goal is not to inventory every file. The goal is to identify which data classes justify controls and who can make decisions when the MSP finds messy access.

This is also where you decide whether the project is a label rollout, a data protection project, a Copilot readiness project, or a compliance remediation project. Those are not the same quote.

If the client already has SharePoint sprawl, start with a Microsoft Purview governance review before promising labels will clean it up.

2. Clean up permissions before labels

Sensitivity labels do not replace SharePoint and Teams permissions. They work alongside them.

That means the MSP should review high-risk sites before broad rollout:

  • sites using Everyone except external users
  • anonymous or organization-wide sharing links
  • disabled users still listed as owners
  • guests with stale access
  • Teams with no active business owner
  • folders with broken inheritance that nobody can explain
  • sensitive files sitting in general-purpose sites

Microsoft's SharePoint and OneDrive sensitivity label support can help services process labeled and encrypted Office and PDF files for coauthoring, eDiscovery, DLP, and search after the feature is enabled. That is good plumbing. It still assumes the right people have access to the right content.

If a confidential payroll file lives in a site open to the whole company, adding a label may make future movement safer. It does not make the current access model clean.

3. Design a small label taxonomy

Most clients do not need twelve labels. They need labels users can understand without calling the helpdesk.

A practical starting taxonomy:

LabelUse whenTypical control
PublicApproved for public useNo encryption
InternalNormal internal business contentNo encryption or light marking
ConfidentialSensitive business, client, HR, financial, or regulated contentMarking, restricted sharing, possible encryption
Highly ConfidentialHighest-risk data with limited audienceEncryption and strict access rules

The important part is not the names. It is the behavioral difference.

If users cannot answer "which label should this document get?" from the tooltip and two examples, the taxonomy is not ready. Microsoft recommends common names, short tooltips, and testing with the people who will apply the labels. Take that seriously. Bad labels create support tickets and bad evidence.

4. Check licensing before quoting enforcement

Do not quote label automation or DLP enforcement until you know the license state.

At minimum, check:

  • Microsoft 365 plan by user group
  • Purview features required for the desired label behavior
  • whether auto-labeling is in scope
  • whether encryption is in scope
  • whether endpoint DLP is in scope
  • whether SharePoint Advanced Management or governance features are part of cleanup
  • whether guests, shared mailboxes, or service accounts change the license conversation

Microsoft's guidance is clear that different per-user subscriptions support sensitivity labels, and the required license depends on the features used. For MSPs, that means the proposal should separate baseline label design from advanced controls.

A simple proposal structure works better:

  1. Assessment and scope: data classes, sites, licensing, risks, and recommendations.
  2. Label pilot: taxonomy, policies, user group, training, and feedback.
  3. Protection rollout: broader publishing, DLP simulation, encryption, and exception process.
  4. Ongoing review: reports, adoption, false positives, access cleanup, and roadmap work.

That prevents the classic problem where the MSP sells a basic setup, then absorbs weeks of compliance and user-adoption work for free.

5. Pilot before rollout

Labels are user-facing. A pilot is not optional.

Pick a small group that touches sensitive data but will give useful feedback. Finance, HR, operations, or the leadership admin team usually works. Publish the labels to that group first, then watch where users hesitate.

Pilot questions:

  • Can users explain the labels back in plain language?
  • Which document examples confuse them?
  • Are the tooltips short enough to read?
  • Do encrypted files break normal collaboration?
  • Do external users need a separate process?
  • Which labels are never used?
  • Which files get mislabeled repeatedly?

Do not treat confusion as user failure. Confusion is product feedback. Rename labels, adjust descriptions, narrow the taxonomy, or change the policy before full rollout.

6. Add DLP after the taxonomy is stable

DLP is where a label project can become real data protection. It is also where a careless rollout creates noise.

Microsoft Purview DLP can identify, monitor, and protect sensitive data across Microsoft 365 locations like Exchange, SharePoint, OneDrive, Teams, Office apps, endpoints, and other sources, depending on configuration. DLP can warn users, allow an override with justification, block sharing, or quarantine content.

That does not mean the first DLP policy should hard-block everything.

For most MSP clients, use this sequence:

  1. Run DLP in simulation or audit mode.
  2. Start with high-confidence data types like payment cards, bank account data, national identifiers, or health records.
  3. Review false positives weekly with the business owner.
  4. Add user notifications before hard blocks.
  5. Move to enforcement only after exceptions and owner signoff are documented.

A DLP policy without a tuning process is just a support queue with better branding. A tuned policy is evidence the MSP can show in compliance, insurance, and QBR conversations.

The project scope MSPs should sell

Here is the scope I would put in front of a client.

WorkstreamMSP deliverableClient decision needed
Data scopeList of sensitive data classes, systems, and business ownersWhich data matters first
Permission cleanupHigh-risk SharePoint and Teams access findingsRemove, keep, or accept risk
Label taxonomy3 to 4 labels with descriptions and examplesApprove user-facing language
Licensing reviewFeature requirements and license gapsApprove license changes or reduce scope
PilotPilot group, published labels, feedback summaryApprove rollout changes
DLP planSimulation policy, false-positive review, enforcement timelineApprove enforcement thresholds
TrainingShort user guide with examples by departmentRequire completion and manager reinforcement
ExceptionsDocumented exception process and ownerApprove risk acceptance path
Review cadenceMonthly or quarterly label, DLP, and permission reviewDecide who signs off

That table is the project. The label configuration is one row inside it.

If the client has compliance pressure, connect this to a shared responsibility matrix. The matrix should say who owns data classification, access approval, user training, exception approval, DLP tuning, and recurring review.

If the client is asking because of cyber insurance or Microsoft 365 security posture, pair the label project with the Conditional Access baseline. Labels protect data. Conditional Access protects the door. You need both conversations clean before anyone claims Microsoft 365 is controlled.

What to say to the client

Use this script when a client asks for "Purview labels" like it is a checkbox.

We can configure sensitivity labels, but the labels only work if the surrounding scope is clean. Before we publish anything broadly, we need to confirm which data classes matter, clean up high-risk permissions, check licensing, pilot the labels with real users, and decide how DLP and exceptions will be handled.

Otherwise we can create labels that look good in the portal but do not reduce risk.

Our recommendation is a short assessment and pilot first, then a rollout with DLP tuning and quarterly review.

That is the difference between an admin task and an MSP service.

How Scopable fits

Scopable is not a Purview replacement. It is where the MSP turns the Purview finding into client work that can be scoped, priced, approved, and reviewed.

A label project should produce roadmap items, ownership decisions, license changes, cleanup estimates, exception records, and follow-up reviews. If those decisions stay in a ticket thread, they disappear. If they land in the account plan, they become work the client can understand and fund.

That is the real opportunity for MSPs. Not "we turned on labels." The opportunity is: "we helped the client decide what data matters, who can access it, how it should be protected, and what cleanup they need to fund next."

If you want that assessment-to-roadmap motion in one place, join Scopable early access. Bring the tenant with messy SharePoint permissions. That is usually the honest one.

FAQ

Are Purview sensitivity labels enough to secure SharePoint?

No. Sensitivity labels can classify and protect content, but they do not replace SharePoint permissions, site ownership, guest access review, sharing-link cleanup, or business-owner signoff. Start with high-risk permissions before treating labels as the fix.

How many sensitivity labels should an MSP deploy first?

Most MSP clients should start with three or four labels: Public, Internal, Confidential, and sometimes Highly Confidential. Add more only when users can explain why the new label changes behavior.

Should MSPs use auto-labeling for sensitivity labels?

Sometimes, but not on day one for every client. Auto-labeling is useful when the data pattern is clear and the license supports it. Run policies in simulation first, review false positives, and keep a manual pilot in place so users understand the classification model.

Where do sensitivity labels fit with DLP?

Labels define how sensitive the content is. DLP defines what happens when sensitive content is shared, copied, uploaded, emailed, or moved in risky ways. For most clients, stabilize the label taxonomy first, then add DLP simulation and enforcement in stages.

How should MSPs price a Purview label project?

Price it as a scoped data protection project, not a one-time admin change. Separate assessment, pilot, rollout, DLP tuning, training, and ongoing review. If you need the commercial model, start with the MSP compliance pricing guide.

Sources

Ready to stop guessing?

Scopable automates quoting, roadmaps, and QBRs for MSPs. Join the alpha and help shape the platform you actually want.

Quote Your Next Project In Minutes

Get MSP insights weekly

No spam. Unsubscribe anytime.