Purview Sensitivity Labels for MSP Clients: The Label Project Is Not a Checkbox

Purview sensitivity labels look like a small Microsoft 365 setup task. Create a few labels, publish a policy, tell users to pick the right one, done.
That is how MSPs end up with a labeled mess.
A label can classify data. It can apply encryption. It can follow a file. It can support DLP, eDiscovery, and Copilot controls. It cannot decide whether the client's SharePoint permissions are sane. It cannot teach the accounting team when a vendor spreadsheet is confidential. It cannot fix a stale link that exposes last year's payroll folder to the whole organization.
Quick answer: a Purview sensitivity labels MSP project should start with scope, not labels. The work is taxonomy design, Microsoft 365 permission cleanup, licensing review, pilot publishing, DLP tuning, user guidance, exception handling, and recurring review. If the client only buys "turn on labels," they are buying the easiest part and leaving the risky parts unowned.
What Purview sensitivity labels actually do
Microsoft describes sensitivity labels as a way to classify and protect content across Microsoft 365. Labels can apply visual markings, encryption, container settings for Teams and SharePoint, and metadata that stays with supported files and emails. Microsoft also notes that labels can be used for eDiscovery, DLP, Power BI, Copilot protection, and third-party integrations when the right features are configured.
That is useful. It is also easy to oversell.
For an MSP, the honest client explanation is simpler:
A sensitivity label tells Microsoft 365 how sensitive an item is and what protection rules should apply. It does not replace access control, data cleanup, or user judgment.
That distinction matters because most label projects fail before the first label is published. The client wants "Confidential" because it sounds safe. The tenant still has broad SharePoint sharing, ownerless Teams, stale guests, unlabeled legacy documents, and no agreement on which data types need protection.
The label is not the strategy. The label is the instruction Microsoft 365 follows after the strategy exists.
The MSP mistake: treating labels like a feature enablement
The bad scope sounds like this:
- Create Public, Internal, Confidential, and Highly Confidential labels
- Publish labels to all users
- Enable a default label
- Add a short training note
- Close the project
That scope can be finished quickly. It also creates four problems.
First, users apply labels inconsistently because nobody tested the taxonomy against real client documents. If "Internal" and "Confidential" feel interchangeable, people guess.
Second, labels become a false signal. A labeled file in an overexposed SharePoint site is still overexposed to anyone who already has access.
Third, licensing gets discovered late. Microsoft says licensing requirements for sensitivity labels depend on the features used, and feature-level licensing lives in the Microsoft Purview service description. Manual labels, auto-labeling, encryption, DLP, endpoint coverage, and advanced governance do not all carry the same requirements.
Fourth, nobody owns exceptions. A client asks for external sharing, a vendor cannot open an encrypted file, a legacy workflow breaks, and the MSP has no decision path.
That is not a technical failure. It is a scoping failure.
The right order for MSPs
A clean sensitivity labels project has six phases. Do them in this order.
1. Define the data and business scope
Start with the data the client actually needs to protect.
For most SMB and mid-market clients, the first pass is not exotic:
| Data area | Typical locations | Business owner to involve |
|---|---|---|
| HR and payroll | SharePoint, Teams, OneDrive, email attachments | HR or operations lead |
| Finance | Accounting folders, board packs, bank data, AP inbox | Finance lead |
| Legal and contracts | Client contracts, vendor agreements, MSA templates | Owner, legal, or operations |
| Regulated client data | Healthcare, financial, defense, education, or insurance records | Compliance owner |
| Executive work | Leadership Team, board files, acquisition notes | Executive sponsor |
The goal is not to inventory every file. The goal is to identify which data classes justify controls and who can make decisions when the MSP finds messy access.
This is also where you decide whether the project is a label rollout, a data protection project, a Copilot readiness project, or a compliance remediation project. Those are not the same quote.
If the client already has SharePoint sprawl, start with a Microsoft Purview governance review before promising labels will clean it up.
2. Clean up permissions before labels
Sensitivity labels do not replace SharePoint and Teams permissions. They work alongside them.
That means the MSP should review high-risk sites before broad rollout:
- sites using Everyone except external users
- anonymous or organization-wide sharing links
- disabled users still listed as owners
- guests with stale access
- Teams with no active business owner
- folders with broken inheritance that nobody can explain
- sensitive files sitting in general-purpose sites
Microsoft's SharePoint and OneDrive sensitivity label support can help services process labeled and encrypted Office and PDF files for coauthoring, eDiscovery, DLP, and search after the feature is enabled. That is good plumbing. It still assumes the right people have access to the right content.
If a confidential payroll file lives in a site open to the whole company, adding a label may make future movement safer. It does not make the current access model clean.
3. Design a small label taxonomy
Most clients do not need twelve labels. They need labels users can understand without calling the helpdesk.
A practical starting taxonomy:
| Label | Use when | Typical control |
|---|---|---|
| Public | Approved for public use | No encryption |
| Internal | Normal internal business content | No encryption or light marking |
| Confidential | Sensitive business, client, HR, financial, or regulated content | Marking, restricted sharing, possible encryption |
| Highly Confidential | Highest-risk data with limited audience | Encryption and strict access rules |
The important part is not the names. It is the behavioral difference.
If users cannot answer "which label should this document get?" from the tooltip and two examples, the taxonomy is not ready. Microsoft recommends common names, short tooltips, and testing with the people who will apply the labels. Take that seriously. Bad labels create support tickets and bad evidence.
4. Check licensing before quoting enforcement
Do not quote label automation or DLP enforcement until you know the license state.
At minimum, check:
- Microsoft 365 plan by user group
- Purview features required for the desired label behavior
- whether auto-labeling is in scope
- whether encryption is in scope
- whether endpoint DLP is in scope
- whether SharePoint Advanced Management or governance features are part of cleanup
- whether guests, shared mailboxes, or service accounts change the license conversation
Microsoft's guidance is clear that different per-user subscriptions support sensitivity labels, and the required license depends on the features used. For MSPs, that means the proposal should separate baseline label design from advanced controls.
A simple proposal structure works better:
- Assessment and scope: data classes, sites, licensing, risks, and recommendations.
- Label pilot: taxonomy, policies, user group, training, and feedback.
- Protection rollout: broader publishing, DLP simulation, encryption, and exception process.
- Ongoing review: reports, adoption, false positives, access cleanup, and roadmap work.
That prevents the classic problem where the MSP sells a basic setup, then absorbs weeks of compliance and user-adoption work for free.
5. Pilot before rollout
Labels are user-facing. A pilot is not optional.
Pick a small group that touches sensitive data but will give useful feedback. Finance, HR, operations, or the leadership admin team usually works. Publish the labels to that group first, then watch where users hesitate.
Pilot questions:
- Can users explain the labels back in plain language?
- Which document examples confuse them?
- Are the tooltips short enough to read?
- Do encrypted files break normal collaboration?
- Do external users need a separate process?
- Which labels are never used?
- Which files get mislabeled repeatedly?
Do not treat confusion as user failure. Confusion is product feedback. Rename labels, adjust descriptions, narrow the taxonomy, or change the policy before full rollout.
6. Add DLP after the taxonomy is stable
DLP is where a label project can become real data protection. It is also where a careless rollout creates noise.
Microsoft Purview DLP can identify, monitor, and protect sensitive data across Microsoft 365 locations like Exchange, SharePoint, OneDrive, Teams, Office apps, endpoints, and other sources, depending on configuration. DLP can warn users, allow an override with justification, block sharing, or quarantine content.
That does not mean the first DLP policy should hard-block everything.
For most MSP clients, use this sequence:
- Run DLP in simulation or audit mode.
- Start with high-confidence data types like payment cards, bank account data, national identifiers, or health records.
- Review false positives weekly with the business owner.
- Add user notifications before hard blocks.
- Move to enforcement only after exceptions and owner signoff are documented.
A DLP policy without a tuning process is just a support queue with better branding. A tuned policy is evidence the MSP can show in compliance, insurance, and QBR conversations.
The project scope MSPs should sell
Here is the scope I would put in front of a client.
| Workstream | MSP deliverable | Client decision needed |
|---|---|---|
| Data scope | List of sensitive data classes, systems, and business owners | Which data matters first |
| Permission cleanup | High-risk SharePoint and Teams access findings | Remove, keep, or accept risk |
| Label taxonomy | 3 to 4 labels with descriptions and examples | Approve user-facing language |
| Licensing review | Feature requirements and license gaps | Approve license changes or reduce scope |
| Pilot | Pilot group, published labels, feedback summary | Approve rollout changes |
| DLP plan | Simulation policy, false-positive review, enforcement timeline | Approve enforcement thresholds |
| Training | Short user guide with examples by department | Require completion and manager reinforcement |
| Exceptions | Documented exception process and owner | Approve risk acceptance path |
| Review cadence | Monthly or quarterly label, DLP, and permission review | Decide who signs off |
That table is the project. The label configuration is one row inside it.
If the client has compliance pressure, connect this to a shared responsibility matrix. The matrix should say who owns data classification, access approval, user training, exception approval, DLP tuning, and recurring review.
If the client is asking because of cyber insurance or Microsoft 365 security posture, pair the label project with the Conditional Access baseline. Labels protect data. Conditional Access protects the door. You need both conversations clean before anyone claims Microsoft 365 is controlled.
What to say to the client
Use this script when a client asks for "Purview labels" like it is a checkbox.
We can configure sensitivity labels, but the labels only work if the surrounding scope is clean. Before we publish anything broadly, we need to confirm which data classes matter, clean up high-risk permissions, check licensing, pilot the labels with real users, and decide how DLP and exceptions will be handled.
Otherwise we can create labels that look good in the portal but do not reduce risk.
Our recommendation is a short assessment and pilot first, then a rollout with DLP tuning and quarterly review.
That is the difference between an admin task and an MSP service.
How Scopable fits
Scopable is not a Purview replacement. It is where the MSP turns the Purview finding into client work that can be scoped, priced, approved, and reviewed.
A label project should produce roadmap items, ownership decisions, license changes, cleanup estimates, exception records, and follow-up reviews. If those decisions stay in a ticket thread, they disappear. If they land in the account plan, they become work the client can understand and fund.
That is the real opportunity for MSPs. Not "we turned on labels." The opportunity is: "we helped the client decide what data matters, who can access it, how it should be protected, and what cleanup they need to fund next."
If you want that assessment-to-roadmap motion in one place, join Scopable early access. Bring the tenant with messy SharePoint permissions. That is usually the honest one.
FAQ
Are Purview sensitivity labels enough to secure SharePoint?
No. Sensitivity labels can classify and protect content, but they do not replace SharePoint permissions, site ownership, guest access review, sharing-link cleanup, or business-owner signoff. Start with high-risk permissions before treating labels as the fix.
How many sensitivity labels should an MSP deploy first?
Most MSP clients should start with three or four labels: Public, Internal, Confidential, and sometimes Highly Confidential. Add more only when users can explain why the new label changes behavior.
Should MSPs use auto-labeling for sensitivity labels?
Sometimes, but not on day one for every client. Auto-labeling is useful when the data pattern is clear and the license supports it. Run policies in simulation first, review false positives, and keep a manual pilot in place so users understand the classification model.
Where do sensitivity labels fit with DLP?
Labels define how sensitive the content is. DLP defines what happens when sensitive content is shared, copied, uploaded, emailed, or moved in risky ways. For most clients, stabilize the label taxonomy first, then add DLP simulation and enforcement in stages.
How should MSPs price a Purview label project?
Price it as a scoped data protection project, not a one-time admin change. Separate assessment, pilot, rollout, DLP tuning, training, and ongoing review. If you need the commercial model, start with the MSP compliance pricing guide.
Sources
- Microsoft: Learn about sensitivity labels
- Microsoft: Get started with sensitivity labels
- Microsoft: Create and publish sensitivity labels
- Microsoft: Microsoft Purview service description
- Microsoft: Enable sensitivity labels for files in SharePoint and OneDrive
- Microsoft: Learn about data loss prevention
- Microsoft: Automatically apply a sensitivity label to Microsoft 365 data


