Sensitivity Label Support for SharePoint Online and OneDrive for Business
Updated August 15, 2022
Every Microsoft Purview sensitivity label has a priority order to indicate its level of sensitivity. A sensitivity label mismatch occurs when users assign a sensitivity label to an Office document or PDF that has a higher priority than the container management sensitivity label assigned to the SharePoint Online site where the file is stored.
Microsoft recently made support for sensitivity labels in SharePoint Online and OneDrive for Business generally available. This is an important step forward because it allows SharePoint to index content protected by encryption applied by sensitivity labels. The indexed content then becomes available to Data Loss Prevention policies, content searches, and so on.
The integration of sensitivity labels with SharePoint Online is optional and must be enabled for a tenant on an opt-in basis. Afterwards, users can apply, remove, or change the sensitivity labels on documents using the SharePoint Online and OneDrive for Business browser interface or through the Office Online apps. Sensitivity labels can be applied by users, through default labels in label publishing policies, or through a default sensitivity label assigned to a document library.
Audit Events Captured
Events for these actions are captured by SharePoint Online and ingested along with other SharePoint events into the Microsoft 365 audit log. These events are:
- SensitivityLabelApplied: A label is applied to a SharePoint site.
- FileSensitivityLabelApplied: An Office Online app applies a label to an Office document.
- FileSensitivityLabelChanged: An Office Online app changed a label (upgrade or downgrade).
- FileSensitivityLabelRemoved: An Office Online app removed a label from a file.
- DocumentSensitivityMismatchDetected: A mismatch is detected because the sensitivity label applied to a document is higher than the level of sensitivity applied to the site where the document is stored. For instance, the site is labeled “Confidential” and a user uploads a document assigned the “Super Confidential” label to the site.
Currently, no events are captured when users apply sensitivity labels through other interfaces like Outlook or OWA.
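One way to pull these events out of the audit log for review, as an added example that is not from the original article. It uses the Search-UnifiedAuditLog cmdlet in a connected Exchange Online PowerShell session; the 30-day window and the two label property names read from AuditData (SensitivityLabelId, SiteSensitivityLabelId) are assumptions to check against a record from your own tenant.

```powershell
# Added example. Run after Connect-ExchangeOnline with an account allowed to search the audit log.
$Operations = "SensitivityLabelApplied", "FileSensitivityLabelApplied",
              "FileSensitivityLabelChanged", "FileSensitivityLabelRemoved",
              "DocumentSensitivityMismatchDetected"
$StartDate = (Get-Date).AddDays(-30)    # assumed lookback window
$EndDate   = Get-Date
$SessionId = "LabelEvents-" + [guid]::NewGuid()

# Page through the results: each call returns up to 5,000 records for the session
$Records = @()
do {
    $Page = @(Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
                -Operations $Operations -SessionId $SessionId `
                -SessionCommand ReturnLargeSet -ResultSize 5000)
    $Records += $Page
} while ($Page.Count -gt 0)

# ReturnLargeSet can return duplicates, so de-duplicate on the record identity
$Report = foreach ($Rec in ($Records | Sort-Object Identity -Unique)) {
    $Data = $Rec.AuditData | ConvertFrom-Json    # event detail is a JSON string
    [pscustomobject]@{
        TimeUtc   = $Rec.CreationDate
        Operation = $Rec.Operations
        User      = $Rec.UserIds
        Object    = $Data.ObjectId                  # URL of the file or site
        ItemLabel = $Data.SensitivityLabelId        # assumed property name (label GUID)
        SiteLabel = $Data.SiteSensitivityLabelId    # assumed property name (label GUID)
    }
}

# Volume per event type, then the mismatches that need follow-up
$Report | Group-Object Operation | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

$Report | Where-Object Operation -eq "DocumentSensitivityMismatchDetected" |
    Sort-Object TimeUtc |
    Format-Table TimeUtc, User, Object, ItemLabel, SiteLabel -AutoSize
```

The label values in audit records are GUIDs; Get-Label in Security & Compliance PowerShell can map them to display names.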
Sensitivity Label Mismatch Email Notifications
When a mismatch occurs, SharePoint Online captures an audit record and sends an “Incompatible sensitivity label detected” email notification to the person who uploaded the document and to the site owners. The notification contains details of the document which caused the problem and the label assigned to the document and to the site (Figure 1).

Although site owners can step in to downgrade the sensitivity label assigned to the highlighted document, resolving the issue should be left to the person who assigned an inappropriate label to the document. They should know the true sensitivity of its content and should be able to find a better sensitivity label to assign to the document.
Handling Confidential Material
Even if it leads to a sensitivity label mismatch, it’s entirely possible that it’s OK to store a highly sensitive document in a site labelled with a lower level of sensitivity. Labels created to protect highly sensitive content usually restrict rights to interact with documents to a limited set of users. It might be desirable to not allow some people with access to the site (like guest accounts) to access a document assigned with a highly sensitive label. However, this should be an exception. It’s good practice to only store documents in sites that are accessible to all members of the site unless good reasons exist to restrict access to some documents to a subset of site members. In these situations, it’s best to store the sensitive material in another site with restricted membership such as a site belonging to a private Teams channel.