Microsoft Cloud App Security and Sensitivity Labels

Reading Time: 6 minutes

This post walks thru an example of how to automatically apply a sensitivity label to files in SharePoint Online and OneDrive under certain conditions using an integration between Microsoft Cloud App Security (MCAS) and Azure Information Protection (AIP).

Note: To clarify, integration with AIP will leverage sensitivity labels if you have migrated your AIP labels to Sensitivity labels and published them in the Security & Compliance Center. Documentation currently refers to AIP.

Reference: How to integrate Azure Information Protection with Cloud App Security

I’m assuming if you’re reading this post, you already understand the importance of applying sensitivity labels to content across your environment. They can apply visual markings, encryption, and rights management to allow/prevent certain actions on a document (copy, print, etc.) all based on how you define sensitive information in your organization.

There are numerous ways to apply a sensitivity label ranging from manually applying one to utilizing some of the auto-apply capabilities available and coming to Office 365. Depending on the services available to you in Office 365 and whether or not an end-user has correctly labeled the content thru manual means, an additional “line of defense” may be required to automatically set it. For example, you may want to apply a certain sensitivity label under these conditions:

  • anything created by the CEO
  • anything created in the Board Team site’s library
  • anytime a customer # is detected in a file

MCAS is a very powerful tool in the Microsoft 365 toolkit, and there are many other things you can do with it to control and govern your environment including all 3 of the scenarios above, however I’ll walk thru the third example, apply a Customer sensitivity label whenever a customer # is detected in a file, to demonstrate an excellent use-case for this powerful tool.

License requirements for this functionality:

  • Microsoft Cloud App Security
  • Azure Information Protection Premium P1


For purposes of this post, I assume you have a custom sensitive information type configured in your tenant to identify when a customer # is used. In this example, the custom sensitive information type is called ABC Corp Customer Number and it is identified by a match on a regular expression to match AA-##### format near a keyword of “Customer”:

Custom Sensitive Info Type

I also assume you have the Customer sensitivity label defined and published to staff across your environment in a Label policy.

To integrate MCAS with AIP, you must select the Azure Information Protection option under Settings in MCAS:


In order for File Policies to inspect content in protected files across your environment, MCAS must be granted permissions to do this:

Grant permissions

To configure a file policy, you must enable file monitoring. You can do this in Settings…Information Protection…Files

Create File Policy

In the Policies page in MCAS, create a File policy:


Lots of information to enter for a file policy, however for this example, here are the key elements:

  • Policy name: Detect customer info
  • Filter: match on any access level other than private:

Filter for policy

  • Inspection method: select an inspection method of Data Classification Service and select the custom sensitive information type you’ve defined for your corporate customer #, ABC Corp Customer Number:

Alerts: You can also configure alerts for files matching your filter. Whether you do this or not will depend on the governance required over the file matches. For this example, I’ll create an alert and send myself an email:


In some scenarios, it would be a great idea to build a Flow using Power Automate to possibly do some follow-up actions on any alerts.

Assign the Sensitivity Label

Now the important part… in the File policy configuration, you can specify governance actions for both OneDrive for Business and SharePoint Online when a file match is found. For this example, I’ll select both of these and automatically apply a Customer sensitivity label:

*The yellow star above indicates a potential setting you may want to enable if you also don’t want this file to be shared externally.

Seed some Customer Files

For the test, I created 5 files with customer information across several Microsoft Teams without manually applying a sensitivity label. After a few minutes, 5 files showed up matching the file policy and all files had the Customer sensitivity label applied.

The Customer sensitivity label definition is encrypted which MCAS is aware of and applies the proper encryption with the label (shown is the file alert and the details logged for each):


Note: I had 1 file with customer information in it with a different sensitivity label and it was NOT overwritten by MCAS.

Here’s the email notification I received for each file found where it applied a sensitivity label:


Since the Customer sensitivity label was applied to the document and the rights management controls on it prevent copying, I could not take a screen-print of the document. Instead, I took a picture of the document on my laptop screen with my camera to prove the label was applied: 🙂


What about the auto-labeling capability for Sensitivity labels?

There are 3 other auto-labeling features for sensitivity labels in the Security & Compliance Center and they will also help manage content across a tenant by automatically detecting content and applying the correct sensitivity label.

Auto-labeling for Office apps: Each sensitivity label can be auto-applied or recommended based on sensitive information types right within the office apps.

Auto-labeling policies (preview): This will be able to apply a sensitivity label to a specific Exchange mailbox(es) for emails sent (in transit) or SharePoint and OneDrive site(s) content at rest based on rules defined (sensitive information types).

ML based automatic labeling (preview): This will auto-apply a sensitivity label to content at scale across your environment using machine learning classifiers. There are 6 built-in classifiers at the moment, however you can also build your own.

Over time, a combination of all of these will improve your overall coverage of sensitive data from the many ways content can come into and leave your environment.

Extra: Targeting a specific library

For the second example I had listed at the start of this post where you want to apply a sensitivity label to a specific document library in SPO, you can do that by setting the library option in the file policy. In the image below, I’m targeting the Shared Documents library in “Joanne’s Team site”:


My thoughts

Integrating MCAS capabilities with sensitivity labels takes the possibilities of what you can do with them to the next level. Even if an end-user forgets to apply a label and the auto-labeling capabilities above are either not configured or have not applied it, this can apply the label for them to accommodate your unique business scenario! The ability to have oversight on how much of your content is caught by this policy can also feed into your continuous improvement plan for securing and protecting your environment.

This post demonstrated 1 great way to improve your security and compliance posture across your Microsoft 365 environment with 2 very powerful tools coming together.

Thanks for reading.


Credit: Photo by from Pexels


  1. Hi Joanne,

    tried this out but it looks like MCAS does not apply Sensitivity Labels but Azure Information Protection labels. I noticed it showing the Sensitivity Label Column and when I try to open the file with the Office Webapps. Do you have any information about this?


    1. Hi Daniel, if you’ve migrated to sensitivity labels it will use them as I’ve done this in my own tenant. The MCAS feature still refers to AIP in the UI but it definitely will apply the sensitivity label. Do you see the activity getting logged in MCAS for the files?

  2. Hi Joanne,

    many thanks for the reply 🙂
    Very strange.. If It set the label with MCAS I cannot see use the webapps to view the content. Additional, when I show the column “Sensitivity” its empty.
    When I set a sensitivity label manually it works as expected. The column shows the Sensitivity Label Name and Webapps can open the file. Is there something wrong on my tenant?

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.