Client-side versus Service-side Sensitivity Auto-labeling: Why You Should Care

Reading Time: 4 minutes

This post explains the key difference between the 2 automated techniques for applying Sensitivity Labels and why you (as an administrator) should care.

Why does this matter?

End-users can certainly apply a sensitivity label manually to an Office document within their editing session, but you shouldn’t rely on this method alone to consistently and accurately represent the sensitivity of the content within the document. We must employ automation to both ease the reliance on the end-user and increase the accuracy of the sensitivity label application.

In addition, if you are migrating thousands of documents into SharePoint and OneDrive, you need to ensure your organization’s sensitivity labels are intelligently applied to these documents in a similar manner to how they are being automatically applied for an end-user while they are working with their documents in their Office applications.

You can do both by using client-side AND service-side auto-labeling features!

Note: at the time of this writing there are limitations on the number of sites that can be included within the service-side auto-labeling feature. Over time, this limit should increase to address the need for applying your data classification at-scale across your data landscape. As of February 2021, the limitations are:

  • Maximum of 25,000 automatically labeled files in your tenant per day
  • Maximum of 10 auto-labeling policies per tenant, each targeting up to 10 sites (SharePoint or OneDrive) 


From Microsoft: How to configure auto-labeling for Office apps

You can auto-apply a sensitivity label from the client (i.e. end-user’s) perspective. This is an “in-the-moment” behavior while an end-user is editing a document either in an Online version (Word Online) or the App version (Desktop Word). If information is entered in the document that triggers the condition you’ve configured in the auto-labeling settings, it will either automatically apply or recommend the sensitivity label (dependent on your configuration).

Client-side auto-labeling for a sensitivity label is configured in the Sensitivity Label’s setting in the Compliance Center under Files & emails. Below is an example of auto-applying (recommending) a Confidential sensitivity label:

The settings above will recommend the Confidential sensitivity label if a Canadian Social Insurance Number is detected in a document’s content while the end-user is editing the document and is demonstrated in the image below: (Word Online)

Once applied (by clicking Change now), the property is persisted with the document and it can be displayed as a Sensitivity property in the SharePoint document library view:


From Microsoft: How to configure auto-labeling policies for SharePoint, OneDrive, and Exchange

What about applying this same set of rules and sensitivity labels to data at rest? For most organizations, it’s not sufficient to auto-apply net new and changed content with sensitivity labels… you ALSO need to apply a consistent set of rules to content sitting in existing SharePoint and OneDrive sites. i.e. data “at rest”

You can do this using Service-side Auto-labeling from within Information Protection in the Compliance Center:

Service-side auto-labeling is an important supplement to the client-side auto-labeling feature. You can define the same conditions as was done in the client-side auto-labeling feature to ensure the same sensitivity label will be applied. Below, I’ve configured service-side auto-labeling for the same condition as was done in the Client-side auto-labeling above:

Step 1: Define the condition(s)
Step 2: Select the Sensitivity Label to automatically apply
Step 3: You MUST run in simulation mode before enabling the policy


Once the simulation is done and you have verified the conditions are configured correctly, you can enable the service-side auto-labeling policy to automatically apply the Sensitivity label to content matching the condition(s) specified.

In the image below, 3 of the documents’ contents in the New Library contain a Canadian Social Insurance number so the Confidential sensitivity label was automatically applied. An end-user did not have to open/view/edit the document for the sensitivity label to be applied. Awesome.


Important Tidbits to know

  • When content has been manually labeled, that label will never be replaced by automatic labeling. However, automatic labeling can replace a lower priority label that was automatically applied.
  • Automatic labeling can overwrite the default sensitivity label if you have one set in your label policy

Thanks for reading. How are YOU applying sensitivity labels across your tenant? 🙂


Credit: Photo by Markus Spiske from Pexels


  1. This is awesome Joanne thanks. Sadly we are not using this yet….although I believe we are getting a project together to move in that direction…and I cannot wait.

  2. Very helpful and clear — thanks for your post. What if I want to apply a specific label to every document that gets placed in a specific SharePoint library, so all documents in that site are labeled with that label when they are placed there?

    1. Hi Revakg, you can’t do this using the auto-labeling capability. Microsoft Cloud App Security can do it.

  3. Joanne, any hope for being able to use server-side auto-labeling for more than 10 sites/onedrive sites? Starting to get some clients that want to turn it on tenant wide for SharePoint and OneDrive and be able to check all their sites.

    1. Hey Ben, the team at Microsoft is working on this current limitation. I’m not aware of a date though.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.