The Manual Classification Problem
Every Purview deployment starts with the same assumption: users will apply sensitivity labels to their documents and emails. The labelling scheme is documented, training is delivered, and policies are published. Then reality sets in.
The fundamental problem is that data classification is not a user problem — it is an architecture problem. Asking a busy financial analyst to decide whether their spreadsheet contains PII, confidential financial data, or internal-only information — and to apply the correct label — before every save and every send is asking them to be a data governance officer on top of their actual job.
In every Purview environment we assess, the pattern is consistent: sensitivity labels exist in the admin console, training happened, and yet vast quantities of sensitive data remain unlabelled or mislabelled in SharePoint libraries and Exchange mailboxes.
The question is not "do your users know the labelling policy?"
The question is: "what happens to your data protection when they forget, rush, or simply do not bother?" If the answer is "nothing protects it," your data governance is only as strong as your least engaged employee.
What Auto-Labelling Actually Does
Microsoft Purview Auto-Labelling is not a single feature — it is two distinct engines that operate at different points in your data lifecycle, with different strengths and appropriate use cases for each.
The first engine, client-side auto-labelling, operates on the user's device. It scans content as the user works and either suggests a label or applies one automatically — before the document is saved or the email is sent. The user stays in the loop, which is valuable for high-sensitivity workflows where human confirmation matters.
The second engine, server-side auto-labelling, operates entirely in the background across Microsoft 365 services — SharePoint, OneDrive, and Exchange. It scans existing content and new content at rest and in transit, applies labels without any user interaction, and can process your entire data estate systematically. This is the engine that scales.
The critical architectural principle governing both engines is label priority protection: auto-labelling never replaces a higher-priority label with a lower-priority one, and never removes a label already applied. This ensures automation cannot downgrade the security posture of already-classified content.
Client-Side vs Server-Side
| Capability | Client-Side | Server-Side | Strategic Value |
|---|---|---|---|
| Operates without user interaction | ✗ | ✓ | Critical |
| Covers SharePoint & OneDrive at rest | ✗ | ✓ | Critical |
| Classifies Exchange email in transit | ✗ | ✓ | Critical |
| Simulation mode before rollout | ✗ | ✓ | High |
| Classifies PDFs and images | ✗ | ✓ | High |
| User-facing policy tips | ✓ | ✗ | Medium |
| Real-time document labelling | ✓ | ✗ | Medium |
| Supports all Microsoft 365 plans | ✓ | ✗ | Medium |
The Compliance Dimension: Why This Matters to Your Auditor
Auto-labelling policies are not just a technical configuration — they are evidence. They demonstrate to auditors that your data protection is systematic, documented, and not dependent on individual user behaviour.
The common thread across every major European regulatory framework is the requirement for consistent and demonstrable data protection measures. Manual labelling, by definition, cannot be consistent. When your auditor asks how you ensure sensitive data is classified, "we trained our users" is not an acceptable answer under NIS2 Article 21 or DORA Article 9.
GDPR Compliance Exposure
Article 32 requires "appropriate technical measures" to ensure data security. A labelling architecture that depends entirely on user behaviour is not a technical measure — it is a policy aspiration. Auto-labelling is the technical measure.
NIS2 Compliance Exposure
NIS2 requires risk management measures including policies on data handling and access control. Demonstrating that sensitive data is systematically classified — not manually classified — is increasingly expected by Dutch competent authorities.
DORA Compliance Exposure
Financial institutions must demonstrate ICT risk management across their information assets. Unclassified or mislabelled financial data is an explicit gap in your DORA evidence package — one that auto-labelling closes.
Auto-Labelling Without Expertise Is a Risk, Not a Solution
We have deployed Purview auto-labelling across enterprise environments in financial services, healthcare, and professional services. The difference between a policy that protects and one that disrupts is in the design and simulation phase.
Book a Free Purview AssessmentWhy Deployment Expertise Matters More Than the Feature Itself
Microsoft makes auto-labelling available to any organisation with the right licence. What Microsoft does not make easy is deploying it correctly — in a way that achieves coverage without generating disruption, false positives, or performance degradation across your SharePoint environment.
The three failure modes we most commonly encounter when assessing Purview environments that have attempted auto-labelling without specialist support:
Skipping Simulation Mode
Server-side auto-labelling has a simulation mode designed to preview what would be labelled before any action is taken. The majority of organisations skip this step and go directly to production — then spend weeks responding to help desk tickets from users confused by unexpected label changes on existing files.
Misconfigured Sensitive Information Types
Auto-labelling triggers on Sensitive Information Types (SITs). Default SITs have false positive rates that are acceptable for detection but destructive for auto-labelling at scale. Deploying without SIT tuning means either over-labelling — everything becomes Confidential — or under-labelling, where the patterns miss your actual sensitive data formats entirely.
SharePoint Performance Impact
Scanning SharePoint at scale has real performance implications, particularly for libraries with millions of items. Without throttle management and phased rollout planning, an aggressive auto-labelling scan can degrade SharePoint performance across your environment during business hours — turning a security initiative into a productivity crisis.
Three Questions Every CISO Should Answer Before Deploying Auto-Labelling
These are the questions that distinguish a mature Purview deployment from a compliance checkbox exercise:
What percentage of documents in your SharePoint and OneDrive environment are currently labelled?
If the answer is "we don't know," you have no baseline. Without a baseline you cannot measure coverage, demonstrate compliance, or make a risk-proportionate decision about where to start.
Who in your organisation has the authority to decide what data patterns trigger an auto-label — and are they the right person?
Auto-labelling decisions are data governance decisions with downstream encryption and access consequences. This is not a question for IT. It requires a data owner, a privacy officer, and a security architect in the same room.
Do you have a simulation-mode validation process before any auto-labelling policy goes to production?
Without simulation, you are testing on live data with live users. One misconfigured policy can generate thousands of incorrect labels across your tenant — and unlike manual classification, automated mistakes scale instantly.
Auto-Labelling Is the Foundation Layer — Not the Destination
Purview's value proposition — DLP enforcement, encryption, RBAC governance, audit-ready reporting — depends entirely on the quality of your classification layer. If your data is inconsistently labelled, your DLP policies fire inconsistently. If sensitive data is unlabelled, it is invisible to your protection framework entirely.
Auto-labelling is not a configuration you toggle on. It is an architecture project that requires careful design of your Sensitive Information Types, phased simulation and validation, performance planning, and a governance model that defines who owns classification decisions going forward.
We have delivered this for enterprises in financial services, healthcare, and professional services across the Netherlands and Europe. If you are unsure what percentage of your sensitive data is currently classified — that uncertainty is itself the compliance gap.
Microsoft Purview Solutions
Auto-labelling architecture, DLP policy design, RBAC governance — discover how we implement Microsoft Purview for European enterprises.
View Purview ServicesPurview on macOS: Why "Onboarded" Doesn't Mean "Protected"
The platform gaps, hidden costs, and compliance risks that every CISO with a mixed-OS fleet must confront before the next audit cycle.
Read the Article