What they are
Sensitivity labels are a tool for classifying and protecting Microsoft 365 data based on its sensitivity or confidentiality level. At CU Boulder, sensitivity labels can safeguard their Microsoft files and emails, Teams sites, Microsoft 365 groups, SharePoint document libraries and PDF files against unauthorized data access and leakage.
Once applied, the label and its protections stay with the item even when it’s shared between devices, applications or cloud services.
What they do
OIT has configured a set of sensitivity labels that map to CU's classification levels of institutional data and apply the appropriate protective measures for that data classification.
Sensitivity Label | Description |
---|---|
Public (L1) | Data is not protected. Content was specifically prepared for public consumption. |
University Data (L2) | Data is not protected. Content was not meant for public consumption but would not have an adverse impact if disclosed to the public. |
Confidential (L3) | Content is sensitive, is not typically disclosed to the public, and requires a legitimate business purpose to access. |
Highly Confidential (L4) | Content is extremely sensitive; is protected from disclosure by law, regulations, contracts or legal agreements; and/or requires reporting of unauthorized disclosure. |
The confidential and highly confidential labels have four sublabels each that apply different protections.
Sensitivity Sublabel | Description |
---|---|
No Protection | Data is not protected; access is not restricted. Share only with trusted partners who cannot perform their work if the file is protected. |
Internal | Data is protected; access is restricted to users with a University of Colorado email address (e.g., colorado.edu, cu.edu). Users can take any action, including removing protection (justification required). |
External | Data is protected; access is not restricted to users with a University of Colorado email address. Users can take any action, including removing protection (justification required). |
Custom | The owner assigns a permissions level to each user or domain. |
Sublabel Protections
Sublabel Protections | No Protection | Internal | External |
---|---|---|---|
Applies an additional layer of encryption | |||
Prevents access by unauthenticated users | |||
Prevents access by non-CU accounts | |||
Prevents printing & downloading | |||
Requires justification to decrease or remove label |
What they don't do
Labeling a file or email as confidential or highly confidential does not shield it from disclosure under Colorado Open Records Act (CORA) if it is otherwise a public record subject to disclosure. For additional information, see the sensitivity labels FAQs.
What they look like
If sensitivity labels are enabled for your account, you'll see a brightly colored shield icon at the top of the labeled document or email, serving as a visual indicator of the sensitivity of its contents. In some applications, the name of the sensitivity label will appear next to the icon.
Users who don't have CU Boulder’s sensitivity labels enabled will only see the shield when using the Microsoft web applications. In desktop applications, the protections will be listed in a banner at the top of the file.
Word, Excel & PowerPoint
The sensitivity label appears next to the document name at the top of the window.
Outlook
In the inbox, labeled items are indicated by a padlock icon. In an open message, the sensitivity label appears either next to the subject line or below the message headers.
View Outlook (new) screenshots


Microsoft Teams
If a sensitivity label is applied to a Team, then the label will appear when one of the Team's channels is selected. The sensitivity label appears in the tabs row at the top of the content pane. Learn how to label a Microsoft Team.
View Teams screenshot

SharePoint libraries
At this time, there's no at-a-glance method for checking a SharePoint library's default sensitivity label; however, that information is available through the library settings menu (see screenshot below). Users can add the Sensitivity column to view files' sensitivity labels in the content list.
View SharePoint screenshots


PDF files
When viewed through Adobe Acrobat or Microsoft Edge, labeled PDFs have a banner at the top indicating that they're protected. Non-Microsoft web browsers don't display protected PDFs; instead, they display an Adobe-branded landing page that states the document is protected by Microsoft Purview Information Protection and can be viewed using a supported PDF reader.
View Adobe Acrobat screenshot

View Microsoft Edge screenshot

View non-Microsoft web browser screenshot

Who can use them
Sensitivity labels are currently only enabled for our project team and pilot groups. Once testing is complete, OIT plans to enable sensitivity labels for all CU Boulder faculty, staff and students.