>
    Strata Copilot
    Microsoft Purview Information Protection Labeling for Office 365
    Focus
    Download PDF
    Focus
    1. Home
    2. SaaS Security
    3. Data Security Administration
    4. Microsoft Purview Information Protection Labeling for Office 365
    Download PDF
    SaaS Security

    Microsoft Purview Information Protection Labeling for Office 365

    Table of Contents

    Microsoft Purview Information Protection Labeling for Office 365

    Learn how to configure Microsoft Purview Information Protection labels for Office 365 in Data Security.
    Where Can I Use This?What Do I Need?
    • Strata Cloud Manager
    • Data Security license
    Or any of the following licenses that include the Data Security license:
    • CASB-X
    • CASB-PA
    Data Security supports Microsoft Purview Information Protection Labeling for Office 365 connectors. As an Administrator you can define rules and Data Security applies labels to your files accordingly, thus classifying and protecting your sensitive information. Labeling is supported for the following file types:
    • .docs
    • .docm
    • .xlsx
    • .xlsm
    • .xlsb
    • .pptx
    • .ppsx
    • .pdf (enable now)

    Configure Microsoft Purview Information Protection Labeling

    Prerequisite: Create and Publish Sensitivity Labels
    Data Security will need permissions to fetch the labels available in the M365 instance and their priorities. To grant permissions, perform the following steps.
    1. Log in to Strata Cloud Manager.
    2. Select ConfigurationSaaS SecuritySaaS SecuritySettingsData Label Settings. The Office 365 instances which support data labeling are listed.
    3. If you have not fetched data labels for an existing onboarded Office 365 connector, choose your Office 365 connector instance and Authorize to fetch their labels.
    4. After authorization, the labels are fetched for the Office 365 connector immediately. Labels are refreshed every 24 hours. To fetch labels at any point in time, click Sync Data Labels Now.

    Apply Labeling with Data Asset Policies

    Perform the following steps to apply labeling with Data Asset Policies.
    1. Select ConfigurationSaaS SecurityData SecurityPoliciesAdd Policy. In the Add Data Asset Policies page, scroll down to Apply Data Label under the Action section.
    2. Choose the Office 365 connector instance and the required label from the drop-down list.
      • When a sensitive label has encryption settings enabled, you cannot apply that specific sensitivity label through APIs. Learn more about how to apply sensitivity labels to your files.
      • When you configure a policy, you cannot choose to quarantine and label at the same time.

    How Policy Driven Labeling Applies Labels

    Once data asset policies are created to apply labels, Data Security will regularly scan assets (of the right file types) that match the policy’s criterion and attempt to apply the label. Labels are only applied if the policy driven label has a higher priority than the label currently on the asset.
    For example, if an asset has the Top Secret (the highest priority) label and a matching policy needs to apply the Confidential (which has lower priority than Top Secret) label, the policy will not attempt to apply the label. This will also apply when multiple policies match the asset. Eventually, the rule with the highest priority label will get applied.
    Data Security applies labels by invoking Microsoft Graph API. This applies the label asynchronously on the asset. So, there might be a lag between the moment Data Security applying the label and the label actually reflecting on the file in Office 365.

    View and Override Labels

    1. Select ConfigurationSaaS SecurityData SecurityData AssetsLabeled by Policy. Use the various filters available at the top of the table to filter your results. As an example, the following screen shot shows a specific asset in a specific instance of Office 365.
    2. To override an existing label, select the asset and override with a different label.
      • If you override the labels manually for an asset, those assets will not be labeled by Data Asset Policies in the future.
      • Select the Prevent Downgrade option to prevent users from downgrading the asset to a lower priority labeling.

    Quotas for Labeling

    Licenses
    Recent Files (< 24 Hours)
    Older Files (> 24 hours)
    All customers
    25000 labels per day
    5000 labels per day
    Important Things to Remember
    • Labels are available only for Office 365 connectors which have been onboarded.
    • Manual overriding of labeling is limited to 500 per day.
    • Files less than 24 hours old (file content change or label change) are prioritized and allocated to the Recent Files quota while files older than 24 hours are allocated to the Older Files quota.
    • If the number of files to be labeled are more than your daily quota, those extra files are added to the backlog. However, these extra files are allocated to the Older Files category.

    © 2026 Palo Alto Networks, Inc. All rights reserved.