Decoding Microsoft Purview Licensing for Automated Labeling

For IT professionals managing enterprise data security, Microsoft Purview's licensing requirements for automated sensitivity labeling—particularly in SharePoint Online and OneDrive—remain frustratingly unclear. While the promise of streamlined, policy-driven labeling sounds straightforward, interpreting who actually needs what license is anything but.

A strong study of Microsoft’s Compliance licensing matrix will reveal that sensitivity labels appear in office documents starting in the mid-tier office plans like Microsoft Business Premium and even web-app-only licenses like Office E1. But in order to “apply sensitivity labels automatically to files in SPO”, you require one of the following:

1. Microsoft 365 E5
2. Microsoft 365 E3 + Microsoft 365 E5 Compliance add-on
3. Microsoft 365 E3 + Microsoft 365 E5/A5 Information Protection & Governance add-on
4. Office 365 E5

But does that mean, the governance officer who is configuring the labels requires one of the licenses listed above? Or does that mean that the governance officer and all of the employees in the organization need the license in order to have this ability?

For some enterprises, it’s literally a million dollar question.

Field Testing with Auto-Labelling

Why not open Purview and give it a try to see what happens? That’s easy enough, our governance officer has an E5 license, and we can provision a new user with a Microsoft Business Premium account.

1. Business Premium, in OneDrive, creates a new Word document and pastes some credit card information inside.
2. Governance Officer, in Purview Information Protection, publishes a new “Confidential” label, and attaches a new auto-labelling policy for credit cards. (Note to the reader: we thought detecting credit card numbers would be easy in Purview, but we hit some snags and that’s a different story.)
3. And now, we wait. The document currently has “No Label” but what will the document have tomorrow?

The result when we came into the office the next day: The label is tagged with “Condential”. It works! So our internal testing revealed that automated sensitivity labels can still be applied to files in OneDrive accounts tied to users with only a Microsoft Business Standard license—so long as the labeling policy is created by an administrator with one of the above four licenses.

Ok, it’s technically possible. But then we heard conflicting stories in the industry about this, with our contacts saying that they had to buy one of the four above licenses. This raises a critical question: if server-side labeling technically works for these users, are we still in breach of Microsoft’s terms?

MC736438: A Shift Toward Enforcement

In early 2024, Microsoft, attempting to clear things up, sent Purview administrators a Message Center notification in MC736438.

“Starting January 2024, new customers require specific licenses to use or continue using Information Protection sensitivity labels. Existing customers using sensitivity labels without the correct licenses will have a grace period until early April 2024. Admins and users who use Information Protection sensitivity labels need to have the required licenses assigned to them.

To apply a sensitivity label to documents, emails, meetings, groups, and sites manually, the following licenses are required for both the tenant admin and each end user:

1. Microsoft 365 E5/A5/G5/E3/A3/G3/F1/F3/Business Premium/OneDrive for Business (Plan 2)
2. Enterprise Mobility + Security E3/E5
3. Office 365 E5/A5/E3/A3

For both client and server-side automatic sensitivity labeling, the following licenses are required:

1. Microsoft 365 E5/A5/G5
2. E5 Compliance
3. Microsoft 365 E5/A5/G5 Information Protection and Governance
4. Office 365 E5/A5/G5”

This confirms that there is a known mismatch between what is operationally possible and what is allowed through the terms of the licenses. But this doesn’t clear up the critical question. For automatic licensing, we know at least one of those is required, but is it required for all the users?

Deeper down the licensing rabbit hole

At this point, we pour through the documentation again.

Starting with the more indepth legalese, we had a run through the Microsoft 365 license Terms and Conditions legalese in search of the truth, but no mentions of sensitivity labels could be found and we came back empty handed.

Turning back to the product documentation, we had high hopes that we would find our answers in Microsoft 365 guidance for security & compliance, but scrolling down to the section on Microsoft Purview Information Protection: Sensitivity labeling, we see it only talks about manual labelling. Nothing about automatic labelling.

Finally, we found a third documentation repository, a Microsoft Purview Customer Experience Engineering (CxE) site hosted on a GitHub Pages. It has published a playbook on automatic labelling that dares to go further than anything we have seen before:

“For default sensitivity labeling for SharePoint document library, client, and service-side automatic sensitivity labeling, the following licenses provide user rights:

• Microsoft 365 E5/A5/G5
• F5 Compliance
• F5 Security & Compliance
• Microsoft 365 E5/A5/G5 Information Protection and Governance
• Office 365 E5”

The keyword here is “user rights” which matches language that Microsoft employs to describe any user that is benefiting from a given service. If a user benefits from autolabelling, they will benefit from it. You can see other examples of the language on the Microsoft 365 guidance for security & compliance.

Conclusion: Everyone Gets E5

Putting it all together, the broader picture is clear that all users need one of the above licenses. This grey area is uncomfortable to put it lightly, but this mismatch between policy and behavior leaves security and compliance leaders in a precarious position. Relying on the current behavior of the system is risky, especially as Microsoft has shown a pattern of gradually introducing stricter enforcement (MC736438) and does periodically audit their enterprises for license compliance. The burden is on enterprises to stay aligned with Microsoft’s licensing intentions, even if the system still allows technically unlicensed actions.

Do you have to upgrade all your users? Let’s do some back of the envelope math. Let’s consider an enterprise with 5000 users. Let's assume that the most common license for employees is Microsoft 365 E3. Considering a $9 upgrade cost of the E5 Information Protection and Governance add-on and before any discounts, the math comes out to:

5000 users * $9 ‎license‎/month upgrade * 12 month/year = $540,000 annually

This is a best case scenario for this enterprise! If the enterprise’s most common license is Business Premium, they would have to upgrade to Office E5 and then that entails a $27 update per user

5000 users * $27 ‎license‎/month upgrade * 12 month/year = $1,620,000 annually

Budget accordingly, budget generously.

Strategic Considerations Beyond Purview

This issue also points to a broader challenge in relying entirely on Microsoft’s security stack. For many organizations, the limitations and cost of Microsoft licensing justify a closer look at third-party solutions for data classification and governance. Gartner, in their recommendations for unstructured data security state: “Be prepared to source the required combination of controls for unstructured data from multiple vendors and products. Waiting for a one-size-fits-all product will cause delays and drive operational complexity.”

Some tools, like Ohalo Data X-Ray offer more reasonable pricing and more powerful features, reducing licensing complexity while complementing Microsoft’s ecosystem. Data X-Ray specializes in straight-forward sensitivity labeling across your entire enterprise data landscape, including on premises datasources and not just limited to SharePoint Online and OneDrive. It also uses more modern sensitive data detection techniques using LLMs for state of the art document intelligence and plays nice with Purview by syncing those sensitivity labels back to the documents, for all of your DLP needs.

Let us know if you need help. Book a demo.