Control 1.5: Sensitivity Label Taxonomy Review — Troubleshooting
Common issues and resolution steps for sensitivity label taxonomy management.
Common Issues
Issue 1: Labels Not Appearing for Users
- Symptoms: Users report that sensitivity labels are not visible in Office applications or the label bar is missing entirely
- Root Cause: Label policies may not be scoped to the affected user groups, or the Azure Information Protection client is not installed/configured for the Office version in use.
- Resolution:
- Verify the user is included in an active label policy using `Get-LabelPolicy`
- Check that the label policy is enabled and in enforcement mode
- For desktop Office apps, verify the Azure Information Protection unified labeling client is installed
- Force a policy refresh: In Office, go to Sensitivity button > Help and Feedback > Reset Settings
- Allow up to 24 hours for policy propagation to new user groups
Issue 2: Auto-Labeling Not Applying Labels
- Symptoms: Auto-labeling policies are configured but documents are not being labeled automatically
- Root Cause: Policies may still be in simulation mode, the sensitive information type patterns may not match the content, or the policy scope may exclude the relevant locations.
- Resolution:
- Check policy mode: `Get-AutoSensitivityLabelPolicy -Identity <name>` and confirm Mode is "Enable"
- Review simulation results to verify the policy matches expected content
- Verify sensitive information type definitions match your data patterns
- Confirm the policy scope includes the SharePoint sites and OneDrive locations where content resides
- Check for conflicting policies that may override auto-labeling
Issue 3: Label Priority Conflicts
- Symptoms: Higher-sensitivity labels are being overridden by lower-sensitivity auto-labeling, or users can apply lower labels without justification
- Root Cause: Label priority values may be incorrectly ordered, or the justification requirement for downgrades may not be enabled in the label policy.
- Resolution:
- Review label priority order: `Get-Label | Sort-Object Priority | Select-Object DisplayName, Priority`
- Verify higher-sensitivity labels have higher priority numbers
- Enable downgrade justification: In the label policy, set `RequireDowngradeJustification` to `$true`
- Test priority behavior by attempting to apply labels in a different order
Issue 4: Encryption Blocking Copilot Content Access
- Symptoms: Copilot cannot access content protected by encrypted sensitivity labels, resulting in incomplete responses or "I don't have access to that content" messages
- Root Cause: Sensitivity labels with encryption restrict access to specified users or groups. If the Copilot service principal does not have access rights, it cannot read encrypted content.
- Resolution:
- Review encryption settings on the label: `Get-Label -Identity <name> | Select-Object -ExpandProperty EncryptionRightsDefinitions`
- Verify that Copilot respects the user's access rights (Copilot accesses content as the user, not as a service)
- Confirm the user querying Copilot has the required rights to the encrypted content
- If Copilot should not access certain encrypted content, this is expected behavior — document it as intended
Issue 5: Sub-Labels Not Displaying Correctly
- Symptoms: Sub-labels appear as standalone labels or do not show under the correct parent label
- Root Cause: Sub-label parent assignment may be incorrect, or the label policy may publish the sub-label but not the parent label.
- Resolution:
- Verify parent-child relationship: `Get-Label | Where-Object ParentId -ne $null`
- Confirm both parent and child labels are included in the same label policy
- Check that the parent label is not disabled while the child label is enabled
- Force a client-side policy refresh and restart the Office application
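The parent and sub-label checks in Issue 5 can be run across every label and policy in one pass. The script below is an added example, not one of this control's own scripts: the function name `Test-SubLabelPublishing` and the sample data are constructed, and it assumes label objects expose `Guid`, `Name`, `DisplayName`, `ParentId` and `Disabled`, and that policy objects expose `Name` and a `Labels` list holding label names or GUIDs.

```powershell
# Added example. Property names are assumptions; confirm them in your tenant
# with (Get-Label | Get-Member) and (Get-LabelPolicy | Get-Member).
function Test-SubLabelPublishing {
    param(
        [Parameter(Mandatory)] [object[]] $Labels,
        [Parameter(Mandatory)] [object[]] $Policies
    )
    # Index labels by GUID so each ParentId can be resolved to its parent label.
    $byGuid = @{}
    foreach ($l in $Labels) { $byGuid[[string]$l.Guid] = $l }
    # A policy may list labels by name or by GUID (assumption); accept either.
    $publishes = { param($policy, $label)
        $list = @($policy.Labels | ForEach-Object { [string]$_ })
        ($list -contains $label.Name) -or ($list -contains [string]$label.Guid) }

    foreach ($child in ($Labels | Where-Object { $null -ne $_.ParentId })) {
        $parent = $byGuid[[string]$child.ParentId]
        if (-not $parent) {
            [pscustomobject]@{ SubLabel = $child.DisplayName; Policy = ''; Finding = 'ParentId does not match any label' }
            continue
        }
        if ($parent.Disabled -and -not $child.Disabled) {
            [pscustomobject]@{ SubLabel = $child.DisplayName; Policy = ''; Finding = "Parent '$($parent.DisplayName)' is disabled, sub-label is enabled" }
        }
        foreach ($p in $Policies) {
            if ((& $publishes $p $child) -and -not (& $publishes $p $parent)) {
                [pscustomobject]@{ SubLabel = $child.DisplayName; Policy = $p.Name; Finding = "Policy publishes sub-label without parent '$($parent.DisplayName)'" }
            }
        }
    }
}

# Constructed sample data shaped like the assumed cmdlet output. Against a tenant:
#   Test-SubLabelPublishing -Labels (Get-Label) -Policies (Get-LabelPolicy)
$conf  = '11111111-1111-1111-1111-111111111111'
$restr = '22222222-2222-2222-2222-222222222222'
$labels = @(
    [pscustomobject]@{ DisplayName = 'Confidential'; Name = 'Confidential'; Guid = $conf; ParentId = $null; Disabled = $false }
    [pscustomobject]@{ DisplayName = 'Finance'; Name = 'Confidential-Finance'; Guid = '33333333-3333-3333-3333-333333333333'; ParentId = $conf; Disabled = $false }
    [pscustomobject]@{ DisplayName = 'Restricted'; Name = 'Restricted'; Guid = $restr; ParentId = $null; Disabled = $true }
    [pscustomobject]@{ DisplayName = 'Legal'; Name = 'Restricted-Legal'; Guid = '44444444-4444-4444-4444-444444444444'; ParentId = $restr; Disabled = $false }
)
$policies = @(
    [pscustomobject]@{ Name = 'Global policy'; Labels = @('Confidential', 'Confidential-Finance', 'Restricted', 'Restricted-Legal') }
    [pscustomobject]@{ Name = 'Finance pilot'; Labels = @('Confidential-Finance') }
)
Test-SubLabelPublishing -Labels $labels -Policies $policies | Format-Table -AutoSize -Wrap
```

Each row it returns maps to one of the Issue 5 resolution checks: a policy that publishes the sub-label without its parent, or a disabled parent with an enabled child.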
Diagnostic Steps
- Export full taxonomy: Run Script 1 and review the complete label hierarchy
- Verify policy assignment: Check which policies apply to the affected user
- Test label application: Manually apply and remove labels to verify behavior
- Review audit logs: Search for label-related events using `Search-UnifiedAuditLog -RecordType SensitivityLabelAction`
- Check client version: Verify Office client supports current label features (minimum version requirements)
Escalation
| Severity | Condition | Escalation Path |
|---|---|---|
| Low | Individual user label display issues | IT Help Desk for client troubleshooting |
| Medium | Auto-labeling not functioning for a content type | Information Protection team |
| High | Label priority conflicts causing incorrect classification | Compliance team and governance committee |
| Critical | Encryption blocking legitimate Copilot access tenant-wide | Microsoft support and CISO |
Related Resources
- Portal Walkthrough — Taxonomy review steps
- PowerShell Setup — Label management scripts
- Verification & Testing — Validation procedures