Sensitivity Label Snapshot Report
Common Use Cases
- Locating sensitive content: seeing which sites hold the most files with a given label
- Verifying protection: checking whether labeled-content sites have the right controls in place
- Per-label monitoring: creating a report for each label you care about
- Quarterly governance: running the snapshot on Microsoft’s recommended cadence
- Copilot data protection: confirming labeled files sit on protected sites before rollout
- Policy gap-spotting: reviewing site label, device controls, and external sharing per site
Benefits
- Maps your sensitive content: ranks sites by labeled-file concentration
- Protection in context: shows the policies in force alongside each site
- Per-label clarity: one report per label keeps the view focused
- Copilot-relevant: labels travel with content into Copilot interactions
- Excel-ready: CSV download for filtering and sorting
- Verifies, not just locates: shows whether protection actually matches sensitivity
How It Works
- Lives in the SharePoint Admin Center: App Launcher, Admin, SharePoint admin center, Data access governance under Reports, sensitivity label reports
- Created per label: add a report for each label; it runs automatically the first time, then you re-run it manually
- Counts Office files: ranks sites by the number of Office files carrying the chosen label
- Admin only: only SharePoint administrators can create and view it
- Licensing plus a prerequisite: Advanced Management licensing, and Microsoft Purview sensitivity labels must already be configured (labels whose scope includes files)
- Output: an on-screen view plus a CSV, capped at 10,000 sites, a smaller cap than the other Data Access Governance reports
Limits and Nuances
- Created per label: add a report for each label whose scope includes files; it runs automatically the first time, then you re-run it manually
- SharePoint only: OneDrive is not currently supported, despite the report name suggesting otherwise
- Freshness: reports may take up to 24 hours to complete, data can be up to 120 hours old, and each report can be re-run only every 24 hours
- Prerequisite: Microsoft Purview sensitivity labels must already be configured
- Recommended cadence: Microsoft recommends running snapshot reports like this one quarterly
Common Questions About the Sensitivity Label Snapshot Report
What does the Sensitivity Label Snapshot report show?
For each sensitivity label you monitor, it ranks the SharePoint sites containing the highest number of Office files with that label applied, alongside the policies active on each site – the site sensitivity label, unmanaged device access controls, and external sharing settings.
What license is required to run this report?
You need either the SharePoint Advanced Management add-on license or a Microsoft 365 Copilot license, which includes Advanced Management. Licensing packages change often, so check Microsoft’s official requirements before planning around it.
Are there prerequisites before running it?
Yes. Microsoft Purview sensitivity labels must already be configured and applied in your tenant, and you can only create reports for labels whose scope includes files. If your organization has not rolled out sensitivity labels yet, this report has nothing to count.
Does it cover OneDrive?
No. Despite Microsoft documentation mentioning OneDrive in the report name, the same documentation is explicit that only SharePoint sites are currently supported.
How often should I run it?
Microsoft recommends running snapshot reports quarterly. Each report can be re-run every 24 hours at most, may take up to 24 hours to complete, and its data can be up to 120 hours old.
How does this report help with Microsoft 365 Copilot readiness?
Sensitivity labels are the backbone of Copilot data protection – they travel with content into Copilot interactions. This report shows whether your labeled files sit on sites that are actually configured to protect them, which is exactly what you want verified before rolling Copilot out.