Sensitivity Labels vs Retention Labels: They Look Similar. They Aren't.
Both live in Microsoft Purview. Both are called "labels." Both can be applied to the same SharePoint document. Both appear in similar menus in similar admin centres. And admins regularly apply the wrong one for the job - then discover the mistake during an audit or eDiscovery exercise, when it's too late to undo cleanly.
This guide is the head-to-head. What each label type actually does, when you'd use which, the specific scenarios where mixing them up costs you, and what survives when SharePoint content gets archived or moved.
Every claim links to Microsoft's own current 2026 documentation so the technical points are verifiable, not vendor spin.
The One-Sentence Difference
The simplest way to keep them straight:
- Sensitivity labels protect access. They control who can do what with the data and how the data is marked.
- Retention labels preserve content. They control how long the data must exist and what happens to it after the retention period.
Different problems. Different tools. Same admin centre.
What Sensitivity Labels Actually Do
Sensitivity labels are part of Microsoft Purview Information Protection - formerly known as the MIP framework, hence the older "MIP labels" terminology that admins still use. Microsoft's own definition:
"Provide protection settings that include encryption and content markings. For example, apply a 'Confidential' label to a document or email, and that label encrypts the content and applies a 'Confidential' watermark. Content markings include headers and footers as well as watermarks, and encryption can also restrict what actions specified people can take on the content."
Concretely, when you apply a sensitivity label to SharePoint content, the label can:
- Encrypt the content so only authorised users can open it, and restrict what they can do (view, edit, print, copy, forward)
- Apply visible markings - watermarks, headers, footers - that travel with the document wherever it goes
- Extend SharePoint protection when files are downloaded - the file's SharePoint permissions travel with the labelled file outside SharePoint
- Protect containers - apply labels to SharePoint sites, Teams sites, Microsoft 365 Groups, Viva Engage communities, Loop workspaces. This sets privacy, external sharing, and unmanaged device access for everything in the container.
- Protect Microsoft 365 Copilot grounding - per Microsoft, "Copilot and agents recognize and integrate sensitivity labels into the user interactions to help keep labeled data protected." If a sensitivity label encrypts a document, Copilot will only surface content from it when the requesting user has been granted the EXTRACT usage right.
- Identify content for eDiscovery cases - search queries in eDiscovery can filter to (or exclude) specific sensitivity labels
- Be applied automatically - auto-labeling policies can apply labels based on content patterns, or recommend them to users
The label itself, per Microsoft:
"Persistent. Because the label is stored in metadata for files and emails, the label stays with the content, no matter where you save or store it."
A sensitivity label travels with the file forever. It's not time-bounded.
What Retention Labels Actually Do
Retention labels are part of Microsoft Purview Data Lifecycle Management (and Records Management for the stricter variants). For the full reference, see Microsoft's retention policies for SharePoint and OneDrive.
A retention label tells SharePoint:
- How long this item must be retained
- What happens at the end of that period (deleted, reviewed, retained forever)
- Whether the item is a record (with stricter immutability than standard retention)
- Whether the item is a regulatory record (with the strictest immutability - cannot be edited or deleted at all)
Retention labels apply to SharePoint files, OneDrive files, and list items. When SharePoint detects that a labelled item has been edited or deleted in a way that would otherwise lose the original, SharePoint copies the original into the Preservation Hold Library - a hidden system library inside the same SharePoint site - to preserve it for the remainder of the retention period.
The storage implication is direct, in Microsoft's own words:
"When a user changes an item that's subject to retention from a retention policy or a retention label that marks items as a record, or deletes any item subject to retention, the original content is copied to the Preservation Hold library."
The key point most admins miss: retention labels can dramatically inflate SharePoint storage consumption. Every edit or deletion of a labelled record creates a copy in the Preservation Hold Library, and that copy counts against your tenant's SharePoint pool. This is the mechanism behind the storage growth problem covered in why retention silently inflates SharePoint storage costs.
Retention labels can be:
- Manually applied by users to individual items
- Auto-applied by policy based on content patterns, sensitive info types, trainable classifiers, or Keyword Query Language
- Applied as a default label for an entire SharePoint document library
Three retention behaviours: retain-and-delete (keep for N years, then delete), retain-only (keep for N years, then leave alone), and delete-only (no retention, just delete after N years).
The Head-to-Head Comparison
| Dimension | Sensitivity Label | Retention Label |
|---|---|---|
| Microsoft Purview area | Information Protection | Data Lifecycle Management / Records Management |
| Primary purpose | Protect access and mark the data | Preserve the data for a defined period |
| Encryption | Can encrypt content | Cannot encrypt - retention is orthogonal to access control |
| Watermarks / headers / footers | Yes - can apply visible content markings | No |
| Container scope (sites, Teams, Groups) | Yes - can apply to SharePoint sites, Teams, Groups, Loop workspaces, Viva Engage | No - retention policies apply at the location level, but retention labels apply only to items |
| Time-bounded | No - persists with the file forever, no expiry | Yes - applies for the configured retention period |
| Storage impact | Minimal - label is metadata; encrypted files are the same size in storage | Significant - retained content edits / deletions create copies in the Preservation Hold Library |
| Single per item? | Yes - one sensitivity label per item maximum | Yes - one retention label per item maximum |
| Can a single item have BOTH? | Yes - Microsoft explicitly supports both a sensitivity label and a retention label on the same item | Same |
| Microsoft 365 Copilot integration | Copilot reads and honours sensitivity labels for content access | Copilot reads from labelled and unlabelled content alike - retention labels don't affect Copilot grounding |
| eDiscovery integration | Search queries can filter by sensitivity label | Standard retention labels and records labels both supported for eDiscovery |
| Auto-apply capability | Auto-labeling policies based on content scanning | Auto-apply policies based on content scanning, keywords, or sensitive info types |
| End-user visibility | Visible to end users in the app (label appears in document chrome) | Visible to end users in the document properties pane |
| What happens if applied incorrectly | Wrong sensitivity label = wrong access permissions | Wrong retention label = wrong retention period, potential compliance breach |
The Audit Failure Modes (Where This Bites)
Three scenarios where confusing the two label types breaks the compliance posture.
Scenario 1: Applying a sensitivity label when retention was the requirement
A compliance team is told "all customer contracts must be retained for seven years per the master services agreement clauses." Someone in the Information Protection admin group creates a "Customer Contracts" sensitivity label that encrypts the documents and restricts access to the contracts team.
The label does what sensitivity labels do: it locks down access and encrypts the file. It does nothing about retention. A user with the right permissions can still delete the contract a week later. The Preservation Hold Library never receives a copy. Seven years from now, an auditor asks for a specific contract and the answer is "it doesn't exist anymore." Compliance failure.
The fix would have been a retention label with a seven-year retain-and-delete policy. The two are not interchangeable.
Scenario 2: Applying a retention label when access protection was the requirement
The opposite mistake. A legal team wants to make sure board minutes aren't shared outside the executive team. Someone in the Records Management admin group applies a "Board Minutes - 10 Year Retention" retention label to the document library.
The label does what retention labels do: it preserves the documents for ten years. It does nothing about access control. Anyone with SharePoint Read access to that site can still open the file and forward it. The encryption never happens. The access restrictions never apply. Leak risk unchanged.
The fix would have been a sensitivity label that encrypts the document and restricts access to the board distribution list - ideally in addition to a retention label, since the documents also need preservation.
Scenario 3: Both labels applied, but admin assumes one implies the other
Common assumption pattern: an admin applies a "Highly Confidential" sensitivity label and assumes that's enough for the compliance officer who wanted documents preserved for the audit window. Or applies a "7-Year Retention" retention label and assumes the documents are now encrypted.
They aren't. The two label types coexist on the same item but solve different problems. If the compliance requirement is both access protection and preservation, you need both labels applied. The good news is Microsoft explicitly supports this:
"Each item that supports sensitivity labels can have a single sensitivity label applied to it from your organization. Documents and emails can have both a sensitivity label and a retention label applied to them."
So the right pattern for highly-regulated content is: sensitivity label + retention label, both, on the same items, both managed in Microsoft Purview but in their respective sections.
When to Use Each (Quick Reference)
Use a sensitivity label when:
- The compliance requirement is about who can access this data
- The data needs encryption that travels with the file outside SharePoint
- You need visible markings (watermark / header / footer) on the document
- You need to control sharing behaviour (default sharing link type, external user access)
- You need Microsoft 365 Copilot to respect access controls when surfacing the content
- You need to lock down a SharePoint site, Teams site, Microsoft 365 Group, or Loop workspace at the container level
Use a retention label when:
- The compliance requirement is about how long the data must exist
- The data is a record that must be preserved for a regulatory or business reason
- The data must be deleted after a defined period (with disposition review)
- The data must be marked as a regulatory record - immutable, cannot be edited or deleted at all
- You need automatic deletion of old content to control storage growth
Use both when:
- Highly confidential content that also has a long retention requirement (most regulated business records)
- Customer or patient data subject to data protection law (GDPR, HIPAA, etc.) that needs both access protection AND retention enforcement
What Survives When SharePoint Content Is Archived
Whether the content is being moved to Microsoft 365 Archive, archived by a third-party tool, or migrated between tenants - the label behaviour matters for compliance continuity.
Sensitivity labels through archive and restore
Sensitivity labels are stored in document metadata. Any archiving solution that preserves file metadata preserves the sensitivity label. The encryption settings on the label continue to apply to the file in its new location - including when the file is restored back to SharePoint. The label is persistent by design.
For Microsoft 365 Archive, sensitivity labels carry through. For Squirrel, sensitivity labels are preserved on the archived file and re-applied on the stub when content is rehydrated to SharePoint.
Retention labels through archive and restore
Retention labels behave differently because the retention infrastructure is tied to SharePoint's Preservation Hold Library. Items in the Preservation Hold Library themselves carry their retention labels and sensitivity labels, and the system explicitly protects them:
"It's not supported to edit, delete, or move these automatically retained files yourself. Or, change or remove retention labels and sensitivity labels for these files."
For Microsoft 365 Archive, retention policies and labels continue to apply to archived sites - Microsoft's own integration handles this natively. For third-party archiving, this is where it matters which solution you choose: the archiver must explicitly preserve the retention label, respect any active retention period, and re-apply the label correctly on rehydration. Squirrel preserves both sensitivity labels and retention labels through the archive / restore cycle - see the AvePoint alternative comparison for the head-to-head on how each archiving vendor handles label preservation.
The storage cost angle
This is the part that affects buying decisions, not just compliance.
Retention labels that mark items as records create copies in the Preservation Hold Library on every modification. For a tenant with active retention on substantial content volumes, the Preservation Hold Library can grow to be a meaningful percentage of total SharePoint storage - silently, because it's hidden from normal SharePoint navigation. That growth pushes the tenant against its pool quota faster, which compounds at the SharePoint overage rate.
Archiving inactive content into customer-owned Azure Blob Storage reduces the pool consumption from the active SharePoint estate, but only works if the archiver preserves both label types so that compliance posture isn't broken. That's the basic argument for SharePoint archiving with a purpose-built tool over manual cleanup or rule-based deletion.
Frequently Asked Questions
Q: Are MIP labels and sensitivity labels the same thing?
A: Yes, in current terminology. "MIP labels" was the older name for sensitivity labels under the Microsoft Information Protection framework. They're now officially called "sensitivity labels" and managed under Microsoft Purview Information Protection. Many admins still use the older term interchangeably. They're the same labels.
Q: Can a single SharePoint document have both a sensitivity label and a retention label at the same time?
A: Yes. Microsoft documents this explicitly - sensitivity and retention labels coexist on the same item. It's the recommended pattern for content that needs both access protection (sensitivity) and preservation (retention).
Q: Do sensitivity labels affect SharePoint storage costs?
A: Minimal direct impact. The label itself is metadata. Encrypted files are roughly the same size in storage as unencrypted ones. The indirect impact is that sensitivity-labelled content is harder to clean up automatically because the access restrictions can limit what an archiving or governance tool can see and process.
Q: Do retention labels affect SharePoint storage costs?
A: Significantly, yes. Retention labels that mark items as records create copies in the Preservation Hold Library every time the item is edited or deleted. For tenants with substantial labelled content and active modification, the Preservation Hold Library can grow to a multi-terabyte hidden cost - all counting against the SharePoint pool quota.
Q: If I archive content with sensitivity and retention labels, do they survive?
A: For Microsoft 365 Archive, yes - Microsoft's integration preserves both. For third-party archivers, it depends on the vendor implementation. Squirrel preserves both sensitivity labels and retention labels through the archive and restore cycle, so compliance posture continues unchanged - see Squirrel vs Microsoft 365 Archive for the detailed comparison.
Q: Where in the Microsoft Purview portal do I create each label type?
A: Sensitivity labels: Information Protection > Labels. Retention labels: Records Management > Labels (or Data Lifecycle Management depending on the retention behaviour). Both flows are in the same Purview portal but in different navigation sections - which is part of why admins confuse them.
Q: Does Microsoft 365 Copilot respect both label types?
A: Copilot directly honours sensitivity labels - it will only surface content from a sensitivity-labelled document if the requesting user has the necessary usage rights (per Microsoft, EXTRACT usage right for copying content). Retention labels do not affect Copilot grounding directly - Copilot can index and surface retention-labelled content the same as unlabelled content. The exception is the Microsoft 365 Archive Copilot exclusion - content archived via M365 Archive is removed from the SharePoint index and excluded from Copilot grounding regardless of its labels.
Q: Can I auto-apply both label types?
A: Yes for both. Sensitivity labels support auto-labeling policies based on content scanning, sensitive info types, and trainable classifiers. Retention labels support auto-apply policies based on the same matching criteria. The auto-apply policies are managed separately for each label type in the relevant Microsoft Purview section.
Get the SharePoint Footprint Visible Before You Apply Either
Whichever labels you apply, knowing what's in your SharePoint estate first makes the policy design defensible. SharePoint Storage Explorer is a free Windows tool that shows site, library, and file-type consumption across your tenant in one view - the fastest way to see where retention labels would have the largest storage impact, and where sensitivity labels would lock down the most-shared content.
For the broader picture on how Squirrel preserves labels through SharePoint archiving while reducing tenant storage consumption, see the SharePoint archiving guide or customer case studies documenting how three enterprise customers handled the retention-vs-storage tradeoff at scale.
