Solving the Encryption Gap: Applying Sensitivity Labels to Files at Rest in SharePoint Using MCAS

As someone actively working in cloud security, I often come across a common misconception: that applying a default sensitivity label to a SharePoint document library means every file within it is encrypted — always, at rest, and universally. But anyone who's tested this in a real-world scenario knows the story isn’t that simple.

Here is what many don't realize: the default sensitivity label on a SharePoint document library is applied only to the file types SharePoint supports for that feature (Office files such as Word, Excel and PowerPoint), and only when a file goes through the labeling path, which in practice means it is created or edited in Microsoft 365 apps. That leaves a real gap: PDFs, legacy formats, files that were already in the library when the default was configured, and Office files that are uploaded but never opened can sit there unlabeled and unencrypted at rest, even though the library itself "has a label".

So how do we close this gap?

The answer lies in an often-overlooked capability of Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security, MCAS): file policies with an apply-sensitivity-label governance action. A file policy scans files already stored in SharePoint and OneDrive and applies a sensitivity label retroactively, whether or not the file was uploaded with a label and whether or not anyone ever opened it.

The Practical Solution

By using the Microsoft Purview Information Protection (MIP) integration inside Defender for Cloud Apps, we get a labeling model that does not wait for user activity: the service inspects what is already stored and applies the label, and with it the label's encryption, itself.

Here’s how this works in practice:

  1. Enable MIP Scanning in Defender for Cloud Apps: Under Settings > Information Protection, enable the option to automatically scan new files for sensitivity labels and content inspection warnings. This turns on the MIP engine in Defender for Cloud Apps so it can read label metadata and inspect content.
  2. Connect the Microsoft 365 App Connector: This gives Defender for Cloud Apps API visibility into your SharePoint and OneDrive content, which is what the file policy scans.
  3. Build a File Policy: Create a file policy scoped to SharePoint Online (and OneDrive if required) whose filters match the files the library default never reached, for example a sensitivity-label filter that matches files with no label, combined with a file-type or extension filter for the formats you need to cover. Set the governance action to apply a sensitivity label, and pick a label that is configured with encryption; a label without encryption only writes metadata.
  4. Monitor, Audit, and Enforce: Once the policy is active, Defender for Cloud Apps detects matching files already sitting in SharePoint, applies the label, and, because the label carries encryption, protects the content at rest with the permissions defined in that label. Confirm the outcome on a sample of files (label and protection status in the Defender for Cloud Apps files view, and the file bytes themselves) rather than trusting the library default.
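The check that belongs at this last step is to confirm that the label actually changed the bytes, not just the metadata column. The Python script below is an added example for this post, not Microsoft code and not a Defender for Cloud Apps API: it classifies files downloaded or synced from SharePoint by container format, looks for the MS-OFFCRYPTO stream names that rights management and password encryption leave in an OLE compound file (DRMContent / DRMEncryptedDataSpace and EncryptedPackage, stored UTF-16LE in the directory), checks PDFs for the MicrosoftIRMServices security handler, and reads the MSIP_Label_<guid>_Enabled properties out of docProps/custom.xml of an unprotected OOXML file so a "labeled but still readable" document shows up as exactly that. The sample inputs in make_samples() are constructed bytes, not real documents, the label GUID in them is made up, and the marker search is a triage heuristic over raw bytes, not a full compound-file parse.

```python
"""Triage whether files pulled from a SharePoint library are actually encrypted at rest.

Added example for this post (not Microsoft code). It looks at container bytes,
not at label metadata, so a file that "has a label" but is still a plain ZIP
shows up as unencrypted. Marker matching is a heuristic, not a CFB parser.
"""
import io
import re
import sys
import zipfile
from dataclasses import dataclass
from pathlib import Path

ZIP_MAGIC = b"PK\x03\x04"                        # unprotected OOXML is a plain ZIP
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound file: protected OOXML or legacy .doc/.xls/.ppt
PDF_MAGIC = b"%PDF"

# Stream / storage names from MS-OFFCRYPTO; the CFB directory stores them UTF-16LE.
IRM_MARKERS = tuple(s.encode("utf-16-le") for s in ("DRMContent", "DRMEncryptedDataSpace"))
PASSWORD_MARKER = "EncryptedPackage".encode("utf-16-le")
# Sensitivity-label custom properties Office writes into docProps/custom.xml.
LABEL_RE = re.compile(rb"MSIP_Label_([0-9A-Fa-f-]{36})_Enabled")


@dataclass(frozen=True)
class Verdict:
    kind: str         # detected container / protection type
    encrypted: bool   # True if the content cannot be read without a key or RMS licence
    label_ids: tuple  # label GUIDs found in OOXML metadata (plain files only)


def ooxml_label_ids(data: bytes) -> tuple:
    """Label GUIDs recorded in docProps/custom.xml of an unprotected OOXML file."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if "docProps/custom.xml" not in zf.namelist():
                return ()
            xml = zf.read("docProps/custom.xml")
    except zipfile.BadZipFile:
        return ()
    return tuple(sorted({m.decode().lower() for m in LABEL_RE.findall(xml)}))


def classify(data: bytes) -> Verdict:
    """Classify raw file bytes; encrypted=False means the content is readable as stored."""
    if data.startswith(ZIP_MAGIC):
        # Plain ZIP: every part is readable, whatever label metadata it carries.
        return Verdict("ooxml-plain", False, ooxml_label_ids(data))
    if data.startswith(CFB_MAGIC):
        if any(marker in data for marker in IRM_MARKERS):
            return Verdict("office-irm", True, ())
        if PASSWORD_MARKER in data:
            return Verdict("office-password", True, ())
        return Verdict("office-legacy-plain", False, ())
    if data.startswith(PDF_MAGIC):
        if b"MicrosoftIRMServices" in data:   # ISO 32000 security handler used for MIP-protected PDFs
            return Verdict("pdf-irm", True, ())
        if b"/Encrypt" in data:               # some other PDF encryption (owner/user password etc.)
            return Verdict("pdf-encrypted", True, ())
        return Verdict("pdf-plain", False, ())
    return Verdict("unknown", False, ())


def make_samples() -> dict:
    """Constructed inputs (not real documents) covering each branch; the GUID is made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document>payroll 2024</w:document>")
        zf.writestr(
            "docProps/custom.xml",
            '<Properties><property name="MSIP_Label_3f2b1a0c-5d6e-4f70-8a9b-0c1d2e3f4a5b_Enabled">'
            "<vt:lpwstr>true</vt:lpwstr></property></Properties>",
        )
    labeled_plain_docx = buf.getvalue()
    irm_docx = CFB_MAGIC + b"\x00" * 504 + "\x09DRMContent".encode("utf-16-le") + b"\x00" * 64
    pdf_irm = (b"%PDF-1.7\n1 0 obj\n<< /Filter /MicrosoftIRMServices /V 5 >>\nendobj\n"
               b"trailer\n<< /Encrypt 1 0 R >>\n%%EOF\n")
    pdf_plain = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
    return {"labeled_plain_docx": labeled_plain_docx, "irm_docx": irm_docx,
            "pdf_irm": pdf_irm, "pdf_plain": pdf_plain}


def scan_paths(paths) -> list:
    """Return (path, Verdict) per file; point it at a folder synced or downloaded from SharePoint."""
    return [(str(p), classify(Path(p).read_bytes())) for p in paths]


if __name__ == "__main__":
    targets = sys.argv[1:]
    results = scan_paths(targets) if targets else [(n, classify(b)) for n, b in make_samples().items()]
    for name, v in results:
        gap = "" if v.encrypted else "  <-- readable at rest"
        print(f"{name}: {v.kind} labels={list(v.label_ids)}{gap}")
```

Run it with no arguments to see the four constructed samples classified, or pass file paths from a synced library. Any result marked readable at rest for a file the library claims is labeled is exactly the gap the file policy is there to close; a match on the IRM markers is a strong signal but not proof, so spot-check a few files by opening them as a user outside the label's permissions.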

Why This Matters

This approach bridges a functional gap in Microsoft's native library-level labeling, which matters most in compliance-driven environments. By using Defender for Cloud Apps as the enforcement engine, we shift from encryption that happens as a side effect of someone editing a file to data governance that runs on what is actually stored.

  • PDFs that the library default never touched?
  • Office files never opened by users?

Both are covered, with no user interaction needed.

Things to Be Aware Of

  • Licensing: Defender for Cloud Apps is not included in Microsoft 365 E3. You need Microsoft 365 E5 (or the E5 Security or EMS E5 bundles) or a standalone Defender for Cloud Apps license, plus Microsoft Purview Information Protection entitlements for the users who will open the encrypted files.
  • Only a label that is configured with encryption changes the bytes at rest. Applying a label that carries no protection settings records metadata and nothing more.
  • Defender for Cloud Apps can apply labels only to the file types its Information Protection integration supports (Office formats and PDF); anything else stays out of scope and needs another control.
  • Labeling from Defender for Cloud Apps only works once you explicitly enable the scan settings; it is not on by default.
  • Testing in a pilot environment is a must, especially with encryption-enabled labels that affect external collaboration and any downstream process that has to read file content.
  • Verify the result at the byte level on a sample of files rather than trusting the label column; a file can show a label and still be a plain, readable document.

Final Thoughts

This isn't just a security checkbox. It's about operationalizing compliance. If your organization relies on default labels at the library level and assumes all files are encrypted, it’s time to rethink the model.

Leveraging Defender for Cloud Apps transforms your SharePoint encryption posture from passive to proactive. And in today's data landscape, that shift is non-negotiable.

Let me know if you’ve implemented this, or are exploring something similar - happy to discuss use cases, edge scenarios, or challenges you’ve faced.

#CloudSecurity #Microsoft365 #MCAS #InformationProtection #DataGovernance #SensitivityLabels #SharePointSecurity #CyberSecurity #MicrosoftDefender #MIP #DLP
