Fix Microsoft Purview Compliance Issues: Australian Gov Guide
Why This Is Happening
I've helped dozens of Australian Government agencies get their Microsoft Purview compliance for Australian Government configurations off the ground , and I can tell you honestly, the setup is more involved than Microsoft's getting-started pages suggest. If your sensitivity labels aren't appearing for staff, your DLP policies are blocking legitimate workflows, or your auto-labeling simulation has been spinning for three days without finishing, you're not doing anything wrong. You've just hit the walls that almost everyone hits.
Here's the core issue: the Protected Security Policy Framework (PSPF) and Information Security Manual (ISM) lay out clear classification requirements , UNOFFICIAL, OFFICIAL, OFFICIAL: Sensitive, PROTECTED, but Microsoft Purview doesn't come pre-configured for Australian government classification schemes. You have to map your agency's information classification tiers to sensitivity labels manually, then layer data loss prevention policies on top, then add auto-labeling to catch the items that fall through. Each of those three systems needs to be working independently before the combined effect actually meets your PSPF obligations.
The Microsoft Purview maturity model for Australian Government exists precisely because most agencies can't implement everything at once. Trying to go from zero to full auto-labeling enforcement in a single weekend is a reliable way to end up with broken workflows, furious staff, and a support queue full of "I can't send my email" tickets. I've seen it happen. The maturity model gives you a staged path, but the documentation doesn't warn you loudly enough about all the places where the configuration can silently fail without any useful error message.
Common scenarios that bring people to this guide:
- Sensitivity labels not visible in Word or Outlook, the label policy hasn't been published to the right users or groups, or the policy hasn't synced yet
- DLP rules blocking internal SharePoint access, overly broad conditions that catch internal-to-internal sharing when they were only meant to block external recipients
- Auto-labeling simulation stuck at 0%, the scanning service doesn't have read access to the targeted SharePoint sites, so it never starts
- Copilot-generated documents coming out unlabeled, label inheritance with Microsoft 365 Copilot requires specific label scope settings that aren't enabled by default
- "You don't have permission to apply this label" error, the user's account isn't in the label policy's scope, even though they can see other labels
- PROTECTED label applying but encryption not working, the label's protection settings weren't configured before it was published, and a republish is needed
I know this is genuinely frustrating, especially when it blocks real work and you're under pressure to demonstrate PSPF compliance to your agency's security team. The good news is that every single one of these problems has a concrete fix. Let's go through them. Browse all Microsoft fix guides →
The Quick Fix, Try This First
If your staff can't see any sensitivity labels at all, start here before you do anything else. Ninety percent of the time, the problem is that the label policy hasn't been published to the affected users' accounts or security groups, not a licensing issue, not a service outage, not a client problem. Just a scope setting that got missed.
Here's what you do:
- Sign into the Microsoft Purview compliance portal at
compliance.microsoft.comusing a Compliance Administrator account. - In the left navigation, go to Information Protection > Label policies.
- Click on your existing policy name (if you don't see one, the labels have never been published, jump to Step 2 in the step-by-step section).
- Under Assign policy to users and groups, click the edit link and verify the affected user or their AAD security group is listed. If they're not there, add them and save.
- Wait, labels can take up to 24 hours to propagate, but in most cases, having the user close Office completely and re-open it brings the labels through within 1–2 hours.
If you need to confirm what's actually published without relying on the UI, run this PowerShell from a machine with the Exchange Online Management and Security & Compliance PowerShell modules installed:
Connect-IPPSSession
Get-LabelPolicy | Select-Object Name, ExchangeLocation, ModernGroupLocation, SharePointLocation
The output shows exactly which users, groups, and sites each policy is scoped to. If the column shows "All" but the user still can't see labels, the next thing to check is their Microsoft 365 license, basic sensitivity labeling for documents and email requires at minimum a Microsoft 365 E3 or equivalent license. Features like automatic sensitivity labeling and advanced DLP require E5 Compliance.
If labels are visible but the wrong ones are appearing, for example, a user sees generic labels instead of PSPF classifications, you likely have multiple policies published and one is taking priority over the other. The policy with the lowest number in the "Order" column wins. Reorder them in the Label policies view so your PSPF policy is first.
Before you touch any policy setting, audit what's actually configured in your tenant. Microsoft Purview sensitivity labeling for Australian government compliance requires a label hierarchy that precisely mirrors the PSPF classification structure. Getting the parent–child relationships wrong creates cascading failures in DLP rules, auto-labeling conditions, and the visual markings users see on documents.
In the compliance portal, go to Information Protection > Labels. You should see your top-level labels, UNOFFICIAL, OFFICIAL, OFFICIAL: Sensitive, and PROTECTED, as independent parent labels at the same hierarchy level. OFFICIAL: Sensitive caveats like CABINET or LEGAL-PRIVILEGE should be sub-labels nested beneath the OFFICIAL: Sensitive parent, not floating at the top level or nested under the wrong parent.
A common mistake I see in agency deployments: PROTECTED gets created as a sub-label under OFFICIAL instead of as a sibling at the top level. This breaks how DLP policy conditions match against the label, DLP rules that specify "label equals PROTECTED" won't match items labeled with a PROTECTED sub-label of OFFICIAL unless the rule explicitly includes sub-label matching.
Run this PowerShell to export your full label hierarchy for review:
Connect-IPPSSession
Get-Label | Select-Object Name, ParentLabelId, Priority, ContentType |
Export-Csv C:\pspf_label_audit.csv -NoTypeInformation
Open the CSV. Any label that should be a top-level PSPF classification tier must have a blank ParentLabelId column. If PROTECTED shows a GUID in that column, it's nested under another label and needs to be deleted and recreated at the correct level, labels can't be moved in the hierarchy after creation.
What you should see when the hierarchy is correct: four top-level labels with blank ParentLabelId values (UNOFFICIAL, OFFICIAL, OFFICIAL: Sensitive, PROTECTED), and any caveats showing their parent label's GUID correctly under OFFICIAL: Sensitive only.
Creating sensitivity labels in the portal doesn't make them available to users. Labels only appear in Office clients after you create a label policy and publish it. If you skipped this step or your existing policy is missing key settings, here's how to configure it correctly for PSPF compliance.
In Information Protection > Label policies, click Create policy (or edit your existing one). Work through the wizard:
- Choose labels to publish: Add all four PSPF classification labels, UNOFFICIAL, OFFICIAL, OFFICIAL: Sensitive, PROTECTED, plus any approved sub-label caveats.
- Assign policy to users and groups: Start with your pilot security group. Expand to all agency staff after validation.
- Default label for documents: Set to OFFICIAL. This aligns with baseline PSPF guidance that unclassified official information is treated as OFFICIAL by default.
- Default label for emails: Set to OFFICIAL for the same reason.
- Require users to apply a label: Set to On. This is the mandatory labeling requirement that directly supports PSPF Policy 8, without it, users can save documents and send emails with no classification applied.
- Require users to provide justification to remove or lower a label: Set to On. This creates an audit trail whenever someone downgrades or removes a classification.
To verify mandatory labeling is on after publishing, run:
Connect-IPPSSession
Get-LabelPolicy -Identity "PSPF Classification Policy" |
Select-Object Name, RequiredLabelForMail, RequiredLabelForDocuments
Both RequiredLabelForMail and RequiredLabelForDocuments should return True. If either shows False, the mandatory labeling requirement isn't enforced and your PSPF Australian government sensitivity labeling configuration is incomplete. Go back into the policy wizard and toggle the setting on, then save and republish.
After publishing, users need to fully close and reopen their Office applications for the policy to take effect. Signing out of their Microsoft 365 account and back in within the app speeds this up considerably.
Data loss prevention policies are where you'll spend most of your troubleshooting time. When they're misconfigured, users hit walls with no clear explanation, SharePoint blocks a file upload, Outlook refuses to send an email, and the error message says something generic like "This action is restricted by your organization's security policies." Not helpful.
In the Purview compliance portal, go to Data loss prevention > Policies. For a PSPF-compliant Microsoft 365 data loss prevention configuration for Australian government, you need at minimum two policies, one for PROTECTED content and one for OFFICIAL: Sensitive.
For your PROTECTED DLP policy, configure the rule conditions as follows:
- Condition: Content contains sensitivity label, PROTECTED (and include any PROTECTED sub-labels)
- Action: Restrict access or encrypt the content, Block everyone except the owner and the Microsoft 365 compliance service
- Action: Send incident report to your agency's security inbox
- User notifications: On, tell the user why the action was blocked
For your OFFICIAL: Sensitive DLP policy:
- Condition: Content contains sensitivity label, OFFICIAL: Sensitive
- Action: Block external sharing only (allow internal sharing between agency staff)
- Exception: Sender is a member of [approved external sharing group], add exceptions for legitimate external collaboration
Critical check, run this PowerShell to confirm your policies are in enforcement mode, not just test mode:
Connect-IPPSSession
Get-DlpCompliancePolicy | Select-Object Name, Mode, Workload
If the Mode column shows TestWithNotifications or TestWithoutNotifications, the policy is logging matches but not blocking anything. That means PROTECTED documents are going wherever users send them, right now, with no enforcement. Change the mode to Enable in the portal once you've reviewed the simulation results and are confident in the rule conditions.
Auto-labeling is the safety net that catches documents users forget to label, items imported from legacy systems, and content generated by automated processes that have no awareness of your classification scheme. For PSPF ISM compliance requirements, it's not optional, you need a mechanism that identifies sensitive information and applies protections automatically.
Go to Information Protection > Auto-labeling and click Create auto-labeling policy. For Australian government environments, configure the rules to trigger on:
- Australia Tax File Number, built-in sensitive information type, map to OFFICIAL: Sensitive
- Australia Medical Account Number, built-in sensitive information type, map to OFFICIAL: Sensitive
- Custom keyword lists matching PROTECTED document markers (e.g., specific codewords or classification markers your agency uses)
- Specific SharePoint site locations that are known to host classified project materials
After creating the policy, always start in Simulation mode, not live enforcement. The simulation scans your selected locations and shows you exactly which items would be labeled and with what label. This prevents false positives from going live and triggering DLP blocks across your environment.
Check simulation progress with:
Connect-IPPSSession
Get-AutoSensitivityLabelPolicy -Identity "PSPF Auto-Label Policy" |
Select-Object Name, SimulationStatus, Mode, LastModifiedTime
SimulationStatus should eventually show Completed. If it shows NotStarted after 48 hours, the service account running the scan doesn't have access to the targeted SharePoint sites. Check site permissions in SharePoint Admin Center and ensure the Purview scanning service principal has at minimum Site Collection Read access. Once SimulationStatus shows Completed, review the matched items in the portal, tune any false positives, and then change the Mode to Enable.
What you should see when everything is working: the "Items to be labeled" column in the auto-labeling policy view shows a count that matches your expectations for your environment's content volume. If you have 50,000 documents in a SharePoint library and the simulation only reports 12 matches, your sensitive information type conditions are probably too narrow.
If your agency has deployed Microsoft 365 Copilot, you have an additional validation step that most agencies skip, confirming that sensitivity label inheritance is actually working when Copilot generates content from classified source documents. The Microsoft Purview documentation is clear on this: when Copilot generates an item based on a source item, any sensitivity labels applied to that source are inherited by the generated item. But "is supposed to happen" and "is actually happening in your tenant" are two different things.
Here's the test procedure I run for every agency Copilot deployment:
- Open a Word document that has been labeled OFFICIAL: Sensitive by a user (not auto-labeled, you want to test human-applied label inheritance specifically).
- Click the Copilot icon in the Home ribbon. Select Summarize this document.
- When Copilot generates the summary and offers to create a new document from it, accept and open the new document.
- Immediately check the sensitivity label shown in the ribbon. It should display OFFICIAL: Sensitive, not blank, not UNOFFICIAL, not OFFICIAL.
- Repeat the test with a PROTECTED-labeled source document.
If the generated document comes out without a label, check these settings in the compliance portal:
- Go to Information Protection > Labels, click on OFFICIAL: Sensitive, then select Scope. Confirm both Files & other data assets and Emails are checked. Without file scope enabled, label inheritance can't fire for generated documents.
- Confirm the user running the test has a Microsoft 365 E5 or Microsoft 365 E5 Compliance license, label inheritance with Copilot is an E5-tier capability.
For PROTECTED documents specifically: users will find that Copilot can't access or generate content from PROTECTED-labeled items that have encryption applied. This is intentional, sensitivity label encryption on PROTECTED items prevents access by unauthorized parties, and the encryption permission model effectively prevents Copilot's services from reading the underlying content. Per the Microsoft Purview documentation, this reduces the risk of sensitive information being included in AI-generated output. If your agency needs to discuss whether Copilot should access PROTECTED material, that's a CISO-level policy decision, not a technical fix.
What working label inheritance looks like: generated documents immediately show the source document's label in the ribbon, without the user having to manually apply it. The Microsoft Purview compliance portal's audit log shows a "Label applied via inheritance" activity entry within a few minutes of the Copilot generation event.
Advanced Troubleshooting
If you've worked through all five steps and still have issues, you're most likely hitting one of three scenarios: a Group Policy or registry conflict on domain-joined machines, a federated identity mismatch causing silent policy failures, or a service-side issue that needs Microsoft's involvement. Here's how to diagnose each one.
Group Policy and Registry Conflicts on Domain-Joined Agency Machines
Domain-joined machines managed via Group Policy can have Office sensitivity labeling client behavior overridden by local policy settings. The key registry location to check is:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Common\Security\Labels
If this key exists and has values set, those values override your cloud-delivered label policy. Open Registry Editor on an affected machine (Win+R, type regedit) and navigate to this path. If you see label-related DWORD values here that don't match your intended configuration, work with your GPO team to remove or correct the conflicting Group Policy Object. The name of the GPO responsible will be in the gpresult /h C:\gpresult.html output, look for Office/security-related policies.
Reading the Event Log for Labeling Client Errors
When the labeling client fails silently, the user sees labels, clicks one, and nothing happens, or a label recommendation appears and disappears without applying, the errors go to the Office Alerts log in Event Viewer. On the affected machine, open Event Viewer and navigate to:
Applications and Services Logs > Microsoft Office Alerts
Filter for events in the past hour. Look for event IDs in the 40000–50000 range from the "Microsoft Office" source. Common messages that indicate labeling client failures include policy download errors (check proxy/firewall access to *.protection.outlook.com port 443) and encryption service errors (check RMS service endpoint access to *.aadrm.com).
Local Label Cache Check
The labeling client caches downloaded policies locally. If the cache is corrupt or empty, labels won't appear even if the policy is correctly published:
dir "$env:LOCALAPPDATA\Microsoft\Office\CLP"
If this folder is empty or absent, the policy hasn't downloaded to the machine. The most common cause for this on agency networks is a web proxy blocking the label policy endpoint. Have your network team confirm that *.protection.outlook.com is on the proxy allowlist for all agency endpoints.
Federated Identity UPN Mismatches
In whole-of-government identity federation scenarios, users' UPNs in the identity provider sometimes don't match their Microsoft 365 UPN. When this happens, the label policy check at sign-in fails silently and users don't get their assigned labels. Verify with:
Connect-MsolService
Get-MsolUser -UserPrincipalName user@agency.gov.au |
Select-Object UserPrincipalName, ProxyAddresses, Licenses
Check that the UPN returned matches what the user uses to sign into Windows and Office. A mismatch here, even a subtle domain suffix difference, causes policy assignment failures that don't produce visible errors to the user.
Checking DLP Match Audit Logs
When users report unexpected DLP blocks, the fastest way to diagnose what rule triggered is the audit log in the compliance portal. Go to Audit in the left navigation, click Search, and filter on:
- Activities: DLP rule matched, DLP policy matched
- Date range: time window of the reported block
- User: the affected user's email address
The results show you the exact policy name, the specific rule that fired, and what condition was matched. This is infinitely more useful than asking the user to describe what happened. Screenshot this and use it to tune your DLP exception conditions.
If your DLP policies are correctly configured and set to Enable mode, but items matching the conditions aren't being blocked, first check the Microsoft 365 Service Health dashboard at admin.microsoft.com > Health > Service Health. Filter for "Microsoft Purview" and "Microsoft Purview Information Protection." If you see a degraded or investigating status, wait for Microsoft to resolve the service incident before troubleshooting your configuration further, a backend service issue will make your config look broken even when it's correct. If Service Health shows green across the board but the problem persists, open a case with Microsoft Support through the admin center and attach your audit log exports as evidence. Australian Government customers with a Microsoft Unified Support agreement should call their Technical Account Manager directly and reference "Purview Information Protection, PSPF alignment" in the ticket title for faster routing to the right team.
Prevention & Best Practices
The agencies that have the fewest Purview compliance headaches aren't the ones who configured it perfectly the first time. They're the ones who built a repeatable process around it. Here's what actually works in practice for keeping your Microsoft Purview PSPF compliance configuration stable and your users out of the support queue.
Use the Microsoft Purview Maturity Model as your roadmap, not a suggestion. The maturity model for Australian Government starts with sensitivity labeling, then adds DLP enforcement, then adds auto-labeling. Skipping straight to auto-labeling enforcement before your label policy is stable across all your endpoints is how you get mass false-positive DLP blocks. Each layer needs at least two weeks of pilot testing before you expand to all staff.
Run DLP policies in test mode for a minimum of two weeks. Review the matched items daily during that window. Every "false positive" you catch in test mode is one less helpdesk ticket after you switch to enforcement. Pay particular attention to shared drives with legacy content, auto-labeled or manually labeled items from before your PSPF alignment will often match DLP rules in unexpected ways.
Maintain a label schema register. Document in a spreadsheet: each label's name, its PSPF equivalent classification tier, its encryption settings, its visual marking settings (header, footer, watermark text), and which label policy publishes it. When Microsoft Purview releases an update that affects label behavior, and they do, regularly, you need a baseline to compare against. Check the Microsoft 365 Message Center at admin.microsoft.com > Health > Message Center weekly and filter for Purview-related messages.
Test label inheritance with Copilot before your agency-wide Copilot rollout. Run the five-step validation from Step 5 above against every classification tier in a non-production tenant or pilot group. Document the results. If inheritance isn't working for a specific label, you want to know before 5,000 staff start generating AI content from classified documents.
Set up a "sensitivity label support" page on your agency intranet. Link to it from the label policy's "Help link for user" field in the portal. When users click the info icon next to a label they don't understand, they'll see a link to your internal guidance page. This reduces helpdesk contact volume significantly and keeps staff informed of what each PSPF classification means in practice.
- Enable mandatory labeling for email before documents, email is higher risk for data oversharing and the change is less disruptive to staff workflows than mandatory document labeling
- Turn on the "Require justification to lower or remove a label" policy setting immediately, it creates an audit trail that your security team will thank you for during any incident review
- Add your agency security inbox as an incident report recipient in all DLP policies, you want to see what's being blocked before affected users do
- Schedule a monthly DLP policy match report review using the built-in reports in the compliance portal under Data loss prevention > Reports, patterns of repeated violations often reveal a team that needs training, not just a rule adjustment
Frequently Asked Questions
Why can't my staff see any sensitivity labels in Word or Outlook even after I created them?
Creating labels in the compliance portal is only the first step, labels only appear in Office clients after you create a label policy and publish it to users. Go to Information Protection > Label policies in the Purview compliance portal and check that a policy exists, that it includes your labels, and that the policy is scoped to the affected users' accounts or security groups. After publishing, labels can take up to 24 hours to appear, but having the user close Office completely and reopen it usually brings them through within an hour. Also confirm the user is signed into Office with their work account and not a personal Microsoft account.
My DLP policy is showing in the portal but it's not blocking anything, what did I miss?
Check the policy Mode. In Data loss prevention > Policies, click the policy and look at its current status. If it says Test or shows "TestWithNotifications" in PowerShell, the policy is logging matches without blocking any action, that's by design for simulation. Change the status to "Turn it on right away" (Enable) in the policy wizard once you've reviewed simulation results and are confident the rules won't generate excessive false positives. Also verify the policy's Workload setting covers the services where your content lives (Exchange, SharePoint, OneDrive), a policy scoped only to Exchange won't touch SharePoint files.
How do I know if our Purview setup actually meets PSPF and ISM requirements?
The Microsoft Purview Information Protection Guide for Australian Government includes an "Australian Government requirement to capability mapping" section that lists each PSPF requirement alongside the specific Purview configuration steps and portal locations that satisfy it. Use this as your compliance checklist. Cross-reference your configuration against the ASD's Blueprint for Secure Cloud, which provides ISM-aligned Microsoft 365 baseline configurations. For formal attestation, your agency's security team will likely require evidence from the Purview audit log and the compliance score in the Microsoft Purview Compliance Manager, both available in the compliance portal.
Copilot can't read our PROTECTED documents, is something broken in our setup?
This is expected behavior, not a configuration fault. When sensitivity label encryption is applied to PROTECTED-labeled items, the encryption permission model locks out services that aren't explicitly authorized in the label's Rights Management settings, and Copilot's underlying services fall into this category for PROTECTED content. The Microsoft Purview documentation specifically identifies this as a deliberate risk reduction: encryption prevents sensitive items from being read by AI tools, reducing the chance that classified information ends up in Copilot-generated output. If your agency determines there's a legitimate need for Copilot to work with PROTECTED material, that's a security policy decision requiring CISO sign-off, not a technical fix you should make unilaterally.
Auto-labeling simulation has been running for over three days with no progress, how do I fix it?
Run Get-AutoSensitivityLabelPolicy in PowerShell and check the SimulationStatus and LastModifiedTime fields. If LastModifiedTime hasn't changed in 48 hours, the scan has stalled. The most common cause is that the Purview scanning service doesn't have read access to your targeted SharePoint sites, check the site collection permissions in SharePoint Admin Center and confirm the compliance service principal is listed with at least read access. A second common cause is that the SharePoint sites are excluded from compliance scope at the tenant level. Check Settings in the compliance portal for any scope exclusions. If neither of those resolves it, open a Microsoft support case with your Get-AutoSensitivityLabelPolicy output attached.
Do we need Microsoft 365 E5 to fully comply with PSPF and ISM requirements, or will E3 cover it?
E3 licensing covers basic sensitivity labeling and basic DLP, enough for a foundational PSPF compliance posture, but not the full picture. Features that directly support ISM controls and PSPF enforcement at scale, including automatic sensitivity labeling, advanced DLP with exact data match, communication compliance monitoring, and insider risk management, require Microsoft 365 E5 or the Microsoft 365 E5 Compliance add-on. For any environment handling PROTECTED-level information, the ISM controls around audit logging, data loss prevention, and access restrictions effectively require E5-tier capabilities. Australian Government agencies often have Microsoft-specific licensing arrangements, contact your Microsoft account team and ask specifically about the Microsoft 365 Government licensing tiers, as pricing and feature availability differ from standard commercial agreements.