Microsoft is rolling out a significant update to how administrators assign sensitivity labels in Purview, with new controls that let them exclude entire Microsoft 365 groups and include dynamic security groups. The changes, which reach general availability in May 2026, address a long-standing limitation that forced broad label policies even when certain groups didn’t need them.

Expanded Group Targeting Options in Sensitivity Labels

For years, Purview label policies could only be applied to specific user or group types—mail-enabled security groups, distribution groups, or Microsoft 365 groups were the standard. The problem was twofold: you couldn’t explicitly exclude a group from a policy, and dynamic or non-mail-enabled security groups were off the table. That meant admins often had to create multiple policies or accept imperfect scoping.

With the May 2026 GA release, Microsoft now supports three new capabilities:

  • Exclude Microsoft 365 groups: When configuring a label policy, you can add one or more Microsoft 365 groups (including Teams-attached groups) as exclusions. Members of those groups will not receive the sensitivity label, even if they are part of a broader included scope. This is ideal for carving out exceptions—for instance, excluding a “Contractors” group from a policy that applies to all full-time employees.
  • Include dynamic security groups: Previously, dynamic groups (where membership is rule-based, such as “all users in the Sales department”) were unsupported. Now, you can target sensitivity labels at dynamic security groups, ensuring label policies automatically adjust as people join or leave departments.
  • Include non-mail-enabled security groups: These are often used for resource access control and not tied to email addresses. Admins can now use them directly in sensitivity label policies, bridging a gap between identity management and information protection.

The update also brings a more intuitive interface in the Microsoft Purview compliance portal, with separate lists for included and excluded groups, plus validation warnings when a policy has no effective recipients.

How This Impacts Label Policy Management

For administrators, the immediate benefit is a dramatic reduction in policy sprawl. Instead of maintaining separate policies for “Finance Department” and “Finance Department except interns,” you can now have a single policy that uses an inclusion dynamic group for Finance and an exclusion Microsoft 365 group for interns. This not only streamlines administration but also reduces the chance of mislabeling, which can lead to over-protection or under-protection of sensitive data.

From an end-user perspective, the change is mostly invisible—but the consistency it brings matters. A new hire who joins Finance will automatically get the correct sensitivity labels on her files and emails because the dynamic group rule triggers immediately, without an admin having to add her manually. Likewise, if a user moves out of Finance, labels can be removed just as seamlessly.

Compliance officers will appreciate the finer grained control when applying labels meant for specific regulatory requirements. For example, you might want a “Highly Confidential – GDPR” label to be available only to EU-based employees. With a dynamic group that filters on the ‘co’ attribute of user accounts, this becomes a one-time setup instead of a constant maintenance chore.

There are also security implications. By reducing the number of users who have access to sensitive labels, you shrink the attack surface for accidental or malicious data leaks. And because the exclusion capability works on Microsoft 365 groups, you can elegantly handle guest user scenarios—exclude the “All Guests” group from receiving labels that should never be applied to external collaborators.

The Evolution of Purview Sensitivity Label Scoping

Sensitivity labels in Microsoft 365 have been around since 2018, but their targeting capabilities were initially rudimentary. Labels could either be published to all users or to a static set of individual email addresses. Over time, Microsoft added support for mail-enabled security groups and distribution groups, then later for Microsoft 365 groups. But each addition came with restrictions. Dynamic groups, for instance, were testable in private preview as early as 2024 but remained gated behind a complex enablement process.

The May 2026 general availability is the culmination of a multi-year effort to make Purview’s label policies as flexible as Entra ID’s group management itself. It aligns with Microsoft’s broader Zero Trust ethos, where permissions and protections are tied to identities, not locations. By finally allowing both dynamic inclusions and static exclusions, Microsoft acknowledges that real-world organizations are messy—they have exceptions, contractors, mergers, and rotating teams—and need a labeling system that can adapt without administrative overhead.

This release also reflects the growing importance of Purview in Microsoft’s compliance stack. As regulators tighten data protection requirements, the ability to enforce labeling at scale, and precisely target who can apply which label, is no longer a nice-to-have; it’s a must-have for multinational enterprises.

Steps to Implement the New Controls

If your tenant has the appropriate licensing (typically Microsoft 365 E5 or E5 Compliance), you can start using the new group targeting controls immediately after the May 2026 GA update rolls out. Here’s how to get started:

  1. Review your existing sensitivity label policies. Identify policies that currently use broad “all users” scoping or static group lists. Look for exceptions you’ve been handling with separate policies.
  2. Design your group structure. In the Microsoft Entra admin center, create or identify the Microsoft 365 groups you want to exclude, the dynamic security groups you want to include, and any non-mail-enabled security groups that map to business units or access control lists.
  3. Edit a label policy. In the Microsoft Purview compliance portal, navigate to Information protection > Label policies. Choose an existing policy or create a new one. On the Users and groups page, you’ll now see separate sections for “Include” and “Exclude.” Add your Microsoft 365 groups to the exclude list, and your dynamic or non-mail-enabled security groups to the include list.
  4. Validate and test. Use the new preview functionality (if available) to see which users will be affected. If not, simulate the policy changes in a test environment first. Check that excluded users do not see the label in Office apps after the policy syncs (allow up to 24 hours).
  5. Roll out gradually. Start with a low-impact label, monitor for help-desk tickets, then expand to more sensitive labels.

A critical caveat: dynamic group membership evaluation in Entra ID can take several minutes to a few hours to update. If a user’s attributes change (e.g., department transfer), there may be a short lag before sensitivity label scoping reflects the new membership. This is usually acceptable, but if you need instant changes, static groups might still be preferable for certain high-sensitivity labels.

The Road Ahead

Microsoft has signaled that sensitivity label scoping will become even more contextual in future releases. Expect to see integration with Insider Risk Management signals, where labels could be automatically applied based on user behavior or device risk. Additionally, the option to scope labels to administrative units—something already possible for some Purview policies—may eventually appear for sensitivity labels, allowing decentralized label management for large organizations.

For now, the May 2026 update removes a major friction point in data governance. If you manage sensitivity labels in a complex environment, reevaluating your policies with the new exclusion and dynamic inclusion capabilities should be at the top of your to-do list.