AutoTag Governance Bot

The gap Microsoft built into the Microsoft 365 stack

Container labels on sites and groups don’t apply file-level protection settings to the items inside them. Microsoft says this explicitly. It’s a common point of confusion.

The built-in “default sensitivity label for a library” only applies to NEW uploads or to files when they are EDITED. Files already at rest are unaffected. So most labelling rollouts leave a gap: the protections you designed in Purview only attach themselves to fresh content; your historic estate sits unlabelled.

Backfill, drift detection, and tenant-wide remediation are gaps Microsoft expects you to close yourself, usually with one-off scripts and project work. AutoTag is purpose-built to close them.

Four pillars of governance

File-level sensitivity & retention labels

Backfill labels on files at rest. Retention labels for folders, document sets, list items.

Drift detection & remediation

Report-mode first. Find drift, understand exposure, then remediate.

Container governance

Phase 2: Teams & containers

Site labels, group orchestration, label-driven sharing and privacy controls.

Channel sites & adjacent workloads

Phase 3: Microsoft 365 adjacencies

Private and shared channel sites, OneDrive, Loop, Viva Engage.

File-level sensitivity & retention labels

Apply sensitivity labels to files already at rest in SharePoint and OneDrive, closing the gap where Microsoft’s library-default labelling only covers new uploads or edited files. Retention labels cover folders, document sets, and list items. Verification mode reads current labels back into reportable metadata so you know what’s there before remediating anything.

The Bot platform handles the operational work: source-list driven label assignment, large-batch operations for libraries with millions of items, and per-run reporting of what changed. For record-classifying labels (those that mark items as records under retention), AutoTag uses tenant-admin permissions explicitly and reports the items it touched. This is important for audit trails when a Bot run modifies retained content.

Drift detection & remediation

Run report mode before any bulk apply. AutoTag finds where sensitive files concentrate, where labels are missing, and where container settings have drifted from policy. The output is a dataset, not just a dashboard. Feed it back through the same Bot framework and remediation becomes a follow-on run, not a separate project.

This is the second persona AutoTag carries: not just “apply labels” but “find drift, understand exposure, fix at scale.”

Container governance

Phase 2: Teams & containers

Site sensitivity labels enforce more than just classification. They drive privacy, external-user access, sharing-link defaults, and authentication contexts. AutoTag applies and reconciles those labels at scale across the tenancy and reports on container settings that drift from the intent of the label.

Microsoft 365 Groups carry their own label orchestration, and that orchestration is the right surface for governing groups, Teams sites, Loop workspaces, and Viva Engage communities. They all sit on the same group-labelling substrate. AutoTag governs them through the right surface for each, including a delegated-admin runner mode for the workloads where Microsoft hasn’t shipped application-permission support yet.

Channel sites & adjacent workloads

Phase 3: Microsoft 365 adjacencies

Private channel sites inherit the parent team’s label automatically. Shared channel sites get their own SharePoint site but inherit the parent team’s label. Microsoft does NOT use automatic labelling for shared-channel documents. AutoTag fills that gap.

OneDrive coverage shares the SharePoint substrate, so Phase 1 file-level labelling extends naturally. Loop workspaces and pages are labelled through the same engine. Viva Engage communities sit on the connected SharePoint site. Microsoft says PowerShell doesn’t support Engage labels directly, so AutoTag applies labels via the connected site (the documented Microsoft workaround).

Why AutoTag rather than custom scripts

AutoTag knows your tenant (sites, libraries, groups, channels, OneDrive), so you don’t write that discovery from scratch. It’s built for tenant-wide operational work: cost-aware, retry-aware, dry-run-first.

Drift detection layers naturally on top of remediation. The same engine that finds the gaps closes them.

JFDI Consulting has been writing SharePoint governance solutions since 2003. AutoTag is the operationalisation of that experience: the tooling we’ve been building for our largest customers, productised.

For technical evaluators: see Technical Reference for the Microsoft Graph endpoints, PowerShell cmdlets, permission scopes, and honest constraints behind each pillar.
