min read

How do different tools stack up for Microsoft 365 sensitivity label migration?

ShareGate Team

Published on

October 14, 2025

No items found.

Master Hacks: Migrate like a pro

Check out our video series to help you turn migration projects into masterpieces!

Watch now

Text Link

Preserving Microsoft Purview sensitivity labels during a migration is critical for compliance, security, and Copilot readiness—but not every tool makes it easy. We break down how ShareGate, AvePoint FLY, Quest On Demand Migration, and PowerShell handle labels during migration, so you can clearly see the trade-offs and pick the right fit.

Sensitivity labels are built into Microsoft Purview to help classify and protect content in Microsoft 365. They apply encryption, access restrictions, and usage rules that follow files, chats, and emails wherever they go in the cloud—giving IT teams a way to keep collaboration secure and compliant without slowing people down.

The challenge comes during migration. In tenant-to-tenant moves, existing labels should ideally carry over intact, but not every approach supports that. Some migration tools preserve Purview sensitivity labels automatically, while others only reapply them after the fact or leave IT to rebuild protections manually.

If labels aren’t preserved, encryption and access rules can break, permissions may be lost, and sensitive files risk being exposed or overshared. That leaves IT teams with compliance gaps, extra cleanup, and slower projects.

And the stakes are only getting higher. With mergers, hybrid work, and Copilot adoption driving more frequent migrations, sensitivity label management has shifted from a background task to a business-critical priority. That’s why tool choice matters, and why we’re comparing four common approaches to help you choose the right fit for your project.

Why sensitivity label migration matters

Microsoft Purview sensitivity labels are the backbone of secure collaboration in Microsoft 365. By classifying content according to sensitivity (e.g., as “Public”, “Confidential,” or “Highly Confidential”), they can be used to automatically apply protections like encryption, access restrictions, and usage controls across services like SharePoint, OneDrive, and Outlook.

During a tenant-to-tenant migration, losing those labels—or failing to reapply them properly—means losing control over how sensitive data is protected in the destination environment. A document that was once locked down could suddenly be shared too widely, or an encrypted file might lose its encryption and end up vulnerable to unauthorized access. The result isn’t just inconvenience—it’s a direct compliance and security risk.

What’s actually at stake

When sensitivity labels don’t make it through a migration, the consequences include:

Unprotected data as files and emails lose the encryption or access controls tied to their labels
Compliance gaps that increase risk in regulated industries like finance, healthcare, or legal
Project delays in M&A or Copilot rollouts when unlabeled data creates governance roadblocks
Operational inefficiencies from hours of manual rework and missing bulk-edit or reporting tools

That risk is magnified in M&A scenarios, where instead of one directory, you have two (sometimes more) Microsoft Entra ID tenants and security frameworks to reconcile. According to our recent State of Microsoft 365 report, 41% of IT professionals cite security and compliance as the single biggest challenge in M&A migrations—more than double the rate seen in on-prem-to-cloud projects.

With M&A activity, hybrid work, and Copilot adoption accelerating, label loss during migration isn’t a niche concern: it’s one of the biggest compliance risks organizations face in Microsoft 365. Yet many IT teams still spend hours manually reapplying sensitivity labels after the fact, often without full confidence that protections have been restored. This overreliance on manual effort creates unsustainable governance debt, demanding time and expertise most teams simply don’t have.

As Microsoft MVP Richard Harbridge puts it:

“Proactive investment in automation and governance accelerates AI adoption and maximizes ROI while reducing risk.”

— Richard Harbridge, Microsoft MVP in M365 Apps & Services, State of Microsoft 365

‍

The best way to avoid scrambling under pressure is to have a process and pre-vetted toolkit in place before the migration starts. With the right solution, sensitivity labels carry over automatically, so protections remain intact, compliance gaps are closed, and IT teams save countless hours of rework—ensuring a secure springboard for whatever comes next.

To learn more about sensitivity labels from Microsoft Purview Information Protection, which replaced the Azure Information Protection unified labeling client, see Microsoft’s official sensitivity label documentation.

‍

Tool comparison: ShareGate vs. AvePoint vs. Quest vs. PowerShell

Not all migration tools treat sensitivity labels the same way. Some preserve labels seamlessly, while others require extra setup—or leave you to reapply labels manually after the fact. Below, we break down how ShareGate, AvePoint FLY, Quest On Demand Migration, and Microsoft PowerShell approach label migration so you can see which option best fits your needs.

Sensitivity label migration: Feature comparison

Feature	ShareGate	AvePoint FLY	Quest ODM	PowerShell
Label preservation	✔ Yes (with metadata)	✔ Yes across workloads	⚠ Reapplied only (no metadata)	✗ None
UI-based mapping	✔ Drag-and-drop	✗ Not exposed	⚠ Limited (CSV import)	✗ None
Auto-mapping	✔ Exact name-based	✔ Auto-applies if label exists in target	⚠ Requires pre-created labels and matching	✗ N/A
Manual override	✔ Yes	✗ No known override*	⚠ Limited	⚠ Scripted only
Encryption metadata	✔ Preserved and surfaced in the UI	✗ Not documented*	⚠ Requires MIP SDK	✗ Manual only
Same-tenant behavior	✔ Preserved	✔ Preserved	✗ Not supported	⚠ Manual
Cross-tenant handling	✔ Auto-mapped or remapped manually	✔ Reapplied if matching labels exist	⚠ Reapplied if manually matched	✗ Manual
Setup complexity	No feature flags or elevated permissions required	Extra config needed for Teams workloads	Requires feature flag activation, label pre-creation in the target, MIP SDK, and elevated permissions (e.g., Content.SuperUser)	Fully manual scripting
Workload scope	SharePoint, OneDrive, Teams (team files and personal chat file storage)	SharePoint, OneDrive, Teams (chat + attachments)	SharePoint, OneDrive, Exchange Online	Any workload (manual only)

* Indicates that, based on publicly available materials, we found no evidence the feature is supported. It may still exist, but we were unable to independently confirm it.

‍

ShareGate core use case: Large SharePoint/OneDrive migrations with compliance requirements

ShareGate is built for IT teams handling large-scale SharePoint and OneDrive migrations where compliance can’t be an afterthought. Unlike many tools that copy files but strip their protections, ShareGate integrates the Microsoft Information Protection (MIP) APIs upfront to move both the file and its Microsoft Purview sensitivity label, including associated encryption and access controls, in a single pass.

Label preservation: Preserves structure- and content-level labels in SharePoint and OneDrive, carrying over critical metadata like name, GUID, encryption status, and scope. Sensitivity labels stay intact in same-tenant moves and carry across securely in cross-tenant migrations.
Mapping and setup: Auto-maps labels based on exact name or GUID matches, with a drag-and-drop interface for quick remapping. No feature flags, scripting, or SDKs required.
Workload scope: SharePoint and OneDrive. Because of the architecture behind Microsoft Teams, this also covers Teams files (stored in SharePoint) and personal chat file storage (in OneDrive). Teams content stored in Exchange Online (Teams channel and private chat messages) is migrated, but sensitivity label preservation doesn’t currently extend there.
Pros: Saves IT teams hours of manual work with automated label preservation, bulk remapping, and an intuitive UI—ensuring that migrations stay secure, compliant, and Copilot-ready at scale.
Cons: Doesn’t support label property auto-mapping (e.g., ID, color, description, or priority).

‍

DIVE DEEPER: See how to simplify sensitivity label migration in Microsoft 365 with a step-by-step walkthrough of ShareGate’s purpose-built feature

‍

AvePoint FLY core use case: Multi-workload migrations

AvePoint FLY is a strong fit for multi-workload migrations where Microsoft Teams content — especially 1:1 chats and their attachments—needs to be moved with sensitivity labels intact. While other solutions cover Teams data through its underlying storage, AvePoint surfaces Teams-specific label handling more explicitly in the migration process.

Label preservation: Maintains sensitivity labels during Teams chat, OneDrive, and SharePoint migrations. If the same label exists in the target, it can be reapplied automatically.
Mapping and setup: Offers flexibility to migrate existing labels, create new ones in the destination, or remove them entirely.
Workload scope: SharePoint, OneDrive, and Teams (1:1 chats and their attachments).
Pros: Delivers full-fidelity preservation across multiple Microsoft 365 workloads, making it well suited for large-scale, automated migrations that include Teams.
Cons: Setup is less streamlined than some other tools; for migrations involving Teams content (Teams chats + attachments), additional upfront configuration is required.

‍

Quest On Demand Migration core use case: Highly regulated environments

Quest On Demand Migration (ODM) takes a different approach to sensitivity label migration. Instead of moving labels along with content, it reapplies them in the destination tenant. This method can help organizations with strict regulatory requirements maintain control, but it also means more manual effort and longer project timelines.

Label preservation: Labels are reapplied in the destination, but original metadata (scope, encryption status, etc.) is not preserved.
Mapping and setup: Labels must already exist in the target tenant and be matched manually. Setup requires feature flag activation, MIP SDK, and additional Microsoft permissions (e.g., Content.SuperUser).
Workload scope: SharePoint, OneDrive, and Exchange Online.
Pros: Works well in highly regulated environments that require strict security controls and can accommodate the added setup and oversight.
Cons: Requires heavy configuration, doesn’t preserve metadata, and slows migrations with manual label matching.

‍

Microsoft PowerShell core use case: Small, one-off migrations with in-house technical know-how

PowerShell isn’t, technically speaking, a migration tool—it can’t move content or sensitivity labels between tenants. At most, it can be scripted to read label definitions and reapply them in a destination tenant after content has already been migrated by another solution.

Unlike purpose-built tools that integrate label handling into their workflows, PowerShell offers no automation, mapping, or error handling. Any attempt to use it for tenant-to-tenant projects requires custom scripts, deep technical knowledge, and a high tolerance for risk.

Label preservation: None natively supported. Sensitivity labels are typically removed before transfer—especially if they enforce encryption—and must then be recreated and reapplied through custom scripts.
Mapping and setup: Entirely manual. Admins can use Security & Compliance PowerShell (Get-Label, Get-LabelPolicy) to list existing sensitivity labels and policies from the source tenant, but there’s no Microsoft-supported automation for migrating them across tenants. Equivalent labels must be recreated in the target tenant before scripts can apply them.
Workload scope: Script-dependent and fragmented. PowerShell offers no unified workflows across SharePoint, OneDrive, or Exchange, making it impractical for production-scale migrations.
Pros: Free to run, flexible, and offers granular control for highly technical admins.
Cons: Extremely labor-intensive, error-prone, and high-risk at scale. A separate migration tool is always required to move actual content.

Caveat: While PowerShell itself is free, Microsoft’s free migration utilities (Migration Manager, SharePoint Migration Tool), are limited to on-premises or third-party sources such as Google, Box, or Dropbox. They don’t support Microsoft 365 tenant-to-tenant moves, so pairing them with PowerShell won’t solve Microsoft Purview sensitivity label migration. A paid third-party solution is still required.

Each tool takes a very different approach to sensitivity label migration. The key differences come down to ease of use, workload coverage, and compliance risk—with ShareGate standing out for its automation and simplicity.

Simplify your sensitivity label migration

Managing sensitivity labels during migration doesn’t have to be complicated. With ShareGate’s purpose-built Microsoft 365 migration tool, you can:

Automatically preserve all Microsoft Purview sensitivity labels. No manual work required.
Maintain compliance and security across tenant-to-tenant moves and organizational restructures without the overhead.
Keep your Microsoft 365 environment Copilot-ready by ensuring protections stay intact post-migration.
Confidently meet compliance standards and protect sensitive data with less effort.
Simplify how you assess, migrate, and govern Microsoft 365, from start to finish.

Trusted by more than 100,000 IT pros worldwide, ShareGate is built to make migrations not just faster, but safer.

Ready to see the feature in action?

ShareGate’s sensitivity label migration feature makes it easy to keep protections intact, close compliance gaps, and move faster through complex tenant-to-tenant projects.

Book a demo to see how it works.