Confidential by design: How we’re securing OneNote for the age of AI at Microsoft

Here at Microsoft and at workplaces around the world, OneNote is used for everything from record keeping and note-taking to collaborating across teams. And with Microsoft 365 Copilot making work easier and more efficient across all Microsoft 365 applications, OneNote should be no exception.

However, before we in Microsoft Digital, the company’s IT organization, could fully integrate Copilot into OneNote, we first needed to make it more secure. We recently accomplished this internally at Microsoft by deploying labeling that makes our OneNote notebooks and files more secure. This allowed us to start using Copilot in OneNote without compromising our sensitive or classified data.

“We realized that notebook oversharing was happening significantly and that we were keeping a lot of sensitive data in our notebooks,” says David Johnson, a principal product manager with Microsoft Digital. “OneNote was the only Microsoft 365 program that didn’t support labeling, a gap that we needed to address.”

“OneNote is designed to be the ultimate collaboration tool. So, you can have OneNote as your own personal notebook, or you can share it out with other people and collaborate. People use OneNote for a lot of different things, but at Microsoft especially, it is used for things like troubleshooting guides, post-incident reviews and other very sensitive things that require a high degree of seamless collaboration.”

Faye Harold, principal product manager, Information Protection team, Microsoft Security

Our diverse and heavy use of OneNote throughout Microsoft made closing that gap a critical need.

“OneNote is designed to be the ultimate collaboration tool,” says Faye Harold a principal product manager within the Information Protection Team in Microsoft Security. “So, you can have OneNote as your own personal notebook, or you can share it out with other people and collaborate. People use OneNote for a lot of different things, but at Microsoft especially, it is used for things like troubleshooting guides, post-incident reviews and other very sensitive things that require a high degree of seamless collaboration.”

And the idea that “it’s fine” because no one will ever find your notes in OneNote?

That’s no longer a thing, if it ever was.

In the age of AI, security through obscurity is effectively gone.

“Now the construct is, ‘AI can show you everything you have access to, no matter where it is, including in your colleague’s OneNote notebooks,’” Johnson says. “Without labeling, Copilot can and will show you information that you’re not supposed to see.”

“Bringing sensitivity labels to OneNote marks a major step forward in helping tenant admins safeguard organizational data. It enables consistent enforcement of security policies across the Microsoft 365 suite, giving admins greater confidence that sensitive information in OneNote is protected and governed just like in other Office apps.”

Daniel Beade, senior product manager, OneNote product group

Permissions versus labeling

The current security measures in OneNote are permission-based, determining who can access content at a specific point in time. Labeling adds encryption and policy enforcement to ensure content is protected regardless of where it is stored or shared. And when it comes to AI, labeling establishes confidentiality and security requirements that Copilot must respect. Labeling also helps users understand the sensitivity of content used by Copilot, ensuring they handle the generated responses with appropriate care.

“Bringing sensitivity labels to OneNote marks a major step forward in helping tenant admins safeguard organizational data,” says Daniel Beade, a senior product manager with the OneNote product group. “It enables consistent enforcement of security policies across the Microsoft 365 suite, giving admins greater confidence that sensitive information in OneNote is protected and governed just like in other Office apps.”

Johnson used the analogy of a poisoned apple pie to explain further.

“Imagine if Copilot was baking you a nice apple pie and you weren’t told that the apples it used to make the pie were poison,” he says. “You probably should know that before you take a bite of that pie. Same basic idea here. You’ve got highly confidential content in use that Copilot is using to generate a response. You should be aware of it.”

A triangle deployment model

Security labeling for OneNote was deployed internally to our 300,000 Microsoft employees and vendors in April 2025, and we have updated the Microsoft 365 product roadmap to reflect our plan to make this capability generally available by January 2026 with more information to be shared in the coming months.

“The user awareness aspect of labeling is absolutely critical. When you think about labeling, it’s about user awareness of how sensitive a piece of content should be and the applicability of policies to make sure that the content doesn’t go beyond whatever limits are imposed.”

David Johnson, principal product manager, Microsoft Digital

Our internal deployment happened in two stages. The first stage enabled labeling in the user interface. The second stage rolled out a default policy that labeled all content with a protected label, with options for users to adjust based on the sensitivity of the content.

“The user awareness aspect of labeling is absolutely critical,” Johnson says. “When you think about labeling, it’s about user awareness of how sensitive a piece of content should be and the applicability of policies to make sure that the content doesn’t go beyond whatever limits are imposed.”

“It’s super important to have a labeling capability in OneNote, because down the road labeling is going to help enable more capabilities of Copilot that will allow users to increase their productivity.”

Humberto Arias, senior product manager, Microsoft Digital

The internal deployment strategy involved a triangle model where one organization focused on security requirements, another on tenant management, and his team focused on employee experience.

The model ensured that security measures did not hinder productivity.

“Because Copilot extracts and surfaces content from various sources, it is essential for it to know the sensitivity of the content it uses to generate responses,” says Humberto Arias, a senior product manager in Microsoft Digital. “So that’s why it’s super important to have a labeling capability in OneNote, because down the road labeling is going to help enable more capabilities of Copilot that will allow users to increase their productivity.”

As for those future capabilities, Beade from the product group listed three that will further enhance security within OneNote.

The first, user-defined permissions labels, or UDP, will allow tenants to define permissions at the user level. This means one of our employees could set up a UDP label and then use it to grant edit permissions to one person and read-only access to another. This is similar to what currently exists in Word, PowerPoint and Excel.

The second feature Beade mentioned is auto-labeling. This will allow OneNote to automatically label information based on criteria defined by the tenant admin. Flagging certain content automatically will help prevent Copilot from surfacing sensitive information.

Another security feature coming soon to OneNote is dynamic watermarking.

“Not only will the labeling protection be added into the file, but also watermarking will be added that will ensure everyone knows that the information is confidential,” Beade says. “All three will compliment security labeling and add more protection to OneNote.”

Adding new features to OneNote will now be much easier.

“Labeling is going to make it very seamless for us to deploy new Copilot features in the future,” Arias says. “This was an important step for us to bring OneNote up to par with the rest of the Microsoft 365 apps.”