Microsoft Purview sensitivity labels and data loss prevention
5 minutes
5 Questions
Microsoft Purview sensitivity labels and data loss prevention (DLP) are essential components of Microsoft 365's security and compliance framework designed to protect organizational data.
Sensitivity labels allow organizations to classify and protect their content based on its level of confidential…Microsoft Purview sensitivity labels and data loss prevention (DLP) are essential components of Microsoft 365's security and compliance framework designed to protect organizational data.
Sensitivity labels allow organizations to classify and protect their content based on its level of confidentiality. These labels can be applied to documents, emails, and other content types across Microsoft 365 applications. When a sensitivity label is applied, it can enforce protection settings such as encryption, content marking (headers, footers, watermarks), and access restrictions. Labels can be applied manually by users or automatically through policies that detect sensitive information patterns. For example, a document containing financial data might receive a "Confidential" label that restricts external sharing and applies encryption.
Data Loss Prevention (DLP) policies work alongside sensitivity labels to prevent accidental or intentional sharing of sensitive information. DLP scans content across Exchange Online, SharePoint, OneDrive, Teams, and endpoint devices to identify sensitive data types like credit card numbers, social security numbers, or health records. When DLP detects potential policy violations, it can take various actions including blocking the sharing attempt, notifying administrators, displaying policy tips to educate users, or requiring business justification before allowing the action.
Together, these features provide comprehensive data protection by combining classification with enforcement. Organizations can create policies that align with regulatory requirements such as GDPR, HIPAA, or industry-specific standards. The Microsoft Purview compliance portal serves as the central management hub where administrators configure sensitivity labels, define DLP policies, and monitor compliance across the organization.
These tools help organizations maintain control over sensitive information, reduce the risk of data breaches, meet compliance obligations, and create a culture of data awareness among employees while still enabling productivity and collaboration.
Microsoft Purview Sensitivity Labels and Data Loss Prevention (DLP)
Why It Is Important
In today's digital workplace, organizations handle vast amounts of sensitive data including financial records, personal information, intellectual property, and confidential business documents. Microsoft Purview sensitivity labels and Data Loss Prevention (DLP) are critical components of Microsoft 365's security and compliance framework. They help organizations:
• Protect sensitive information from unauthorized access or accidental sharing • Meet regulatory compliance requirements (GDPR, HIPAA, etc.) • Maintain customer trust by safeguarding their data • Prevent data breaches that could result in financial and reputational damage
What Are Sensitivity Labels?
Sensitivity labels are tags that you apply to documents, emails, and other content to classify and protect organizational data. Think of them as digital stamps that indicate how sensitive the content is and what protections should be applied.
Common sensitivity label classifications include: • Public - Information that can be shared freely • General - Internal use, not intended for public sharing • Confidential - Sensitive business data requiring protection • Highly Confidential - Most sensitive data with strictest controls
What Sensitivity Labels Can Do: • Encrypt content so only authorized users can access it • Add watermarks, headers, or footers to documents • Control who can access the content • Apply visual markings to indicate sensitivity level • Persist with the content wherever it travels
What Is Data Loss Prevention (DLP)?
Data Loss Prevention is a set of policies and tools that help prevent the accidental or intentional sharing of sensitive information. DLP policies monitor content across Microsoft 365 services and take action when sensitive data is detected.
DLP works across: • Microsoft Teams • Exchange Online (email) • SharePoint Online • OneDrive for Business • Microsoft 365 Apps (Word, Excel, PowerPoint) • Endpoints (Windows and macOS devices)
How DLP Works:
1. Detection - DLP uses sensitive information types (like credit card numbers, social security numbers, or custom patterns) to identify sensitive content
2. Policy Evaluation - When sensitive content is detected, DLP checks it against configured policies
3. Action - Based on the policy, DLP can: • Block the sharing or sending of content • Show policy tips to educate users • Send alerts to administrators • Require justification before allowing sharing • Generate reports for compliance auditing
How Sensitivity Labels and DLP Work Together
These two features complement each other: • Sensitivity labels classify and protect individual items • DLP policies monitor for sensitive content and enforce organizational rules • DLP can use sensitivity labels as a condition (e.g., block sharing of any document labeled Highly Confidential)
Microsoft Purview Compliance Portal
Both sensitivity labels and DLP are managed through the Microsoft Purview compliance portal. This centralized location allows administrators to: • Create and publish sensitivity labels • Define DLP policies • Monitor policy matches and alerts • Review compliance reports
Exam Tips: Answering Questions on Microsoft Purview Sensitivity Labels and DLP
Key Concepts to Remember:
1. Sensitivity labels are user-applied or automatic - Labels can be applied manually by users or automatically based on content inspection
2. Labels persist with content - When a labeled document is shared, the label and its protections travel with it
3. DLP uses sensitive information types - These are patterns that identify data like credit cards, passport numbers, or health records
4. DLP policies have conditions and actions - Understand that policies evaluate conditions and then perform actions
5. Policy tips educate users - DLP can show users why their action was blocked and how to proceed
Common Exam Scenarios:
• Questions about preventing external sharing of confidential documents - Think DLP policies • Questions about classifying and encrypting documents - Think sensitivity labels • Questions about detecting credit card numbers in emails - Think DLP with sensitive information types • Questions about adding visual markings to documents - Think sensitivity labels with headers, footers, or watermarks
Watch for These Keywords:
• Classify and Protect usually point to sensitivity labels • Detect and Prevent sharing usually point to DLP • Policy tips and user notifications relate to DLP • Encryption and access control relate to sensitivity labels
Remember: • Microsoft Purview is the umbrella term for compliance solutions • Both features require appropriate Microsoft 365 licensing (typically E3 or E5) • DLP can work with both Microsoft cloud services and on-premises locations