This chapter covers Microsoft Purview Information Protection, a core component of Microsoft 365's compliance and security capabilities. For the MS-900 exam, this topic appears in approximately 10-15% of questions under objective 3.4, focusing on data classification, sensitivity labels, and data loss prevention. Understanding how Purview protects data at rest, in transit, and in use is essential for demonstrating foundational knowledge of Microsoft 365 security and compliance features.
Think of a diplomatic embassy that handles three levels of classified documents: Unclassified, Confidential, and Top Secret. The embassy's mailroom is Microsoft Purview. When a document arrives, the mailroom clerk scans it and applies a stamp (sensitivity label) based on its content: a green stamp for Unclassified, a yellow stamp for Confidential, and a red stamp for Top Secret. The stamp is permanent and travels with the document everywhere — even if a staff member photocopies it, the stamp appears on the copy. The embassy has rules: Top Secret documents cannot leave the secure vault; Confidential documents can be carried only by authorized personnel within the building; Unclassified documents can be emailed to outside partners. If a staff member tries to email a Top Secret document out, the mailroom automatically blocks the transmission and alerts the security chief. The stamp also tells the printer: Top Secret documents must be printed on special paper with a watermark. This entire system — stamping, rule enforcement, and automatic protection — mirrors how Microsoft Purview Information Protection works with sensitivity labels and policies to classify and protect data across Microsoft 365 services.
What is Microsoft Purview Information Protection?
Microsoft Purview Information Protection (formerly Microsoft Information Protection, MIP) is a suite of capabilities that helps organizations discover, classify, protect, and monitor sensitive information across Microsoft 365 services. It integrates deeply with Microsoft 365 apps (Word, Excel, PowerPoint, Outlook), SharePoint, OneDrive, Teams, and endpoints. The goal is to ensure that sensitive data — such as credit card numbers, health records, or intellectual property — is handled according to organizational policy, whether it is stored, shared, or transmitted.
Why It Exists
Data breaches often result from accidental oversharing or misplacement of sensitive information. Traditional perimeter-based security (firewalls, VPNs) is insufficient once data leaves the corporate network. Purview Information Protection provides a data-centric security model: the protection travels with the data, regardless of where it is stored or who accesses it. This is achieved through persistent labels and encryption that remain attached to the data even when it is copied, forwarded, or saved to a different location.
Core Components
1. Sensitivity Labels – Tags that define the sensitivity level of content (e.g., "Confidential", "Highly Confidential"). A label can be configured to enforce protection automatically, such as encryption, content marking, or access restrictions.
- Labels are published to users through label policies and can be applied manually by the user, automatically by auto-labeling conditions, or recommended to the user after content inspection.
- Labels support sub-labels (a parent/child hierarchy) for granularity; a parent that has sub-labels is only a grouping and cannot itself be applied.
- Label priority is the label's position in the list (0 at the top; a higher number means higher priority). When several auto-labeling conditions match, the highest-priority matching label is applied. Automatic labeling does not replace a label a user applied manually unless the auto-labeling policy is explicitly configured to replace existing labels, and it never replaces a higher-priority label with a lower-priority one.
2. Auto-labeling – Uses sensitive information types (e.g., a credit card number pattern with checksum validation) or trainable classifiers (machine learning) to apply labels to files and emails automatically. Service-side auto-labeling can be configured for data at rest (SharePoint, OneDrive) or data in transit (Exchange Online).
- At rest: scans existing files and applies labels.
- In transit: applies labels to emails as they are sent.
3. Data Loss Prevention (DLP) – DLP policies detect, and then block or warn, when users try to share sensitive information inappropriately. DLP uses the same sensitive information types as auto-labeling but acts on actions (e.g., sending an email containing credit card numbers to an external recipient) rather than on classification.
- DLP policies can be applied to Exchange Online, SharePoint, OneDrive, Teams, and endpoints (Windows and macOS devices, via Endpoint DLP).
- Actions: block (with user override, or without override), notify the user with a policy tip, audit only, and send incident reports to administrators.
4. Encryption – Sensitivity labels can enforce encryption through Azure Rights Management (Azure RMS), so that only the identities listed in the label's usage rights can decrypt and open the content. Encryption is persistent: the file stays encrypted if it is renamed, copied, or moved outside Microsoft 365.
- Algorithms: content is encrypted with AES (128-bit or 256-bit, depending on the client and file type); the content key is protected with the tenant's RSA 2048-bit root key.
- Key management: Microsoft-managed tenant key (default), a customer-managed key in Azure Key Vault (BYOK), or Double Key Encryption (DKE), where a second key stays under the customer's control so Microsoft can never decrypt the content alone.
5. Content Marking – Labels can add visual markings such as headers, footers, or watermarks to documents and emails. For example, a "Confidential" label might add a "CONFIDENTIAL" footer to every page.
6. Analytics and Monitoring – Activity Explorer and Content Explorer give visibility into how labels are applied and where sensitive data resides. Activity Explorer logs label changes, DLP actions, and user activities.
How It Works Internally
When a user applies a sensitivity label to a document in Word, the following occurs:
1. The Word client (desktop, web, or mobile) downloads the label policy published to that user from the Purview service and caches it locally. The cache is refreshed periodically, which is why a newly published label can take some hours to appear in the app.
2. The label's metadata is embedded in the file as custom document properties named MSIP_Label_<labelGUID>_Enabled, _Name, _SiteId (the tenant ID), _Method (Standard for an automatic or default label, Privileged for a manual choice), _SetDate, _ActionId, and _ContentBits. For Office Open XML files these properties live in docProps/custom.xml. PDFs are labeled natively; text and image files get a type-specific protected wrapper (.ptxt, .pjpg), and unsupported file types get a generic .pfile.
3. If the label requires encryption, the RMS client generates a symmetric content key, encrypts the document body with it, and obtains a publishing license from Azure RMS that binds the usage rights defined in the label (view, edit, print, forward) to the encrypted content key. Rights such as "no print" are enforced by the RMS-enlightened application that opens the file, not by the file format itself, so they restrict an authorized viewer's actions inside the app but cannot stop that viewer from photographing the screen.
4. On each later open, the RMS client authenticates the user with Microsoft Entra ID and requests a use license. If the user is not covered by the rights list, no content key is issued and the document cannot be decrypted. A use license can be cached for the label's configured offline-access period.
5. When the document is sent as an email attachment, the label and any encryption travel with it. The recipient must be granted rights by the label to open it.
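The property names in step 2 are easy to check on a real file, because an unencrypted .docx is just a zip. The following PowerShell is an added example written for this page, not code from the page or from Microsoft: it reads docProps/custom.xml and groups the MSIP_Label_* properties by label GUID. The property names are the ones Office actually writes; the sample XML at the bottom is constructed for offline use, and its label GUID, SiteId, and date are placeholders.

```powershell
# Added example (not from the page or from Microsoft): read the sensitivity-label
# metadata Office stores in an Open XML file's docProps/custom.xml.
# The MSIP_Label_<GUID>_* names are real; the sample values below are placeholders.

function Get-MsipLabelInfo {
    # Parse custom.xml content and return one object per label GUID found.
    param([Parameter(Mandatory)][xml]$CustomProps)

    $ns = @{
        p  = 'http://schemas.openxmlformats.org/officeDocument/2006/custom-properties'
        vt = 'http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes'
    }
    $labels = @{}
    $props = Select-Xml -Xml $CustomProps -Namespace $ns `
        -XPath '//p:property[starts-with(@name,"MSIP_Label_")]'
    foreach ($hit in $props) {
        $node = $hit.Node
        # Property names have the form MSIP_Label_<labelGUID>_<Field>
        if ($node.GetAttribute('name') -match '^MSIP_Label_([0-9a-fA-F-]{36})_(.+)$') {
            $guid  = $matches[1]
            $field = $matches[2]
            if (-not $labels.ContainsKey($guid)) {
                $labels[$guid] = [ordered]@{ LabelId = $guid }
            }
            # The value sits in a vt:lpwstr child element
            $labels[$guid][$field] = $node.InnerText.Trim()
        }
    }
    foreach ($entry in $labels.Values) { [pscustomobject]$entry }
}

function Get-MsipLabelFromFile {
    # Open a .docx/.xlsx/.pptx as the zip it is and read docProps/custom.xml.
    param([Parameter(Mandatory)][string]$Path)

    Add-Type -AssemblyName System.IO.Compression.FileSystem
    try {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    } catch [System.IO.InvalidDataException] {
        # Not a zip: an RMS-encrypted Office file is an OLE compound file whose body
        # sits in an EncryptedPackage stream. Read its label with Get-AIPFileStatus
        # (Purview Information Protection client) or the MIP SDK instead.
        throw "'$Path' is not an Open XML package; it is probably RMS-encrypted."
    }
    try {
        $entry = $zip.GetEntry('docProps/custom.xml')
        if ($null -eq $entry) { return @() }   # no custom properties: no label metadata
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { $xml = [xml]$reader.ReadToEnd() } finally { $reader.Dispose() }
        Get-MsipLabelInfo -CustomProps $xml
    } finally {
        $zip.Dispose()
    }
}

# Constructed sample of what Word writes for a manually applied "Confidential" label.
$sampleCustomXml = @'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
            xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes">
  <property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="2" name="MSIP_Label_11111111-2222-3333-4444-555555555555_Enabled"><vt:lpwstr>true</vt:lpwstr></property>
  <property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="3" name="MSIP_Label_11111111-2222-3333-4444-555555555555_SetDate"><vt:lpwstr>2024-05-02T09:15:00Z</vt:lpwstr></property>
  <property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="4" name="MSIP_Label_11111111-2222-3333-4444-555555555555_Method"><vt:lpwstr>Privileged</vt:lpwstr></property>
  <property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="5" name="MSIP_Label_11111111-2222-3333-4444-555555555555_Name"><vt:lpwstr>Confidential</vt:lpwstr></property>
  <property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="6" name="MSIP_Label_11111111-2222-3333-4444-555555555555_SiteId"><vt:lpwstr>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</vt:lpwstr></property>
  <property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="7" name="MSIP_Label_11111111-2222-3333-4444-555555555555_ContentBits"><vt:lpwstr>2</vt:lpwstr></property>
</Properties>
'@

Get-MsipLabelInfo -CustomProps ([xml]$sampleCustomXml) | Format-List
# To inspect a real file:  Get-MsipLabelFromFile -Path .\report.docx | Format-List
```

Two things worth noticing in the output. Method is Privileged for a label the user chose and Standard for one applied automatically or by default; that field is how the service decides whether auto-labeling may later replace the label. And, for a label without encryption, these properties are ordinary zip metadata: anyone with a zip tool can edit or delete them, so the classification alone is not tamper-evident. Only a label that applies encryption turns the classification into enforced protection, which is the point the analogy's "permanent stamp" glosses over.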
Configuration and Verification
To configure sensitivity labels, administrators use the Microsoft Purview portal (https://compliance.microsoft.com, which now redirects to https://purview.microsoft.com). The same objects can be managed with Security & Compliance PowerShell after running Connect-IPPSSession from the ExchangeOnlineManagement module. Key steps:
Define labels in Information Protection > Labels.
Publish labels via Label policies.
Configure auto-labeling rules in Auto-labeling.
Create DLP policies in Data loss prevention.
Verification commands (Security & Compliance PowerShell, after Connect-IPPSSession):
To list labels with their priority and whether they encrypt: Get-Label | ft Name, DisplayName, Priority, EncryptionEnabled
To export the label configuration for change control (there is no Export-Label cmdlet): Get-Label | Select-Object Name, DisplayName, Priority, EncryptionEnabled, ContentType | ConvertTo-Json -Depth 4 | Set-Content .\labels.json
To see which labels are published and to whom: Get-LabelPolicy | fl Name, Labels, ExchangeLocation
To check DLP policy status (Mode shows Enable or one of the test modes): Get-DlpCompliancePolicy | ft Name, Mode
Interaction with Related Technologies
Microsoft Defender for Cloud Apps – Can extend label enforcement to third-party SaaS apps (e.g., Salesforce, Dropbox). If a file with a "Confidential" label is uploaded to a non-approved app, Defender can block it.
Microsoft Entra ID – Identity and access management controls who can apply and remove labels. Label policies can target specific groups.
Microsoft Purview portal (formerly the Microsoft 365 compliance center) – Central management interface for labels, DLP, and auto-labeling.
Microsoft 365 Apps – Native integration in Office apps allows users to apply labels easily.
Key Numbers and Defaults
Maximum number of labels: 500 per tenant.
Maximum labels per label policy: 500.
Auto-labeling scan rate: up to 1 million files per day per tenant. A service-side auto-labeling policy must also complete a simulation run before it can be turned on.
DLP rule evaluation: near real-time for Exchange (typically within seconds); for files in SharePoint and OneDrive, a rule fires when the file is crawled after upload or edit, so there can be a short delay.
Encryption key rotation: Microsoft manages the tenant root key by default (this guide gives one year as the rotation interval); with BYOK you control rotation in Azure Key Vault.
These limits and intervals change over time; confirm them against the current Microsoft Learn service description before relying on them in a design.
Use Cases
Healthcare: Automatically label all documents containing patient health information (PHI) as "Highly Confidential" and encrypt them to prevent unauthorized access.
Finance: Apply "Confidential - Financial" label to any document with credit card numbers; block external sharing of such documents via DLP.
Legal: Use trainable classifiers to detect legal contracts and apply a "Legal Privilege" label with strict access controls.
Create Sensitivity Labels
Navigate to Microsoft Purview compliance portal > Information Protection > Labels. Create a new label with a display name (e.g., 'Confidential'), description, and priority. Configure protection settings: choose encryption (with user permissions like View, Edit, Print), content marking (header/footer/watermark), and auto-labeling for files and emails. Each label must have a unique priority; higher priority labels override lower ones when multiple match.
Publish Labels via Policy
After creating labels, publish them through a label policy. Specify which users or groups receive the labels. You can set policy scope (Exchange, SharePoint, OneDrive, Teams) and default label for documents and emails. Users will see published labels in their Office apps. Policies can also include mandatory labeling settings (e.g., require a label to save a document).
Configure Auto-Labeling Rules
In Auto-labeling, create rules that automatically apply labels to files and emails based on sensitive information types (e.g., credit card numbers) or trainable classifiers. For data at rest, the rule scans existing SharePoint and OneDrive files. For data in transit, it scans emails as they are sent. Auto-labeling runs in simulation mode first by default; after reviewing results, you can enable it.
Implement DLP Policies
In Data Loss Prevention, create a policy targeting Exchange, SharePoint, OneDrive, Teams, or endpoints. Define rules that detect sensitive info (e.g., 'Credit Card Number') and set actions like 'Block sharing with external users' or 'Notify user with a policy tip'. DLP policies can be tested in test mode before enforcement. Use Activity Explorer to monitor DLP matches.
Monitor and Audit
Use Content Explorer to view where sensitive data resides. Use Activity Explorer to track label applications, DLP actions, and user activity. Generate reports on label usage and DLP incidents. Audit log retention is 180 days with Audit (Standard), which replaced the earlier 90-day default; Audit (Premium) keeps records for one year, and a 10-year retention add-on is available. Regularly review and adjust policies based on findings.
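The steps from "Create Sensitivity Labels" through "Monitor and Audit", and the "Configuration and Verification" section earlier, can all be scripted. The following PowerShell is an added example written for this page, not code from the page or from Microsoft. It assumes the ExchangeOnlineManagement module is installed, the signed-in account holds the Compliance Administrator role, and that contoso.com, finance@contoso.com, and the label and policy names are placeholders to replace.

```powershell
# Added example (not from the page or from Microsoft): label, policy, auto-labeling
# and DLP setup with Security & Compliance PowerShell, then verification.
# contoso.com, finance@contoso.com and all names below are placeholders.

Connect-IPPSSession -UserPrincipalName admin@contoso.com

# 1. Create a label: encrypt for the Finance group, add a footer and a watermark.
#    Rights string format is 'identity:RIGHT,RIGHT;identity2:RIGHT'.
New-Label -Name 'Confidential' -DisplayName 'Confidential' `
    -Tooltip 'Financial data. Encrypted; only Finance staff can open.' `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions 'finance@contoso.com:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL' `
    -EncryptionContentExpiredOnDateInDaysOrNever Never -EncryptionOfflineAccessDays 7 `
    -ApplyContentMarkingFooterEnabled $true -ApplyContentMarkingFooterText 'CONFIDENTIAL' `
    -ApplyWaterMarkingEnabled $true -ApplyWaterMarkingText 'CONFIDENTIAL' | Out-Null

# 2. Publish it to Finance only, and require a justification when a user lowers
#    or removes the label (the downgrade is also written to the audit log).
New-LabelPolicy -Name 'Finance labels' -Labels 'Confidential' `
    -ExchangeLocation 'finance@contoso.com' | Out-Null
Set-LabelPolicy -Identity 'Finance labels' `
    -AdvancedSettings @{ RequireDowngradeJustification = 'true' }

# 3. Service-side auto-labeling for files at rest, in simulation mode first
#    (TestWithoutNotifications). Switch to Enable only after reviewing the simulation.
New-AutoSensitivityLabelPolicy -Name 'Auto-label credit cards' `
    -ApplySensitivityLabel 'Confidential' `
    -SharePointLocation All -OneDriveLocation All -Mode TestWithoutNotifications | Out-Null
New-AutoSensitivityLabelRule -Policy 'Auto-label credit cards' -Name 'Credit card in file' `
    -Workload SharePoint, OneDriveForBusiness `
    -ContentContainsSensitiveInformation @(@{ Name = 'Credit Card Number'; minCount = '1' }) | Out-Null

# 4. DLP: block mail containing a credit card number to anyone outside the org,
#    show a policy tip, allow override with a business justification. Start in test mode.
New-DlpCompliancePolicy -Name 'Credit cards external' -ExchangeLocation All `
    -Mode TestWithNotifications | Out-Null
New-DlpComplianceRule -Name 'Block CC to external' -Policy 'Credit cards external' `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -AccessScope NotInOrganization -BlockAccess $true `
    -NotifyUser Owner -NotifyAllowOverride WithJustification `
    -NotifyPolicyTipCustomText 'This message contains credit card numbers and cannot be sent outside Contoso.' `
    -ReportSeverityLevel High | Out-Null

# 5. Verify. Priority is the position in the list: a higher number is a higher priority.
Get-Label | Format-Table Name, Priority, EncryptionEnabled, ContentType
Get-LabelPolicy | Format-List Name, Labels, ExchangeLocation
Get-AutoSensitivityLabelPolicy | Format-Table Name, Mode, ApplySensitivityLabel
Get-DlpCompliancePolicy | Format-Table Name, Mode
Get-DlpComplianceRule -Policy 'Credit cards external' |
    Format-List Name, AccessScope, BlockAccess, NotifyAllowOverride

# 6. Once the simulation and test-mode results look right, enforce.
Set-AutoSensitivityLabelPolicy -Identity 'Auto-label credit cards' -Mode Enable
Set-DlpCompliancePolicy -Identity 'Credit cards external' -Mode Enable

# 7. Evidence: label and DLP events land in the unified audit log
#    (an Exchange Online connection is needed for Search-UnifiedAuditLog).
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations SensitivityLabelApplied, DlpRuleMatch -ResultSize 500 |
    Select-Object CreationDate, UserIds, Operations, RecordType | Format-Table -AutoSize
```

Two checks before expecting encryption on files that auto-labeling touches in SharePoint or OneDrive: the label itself must have EncryptionEnabled set (a label without it classifies but does not protect, the misconfiguration the case study below describes), and the tenant must have sensitivity labels for Office files in SharePoint and OneDrive turned on (Set-SPOTenant -EnableAIPIntegration $true from the SharePoint Online module), or the service cannot apply or honour encryption on those files.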
In a large healthcare organization with 10,000 employees, Purview Information Protection was deployed to protect patient health information (PHI). The compliance team created three sensitivity labels: 'General' (no protection), 'Confidential - PHI' (encrypted, view-only for doctors), and 'Highly Confidential - PHI' (encrypted, no forwarding, watermarked). Auto-labeling rules scanned all SharePoint document libraries for files containing social security numbers or diagnosis codes and applied 'Confidential - PHI' automatically. A DLP policy blocked any email containing PHI from going to external recipients unless the sender supplied a business justification as an override.

Simulation mode initially showed that 15% of files were mislabeled because of false positives: credit card numbers in training materials. The team refined the sensitive information types by excluding those patterns. Performance was acceptable; scanning 500,000 files took about 12 hours. A common misconfiguration was leaving encryption off on the label, which left data carrying the label but no protection: auto-labeling an existing file only encrypts it if encryption is configured on that label. After the label was corrected, encryption was enforced and DLP incidents dropped by 80%.

In another scenario, a financial firm used trainable classifiers to detect merger and acquisition documents. The classifier needed 50 positive samples to train; after deployment it reached 95% accuracy. The main challenge was user resistance to mandatory labeling, addressed with a grace period and training. In production, label policies must be scoped correctly: publishing a 'Top Secret' label to all users caused confusion, and scoping it to the legal team alone resolved this.
Misconfigurations often come from misunderstanding label priority. A service-side auto-labeling policy never replaces an existing label of higher priority, and it replaces a manually applied label only if the policy is explicitly configured to replace existing labels of the same or lower priority. Users, by contrast, can always raise a label manually; lowering or removing one can be made to require a justification.
The MS-900 exam tests Purview Information Protection under objective 3.4: 'Describe the capabilities of Microsoft Purview Information Protection.' Focus on the difference between sensitivity labels and DLP.

Common wrong answers and traps:
- 'Sensitivity labels only apply to emails.' They apply to documents and emails, and also to containers (Teams, Microsoft 365 Groups, SharePoint sites), where they control settings such as privacy and external sharing.
- 'DLP policies require sensitivity labels to work.' DLP works on its own with sensitive information types; a label is only an optional DLP condition.
- Auto-labeling is for automatic classification, not for blocking; blocking is DLP.
- 'You need to prevent users from sharing credit card numbers in email. What should you configure?' A DLP policy, not a sensitivity label: labels classify and protect, DLP blocks.
- 'Which tool shows where sensitive data is stored?' Content Explorer. For label usage and DLP activity: Activity Explorer.

Key numbers and terms: labels max 500; priority is numerical (higher number = higher priority); 'persistent protection' (protection travels with the data), 'encryption with Azure RMS', 'content marking', 'trainable classifiers'. DLP policies can target Exchange, SharePoint, OneDrive, Teams, and endpoints (Windows 10/11 and macOS devices with Endpoint DLP).

Edge cases the exam likes: What happens if a user removes a label? If the label applied encryption, removing the label also removes that encryption, but only a user who holds the Export or Full Control usage right can do so; anyone else cannot remove the label at all, and the removal is audited and can require a justification. Labels can be applied manually or automatically, but automatic labeling never replaces a manually applied label unless the auto-labeling policy is configured to, and never replaces a higher-priority label. Licensing: manual sensitivity labels and the Office 365 DLP policies for Exchange, SharePoint and OneDrive are included in Microsoft 365 E3; auto-labeling, trainable classifiers, Teams DLP and Endpoint DLP require Microsoft 365 E5 or the E5 Compliance / E5 Information Protection and Governance add-ons. The exam expects you to know which licenses include which features.
Sensitivity labels are used to classify and protect data with encryption, content marking, and access controls.
DLP policies detect and block or warn on sharing of sensitive information like credit card numbers or health records.
Auto-labeling automatically applies labels to files and emails based on sensitive information types or trainable classifiers.
Labels can be applied to containers (Teams, groups) to control access and sharing settings.
Protection applied via labels is persistent and travels with the data even outside Microsoft 365.
Content Explorer shows where sensitive data resides; Activity Explorer tracks label usage and DLP actions.
Maximum number of labels per tenant is 500; label priority determines which label applies when multiple match.
These come up on the exam all the time. Here's how to tell them apart.
Sensitivity Labels
Classify and protect data with encryption, markings, and access controls.
Applied manually, automatically, or via auto-labeling.
Protection persists with the data (encryption, rights management).
Focuses on labeling and persistent protection.
Do not block a sharing action on their own: a label classifies the data and, with encryption, restricts who can open it, while blocking a send or upload is DLP's job.
Data Loss Prevention (DLP)
Detects and blocks or warns on risky sharing actions.
Uses sensitive information types and policies.
No persistent protection; only controls sharing in transit or at rest.
Focuses on preventing data loss incidents.
Does not apply labels; only monitors and enforces rules.
Mistake
Sensitivity labels and Azure Information Protection (AIP) are the same thing.
Correct
Azure Information Protection (AIP) was the earlier product name and client. Its classic client and classic labels were retired and migrated into Purview sensitivity labels (the unified labeling platform), and the AIP unified labeling add-in for Office reached end of support in April 2024 in favor of labeling built into the Office apps. What remains of the AIP client is now the Microsoft Purview Information Protection client (scanner, viewer, File Explorer and PowerShell labeling). Purview Information Protection (formerly MIP) is the current cloud-native solution built into Microsoft 365.
Mistake
DLP policies require sensitivity labels to function.
Correct
DLP can work independently using sensitive information types (e.g., credit card numbers) without any labels. Labels are optional for DLP.
Mistake
Once a sensitivity label is applied, it cannot be changed.
Correct
Users can change a label to any other label published to them. Moving to a higher-priority label is always allowed; moving to a lower-priority label or removing the label can be configured to require a justification and is written to the audit log, and if the label applied encryption the user needs the Export or Full Control usage right to remove it. Mandatory labeling only requires that some label be present; it does not freeze the chosen one.
Mistake
Auto-labeling automatically blocks users from sharing sensitive data.
Correct
Auto-labeling only applies labels; it does not block sharing. Blocking is done by DLP policies.
Mistake
Sensitivity labels protect data only within Microsoft 365.
Correct
Labels can be extended to third-party apps via Microsoft Defender for Cloud Apps, and encryption persists even when files leave Microsoft 365 (e.g., saved to external drive).
What is the difference between a sensitivity label and a retention label?
A sensitivity label focuses on classification and protection (encryption, markings, access) of data, while a retention label governs how long data is kept and whether it should be deleted. Sensitivity labels protect data; retention labels manage lifecycle. Both can be applied automatically, but they serve different purposes, and a single item can carry one of each.
Can files on an on-premises file server be labeled?
Yes, but not with the cloud-only built-in labeling alone. Files on file servers and network shares can be discovered and labeled by the Microsoft Purview Information Protection scanner (formerly the AIP scanner), which runs on a Windows server and crawls on-premises shares, or labeled from a Windows machine with the Purview Information Protection client (File Explorer right-click, or the Set-AIPFileLabel cmdlet). Once a file is synced to SharePoint or OneDrive via the OneDrive sync app, service-side auto-labeling can label it as well.
Which license is needed for sensitivity labels, auto-labeling and DLP?
Manual sensitivity labels, and the Office 365 DLP policies for Exchange, SharePoint and OneDrive, are available in Microsoft 365 E3 and Business Premium. Auto-labeling (service-side and client-side), trainable classifiers, Teams DLP and Endpoint DLP require Microsoft 365 E5 or add-on licenses such as Microsoft 365 E5 Compliance or E5 Information Protection and Governance.
How does sensitivity-label encryption work?
Encryption uses Azure Rights Management (Azure RMS): content is encrypted with AES (128-bit or 256-bit), and the content key is protected by the tenant's RSA 2048-bit root key. The label configuration specifies which users or groups can decrypt and which usage rights they receive (view, edit, print, forward, extract). The tenant root key is Microsoft-managed by default, customer-managed in Azure Key Vault (BYOK), or paired with a customer-held key under Double Key Encryption (DKE).
What happens to the encryption if a user removes a sensitivity label?
If the user holds the Export or Full Control usage right, removing a label that applied encryption also removes the encryption; the removal is audited and can be configured to require a justification. A user without those rights cannot remove the label. An administrator assigned the Azure RMS super user feature can decrypt any content protected by the tenant regardless of the rights list, for example during eDiscovery or when nobody in the original rights list still exists.
Does DLP work in Microsoft Teams?
Yes, DLP policies can be applied to Teams chat and channel messages. They detect sensitive information shared in messages and can block the message or warn the user. DLP for Teams requires a Microsoft 365 E5 (or E5 Compliance) license.
What is the difference between auto-labeling for data at rest and for data in transit?
Service-side auto-labeling for data at rest scans existing files in SharePoint and OneDrive and applies labels. Auto-labeling for data in transit applies labels to emails as they are sent through Exchange Online. Both use the same sensitive information types but target different locations. Separately, client-side auto-labeling is configured on the label itself and runs inside the Office app while the user works, applying or recommending the label before the file is saved or sent.