This chapter covers Information Protection and Data Loss Prevention (DLP) in Microsoft Purview, a critical area for the SC-900 exam. You will learn how sensitivity labels and DLP policies work together to protect sensitive data across Microsoft 365 services. Approximately 15-20% of the exam questions touch on compliance solutions, with a significant portion focused on information protection and DLP. Mastery of these concepts is essential for passing the SC-900 certification.
Imagine a large library with a restricted section containing sensitive documents. The librarian (Microsoft Purview) implements a multi-layered protection system. First, every book is labeled with a color-coded sticker (sensitivity label) indicating its clearance level: Green (public), Yellow (internal), Red (confidential), and Black (highly restricted). These stickers are automatically applied by a machine (auto-labeling) based on content rules—for example, any book containing the phrase 'trade secret' gets a red sticker. Next, the library has security guards (DLP policies) at every exit. When a patron tries to check out a book, the guard scans the sticker. If a patron with a regular library card tries to take a red-labeled book out of the building, the guard blocks the exit and sends an alert to the head librarian (incident report). For black-labeled books, the guard confiscates the book immediately and calls security (block action). Additionally, the library has a digital tracking system (audit logging) that records every time a book is moved from the shelf to a reading table. The guard also checks for patterns: if a patron tries to copy pages from multiple red books in one day, the system flags it as a potential data exfiltration attempt (DLP policy with a threshold). This system ensures that sensitive information is protected at all times—at rest (on the shelf), in use (being read), and in transit (being checked out).
What is Information Protection and DLP?
Information Protection in Microsoft Purview refers to the capabilities that help you discover, classify, protect, and govern sensitive information wherever it lives or travels. Data Loss Prevention (DLP) is a subset of information protection that specifically prevents accidental or intentional sharing of sensitive data outside your organization. Together, they form a layered defense for data at rest, in use, and in transit.
How Sensitivity Labels Work
Sensitivity labels are the core of information protection. They are metadata tags that can be applied to documents and emails to classify and protect data. Each label can enforce encryption, visual markings (headers/footers/watermarks), and access restrictions. Labels are published through label policies to users or groups. Users can apply labels manually, or automatic labeling can be configured using conditions like sensitive information types or trainable classifiers.
Label Configuration Details
Encryption: When enabled, the label uses Azure Rights Management (Azure RMS) to encrypt the content. You can define who can access the data (e.g., only users in your organization) and what permissions they have (view, edit, copy, print, forward, reply all).
Visual Markings: You can add custom headers, footers, or watermarks to documents and emails. For example, a 'Confidential' label might add a footer 'CONFIDENTIAL' and a watermark 'DO NOT COPY'.
Auto-labeling: You can create auto-labeling policies that automatically apply labels to files based on conditions such as sensitive information types (e.g., credit card numbers) or trainable classifiers (e.g., 'contracts'). These policies can run in simulation mode first.
Default Label: A default label can be set for new documents or emails. For example, all new documents in a SharePoint site might default to 'Internal'.
Mandatory Labeling: You can require users to apply a label before saving or sending documents/emails.
How DLP Policies Work
DLP policies are rules that inspect content for sensitive information and take protective actions. They can be applied to Exchange Online, SharePoint Online, OneDrive for Business, Teams chat and channel messages, and endpoints (Windows 10/11 devices).
DLP Policy Components
- Locations: Where the policy applies (e.g., Exchange email, SharePoint sites, OneDrive accounts, Teams chat and channel messages, devices).
- Conditions: Rules that define what sensitive information triggers the policy. Conditions include:
  - Sensitive info types: Predefined or custom (e.g., U.S. Social Security Number, Credit Card Number, Azure AD client secret).
  - Sensitivity labels: Triggers when a document with a specific label is shared externally.
  - Retention labels: Triggers for items with a specific retention label.
  - Trainable classifiers: Machine learning models that identify content like contracts or resumes.
- Actions: What happens when a match occurs:
  - Block: Blocks the action (e.g., sending email, sharing file) with a policy tip to the user.
  - Block with override: Allows the user to override the block with a business justification.
  - Notify: Sends an email notification to the user and/or the administrator.
  - Incident report: Sends an alert to the compliance portal.
- Exceptions: Conditions that exclude content from the policy (e.g., only apply if shared outside the organization).
- Policy tips: User notifications that appear in Outlook, SharePoint, OneDrive, Teams, etc.
DLP Rule Processing
When a user attempts to share sensitive content, the DLP engine evaluates the content against active policies. For Exchange, this happens during transport. For SharePoint and OneDrive, it happens when a file is shared externally. For endpoints, it happens when a user attempts to copy to USB or upload to a personal cloud service. The evaluation includes scanning for sensitive info types, checking sensitivity labels, and applying conditions. If a match occurs, the configured action is enforced.
Key Defaults and Timers
DLP policy evaluation: In Exchange, DLP rules are evaluated after transport rules but before message delivery.
Incident reports: Alerts are generated within minutes of a DLP match.
Policy tip refresh: In Outlook, policy tips update as the user edits the email.
Auto-labeling simulation: Policies can run in simulation mode for up to 30 days before turning on.
Interaction with Related Technologies
Microsoft Purview Compliance Portal: Central management for labels, DLP policies, and alerts.
Azure Information Protection (AIP): Unified labeling client (now integrated into Purview) for on-premises and cloud.
Microsoft Defender for Cloud Apps: Can extend DLP to third-party cloud apps via session controls.
Microsoft 365 Audit Log: Logs DLP actions for investigation.
eDiscovery: DLP policies can help identify sensitive data for legal holds.
Configuration and Verification Commands
While SC-900 does not require command-line knowledge, understanding the portal configuration is key. To create a DLP policy:
Navigate to Microsoft Purview compliance portal > Data loss prevention > Policies > Create policy.
Choose a template (e.g., Financial data) or custom.
Select locations (Exchange, SharePoint, OneDrive, Teams, Devices).
Define conditions: e.g., 'Content contains sensitive info type U.S. Social Security Number' and 'Sharing with people outside my organization'.
Set actions: Block access and notify users with a policy tip.
Enable policy.
To verify, use the DLP reports and alerts in the compliance portal. Test by sending an email with a test SSN to an external address and confirm it is blocked.
Exam-Relevant Details
Sensitivity labels are the foundation; DLP policies can use labels as conditions.
DLP policies can be applied to Exchange, SharePoint, OneDrive, Teams, and endpoints.
Policy tips appear in Outlook, SharePoint, OneDrive, and Teams.
Incident reports are sent to the compliance portal and optionally via email.
Endpoint DLP requires Windows 10/11 with Microsoft Defender for Endpoint integration.
Auto-labeling supports both sensitivity labels and retention labels.
Trainable classifiers are used for auto-labeling and DLP conditions.
Sensitive information types include predefined (e.g., ABA routing number) and custom (e.g., using regex).
Common Exam Traps
Trap: Confusing sensitivity labels with retention labels. Sensitivity labels protect data (encryption, markings), while retention labels govern how long data is kept.
Trap: Thinking DLP only applies to email. It applies to multiple workloads.
Trap: Assuming auto-labeling is the same as DLP. Auto-labeling applies labels; DLP enforces actions based on labels or sensitive info.
Trap: Forgetting that DLP policies can be configured with overrides (allow users to bypass with justification).
Trap: Overlooking that DLP incident reports are separate from audit logs.
Step-by-Step: Applying a Sensitivity Label and DLP Policy
Create Sensitivity Label: In Purview, define a label 'Confidential' with encryption and visual markings.
Publish Label: Create a label policy to make the label available to all users.
Configure Auto-Labeling: Create an auto-labeling policy that applies 'Confidential' to documents containing credit card numbers.
Create DLP Policy: Create a DLP policy that blocks sharing of documents labeled 'Confidential' with external users.
Test: Send an email with a credit card number to an external address. The auto-labeling policy applies 'Confidential', then DLP blocks the email and shows a policy tip.
Monitor: Check DLP alerts and reports in Purview.
This integrated approach ensures data is classified and protected automatically.
Create Sensitivity Label
Navigate to Microsoft Purview compliance portal > Information protection > Labels > Create a label. Define the label name, display name, and description (e.g., 'Confidential - Data'). Configure encryption using Azure RMS to restrict access to users in your organization only. Add visual markings like a footer 'CONFIDENTIAL' and a watermark 'DO NOT COPY'. Set auto-labeling conditions if desired. This label becomes the foundation for protection and DLP.
Publish Label via Label Policy
Create a label policy under Label policies. Select the label you created and assign it to users or groups (e.g., all users). Choose policy settings: make it a default label for new documents, require users to apply a label (mandatory labeling), or allow users to apply labels manually. Publish the policy. Users will now see the label in Office apps.
Configure Auto-Labeling Policy
Under Auto-labeling, create a policy. Choose a mode (simulation or real). Define conditions: e.g., 'Content contains sensitive info type Credit Card Number'. Select the label to apply automatically (e.g., 'Confidential'). Choose locations (SharePoint, OneDrive, Exchange). Run in simulation first to see matches. After 30 days, turn on real enforcement.
Create DLP Policy
Under Data loss prevention > Policies > Create policy. Choose a template or custom. Select locations: Exchange email, SharePoint sites, OneDrive accounts, Teams chat and channel messages. Define conditions: e.g., 'Content contains sensitivity label Confidential' AND 'Sharing with people outside my organization'. Set actions: Block access and show a policy tip. Enable the policy.
Test DLP Policy
Send an email from a user in your organization to an external email address containing a credit card number. The auto-labeling policy applies 'Confidential' label. The DLP policy detects the label and external sharing, blocks the email, and shows a policy tip in Outlook. The sender receives a notification explaining the block and can request an override if allowed.
Monitor and Respond to DLP Alerts
In Purview, go to Data loss prevention > Alerts to view incidents. Each alert shows the matched item, user, location, and action taken. You can investigate by viewing the file or email content (with appropriate permissions). Optionally, configure email notifications for administrators. Use reports to track policy matches over time and refine policies.
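The portal procedure from "Configuration and Verification Commands" and the label-to-DLP chain in the steps above, expressed in Security & Compliance PowerShell as an added example (not code from this guide or from Microsoft). It assumes the ExchangeOnlineManagement module is installed, the account holds the Compliance Administrator role, the 'Confidential' label has already been created and published, and the names contoso.example and compliance@contoso.example are placeholders.

```powershell
# Added example (not from the SC-900 guide): the step-by-step above in PowerShell.
# Assumptions: ExchangeOnlineManagement module installed, Compliance Administrator
# role, 'Confidential' label already created and published. Parameter names follow
# the Security & Compliance PowerShell cmdlets; confirm with Get-Help before use.
Connect-IPPSSession -UserPrincipalName admin@contoso.example   # placeholder account

# 1. Auto-labeling: apply 'Confidential' wherever a credit card number is found.
#    Start in simulation (TestWithoutNotifications) so matches are only reported.
New-AutoSensitivityLabelPolicy -Name "AutoLabel-CreditCard" `
    -ApplySensitivityLabel "Confidential" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithoutNotifications

New-AutoSensitivityLabelRule -Name "AutoLabel-CreditCard-Rule" `
    -Policy "AutoLabel-CreditCard" `
    -Workload Exchange, SharePoint, OneDriveForBusiness `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "1" }

# 2. DLP policy over the same workloads plus Teams. Test mode shows policy tips
#    to users without blocking, which is the safe first setting while tuning.
New-DlpCompliancePolicy -Name "DLP-Confidential-External" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -TeamsLocation All `
    -Mode TestWithNotifications

# 3. Rule: content carries the 'Confidential' sensitivity label AND is shared
#    with people outside the organization -> block, show a policy tip, allow an
#    override only with a business justification, and send an incident report.
$labelCondition = @(
    @{ operator = "And"; groups = @(
        @{ operator = "Or"; labels = @(
            @{ name = "Confidential"; type = "Sensitivity" }
        ) }
    ) }
)

New-DlpComplianceRule -Name "Block-Confidential-External" `
    -Policy "DLP-Confidential-External" `
    -ContentContainsSensitiveInformation $labelCondition `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This item is labeled Confidential and cannot be shared outside the organization." `
    -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport "compliance@contoso.example" `
    -IncidentReportContent Title, Service, MatchedItem, RulesMatched, Severity `
    -ReportSeverityLevel High

# 4. Verify what was created, then, after reviewing simulation results (the guide
#    allows up to 30 days), switch both policies to enforcement.
Get-DlpCompliancePolicy -Identity "DLP-Confidential-External" |
    Format-List Name, Mode, ExchangeLocation, SharePointLocation, OneDriveLocation, TeamsLocation
Get-DlpComplianceRule -Policy "DLP-Confidential-External" |
    Format-List Name, AccessScope, BlockAccess, NotifyAllowOverride

Set-AutoSensitivityLabelPolicy -Identity "AutoLabel-CreditCard" -Mode Enable
Set-DlpCompliancePolicy -Identity "DLP-Confidential-External" -Mode Enable
```

Overrides made under WithJustification are recorded, so the alerts and reports described above can be reviewed alongside the justification text.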
Enterprise Scenario 1: Financial Services Firm Protecting Client Data
A large financial services firm must comply with regulations like GDPR and PCI DSS. They use Microsoft Purview to protect client financial data. They create a sensitivity label 'Highly Confidential - Financial' that encrypts documents and restricts access to the compliance team. Auto-labeling is configured to detect patterns like IBAN numbers and apply the label automatically. A DLP policy blocks sharing of any document with this label outside the organization. In production, they run auto-labeling in simulation mode for two weeks to tune false positives. They also enable endpoint DLP on all Windows 10 devices to prevent copying labeled files to USB drives or personal cloud storage. A common issue is that users accidentally override the DLP block too often, so they configure the override to require a business justification and enable audit logging for overrides.
Enterprise Scenario 2: Healthcare Organization Protecting Patient Records
A healthcare provider uses Microsoft 365 for email and document collaboration. They must protect Protected Health Information (PHI) under HIPAA. They create a custom sensitive information type for medical record numbers. A sensitivity label 'PHI' is applied automatically via auto-labeling. DLP policies are created to block external sharing of any document with the PHI label or containing the custom sensitive info type. The DLP policy also sends an incident report to the security team. They deploy endpoint DLP to prevent printing or copying PHI to unapproved apps. Performance considerations: DLP scanning for sensitive info types can impact SharePoint upload speeds slightly, but the trade-off is acceptable. Misconfiguration example: If the DLP policy is set to block all external sharing, legitimate collaboration with business partners is blocked, so they use exceptions for specific partner domains.
Enterprise Scenario 3: Technology Company Protecting Intellectual Property
A technology company uses sensitivity labels to classify source code and trade secrets. They use trainable classifiers to detect 'source code' patterns. DLP policies block sharing of source code-labeled documents via Teams chat. They also use Microsoft Defender for Cloud Apps to extend DLP to third-party apps like Salesforce. In production, they have multiple DLP policies for different departments (e.g., engineering vs. HR). Common pitfalls: Overlapping DLP policies can cause conflicts; they use priority ordering. Also, users may complain about false positives from auto-labeling; they use simulation mode extensively before enforcement.
What SC-900 Tests on Information Protection and DLP
The SC-900 exam covers objective 4.3: 'Describe the capabilities of Microsoft Purview Information Protection and Data Loss Prevention.' You need to understand:
The purpose and capabilities of sensitivity labels (classify and protect data).
The difference between sensitivity labels and retention labels.
How DLP policies work and their components (conditions, actions, locations).
The use of auto-labeling and trainable classifiers.
The integration of DLP with Exchange, SharePoint, OneDrive, Teams, and endpoints.
The ability to recognize when to use sensitivity labels vs. DLP.
Common Wrong Answers and Why Candidates Choose Them
Wrong answer: 'Sensitivity labels are used to retain data.' Candidates confuse sensitivity labels (protection) with retention labels (governance). The exam tests this distinction directly.
Wrong answer: 'DLP policies only apply to email.' Many candidates think DLP is only for Exchange, but the exam emphasizes multiple workloads.
Wrong answer: 'Auto-labeling is the same as DLP.' Auto-labeling applies labels; DLP enforces actions. They are complementary but different.
Wrong answer: 'Sensitivity labels require manual application.' Auto-labeling can apply labels automatically based on conditions.
Specific Numbers and Terms Appearing on Exam
Sensitive information types: Predefined (e.g., 'U.S. Social Security Number', 'Credit Card Number') vs. custom.
Locations: Exchange, SharePoint, OneDrive, Teams, Devices.
Actions: Block, block with override, notify, incident report.
Policy tips: User notifications in Outlook, SharePoint, OneDrive, Teams.
Endpoint DLP: Requires Windows 10/11 and Microsoft Defender for Endpoint.
Trainable classifiers: For auto-labeling and DLP conditions.
Simulation mode: For auto-labeling policies (up to 30 days).
Edge Cases and Exceptions
DLP policies can use sensitivity labels as conditions, but labels must be published first.
DLP for Teams chat and channel messages is in preview (as of exam update).
Endpoint DLP can monitor cloud apps but requires Microsoft Defender for Cloud Apps integration.
Auto-labeling policies can be applied to files already in SharePoint/OneDrive (on-demand scanning).
How to Eliminate Wrong Answers
If a question asks about 'classifying data', think sensitivity labels.
If it asks about 'preventing data exfiltration', think DLP.
If it mentions 'encryption', think sensitivity labels.
If it mentions 'blocking sharing', think DLP.
If it mentions 'retaining data for a period', think retention labels (not covered in this chapter but related).
By understanding the underlying mechanisms, you can eliminate answers that confuse these concepts.
Sensitivity labels classify and protect data; DLP policies prevent data loss.
Sensitivity labels can apply encryption via Azure RMS and visual markings.
DLP policies can be applied to Exchange, SharePoint, OneDrive, Teams, and endpoints.
Auto-labeling uses sensitive info types or trainable classifiers to apply labels automatically.
DLP actions include block, block with override, notify, and incident report.
Policy tips are user notifications shown in Outlook, SharePoint, OneDrive, and Teams.
Endpoint DLP requires Windows 10/11 with Microsoft Defender for Endpoint integration.
Simulation mode for auto-labeling allows testing before enforcement (up to 30 days).
These come up on the exam all the time. Here's how to tell them apart.
Sensitivity Labels
Classify and protect data with encryption, markings, and access control.
Applied to documents and emails via manual or auto-labeling.
Do not enforce actions like blocking sharing; they set protection.
Can be used as conditions in DLP policies.
Focus on protecting data at rest, in use, and in transit.
DLP Policies
Prevent accidental or intentional sharing of sensitive data.
Apply rules to content in Exchange, SharePoint, OneDrive, Teams, and endpoints.
Enforce actions like block, notify, and incident reporting.
Can use sensitivity labels, sensitive info types, or trainable classifiers as conditions.
Focus on preventing data loss during sharing and movement.
Mistake
Sensitivity labels and retention labels are the same thing.
Correct
Sensitivity labels protect data by applying encryption, markings, and access restrictions. Retention labels govern how long data is kept and when it should be deleted. They are separate capabilities in Purview.
Mistake
DLP policies only work for email in Exchange Online.
Correct
DLP policies can be applied to Exchange Online, SharePoint Online, OneDrive for Business, Microsoft Teams (chat and channel messages), and endpoints (Windows 10/11 devices).
Mistake
Auto-labeling is the same as a DLP policy.
Correct
Auto-labeling automatically applies sensitivity labels based on conditions. DLP policies enforce actions (block, notify) based on labels or sensitive information. They are complementary but distinct.
Mistake
Users must manually apply sensitivity labels; they cannot be applied automatically.
Correct
Auto-labeling policies can automatically apply labels to documents and emails based on sensitive information types, trainable classifiers, or other conditions. Users can also apply labels manually.
Mistake
DLP policies can only block actions; they cannot notify users.
Correct
DLP policies can be configured to notify users via policy tips, send email notifications to administrators, and generate incident reports. Blocking is just one of several actions.
A sensitivity label protects data by applying encryption, visual markings, and access restrictions. A retention label governs how long data is kept and when it is deleted. Sensitivity labels are for security; retention labels are for compliance with legal and regulatory requirements. They are separate features in Microsoft Purview.
Yes, DLP policies can use sensitivity labels as conditions. For example, you can create a DLP policy that blocks sharing of any document labeled 'Confidential' with external users. This allows you to enforce protection based on the classification applied by the label.
DLP policies can be applied to Exchange Online (email), SharePoint Online (sites), OneDrive for Business (accounts), Microsoft Teams (chat and channel messages), and endpoints (Windows 10/11 devices). For endpoints, you need Microsoft Defender for Endpoint integration.
A policy tip is a notification shown to users when their action violates a DLP policy. For example, in Outlook, a policy tip appears at the top of the email stating 'This message contains sensitive information and cannot be sent to external recipients.' Users can sometimes override the block with a business justification if allowed.
Auto-labeling uses conditions like sensitive information types (e.g., credit card numbers) or trainable classifiers to automatically apply a sensitivity label to documents and emails. Policies can run in simulation mode first to see matches without enforcement. Auto-labeling can be applied to files already in SharePoint/OneDrive or during creation.
Trainable classifiers are machine learning models that can identify content based on patterns, such as contracts, invoices, or source code. They can be used in auto-labeling policies to automatically apply sensitivity labels, or in DLP policies as conditions to trigger actions.
Yes, DLP policies can be configured to allow users to override the block action by providing a business justification. This is useful for legitimate business needs. Overrides are logged for auditing. However, some policies can be set to block without override for strict compliance.